Analysis Overview
SHA256
86aab09b278fe8e538d8cecd28f2d7a32fe413724d5ee52e2815a3267a988595
Threat Level: Known bad
The file aa.exe was found to be: Known bad.
Malicious Activity Summary
Modifies firewall policy service
BetaBot
Sets file to hidden
Downloads MZ/PE file
Sets file execution options in registry
Executes dropped EXE
Checks BIOS information in registry
Loads dropped DLL
Drops desktop.ini file(s)
Checks whether UAC is enabled
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer Protected Mode Banner
Suspicious behavior: GetForegroundWindowSpam
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
NTFS ADS
Modifies registry class
Modifies Internet Explorer Protected Mode
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Runs ping.exe
Suspicious behavior: MapViewOfSection
Views/modifies file attributes
Kills process with taskkill
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-06-22 18:14
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2021-06-22 18:14
Reported
2021-06-22 18:17
Platform
win10v20210410
Max time kernel
150s
Max time network
165s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\LMPupdate\set\unpakedree.exe | N/A |
| N/A | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| N/A | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1e57ciq55wge9_1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\37s3u9g3wa5w5.exe | N/A |
Sets file execution options in registry
Sets file to hidden
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\1e57ciq55wge9.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\1e57ciq55wge9.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\1e57ciq55wge9.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\ProgramData\Google Updater 2.09\desktop.ini | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2792 set thread context of 188 | N/A | C:\LMPupdate\set\xc829374091FD.exe | C:\LMPupdate\set\xc829374091FD.exe |
| PID 1772 set thread context of 0 | N/A | C:\Users\Admin\AppData\Local\Temp\1e57ciq55wge9_1.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\aa.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\1e57ciq55wge9_1.exe:14EDFC78 | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Temp\1e57ciq55wge9_1.exe:14EDFC78 | C:\Windows\SysWOW64\explorer.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\37s3u9g3wa5w5.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| N/A | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| Token: 33 | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\37s3u9g3wa5w5.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\37s3u9g3wa5w5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\37s3u9g3wa5w5.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\aa.exe
"C:\Users\Admin\AppData\Local\Temp\aa.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\LMPupdate\set\435246.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\LMPupdate\set\183.bat" "
C:\Windows\SysWOW64\timeout.exe
timeout 0
C:\Windows\SysWOW64\PING.EXE
ping dhgfg sgudy
C:\LMPupdate\set\unpakedree.exe
"unpakedree.exe" e -p67dah9fasdd8kja8ds9h9sad 43939237cx.rar
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\LMPupdate\set\3980392CV.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 6
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\LMPupdate\set\48551.bat" "
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\LMPupdate\set"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\LMPupdate\set\xc829374091FD.exe
xc829374091FD.exe /start
C:\LMPupdate\set\xc829374091FD.exe
xc829374091FD.exe /start
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im unpakedree.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im unpakedree.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\LMPupdate\set\xc829374091FD.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 4
C:\Users\Admin\AppData\Local\Temp\1e57ciq55wge9_1.exe
/suac
C:\Users\Admin\AppData\Local\Temp\37s3u9g3wa5w5.exe
