Downloads.rar

General

Target: HYDRA.exe
Filesize: 139MB
Completed: 19-11-2020 10:39
Score: 10/10
Malware Config

Extracted
Family: smokeloader
Version: 2017
C2: http://92.53.105.14/

Signatures 12

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

  • Suspicious use of NtCreateUserProcessOtherParentProcess
    svchost.exe

    Reported IOCs

    description            pid   process       target process
    PID 628 created 3076   628   svchost.exe   starter.exe
    PID 628 created 3076   628   svchost.exe   starter.exe
  • Executes dropped EXE
    yaya.exe, va.exe, ufx.exe, sant.exe, power.exe, starter.exe, usc.exe, usc.exe, usc.exe, usc.exe

    Reported IOCs

    pid    process
    3524   yaya.exe
    3212   va.exe
    3608   ufx.exe
    3468   sant.exe
    2896   power.exe
    3076   starter.exe
    3540   usc.exe
    3988   usc.exe
    2076   usc.exe
    3812   usc.exe
  • Drops startup file
    va.exe

    Reported IOCs

    description    process   ioc
    File created   va.exe    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudo.vbs
  • Adds Run key to start application
    explorer.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description       process        ioc
    Key created       explorer.exe   \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run
    Set value (str)   explorer.exe   \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Classes = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\ahecdbir\\bwwttfrb.exe"
  • Maps connected drives based on registry
    sant.exe

    Description

    Disk information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description         process    ioc
    Key value queried   sant.exe   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0
    Key opened          sant.exe   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Creates scheduled task(s)
    SCHTASKS.exe, SCHTASKS.exe, SCHTASKS.exe, SCHTASKS.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid    process
    3152   SCHTASKS.exe
    768    SCHTASKS.exe
    4012   SCHTASKS.exe
    3576   SCHTASKS.exe
  • Suspicious behavior: EnumeratesProcesses
    sant.exe

    Reported IOCs

    pid    process
    3468   sant.exe   (reported 64 times)
  • Suspicious behavior: MapViewOfSection
    sant.exe

    Reported IOCs

    pid    process
    3468   sant.exe
    3468   sant.exe
  • Suspicious use of AdjustPrivilegeToken
    usc.exe, svchost.exe, starter.exe, powershell.exe, usc.exe, usc.exe, usc.exe

    Reported IOCs

    description               pid    process
    Token: SeDebugPrivilege   3540   usc.exe
    Token: SeTcbPrivilege     628    svchost.exe
    Token: SeTcbPrivilege     628    svchost.exe
    Token: SeDebugPrivilege   3076   starter.exe
    Token: SeDebugPrivilege   2800   powershell.exe
    Token: SeDebugPrivilege   3988   usc.exe
    Token: SeDebugPrivilege   2076   usc.exe
    Token: SeDebugPrivilege   3812   usc.exe
  • Suspicious use of WriteProcessMemory
    HYDRA.exe, yaya.exe, ufx.exe, usc.exe, sant.exe, starter.exe, csc.exe, svchost.exe, power.exe, usc.exe, usc.exe, usc.exe

    Reported IOCs

    description                         pid    process       target process
    PID 576 wrote to memory of 3524     576    HYDRA.exe     yaya.exe
    PID 576 wrote to memory of 3524     576    HYDRA.exe     yaya.exe
    PID 576 wrote to memory of 3524     576    HYDRA.exe     yaya.exe
    PID 576 wrote to memory of 3212     576    HYDRA.exe     va.exe
    PID 576 wrote to memory of 3212     576    HYDRA.exe     va.exe
    PID 576 wrote to memory of 3212     576    HYDRA.exe     va.exe
    PID 576 wrote to memory of 3608     576    HYDRA.exe     ufx.exe
    PID 576 wrote to memory of 3608     576    HYDRA.exe     ufx.exe
    PID 576 wrote to memory of 3608     576    HYDRA.exe     ufx.exe
    PID 576 wrote to memory of 3468     576    HYDRA.exe     sant.exe
    PID 576 wrote to memory of 3468     576    HYDRA.exe     sant.exe
    PID 576 wrote to memory of 3468     576    HYDRA.exe     sant.exe
    PID 576 wrote to memory of 2896     576    HYDRA.exe     power.exe
    PID 576 wrote to memory of 2896     576    HYDRA.exe     power.exe
    PID 576 wrote to memory of 2896     576    HYDRA.exe     power.exe
    PID 3524 wrote to memory of 3076    3524   yaya.exe      starter.exe
    PID 3524 wrote to memory of 3076    3524   yaya.exe      starter.exe
    PID 3608 wrote to memory of 3540    3608   ufx.exe       usc.exe
    PID 3608 wrote to memory of 3540    3608   ufx.exe       usc.exe
    PID 3608 wrote to memory of 3540    3608   ufx.exe       usc.exe
    PID 3540 wrote to memory of 3152    3540   usc.exe       SCHTASKS.exe
    PID 3540 wrote to memory of 3152    3540   usc.exe       SCHTASKS.exe
    PID 3540 wrote to memory of 3152    3540   usc.exe       SCHTASKS.exe
    PID 3468 wrote to memory of 416     3468   sant.exe      explorer.exe
    PID 3468 wrote to memory of 416     3468   sant.exe      explorer.exe
    PID 3468 wrote to memory of 416     3468   sant.exe      explorer.exe
    PID 3076 wrote to memory of 492     3076   starter.exe   csc.exe
    PID 3076 wrote to memory of 492     3076   starter.exe   csc.exe
    PID 492 wrote to memory of 3276     492    csc.exe       cvtres.exe
    PID 492 wrote to memory of 3276     492    csc.exe       cvtres.exe
    PID 628 wrote to memory of 3512     628    svchost.exe   cmd.exe
    PID 628 wrote to memory of 3512     628    svchost.exe   cmd.exe
    PID 628 wrote to memory of 3952     628    svchost.exe   cmd.exe
    PID 628 wrote to memory of 3952     628    svchost.exe   cmd.exe
    PID 2896 wrote to memory of 2800    2896   power.exe     powershell.exe
    PID 2896 wrote to memory of 2800    2896   power.exe     powershell.exe
    PID 2896 wrote to memory of 2800    2896   power.exe     powershell.exe
    PID 3988 wrote to memory of 768     3988   usc.exe       SCHTASKS.exe
    PID 3988 wrote to memory of 768     3988   usc.exe       SCHTASKS.exe
    PID 3988 wrote to memory of 768     3988   usc.exe       SCHTASKS.exe
    PID 2076 wrote to memory of 4012    2076   usc.exe       SCHTASKS.exe
    PID 2076 wrote to memory of 4012    2076   usc.exe       SCHTASKS.exe
    PID 2076 wrote to memory of 4012    2076   usc.exe       SCHTASKS.exe
    PID 3812 wrote to memory of 3576    3812   usc.exe       SCHTASKS.exe
    PID 3812 wrote to memory of 3576    3812   usc.exe       SCHTASKS.exe
    PID 3812 wrote to memory of 3576    3812   usc.exe       SCHTASKS.exe
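What the "Maps connected drives based on registry" signature above is watching for, as an added example that is not code from this report or from the sample: the Disk\Enum read that sant.exe performs, and the vendor-string comparison such code typically makes against the result. The winreg read only runs on Windows; the two Disk\Enum entries at the top are constructed to show the value shape (VirtualBox guest versus physical NVMe disk), and the marker list is this example's assumption about what a sample greps for.

```python
"""
The registry read behind the "Maps connected drives based on registry" signature:
Disk\Enum values name the disk vendor/product, which a sample compares against
hypervisor markers. Added example, not code from the report or the sample.
"""
import sys
from typing import List, Optional

DISK_ENUM_KEY = r"SYSTEM\ControlSet001\Services\Disk\Enum"   # key queried in the report

# Substrings a sample typically greps for in the device instance path. The list is
# this example's assumption about what such code checks, not the sample's own.
VM_MARKERS = ("vbox", "virtualbox", "vmware", "qemu", "virtio", "xen", "virtual", "red hat")

# Constructed values showing the shape of Disk\Enum\0 on a VirtualBox guest and on
# physical hardware; real values differ in the instance-id suffix.
VIRTUALBOX_ENUM = [r"SCSI\Disk&Ven_VBOX&Prod_HARDDISK\4&1a2b3c4d&0&000000"]
PHYSICAL_ENUM = [r"SCSI\Disk&Ven_NVMe&Prod_Samsung_SSD_970\5&2f3e4d5c&0&000000"]


def vm_markers_in(enum_values: List[str]) -> List[str]:
    """Return the hypervisor markers present in any Disk\\Enum entry (sorted, unique)."""
    hits = set()
    for entry in enum_values:
        low = entry.lower()
        hits.update(m for m in VM_MARKERS if m in low)
    return sorted(hits)


def looks_like_sandbox(enum_values: List[str]) -> bool:
    """The decision the sample makes: any marker present, or no disk at all
    (Count == 0), is treated as an analysis environment."""
    return not enum_values or bool(vm_markers_in(enum_values))


def read_disk_enum() -> Optional[List[str]]:
    """Read the live Disk\\Enum values on Windows (values "0" .. "Count-1");
    returns None on other platforms so the module stays importable there."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DISK_ENUM_KEY) as key:
        count, _ = winreg.QueryValueEx(key, "Count")
        return [winreg.QueryValueEx(key, str(i))[0] for i in range(count)]


if __name__ == "__main__":
    values = read_disk_enum() or VIRTUALBOX_ENUM   # off Windows, fall back to the constructed sample
    print("disk enum:", values)
    print("markers:", vm_markers_in(values), "sandbox?", looks_like_sandbox(values))
```

The counter-measure on the sandbox side is to present non-hypervisor vendor and product strings on the emulated disk, so the value the sample reads at Disk\Enum\0 looks like physical hardware; an empty Enum (no disk at all) is itself a tell, which is why the check above treats it as a hit.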
Processes 22
  • C:\Users\Admin\AppData\Local\Temp\HYDRA.exe
    "C:\Users\Admin\AppData\Local\Temp\HYDRA.exe"
    Suspicious use of WriteProcessMemory
    PID:576
    • C:\Users\Admin\AppData\Roaming\yaya.exe
      C:\Users\Admin\AppData\Roaming\yaya.exe
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3524
      • C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe
        "C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe"
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        PID:3076
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fuyr5mj-.cmdline"
          Suspicious use of WriteProcessMemory
          PID:492
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA04.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9F4.tmp"
            PID:3276
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe"
          PID:3512
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe"
          PID:3952
    • C:\Users\Admin\AppData\Roaming\va.exe
      C:\Users\Admin\AppData\Roaming\va.exe
      Executes dropped EXE
      Drops startup file
      PID:3212
    • C:\Users\Admin\AppData\Roaming\ufx.exe
      C:\Users\Admin\AppData\Roaming\ufx.exe
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3608
      • C:\ProgramData\ucp\usc.exe
        "C:\ProgramData\ucp\usc.exe" /ucp/usc.exe
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        PID:3540
        • C:\Windows\SysWOW64\SCHTASKS.exe
          SCHTASKS /Create /SC MINUTE /MO 10 /F /TN SystemOptimize /TR C:\ProgramData\ucp\usc.exe
          Creates scheduled task(s)
          PID:3152
    • C:\Users\Admin\AppData\Roaming\sant.exe
      C:\Users\Admin\AppData\Roaming\sant.exe
      Executes dropped EXE
      Maps connected drives based on registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:3468
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        Adds Run key to start application
        PID:416
    • C:\Users\Admin\AppData\Roaming\power.exe
      C:\Users\Admin\AppData\Roaming\power.exe
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2896
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        Suspicious use of AdjustPrivilegeToken
        PID:2800
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s seclogon
    Suspicious use of NtCreateUserProcessOtherParentProcess
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:628
  • C:\ProgramData\ucp\usc.exe
    C:\ProgramData\ucp\usc.exe
    Executes dropped EXE
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:3988
    • C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /Create /SC MINUTE /MO 10 /F /TN SystemOptimize /TR C:\ProgramData\ucp\usc.exe
      Creates scheduled task(s)
      PID:768
  • C:\ProgramData\ucp\usc.exe
    C:\ProgramData\ucp\usc.exe
    Executes dropped EXE
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /Create /SC MINUTE /MO 10 /F /TN SystemOptimize /TR C:\ProgramData\ucp\usc.exe
      Creates scheduled task(s)
      PID:4012
  • C:\ProgramData\ucp\usc.exe
    C:\ProgramData\ucp\usc.exe
    Executes dropped EXE
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:3812
    • C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /Create /SC MINUTE /MO 10 /F /TN SystemOptimize /TR C:\ProgramData\ucp\usc.exe
      Creates scheduled task(s)
      PID:3576
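Detection logic for the persistence and process-creation behaviour in the tree above, as an added example that is not part of this report or of the sample. The event records are constructed from the report's own PIDs, paths and command lines; the field names (pid, ppid, creator_pid, image, cmdline) are an assumed Sysmon-like schema, and the "user-writable directory" rule is a heuristic of this example, not a rule the sandbox applies.

```python
"""
Detection logic for the persistence and process-creation behaviour this report
records. Added example, not part of the report: the events are constructed from the
report's PIDs, paths and command lines; the field names are an assumed Sysmon-like schema.
"""
import re
import shlex
from typing import Dict, List, Optional

# Directories a standard user can write to; every persistence target in this report
# lives in one (ProgramData\ucp, AppData\Roaming\Microsoft\ahecdbir, the Startup folder).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(programdata|users\\[^\\]+\\appdata|windows\\temp|users\\public)\\", re.I)
STARTUP_DIR = "\\start menu\\programs\\startup\\"
SCRIPT_EXT = (".vbs", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".hta", ".exe")


def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.match(path.strip('"')))


def schtasks_finding(cmdline: str) -> Optional[str]:
    """schtasks /create whose /TR action is user-writable; /SC MINUTE /MO 10 makes it a re-launch loop."""
    argv = shlex.split(cmdline, posix=False)  # posix=False keeps backslashes intact
    opts: Dict[str, str] = {}
    for i, tok in enumerate(argv):
        if tok.startswith("/"):
            opts[tok.lower()] = argv[i + 1] if i + 1 < len(argv) else ""
    if "/create" not in opts or not is_user_writable(opts.get("/tr", "")):
        return None
    return (f"task {opts.get('/tn', '?')} runs {opts['/tr']} "
            f"every {opts.get('/mo', '1')} {opts.get('/sc', '?').lower()}(s)")


def run_key_finding(key: str, value: str, data: str, writer: str) -> Optional[str]:
    """Run/RunOnce value pointing into a user-writable directory (written here by the
    explorer.exe that sant.exe wrote memory into)."""
    if not re.search(r"\\currentversion\\run(once)?$", key, re.I):
        return None
    target = data.replace("\\\\", "\\").strip('"')  # the report shows escaped backslashes
    return f"Run value {value} -> {target} (written by {writer})" if is_user_writable(target) else None


def startup_folder_finding(path: str, writer: str) -> Optional[str]:
    """Script or executable dropped into a Startup folder (HDAudo.vbs by va.exe)."""
    low = path.lower()
    return f"startup item {path} dropped by {writer}" if STARTUP_DIR in low and low.endswith(SCRIPT_EXT) else None


def seclogon_finding(ev: Dict, by_pid: Dict[int, Dict]) -> Optional[str]:
    """Process created by the Secondary Logon host (svchost -s seclogon) but parented to
    another process: the effect of CreateProcessWithLogonW/CreateProcessWithTokenW and
    what the NtCreateUserProcessOtherParentProcess signature reports. Benign for runas;
    worth a look when the nominal parent is itself code in a user-writable directory."""
    creator = by_pid.get(ev.get("creator_pid", ev["ppid"]))
    parent = by_pid.get(ev["ppid"])
    if creator is None or parent is None or creator["pid"] == parent["pid"]:
        return None
    if "seclogon" not in creator["cmdline"].lower() or not is_user_writable(parent["image"]):
        return None
    return f"{ev['image']} created via seclogon (pid {creator['pid']}) for parent {parent['image']}"


# Constructed events, taken from the report's process tree and IOC tables.
PROCESSES: List[Dict] = [
    {"pid": 3524, "ppid": 576, "image": r"C:\Users\Admin\AppData\Roaming\yaya.exe", "cmdline": "yaya.exe"},
    {"pid": 3540, "ppid": 3608, "image": r"C:\ProgramData\ucp\usc.exe", "cmdline": r'"C:\ProgramData\ucp\usc.exe" /ucp/usc.exe'},
    {"pid": 3152, "ppid": 3540, "image": r"C:\Windows\SysWOW64\SCHTASKS.exe",
     "cmdline": r"SCHTASKS /Create /SC MINUTE /MO 10 /F /TN SystemOptimize /TR C:\ProgramData\ucp\usc.exe"},
    {"pid": 628, "ppid": 1, "image": r"c:\windows\system32\svchost.exe", "cmdline": "svchost.exe -k netsvcs -s seclogon"},
    {"pid": 3076, "ppid": 3524, "creator_pid": 628, "cmdline": "starter.exe",
     "image": r"C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe"},
    {"pid": 3512, "ppid": 3076, "creator_pid": 628, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
]
REGISTRY_SETS = [  # (key, value name, data, writing process)
    (r"HKU\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "Classes", r"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\ahecdbir\\bwwttfrb.exe", "explorer.exe"),
]
FILE_CREATES = [  # (path, writing process)
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudo.vbs", "va.exe"),
]


def run_all() -> List[str]:
    by_pid = {p["pid"]: p for p in PROCESSES}
    findings = [f for p in PROCESSES for f in (schtasks_finding(p["cmdline"]), seclogon_finding(p, by_pid)) if f]
    findings += [f for args in REGISTRY_SETS if (f := run_key_finding(*args))]
    findings += [f for args in FILE_CREATES if (f := startup_folder_finding(*args))]
    return findings


if __name__ == "__main__":
    print("\n".join(run_all()))
```

Run against the constructed events this yields five findings: the SystemOptimize task, the two seclogon-created processes (starter.exe under yaya.exe, cmd.exe under starter.exe), the Run\Classes value, and HDAudo.vbs. The seclogon check needs a creator PID, which Sysmon process-creation events do not carry; a sandbox or kernel callback does, which is why the report can attribute the creation to svchost.exe while the tree still shows starter.exe under yaya.exe.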
Network
                    Downloads
                    • C:\ProgramData\ucp\usc.exe

                      MD5

                      b100b373d645bf59b0487dbbda6c426d

                      SHA1

                      44a4ad2913f5f35408b8c16459dcce3f101bdcc7

                      SHA256

                      84d7fd0a93d963e9808212917f79fe2d485bb7fbc94ee374a141bbd15da725b7

                      SHA512

                      69483fed79f33da065b1cc65a2576ba268c78990545070f6f76fca8f48aaec8274faecdc9bcf92bf84a87809a318b159d1a3c835f848a6eea6c163f41612bf9b

                    • C:\Users\Admin\AppData\Local\Temp\RESA04.tmp

                      MD5

                      4dde8f7c6d84ccaf8d9c4815aff44229

                      SHA1

                      21bcd8a3aacc356cbc4624cd8374e5196a27dd37

                      SHA256

                      c3b2eebbf4e2d4e91d6f1a67987ee698113494178b1e030707542aa8a04ed3ff

                      SHA512

                      72ea428a62f47d7e83bf5bd890261aa0fe374a1e04a8c3d4e4b55855823498388a9dade9b06a6d04166443406954530d24543363e79a61e13023f7aff8fc9136

                    • C:\Users\Admin\AppData\Local\Temp\fuyr5mj-.dll

                      MD5

                      2d3d46826da1e2a5a0effa5afe55011f

                      SHA1

                      f633fc74f0e8eaee438b2995aa685bd4393c86d8

                      SHA256

                      4784f916cafe7eb0b80edc68663c4707e5fc5577f109bc6b0e411e3f43a25ea3

                      SHA512

                      299ccc5eb1970e064e0b247079648ee500f0c7a825fb330377ae84418fc48f88570de617e1a70700e1add19222fed541941d4ff0784c4eeffb8175f091df7139

                    • C:\Users\Admin\AppData\Local\Temp\fuyr5mj-.pdb

                      MD5

                      7524a29cd7379e874221eebd21722ba8

                      SHA1

                      64eb4a87cfc44ce57b50ea88a618187328c88353

                      SHA256

                      d9c7d95dc0f7a33caf08cc51539847121a30433b9eb5103e02ee929b9321d19e

                      SHA512

                      7ada7f25405255d9901ad1bb76138ee529e5ee532de5e4cca686e8eaba44a4954b10c5106d6318862a536761aa382316edac4fd5fcad14a82b3c7e4ddc22c5c3

                    • C:\Users\Admin\AppData\Roaming\power.exe

                      MD5

                      743f47ae7d09fce22d0a7c724461f7e3

                      SHA1

                      8e98dd1efb70749af72c57344aab409fb927394e

                      SHA256

                      1bee45423044b5a6bf0ad0dd2870117824b000784ce81c5f8a1b930bb8bc0465

                      SHA512

                      567993c3b798365efa07b7a46fda98494bfe540647f27654764e78b7f60f093d403b77b9abb889cfb09b44f13515ce3c041fc5db05882418313c3b3409dd77bf

                    • C:\Users\Admin\AppData\Roaming\sant.exe

                      MD5

                      5effca91c3f1e9c87d364460097f8048

                      SHA1

                      28387c043ab6857aaa51865346046cf5dc4c7b49

                      SHA256

                      3fd826fc0c032721466b94ab3ec7dcfe006cc284e16132af6b91dfbc064b0907

                      SHA512

                      b0dba30fde295d3f7858db9d1463239b30cd84921971032b2afb96f811a53ac12c1e6f72013d2eff397b0b89c371e7c023c951cd2102f94157cba9918cd2c3e0

                    • C:\Users\Admin\AppData\Roaming\ufx.exe

                      MD5

                      22e088012519e1013c39a3828bda7498

                      SHA1

                      3a8a87cce3f6aff415ee39cf21738663c0610016

                      SHA256

                      9e3826138bacac89845c26278f52854117db1652174c1c76dbb2bd24f00f4973

                      SHA512

                      5559e279dd3d72b2c9062d88e99212bbc67639fe5a42076efd24ae890cfce72cfe2235adb20bf5ed1f547b6da9e69effa4ccb80c0407b7524f134a24603ea5a8

                    • C:\Users\Admin\AppData\Roaming\va.exe

                      MD5

                      c084e736931c9e6656362b0ba971a628

                      SHA1

                      ef83b95fc645ad3a161a19ccef3224c72e5472bd

                      SHA256

                      3139bf3c4b958c3a019af512aecdb8161b9d6d7432d2c404abda3f42b63f34f1

                      SHA512

                      cbd6485840a117b52e24586da536cefa94ca087b41eb460d27bc2bd320217957c9e0e96b0daf74343efde2e23a5242e7a99075aabf5f9e18e03b52eb7151ae1f

                    • C:\Users\Admin\AppData\Roaming\yaya.exe

                      MD5

                      7d05ab95cfe93d84bc5db006c789a47f

                      SHA1

                      aa4aa0189140670c618348f1baad877b8eca04a4

                      SHA256

                      5c32e0d2a69fd77e85f2eecaabeb677b6f816de0d82bf7c29c9d124a818f424f

                      SHA512

                      40d1461e68994df56f19d9f7b2d96ffdc5300ca933e10dc53f7953471df8dea3aabeb178c3432c6819175475cadcbdb698384e3df57b3606c6fce3173a31fe84

                    • C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe

                      MD5

                      51bf85f3bf56e628b52d61614192359d

                      SHA1

                      c1bc90be6a4beb67fb7b195707798106114ec332

                      SHA256

                      990dffdc0694858514d6d7ff7fff5dc9f48fab3aa35a4d9301d94fc57e346446

                      SHA512

                      131173f3aabcfba484e972424c54201ec4b1facfb2df1efe08df0d43a816d4df03908b006884564c56a6245badd4f9ed442a295f1db2c0c970a8f80985d35474

                    • \??\c:\Users\Admin\AppData\Local\Temp\CSC9F4.tmp

                      MD5

                      33c315f06a192429bea7c586f50a86b6

                      SHA1

                      2b8143d56b3656dc4202bab5ae4e995ccb5e82dc

                      SHA256

                      c3ecc2adfbc35b1c4dba4ab15cb7ddc8f31c13af65b4590ee52237e4799fda71

                      SHA512

                      28099dac1bc22b1d53feb2e047cbff97cb7d96ce1b822a0757704a646202d6517def765896996eda74b3a96de67c1b125f8a400fec87a382ca39696dc41fa4dc

                    • \??\c:\Users\Admin\AppData\Local\Temp\fuyr5mj-.0.cs

                      MD5

                      a0d1b6f34f315b4d81d384b8ebcdeaa5

                      SHA1

                      794c1ff4f2a28e0c631a783846ecfffdd4c7ae09

                      SHA256

                      0b3a3f8f11eb6f50fe67943f2b73c5824614f31c2e0352cc234927d7cb1a52e0

                      SHA512

                      0a89293d731c5bca05e73148f85a740b324fc877f2fb05cde1f68e2098329fbca552d78249a46f4a1da15a450c8e754c73be20c652f7089d5cfec445ce950a0e

                    • \??\c:\Users\Admin\AppData\Local\Temp\fuyr5mj-.cmdline

                      MD5

                      608a8e984e40451d655af70f9c65f50e

                      SHA1

                      ad5a8ce7f486ab5b42baab315409ba8199884345

                      SHA256

                      fd2dc8db8d6e4c509a1777080ce1fde9b97ac759ad9214055f08e5c0eab2b527

                      SHA512

                      ca1136d5714eb81eb1abf366349f8fec7fe0d96414d06982a854f9100d3e18d164eaeaa97e15a1a9446c861c9c1894285d1c108b2b72cea78f5098580ba1d3b1

                    • memory/416-23-0x0000000000000000-mapping.dmp

                    • memory/416-24-0x0000000000C30000-0x000000000106F000-memory.dmp

                    • memory/416-25-0x0000000000C30000-0x000000000106F000-memory.dmp

                    • memory/492-26-0x0000000000000000-mapping.dmp

                    • memory/768-47-0x0000000000000000-mapping.dmp

                    • memory/2800-38-0x0000000007E70000-0x0000000007E71000-memory.dmp

                    • memory/2800-41-0x0000000008020000-0x0000000008021000-memory.dmp

                    • memory/2800-42-0x00000000083D0000-0x00000000083D1000-memory.dmp

                    • memory/2800-43-0x0000000008850000-0x0000000008851000-memory.dmp

                    • memory/2800-44-0x0000000008800000-0x0000000008801000-memory.dmp

                    • memory/2800-45-0x00000000094E0000-0x00000000094E1000-memory.dmp

                    • memory/2800-34-0x0000000000000000-mapping.dmp

                    • memory/2800-35-0x0000000071810000-0x0000000071EFE000-memory.dmp

                    • memory/2800-36-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

                    • memory/2800-37-0x0000000007630000-0x0000000007631000-memory.dmp

                    • memory/2800-39-0x0000000007CD0000-0x0000000007CD1000-memory.dmp

                    • memory/2800-40-0x0000000007F10000-0x0000000007F11000-memory.dmp

                    • memory/2896-12-0x0000000000000000-mapping.dmp

                    • memory/3076-15-0x0000000000000000-mapping.dmp

                    • memory/3076-22-0x00007FFE9A360000-0x00007FFE9AD00000-memory.dmp

                    • memory/3152-21-0x0000000000000000-mapping.dmp

                    • memory/3212-3-0x0000000000000000-mapping.dmp

                    • memory/3276-29-0x0000000000000000-mapping.dmp

                    • memory/3468-9-0x0000000000000000-mapping.dmp

                    • memory/3524-0-0x0000000000000000-mapping.dmp

                    • memory/3540-18-0x0000000000000000-mapping.dmp

                    • memory/3576-51-0x0000000000000000-mapping.dmp

                    • memory/3608-6-0x0000000000000000-mapping.dmp

                    • memory/4012-49-0x0000000000000000-mapping.dmp