Analysis

  • max time kernel
    81s
  • max time network
    143s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    28-06-2020 07:40

General

  • Target

    0ab5f0bee96577cb81bd9bc464d0ca85.exe

  • Size

    908KB

  • MD5

    0ab5f0bee96577cb81bd9bc464d0ca85

  • SHA1

    e5e1f336d88b06a25754662f345bdec893c7c6ff

  • SHA256

    2ba0f2e22ed07ca3188c898a0c9256fd30e878916ebe669ed52b25cb18d5ccde

  • SHA512

    b00fb070ff0c178e40a833c8fc5c56873963d9d93e39544629da155d7dec217a2f62f6c14e33384433633f085b046700e2b012cd74e929a3750d4ee2ee1ad194

Malware Config

Extracted

  • Family
    danabot
  • C2
    92.204.160.126
    37.120.145.243
    195.133.147.230
    185.227.138.52
  • rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Danabot x86 payload 4 IoCs

    Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Blocklisted process makes network request 10 IoCs
  • Executes dropped EXE 7 IoCs
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 4 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 13 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ab5f0bee96577cb81bd9bc464d0ca85.exe
    "C:\Users\Admin\AppData\Local\Temp\0ab5f0bee96577cb81bd9bc464d0ca85.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:3672
    • C:\Users\Admin\AppData\Roaming\indepoped\test.exe
      test.exe
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3160
      • C:\ProgramData\sde\2_protected.exe
        C:\ProgramData\sde\2_protected.exe
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Checks processor information in registry
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:3444
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\yg2nZ1aiuf3a & timeout 1 & del /f /q "C:\ProgramData\sde\2_protected.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1228
          • C:\Windows\system32\timeout.exe
            timeout 1
            5⤵
            • Delays execution with timeout.exe
            PID:648
      • C:\ProgramData\sde\1_protected.exe
        C:\ProgramData\sde\1_protected.exe
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:3044
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\10dtUofscdN & timeout 2 & del /f /q "C:\ProgramData\sde\1_protected.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1856
          • C:\Windows\SysWOW64\timeout.exe
            timeout 2
            5⤵
            • Delays execution with timeout.exe
            PID:2152
      • C:\Users\Admin\AppData\Roaming\dfgdfg.exe
        dfgdfg.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2432
        • C:\Windows\SysWOW64\regsvr32.exe
          C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Roaming\dfgdfg.dll f1 C:\Users\Admin\AppData\Roaming\dfgdfg.exe@2432
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1888
          • C:\Windows\SysWOW64\rundll32.exe
            C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Roaming\dfgdfg.dll,f0
            5⤵
            • Blocklisted process makes network request
            • Loads dropped DLL
            PID:2708
      • C:\Users\Admin\AppData\Roaming\trhgdf.exe
        trhgdf.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3120
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\agaebiyoqixpo & timeout 2 & del /f /q "C:\Users\Admin\AppData\Roaming\trhgdf.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3700
          • C:\Windows\SysWOW64\timeout.exe
            timeout 2
            5⤵
            • Delays execution with timeout.exe
            PID:3920
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\agaebiyoqixpo & timeout 2 & del /f /q "C:\Users\Admin\AppData\Roaming\trhgdf.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3780
          • C:\Windows\SysWOW64\timeout.exe
            timeout 2
            5⤵
            • Delays execution with timeout.exe
            PID:3612
      • C:\Users\Admin\AppData\Roaming\rthgf.exe
        rthgf.exe
        3⤵
        • Executes dropped EXE
        • Drops startup file
        • Suspicious use of WriteProcessMemory
        PID:812
        • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
          "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: AddClipboardFormatListener
          PID:396

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    Virtualization/Sandbox Evasion (2) T1497
  • Credential Access
    Credentials in Files (2) T1081
  • Discovery
    Query Registry (5) T1012
    Virtualization/Sandbox Evasion (2) T1497
    System Information Discovery (3) T1082
  • Collection
    Data from Local System (2) T1005
  • Command and Control
    Web Service (1) T1102


Downloads