"C:\Users\Admin\AppData\Local\Temp\37s3u9g3wa5w5.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1856.0.1627484503\360541948" -parentBuildID 20200403170909 -prefsHandle 1528 -prefMapHandle 1500 -prefsLen 1 -prefMapSize 219680 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1856 "\\.\pipe\gecko-crash-server-pipe.1856" 1608 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1856.3.1471842186\1553374617" -childID 1 -isForBrowser -prefsHandle 2224 -prefMapHandle 2220 -prefsLen 156 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1856 "\\.\pipe\gecko-crash-server-pipe.1856" 2236 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1856.13.825623938\2053762801" -childID 2 -isForBrowser -prefsHandle 3440 -prefMapHandle 3436 -prefsLen 7013 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1856 "\\.\pipe\gecko-crash-server-pipe.1856" 3428 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1856.20.214192916\1808397449" -childID 3 -isForBrowser -prefsHandle 4352 -prefMapHandle 3948 -prefsLen 7941 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1856 "\\.\pipe\gecko-crash-server-pipe.1856" 4368 tab
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | google.com | udp |
| N/A | 172.217.168.206:80 | google.com | tcp |
| N/A | 8.8.8.8:53 | russk18.icu | udp |
| N/A | 8.8.8.8:53 | russk18.icu | udp |
| N/A | 23.95.225.105:80 | russk18.icu | tcp |
| N/A | 8.8.8.8:53 | morningstarlincoln.co.uk | udp |
| N/A | 79.170.44.146:80 | morningstarlincoln.co.uk | tcp |
| N/A | 127.0.0.1:54023 | tcp | |
| N/A | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| N/A | 65.9.77.82:443 | firefox.settings.services.mozilla.com | tcp |
| N/A | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| N/A | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| N/A | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| N/A | 65.9.77.114:443 | content-signature-2.cdn.mozilla.net | tcp |
| N/A | 8.8.8.8:53 | d2nxq2uap88usk.cloudfront.net | udp |
| N/A | 8.8.8.8:53 | location.services.mozilla.com | udp |
| N/A | 54.186.181.218:443 | location.services.mozilla.com | tcp |
| N/A | 8.8.8.8:53 | locprod2-elb-us-west-2.prod.mozaws.net | udp |
| N/A | 8.8.8.8:53 | d2nxq2uap88usk.cloudfront.net | udp |
| N/A | 8.8.8.8:53 | locprod2-elb-us-west-2.prod.mozaws.net | udp |
| N/A | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| N/A | 35.163.190.176:443 | shavar.services.mozilla.com | tcp |
| N/A | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| N/A | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| N/A | 127.0.0.1:54031 | tcp | |
| N/A | 8.8.8.8:53 | push.services.mozilla.com | udp |
| N/A | 8.8.8.8:53 | cs9.wac.phicdn.net | udp |
| N/A | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| N/A | 8.8.8.8:53 | cs9.wac.phicdn.net | udp |
| N/A | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| N/A | 34.211.62.63:443 | push.services.mozilla.com | tcp |
| N/A | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| N/A | 65.9.77.103:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| N/A | 8.8.8.8:53 | fennec-catalog-cdn.prod.mozaws.net | udp |
| N/A | 8.8.8.8:53 | fennec-catalog-cdn.prod.mozaws.net | udp |
| N/A | 8.8.8.8:53 | search.services.mozilla.com | udp |
| N/A | 8.8.8.8:53 | snippets.cdn.mozilla.net | udp |
| N/A | 65.9.77.113:443 | snippets.cdn.mozilla.net | tcp |
| N/A | 52.41.131.191:443 | search.services.mozilla.com | tcp |
| N/A | 8.8.8.8:53 | d228z91au11ukj.cloudfront.net | udp |
| N/A | 8.8.8.8:53 | search.r53-2.services.mozilla.com | udp |
| N/A | 8.8.8.8:53 | search.r53-2.services.mozilla.com | udp |
| N/A | 8.8.8.8:53 | d228z91au11ukj.cloudfront.net | udp |
| N/A | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| N/A | 65.9.77.39:443 | tracking-protection.cdn.mozilla.net | tcp |
| N/A | 8.8.8.8:53 | d1zkz3k4cclnv6.cloudfront.net | udp |
| N/A | 8.8.8.8:53 | d1zkz3k4cclnv6.cloudfront.net | udp |
| N/A | 65.9.77.113:443 | d228z91au11ukj.cloudfront.net | tcp |
| N/A | 65.9.77.113:443 | d228z91au11ukj.cloudfront.net | tcp |
| N/A | 8.8.8.8:53 | www.facebook.com | udp |
| N/A | 8.8.8.8:53 | www.wikipedia.org | udp |
| N/A | 8.8.8.8:53 | dyna.wikimedia.org | udp |
