Analysis

  • max time kernel
    139s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    28-06-2020 07:40

General

  • Target

    0ab5f0bee96577cb81bd9bc464d0ca85.exe

  • Size

    908KB

  • MD5

    0ab5f0bee96577cb81bd9bc464d0ca85

  • SHA1

    e5e1f336d88b06a25754662f345bdec893c7c6ff

  • SHA256

    2ba0f2e22ed07ca3188c898a0c9256fd30e878916ebe669ed52b25cb18d5ccde

  • SHA512

    b00fb070ff0c178e40a833c8fc5c56873963d9d93e39544629da155d7dec217a2f62f6c14e33384433633f085b046700e2b012cd74e929a3750d4ee2ee1ad194

Malware Config

Extracted

  • Family
    danabot
  • C2
    92.204.160.126
    37.120.145.243
    195.133.147.230
    185.227.138.52
  • rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Danabot x86 payload 6 IoCs

    Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Blocklisted process makes network request 10 IoCs
  • Executes dropped EXE 7 IoCs
  • VMProtect packed file 6 IoCs

    Detects executables packed with the VMProtect commercial packer.

  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 16 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 4 IoCs
  • Modifies system certificate store 2 TTPs 9 IoCs
  • Script User-Agent 1 IoCs

    Uses a user-agent string associated with a script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 13 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ab5f0bee96577cb81bd9bc464d0ca85.exe
    "C:\Users\Admin\AppData\Local\Temp\0ab5f0bee96577cb81bd9bc464d0ca85.exe"
    1⤵
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:1492
    • C:\Users\Admin\AppData\Roaming\indepoped\test.exe
      test.exe
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1436
      • C:\ProgramData\sde\2_protected.exe
        C:\ProgramData\sde\2_protected.exe
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Checks processor information in registry
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:1344
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\VXPi5wxqfVJv & timeout 1 & del /f /q "C:\ProgramData\sde\2_protected.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1244
          • C:\Windows\system32\timeout.exe
            timeout 1
            5⤵
            • Delays execution with timeout.exe
            PID:644
      • C:\ProgramData\sde\1_protected.exe
        C:\ProgramData\sde\1_protected.exe
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2008
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\kAlHMqh4 & timeout 2 & del /f /q "C:\ProgramData\sde\1_protected.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1796
          • C:\Windows\SysWOW64\timeout.exe
            timeout 2
            5⤵
            • Delays execution with timeout.exe
            PID:1328
      • C:\Users\Admin\AppData\Roaming\dfgdfg.exe
        dfgdfg.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:644
        • C:\Windows\SysWOW64\regsvr32.exe
          C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Roaming\dfgdfg.dll f1 C:\Users\Admin\AppData\Roaming\dfgdfg.exe@644
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1424
          • C:\Windows\SysWOW64\rundll32.exe
            C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Roaming\dfgdfg.dll,f0
            5⤵
            • Blocklisted process makes network request
            • Loads dropped DLL
            PID:672
      • C:\Users\Admin\AppData\Roaming\trhgdf.exe
        trhgdf.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1132
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\rgntwwkuijub & timeout 2 & del /f /q "C:\Users\Admin\AppData\Roaming\trhgdf.exe"
          4⤵
          PID:1272
          • C:\Windows\SysWOW64\timeout.exe
            timeout 2
            5⤵
            • Delays execution with timeout.exe
            PID:1544
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\rgntwwkuijub & timeout 2 & del /f /q "C:\Users\Admin\AppData\Roaming\trhgdf.exe"
          4⤵
          PID:1440
          • C:\Windows\SysWOW64\timeout.exe
            timeout 2
            5⤵
            • Delays execution with timeout.exe
            PID:1656
      • C:\Users\Admin\AppData\Roaming\rthgf.exe
        rthgf.exe
        3⤵
        • Executes dropped EXE
        • Drops startup file
        • Loads dropped DLL
        PID:1816
        • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
          "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: AddClipboardFormatListener
          PID:1636

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    • Virtualization/Sandbox Evasion (T1497): 2
    • Install Root Certificate (T1130): 1
    • Modify Registry (T1112): 1
  • Credential Access
    • Credentials in Files (T1081): 2
  • Discovery
    • Query Registry (T1012): 5
    • Virtualization/Sandbox Evasion (T1497): 2
    • System Information Discovery (T1082): 3
  • Collection
    • Data from Local System (T1005): 2
  • Command and Control
    • Web Service (T1102): 1


Downloads