| N/A | 8.8.8.8:53 | star-mini.c10r.facebook.com | udp |
| N/A | 8.8.8.8:53 | youtube-ui.l.google.com | udp |
| N/A | 8.8.8.8:53 | dyna.wikimedia.org | udp |
| N/A | 8.8.8.8:53 | youtube-ui.l.google.com | udp |
| N/A | 8.8.8.8:53 | star-mini.c10r.facebook.com | udp |
| N/A | 8.8.8.8:53 | www.reddit.com | udp |
| N/A | 8.8.8.8:53 | twitter.com | udp |
| N/A | 8.8.8.8:53 | twitter.com | udp |
| N/A | 8.8.8.8:53 | reddit.map.fastly.net | udp |
| N/A | 8.8.8.8:53 | twitter.com | udp |
| N/A | 8.8.8.8:53 | reddit.map.fastly.net | udp |
| N/A | 8.8.8.8:53 | support.mozilla.org | udp |
| N/A | 8.8.8.8:53 | prod-tp.sumo.mozit.cloud | udp |
| N/A | 8.8.8.8:53 | prod-tp.sumo.mozit.cloud | udp |
| N/A | 127.0.0.1:54044 | tcp | |
| N/A | 127.0.0.1:54053 | tcp | |
| N/A | 8.8.8.8:53 | safebrowsing.googleapis.com | udp |
| N/A | 142.250.179.138:443 | safebrowsing.googleapis.com | tcp |
| N/A | 8.8.8.8:53 | safebrowsing.googleapis.com | udp |
| N/A | 8.8.8.8:53 | safebrowsing.googleapis.com | udp |
| N/A | 8.8.8.8:53 | pki-goog.l.google.com | udp |
| N/A | 172.217.17.99:80 | pki-goog.l.google.com | tcp |
| N/A | 8.8.8.8:53 | pki-goog.l.google.com | udp |
| N/A | 8.8.8.8:53 | aus5.mozilla.org | udp |
| N/A | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| N/A | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| N/A | 35.244.181.201:443 | prod.balrog.prod.cloudops.mozgcp.net | tcp |
| N/A | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| N/A | 2.16.106.176:80 | ciscobinary.openh264.org | tcp |
| N/A | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| N/A | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| N/A | 8.8.8.8:53 | redirector.gvt1.com | udp |
| N/A | 172.217.17.78:443 | redirector.gvt1.com | tcp |
| N/A | 8.8.8.8:53 | redirector.gvt1.com | udp |
| N/A | 172.217.17.99:80 | pki-goog.l.google.com | tcp |
| N/A | 8.8.8.8:53 | r5---sn-5hne6nlr.gvt1.com | udp |
| N/A | 8.8.8.8:53 | redirector.gvt1.com | udp |
| N/A | 74.125.8.187:443 | r5---sn-5hne6nlr.gvt1.com | tcp |
| N/A | 8.8.8.8:53 | r5.sn-5hne6nlr.gvt1.com | udp |
| N/A | 8.8.8.8:53 | r5.sn-5hne6nlr.gvt1.com | udp |
| N/A | 65.9.77.82:443 | firefox.settings.services.mozilla.com | tcp |
| N/A | 65.9.77.114:443 | d2nxq2uap88usk.cloudfront.net | tcp |
| N/A | 65.9.77.82:443 | firefox.settings.services.mozilla.com | tcp |
| N/A | 65.9.77.114:443 | d2nxq2uap88usk.cloudfront.net | tcp |
| N/A | 23.95.225.105:80 | russk18.icu | tcp |
| N/A | 65.9.77.82:443 | firefox.settings.services.mozilla.com | tcp |
| N/A | 65.9.77.103:443 | fennec-catalog-cdn.prod.mozaws.net | tcp |
| N/A | 65.9.77.103:443 | fennec-catalog-cdn.prod.mozaws.net | tcp |
| N/A | 65.9.77.103:443 | fennec-catalog-cdn.prod.mozaws.net | tcp |
| N/A | 65.9.77.103:443 | fennec-catalog-cdn.prod.mozaws.net | tcp |
| N/A | 65.9.77.103:443 | fennec-catalog-cdn.prod.mozaws.net | tcp |
| N/A | 65.9.77.103:443 | fennec-catalog-cdn.prod.mozaws.net | tcp |
| N/A | 8.8.8.8:53 | normandy.cdn.mozilla.net | udp |
| N/A | 65.9.77.52:443 | normandy.cdn.mozilla.net | tcp |
| N/A | 8.8.8.8:53 | normandy-cdn.services.mozilla.com | udp |
| N/A | 8.8.8.8:53 | classify-client.services.mozilla.com | udp |
| N/A | 34.98.75.36:443 | classify-client.services.mozilla.com | tcp |
| N/A | 8.8.8.8:53 | prod-classifyclient.normandy.prod.cloudops.mozgcp.net | udp |
| N/A | 8.8.8.8:53 | prod-classifyclient.normandy.prod.cloudops.mozgcp.net | udp |
| N/A | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| N/A | 8.8.8.8:53 | d2nxq2uap88usk.cloudfront.net | udp |
| N/A | 8.8.8.8:53 | d2nxq2uap88usk.cloudfront.net | udp |
Files
memory/3540-114-0x0000000000860000-0x0000000000861000-memory.dmp
memory/2804-115-0x0000000000000000-mapping.dmp
C:\LMPupdate\set\435246.vbs
| MD5 | f6e0c73782e7a0768006b7be0fc4a1a1 |
| SHA1 | 2a5dea82a47544d00bfa99563fb899a41fa7a1f7 |
| SHA256 | 8c968d170289989dcca0c9bb5f2381dd6e38c3cfb6a324e80dbb6e556e6c5317 |
| SHA512 | 89827dcd80d9b5c2eedf18996a882feda400036df0b9691fc30701265f11528b0ab312dc69246f56e0388f75d2fa394329f502f9f796cbec702cd1dbfa9f2703 |
C:\LMPupdate\set\183.bat
| MD5 | 49d00501554543d18a49c5b93c4528f0 |
| SHA1 | 7a73595e37fda30fb1554b9d8bfe8a855f803d0b |
| SHA256 | 74560d7c92a3cb7c3782e59fb45bd5a9b1a77a619fad985c4d5bdd17a48c2735 |
| SHA512 | 9c6c296b4bd21de5d13dc56dc92eab363bbd982335858a09537a34f2394be5632d34e002dfa73e312f685f45126c3d5d497a3d7c4553c46bcf4b8c65c4178fb6 |
memory/3436-118-0x0000000000000000-mapping.dmp
C:\LMPupdate\set\x0329847998
| MD5 | a5a4cc669d306e9b25ae2202e1ccc565 |
| SHA1 | 4e8e841ba4915641f989a061f092f95f9070d164 |
| SHA256 | 3da185d70e391a0449a2e86823e181ca35f5356306a856701ec92cfee639c705 |
| SHA512 | 5398c3722d4c6119d9a033558ca6fe0d57735b8259b4907cf1844ba2921e48ffad1ae9f1dcc760158857c6fb13572cb4dd897ee6f6c260efce247b2b793b0216 |
memory/208-120-0x0000000000000000-mapping.dmp
memory/2816-121-0x0000000000000000-mapping.dmp
memory/3144-122-0x0000000000000000-mapping.dmp
C:\LMPupdate\set\unpakedree.exe
| MD5 | 397a93800d56a2308bffc872d4a08032 |
| SHA1 | 6f5334d51195a521e8a03f0e05ac777b96c77bc4 |
| SHA256 | efe3abcfde6e9846a99049a68e6a38d0bc42baa3ac1cf6f236c894abef0a7720 |
| SHA512 | 7fc7b6c8ffe640295085cab4e56ba4c3eea9738a2c9fa27d1032fd60bb3a638e93cd2522058b6212dd7237366510a83c7d1d9b3cbd5f9712852c72959ace53eb |
memory/1248-124-0x0000000000000000-mapping.dmp
C:\LMPupdate\set\3980392CV.vbs
| MD5 | 0c4747ed40d52d992d44951de476c21b |
| SHA1 | 24cc5271d1a379e0ebdd0814a1148ecd6e7c880a |
| SHA256 | 3c01bb32fd4de8574e37cb8293e61d869b8f5bbec69f3cb882a17d5d285b3264 |
| SHA512 | 6e7a264c288c8939c5d8f482229c92915a9bef427b5b1b1df8d942ffded006feba548acfa08588327587f34928acb0912d6f464536f5beb8027b78def01cffe1 |
memory/2144-126-0x0000000000000000-mapping.dmp
memory/2288-127-0x0000000000000000-mapping.dmp
C:\LMPupdate\set\48551.bat
| MD5 | ec8f0f76fe14a110317c3b5c71fce669 |
| SHA1 | d41207a90b96b124630f3f8ad7f1657cd39a4dd2 |
| SHA256 | 1447333e356ed3c1c5183ebef48730c370429c40137c2255585a1d3ba2a37614 |
| SHA512 | 9e78bf61280430edbc2ed2c5869acc2cde3e92f236f2eabf83f715a0d6fbc3a79a420c94364cdf4863dd5ca68e4b0109eefb34f7571c5acdc14944eaebdf8b1f |
memory/3872-129-0x0000000000000000-mapping.dmp
memory/2484-130-0x0000000000000000-mapping.dmp
memory/2828-131-0x0000000000000000-mapping.dmp
memory/2792-132-0x0000000000000000-mapping.dmp
C:\LMPupdate\set\xc829374091FD.exe
| MD5 | a8d1d7e6c60c73faf55d64e724e97aa7 |
| SHA1 | 9c0e3ff55ede8ad1e3a3e0eb8ff9ab467469f687 |
| SHA256 | 5624eea08b241314b8bd13ee9429449c53085a6bb2bcc481655f1f28b4314122 |
| SHA512 | 237507eef8f19f0f99dc15d30d43ec202963e00cb735902ac7304eb6cc8f658ab9db2b7952b94f082441a020725002dbf103dfc919e29235c87430fa19942df1 |
C:\LMPupdate\set\xc829374091FD.exe
| MD5 | a8d1d7e6c60c73faf55d64e724e97aa7 |
| SHA1 | 9c0e3ff55ede8ad1e3a3e0eb8ff9ab467469f687 |
| SHA256 | 5624eea08b241314b8bd13ee9429449c53085a6bb2bcc481655f1f28b4314122 |
| SHA512 | 237507eef8f19f0f99dc15d30d43ec202963e00cb735902ac7304eb6cc8f658ab9db2b7952b94f082441a020725002dbf103dfc919e29235c87430fa19942df1 |
memory/188-135-0x0000000000400000-0x0000000000435000-memory.dmp
C:\LMPupdate\set\xc829374091FD.exe
| MD5 | a8d1d7e6c60c73faf55d64e724e97aa7 |
| SHA1 | 9c0e3ff55ede8ad1e3a3e0eb8ff9ab467469f687 |
| SHA256 | 5624eea08b241314b8bd13ee9429449c53085a6bb2bcc481655f1f28b4314122 |
| SHA512 | 237507eef8f19f0f99dc15d30d43ec202963e00cb735902ac7304eb6cc8f658ab9db2b7952b94f082441a020725002dbf103dfc919e29235c87430fa19942df1 |
memory/188-136-0x00000000004015C6-mapping.dmp
memory/1920-138-0x0000000000000000-mapping.dmp
memory/188-139-0x0000000000400000-0x0000000000435000-memory.dmp
memory/188-140-0x00000000007A0000-0x0000000000806000-memory.dmp
memory/188-141-0x00000000004C0000-0x000000000056E000-memory.dmp
memory/188-142-0x0000000002630000-0x0000000002631000-memory.dmp
memory/188-143-0x0000000002660000-0x000000000266C000-memory.dmp
memory/1468-144-0x0000000000000000-mapping.dmp
memory/2088-145-0x0000000000000000-mapping.dmp
memory/1828-146-0x0000000000000000-mapping.dmp
memory/1548-147-0x0000000000000000-mapping.dmp
memory/1548-148-0x00000000002D0000-0x000000000070F000-memory.dmp
memory/1548-149-0x0000000003200000-0x000000000333E000-memory.dmp
memory/1548-150-0x0000000004BD0000-0x0000000004BD1000-memory.dmp
memory/1548-151-0x0000000002E50000-0x0000000002E5D000-memory.dmp
C:\LMPupdate\set\unpakedree.exe
| MD5 | 397a93800d56a2308bffc872d4a08032 |
| SHA1 | 6f5334d51195a521e8a03f0e05ac777b96c77bc4 |
| SHA256 | efe3abcfde6e9846a99049a68e6a38d0bc42baa3ac1cf6f236c894abef0a7720 |
| SHA512 | 7fc7b6c8ffe640295085cab4e56ba4c3eea9738a2c9fa27d1032fd60bb3a638e93cd2522058b6212dd7237366510a83c7d1d9b3cbd5f9712852c72959ace53eb |
memory/3872-156-0x0000000003130000-0x000000000326E000-memory.dmp
memory/1548-157-0x0000000004BF0000-0x0000000004D7E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1e57ciq55wge9_1.exe
| MD5 | a8d1d7e6c60c73faf55d64e724e97aa7 |
| SHA1 | 9c0e3ff55ede8ad1e3a3e0eb8ff9ab467469f687 |
| SHA256 | 5624eea08b241314b8bd13ee9429449c53085a6bb2bcc481655f1f28b4314122 |
| SHA512 | 237507eef8f19f0f99dc15d30d43ec202963e00cb735902ac7304eb6cc8f658ab9db2b7952b94f082441a020725002dbf103dfc919e29235c87430fa19942df1 |
C:\Users\Admin\AppData\Local\Temp\1e57ciq55wge9_1.exe
| MD5 | a8d1d7e6c60c73faf55d64e724e97aa7 |
| SHA1 | 9c0e3ff55ede8ad1e3a3e0eb8ff9ab467469f687 |
| SHA256 | 5624eea08b241314b8bd13ee9429449c53085a6bb2bcc481655f1f28b4314122 |
| SHA512 | 237507eef8f19f0f99dc15d30d43ec202963e00cb735902ac7304eb6cc8f658ab9db2b7952b94f082441a020725002dbf103dfc919e29235c87430fa19942df1 |
memory/1772-158-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\37s3u9g3wa5w5.exe
| MD5 | 5aad89d35ec7e782a1efc68441f98bcc |
| SHA1 | 1bc02754a29cf413a2a89b68f89b25df3066847e |
| SHA256 | 35617cfc3e8cf02b91d59209fc1cd07c9c1bc4d639309d9ab0198cd60af05d29 |
| SHA512 | 25490392971c0268d55886827db9f4ac3c35baf0803baf3342c2186c4dfa4de8c891ec30b4afd1d40f900671a841057dd30161306fa8239030d11bc820d68ea7 |
memory/3512-161-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\37s3u9g3wa5w5.exe
| MD5 | 5aad89d35ec7e782a1efc68441f98bcc |
| SHA1 | 1bc02754a29cf413a2a89b68f89b25df3066847e |
| SHA256 | 35617cfc3e8cf02b91d59209fc1cd07c9c1bc4d639309d9ab0198cd60af05d29 |
| SHA512 | 25490392971c0268d55886827db9f4ac3c35baf0803baf3342c2186c4dfa4de8c891ec30b4afd1d40f900671a841057dd30161306fa8239030d11bc820d68ea7 |
memory/3512-164-0x0000000000540000-0x0000000000541000-memory.dmp
memory/3512-166-0x000000001B190000-0x000000001B192000-memory.dmp
memory/3512-168-0x000000001B194000-0x000000001B195000-memory.dmp
memory/3512-167-0x000000001B192000-0x000000001B194000-memory.dmp
memory/3512-169-0x000000001B195000-0x000000001B197000-memory.dmp
memory/3512-170-0x000000001B197000-0x000000001B199000-memory.dmp
memory/3512-171-0x000000001B199000-0x000000001B19F000-memory.dmp
memory/1856-172-0x0000000000000000-mapping.dmp
memory/2564-174-0x0000000000000000-mapping.dmp
memory/2528-179-0x0000000000000000-mapping.dmp
memory/2940-182-0x0000000000000000-mapping.dmp
memory/4236-184-0x0000000000000000-mapping.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2021-06-22 18:14
Reported
2021-06-22 18:18
Platform
win7v20210410
Max time kernel
149s
Max time network
200s
Command Line
Signatures
BetaBot
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\LMPupdate\set\unpakedree.exe | N/A |
| N/A | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| N/A | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9q53193m7c9m37_1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wy7q59o5ek533y.exe | N/A |
Sets file execution options in registry
Sets file to hidden
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\9q53193m7c9m37.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\9q53193m7c9m37.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\9q53193m7c9m37.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\LMPupdate\set\xc829374091FD.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\ProgramData\Google Updater 2.09\desktop.ini | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1548 set thread context of 1344 | N/A | C:\LMPupdate\set\xc829374091FD.exe | C:\LMPupdate\set\xc829374091FD.exe |
| PID 1944 set thread context of 0 | N/A | C:\Users\Admin\AppData\Local\Temp\9q53193m7c9m37_1.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0" | C:\Windows\SysWOW64\explorer.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\9q53193m7c9m37_1.exe:14EDFC78 | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Temp\9q53193m7c9m37_1.exe:14EDFC78 | C:\Windows\SysWOW64\explorer.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wy7q59o5ek533y.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| N/A | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| Token: 33 | N/A | C:\LMPupdate\set\xc829374091FD.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wy7q59o5ek533y.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wy7q59o5ek533y.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Users\Admin\AppData\Local\Temp\aa.exe
"C:\Users\Admin\AppData\Local\Temp\aa.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\LMPupdate\set\435246.vbs"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\LMPupdate\set\183.bat" "
C:\Windows\SysWOW64\timeout.exe
timeout 0
C:\Windows\SysWOW64\PING.EXE
ping dhgfg sgudy
C:\LMPupdate\set\unpakedree.exe
"unpakedree.exe" e -p67dah9fasdd8kja8ds9h9sad 43939237cx.rar
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\LMPupdate\set\3980392CV.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 6
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\LMPupdate\set\48551.bat" "
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\LMPupdate\set"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\LMPupdate\set\xc829374091FD.exe
xc829374091FD.exe /start
C:\LMPupdate\set\xc829374091FD.exe
xc829374091FD.exe /start
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im unpakedree.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im unpakedree.exe
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\LMPupdate\set\xc829374091FD.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 4
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Users\Admin\AppData\Local\Temp\9q53193m7c9m37_1.exe
/suac
C:\Users\Admin\AppData\Local\Temp\wy7q59o5ek533y.exe
"C:\Users\Admin\AppData\Local\Temp\wy7q59o5ek533y.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x56c
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | windowsupdate.microsoft.com | udp |
| N/A | 52.137.90.34:80 | windowsupdate.microsoft.com | tcp |
| N/A | 8.8.8.8:53 | russk18.icu | udp |
| N/A | 8.8.8.8:53 | russk18.icu | udp |
| N/A | 23.95.225.105:80 | russk18.icu | tcp |
| N/A | 8.8.8.8:53 | morningstarlincoln.co.uk | udp |
| N/A | 79.170.44.146:80 | morningstarlincoln.co.uk | tcp |
| N/A | 8.8.8.8:53 | russk18.icu | udp |
| N/A | 23.95.225.105:80 | russk18.icu | tcp |
Files
memory/1028-59-0x0000000075591000-0x0000000075593000-memory.dmp
memory/1028-60-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/608-61-0x0000000000000000-mapping.dmp
C:\LMPupdate\set\435246.vbs
| MD5 | f6e0c73782e7a0768006b7be0fc4a1a1 |
| SHA1 | 2a5dea82a47544d00bfa99563fb899a41fa7a1f7 |
| SHA256 | 8c968d170289989dcca0c9bb5f2381dd6e38c3cfb6a324e80dbb6e556e6c5317 |
| SHA512 | 89827dcd80d9b5c2eedf18996a882feda400036df0b9691fc30701265f11528b0ab312dc69246f56e0388f75d2fa394329f502f9f796cbec702cd1dbfa9f2703 |
C:\LMPupdate\set\183.bat
| MD5 | 49d00501554543d18a49c5b93c4528f0 |
| SHA1 | 7a73595e37fda30fb1554b9d8bfe8a855f803d0b |
| SHA256 | 74560d7c92a3cb7c3782e59fb45bd5a9b1a77a619fad985c4d5bdd17a48c2735 |
| SHA512 | 9c6c296b4bd21de5d13dc56dc92eab363bbd982335858a09537a34f2394be5632d34e002dfa73e312f685f45126c3d5d497a3d7c4553c46bcf4b8c65c4178fb6 |
memory/332-65-0x0000000000000000-mapping.dmp
C:\LMPupdate\set\x0329847998
| MD5 | a5a4cc669d306e9b25ae2202e1ccc565 |
| SHA1 | 4e8e841ba4915641f989a061f092f95f9070d164 |
| SHA256 | 3da185d70e391a0449a2e86823e181ca35f5356306a856701ec92cfee639c705 |
| SHA512 | 5398c3722d4c6119d9a033558ca6fe0d57735b8259b4907cf1844ba2921e48ffad1ae9f1dcc760158857c6fb13572cb4dd897ee6f6c260efce247b2b793b0216 |
memory/568-67-0x0000000000000000-mapping.dmp
memory/1104-68-0x0000000000000000-mapping.dmp
\LMPupdate\set\unpakedree.exe
| MD5 | 397a93800d56a2308bffc872d4a08032 |
| SHA1 | 6f5334d51195a521e8a03f0e05ac777b96c77bc4 |
| SHA256 | efe3abcfde6e9846a99049a68e6a38d0bc42baa3ac1cf6f236c894abef0a7720 |
| SHA512 | 7fc7b6c8ffe640295085cab4e56ba4c3eea9738a2c9fa27d1032fd60bb3a638e93cd2522058b6212dd7237366510a83c7d1d9b3cbd5f9712852c72959ace53eb |
C:\LMPupdate\set\unpakedree.exe
| MD5 | 397a93800d56a2308bffc872d4a08032 |
| SHA1 | 6f5334d51195a521e8a03f0e05ac777b96c77bc4 |
| SHA256 | efe3abcfde6e9846a99049a68e6a38d0bc42baa3ac1cf6f236c894abef0a7720 |
| SHA512 | 7fc7b6c8ffe640295085cab4e56ba4c3eea9738a2c9fa27d1032fd60bb3a638e93cd2522058b6212dd7237366510a83c7d1d9b3cbd5f9712852c72959ace53eb |
memory/1872-71-0x0000000000000000-mapping.dmp
C:\LMPupdate\set\unpakedree.exe
| MD5 | 397a93800d56a2308bffc872d4a08032 |
| SHA1 | 6f5334d51195a521e8a03f0e05ac777b96c77bc4 |
| SHA256 | efe3abcfde6e9846a99049a68e6a38d0bc42baa3ac1cf6f236c894abef0a7720 |
| SHA512 | 7fc7b6c8ffe640295085cab4e56ba4c3eea9738a2c9fa27d1032fd60bb3a638e93cd2522058b6212dd7237366510a83c7d1d9b3cbd5f9712852c72959ace53eb |
memory/1496-74-0x0000000000000000-mapping.dmp
C:\LMPupdate\set\3980392CV.vbs
| MD5 | 0c4747ed40d52d992d44951de476c21b |
| SHA1 | 24cc5271d1a379e0ebdd0814a1148ecd6e7c880a |
| SHA256 | 3c01bb32fd4de8574e37cb8293e61d869b8f5bbec69f3cb882a17d5d285b3264 |
| SHA512 | 6e7a264c288c8939c5d8f482229c92915a9bef427b5b1b1df8d942ffded006feba548acfa08588327587f34928acb0912d6f464536f5beb8027b78def01cffe1 |
memory/760-77-0x0000000000000000-mapping.dmp
memory/1900-78-0x0000000000000000-mapping.dmp
C:\LMPupdate\set\48551.bat
| MD5 | ec8f0f76fe14a110317c3b5c71fce669 |
| SHA1 | d41207a90b96b124630f3f8ad7f1657cd39a4dd2 |
| SHA256 | 1447333e356ed3c1c5183ebef48730c370429c40137c2255585a1d3ba2a37614 |
| SHA512 | 9e78bf61280430edbc2ed2c5869acc2cde3e92f236f2eabf83f715a0d6fbc3a79a420c94364cdf4863dd5ca68e4b0109eefb34f7571c5acdc14944eaebdf8b1f |
memory/1504-81-0x0000000000000000-mapping.dmp
memory/876-82-0x0000000000000000-mapping.dmp
memory/1644-83-0x0000000000000000-mapping.dmp
\LMPupdate\set\xc829374091FD.exe
| MD5 | a8d1d7e6c60c73faf55d64e724e97aa7 |
| SHA1 | 9c0e3ff55ede8ad1e3a3e0eb8ff9ab467469f687 |
| SHA256 | 5624eea08b241314b8bd13ee9429449c53085a6bb2bcc481655f1f28b4314122 |
| SHA512 | 237507eef8f19f0f99dc15d30d43ec202963e00cb735902ac7304eb6cc8f658ab9db2b7952b94f082441a020725002dbf103dfc919e29235c87430fa19942df1 |
C:\LMPupdate\set\xc829374091FD.exe
| MD5 | a8d1d7e6c60c73faf55d64e724e97aa7 |
| SHA1 | 9c0e3ff55ede8ad1e3a3e0eb8ff9ab467469f687 |
| SHA256 | 5624eea08b241314b8bd13ee9429449c53085a6bb2bcc481655f1f28b4314122 |
| SHA512 | 237507eef8f19f0f99dc15d30d43ec202963e00cb735902ac7304eb6cc8f658ab9db2b7952b94f082441a020725002dbf103dfc919e29235c87430fa19942df1 |
\LMPupdate\set\xc829374091FD.exe
| MD5 | a8d1d7e6c60c73faf55d64e724e97aa7 |
| SHA1 | 9c0e3ff55ede8ad1e3a3e0eb8ff9ab467469f687 |
| SHA256 | 5624eea08b241314b8bd13ee9429449c53085a6bb2bcc481655f1f28b4314122 |
| SHA512 | 237507eef8f19f0f99dc15d30d43ec202963e00cb735902ac7304eb6cc8f658ab9db2b7952b94f082441a020725002dbf103dfc919e29235c87430fa19942df1 |
memory/1548-87-0x0000000000000000-mapping.dmp
C:\LMPupdate\set\xc829374091FD.exe
| MD5 | a8d1d7e6c60c73faf55d64e724e97aa7 |
| SHA1 | 9c0e3ff55ede8ad1e3a3e0eb8ff9ab467469f687 |
| SHA256 | 5624eea08b241314b8bd13ee9429449c53085a6bb2bcc481655f1f28b4314122 |
| SHA512 | 237507eef8f19f0f99dc15d30d43ec202963e00cb735902ac7304eb6cc8f658ab9db2b7952b94f082441a020725002dbf103dfc919e29235c87430fa19942df1 |
memory/1344-89-0x0000000000400000-0x0000000000435000-memory.dmp
C:\LMPupdate\set\xc829374091FD.exe
| MD5 | a8d1d7e6c60c73faf55d64e724e97aa7 |
| SHA1 | 9c0e3ff55ede8ad1e3a3e0eb8ff9ab467469f687 |
| SHA256 | 5624eea08b241314b8bd13ee9429449c53085a6bb2bcc481655f1f28b4314122 |
| SHA512 | 237507eef8f19f0f99dc15d30d43ec202963e00cb735902ac7304eb6cc8f658ab9db2b7952b94f082441a020725002dbf103dfc919e29235c87430fa19942df1 |
memory/1344-90-0x00000000004015C6-mapping.dmp
memory/1552-93-0x0000000000000000-mapping.dmp
memory/1632-95-0x0000000000000000-mapping.dmp
memory/1344-94-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1344-99-0x0000000000540000-0x0000000000541000-memory.dmp
memory/1344-100-0x0000000001DD0000-0x0000000001DDC000-memory.dmp
memory/1344-98-0x0000000000290000-0x000000000029D000-memory.dmp
memory/1344-97-0x0000000000240000-0x0000000000241000-memory.dmp
memory/1344-96-0x0000000000440000-0x00000000004A6000-memory.dmp
memory/568-101-0x0000000000000000-mapping.dmp
memory/1648-102-0x0000000000000000-mapping.dmp
memory/2040-103-0x0000000000000000-mapping.dmp
memory/2040-105-0x00000000742C1000-0x00000000742C3000-memory.dmp
memory/2040-106-0x00000000772F0000-0x0000000077470000-memory.dmp
memory/2040-107-0x0000000000460000-0x000000000059E000-memory.dmp
memory/2040-110-0x0000000001FE0000-0x0000000002060000-memory.dmp
memory/2040-111-0x0000000001FE0000-0x0000000002060000-memory.dmp
memory/1344-112-0x0000000001DC0000-0x0000000001DC1000-memory.dmp
memory/2040-114-0x0000000002120000-0x0000000002122000-memory.dmp
\Users\Admin\AppData\Local\Temp\9q53193m7c9m37_1.exe
| MD5 | a8d1d7e6c60c73faf55d64e724e97aa7 |
| SHA1 | 9c0e3ff55ede8ad1e3a3e0eb8ff9ab467469f687 |
| SHA256 | 5624eea08b241314b8bd13ee9429449c53085a6bb2bcc481655f1f28b4314122 |
| SHA512 | 237507eef8f19f0f99dc15d30d43ec202963e00cb735902ac7304eb6cc8f658ab9db2b7952b94f082441a020725002dbf103dfc919e29235c87430fa19942df1 |
C:\Users\Admin\AppData\Local\Temp\9q53193m7c9m37_1.exe
| MD5 | a8d1d7e6c60c73faf55d64e724e97aa7 |
| SHA1 | 9c0e3ff55ede8ad1e3a3e0eb8ff9ab467469f687 |
| SHA256 | 5624eea08b241314b8bd13ee9429449c53085a6bb2bcc481655f1f28b4314122 |
| SHA512 | 237507eef8f19f0f99dc15d30d43ec202963e00cb735902ac7304eb6cc8f658ab9db2b7952b94f082441a020725002dbf103dfc919e29235c87430fa19942df1 |
memory/1944-116-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\9q53193m7c9m37_1.exe
| MD5 | a8d1d7e6c60c73faf55d64e724e97aa7 |
| SHA1 | 9c0e3ff55ede8ad1e3a3e0eb8ff9ab467469f687 |
| SHA256 | 5624eea08b241314b8bd13ee9429449c53085a6bb2bcc481655f1f28b4314122 |
| SHA512 | 237507eef8f19f0f99dc15d30d43ec202963e00cb735902ac7304eb6cc8f658ab9db2b7952b94f082441a020725002dbf103dfc919e29235c87430fa19942df1 |
memory/1196-119-0x0000000002AA0000-0x0000000002AA6000-memory.dmp
\Users\Admin\AppData\Local\Temp\wy7q59o5ek533y.exe
| MD5 | 5aad89d35ec7e782a1efc68441f98bcc |
| SHA1 | 1bc02754a29cf413a2a89b68f89b25df3066847e |
| SHA256 | 35617cfc3e8cf02b91d59209fc1cd07c9c1bc4d639309d9ab0198cd60af05d29 |
| SHA512 | 25490392971c0268d55886827db9f4ac3c35baf0803baf3342c2186c4dfa4de8c891ec30b4afd1d40f900671a841057dd30161306fa8239030d11bc820d68ea7 |
C:\Users\Admin\AppData\Local\Temp\wy7q59o5ek533y.exe
| MD5 | 5aad89d35ec7e782a1efc68441f98bcc |
| SHA1 | 1bc02754a29cf413a2a89b68f89b25df3066847e |
| SHA256 | 35617cfc3e8cf02b91d59209fc1cd07c9c1bc4d639309d9ab0198cd60af05d29 |
| SHA512 | 25490392971c0268d55886827db9f4ac3c35baf0803baf3342c2186c4dfa4de8c891ec30b4afd1d40f900671a841057dd30161306fa8239030d11bc820d68ea7 |
C:\Users\Admin\AppData\Local\Temp\wy7q59o5ek533y.exe
| MD5 | 5aad89d35ec7e782a1efc68441f98bcc |
| SHA1 | 1bc02754a29cf413a2a89b68f89b25df3066847e |
| SHA256 | 35617cfc3e8cf02b91d59209fc1cd07c9c1bc4d639309d9ab0198cd60af05d29 |
| SHA512 | 25490392971c0268d55886827db9f4ac3c35baf0803baf3342c2186c4dfa4de8c891ec30b4afd1d40f900671a841057dd30161306fa8239030d11bc820d68ea7 |
memory/1792-121-0x0000000000000000-mapping.dmp
memory/436-125-0x0000000002810000-0x0000000002816000-memory.dmp
memory/1792-124-0x0000000000C40000-0x0000000000C41000-memory.dmp
memory/1792-127-0x000000001B360000-0x000000001B362000-memory.dmp
memory/1792-129-0x000000001B367000-0x000000001B386000-memory.dmp
memory/1792-130-0x000000001B386000-0x000000001B387000-memory.dmp
memory/1792-128-0x000000001B362000-0x000000001B363000-memory.dmp
memory/1792-131-0x000000001B387000-0x000000001B388000-memory.dmp
memory/1792-132-0x000000001B388000-0x000000001B389000-memory.dmp
memory/1792-133-0x000000001B389000-0x000000001B38A000-memory.dmp
memory/1792-134-0x000000001B38A000-0x000000001B38B000-memory.dmp
memory/1012-135-0x000007FEFB991000-0x000007FEFB993000-memory.dmp
memory/1168-136-0x00000000001A0000-0x00000000001A6000-memory.dmp