Analysis
max time kernel: 1801s
max time network: 1609s
platform: windows11_x64
resource: win11
submitted: 15-09-2021 19:17
Static task: static1
Behavioral task: behavioral1
  Sample: 585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe
  Resource: win11
Behavioral task: behavioral3
  Sample: 585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe
  Resource: win10v20210408
General
Target: 585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe
Size: 164KB
MD5: 47501bca2d855a6792f7cd363796356c
SHA1: 43f3eb90cb3edceba86c682958af8c825a587cfd
SHA256: 585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27
SHA512: 64ba1d47162cc92b96b1ad581b3288b5869e2baf14d72496ee633fa28caae3c438ceebc96fe633e00253acb2d987c2ad54360e4976ff160e78af6826c5d466af
Malware Config
Extracted: smokeloader
  Version: 2020
Extracted: redline
  Botnet: Mix 1592021
  C2: 93.115.20.139:28978
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (3 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/480-191-0x0000000000000000-mapping.dmp | family_redline
behavioral2/memory/480-192-0x0000000000400000-0x0000000000422000-memory.dmp | family_redline
behavioral2/memory/480-204-0x0000000005650000-0x0000000005C68000-memory.dmp | family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.

Suspicious use of NtCreateProcessExOtherParentProcess (7 IoCs)
Processes:
description | pid | process | target process
PID 2736 created 3100 | 2736 | WerFault.exe | 7801.exe
PID 4660 created 4960 | 4660 | WerFault.exe | EA18.exe
PID 3436 created 2572 | 3436 | WerFault.exe | 35E.exe
PID 4456 created 1296 | 4456 | WerFault.exe | A55.exe
PID 1456 created 4148 | 1456 | WerFault.exe | 2001.exe
PID 4360 created 2940 | 4360 | WerFault.exe | D38C.exe
PID 2936 created 3728 | 2936 | WerFault.exe | D959.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Downloads MZ/PE file

Executes dropped EXE (17 IoCs)
Processes:
pid | process
3036 | 64C6.exe
3288 | 64C6.exe
664 | 6E2D.exe
3100 | 7801.exe
480 | 6E2D.exe
1512 | 838C.exe
4052 | E024.exe
4960 | EA18.exe
904 | FB7E.exe
2572 | 35E.exe
1296 | A55.exe
3808 | 17C3.exe
4148 | 2001.exe
4748 | Stub.exe
1884 | LogicNPSoftware.exe
2940 | D38C.exe
3728 | D959.exe
Checks BIOS information in registry (2 TTPs, 8 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 17C3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 17C3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 838C.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 838C.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | E024.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | E024.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | FB7E.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | FB7E.exe

Loads dropped DLL (2 IoCs)
Processes:
pid | process
4748 | Stub.exe
1884 | LogicNPSoftware.exe
Obfuscated with Agile.Net obfuscator (4 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\Stub.exe | agile_net
C:\Users\Admin\AppData\Local\Temp\Stub.exe | agile_net
C:\Users\Admin\AppData\Local\LogicNP Software ver4.46\LogicNPSoftware.exe | agile_net
C:\Users\Admin\AppData\Local\LogicNP Software ver4.46\LogicNPSoftware.exe | agile_net
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\838C.exe | themida
C:\Users\Admin\AppData\Local\Temp\838C.exe | themida
behavioral2/memory/1512-210-0x0000000000E30000-0x0000000000E31000-memory.dmp | themida
C:\Users\Admin\AppData\Local\Temp\E024.exe | themida
C:\Users\Admin\AppData\Local\Temp\E024.exe | themida
C:\Users\Admin\AppData\Local\Temp\FB7E.exe | themida
C:\Users\Admin\AppData\Local\Temp\FB7E.exe | themida
C:\Users\Admin\AppData\Local\Temp\17C3.exe | themida
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | E024.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | FB7E.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 17C3.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 838C.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
Processes:
pid | process
1512 | 838C.exe
4052 | E024.exe
904 | FB7E.exe
3808 | 17C3.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes:
description | pid | process | target process
PID 4868 set thread context of 4860 | 4868 | 585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe | 585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe
PID 3036 set thread context of 3288 | 3036 | 64C6.exe | 64C6.exe
PID 664 set thread context of 480 | 664 | 6E2D.exe | 6E2D.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (7 IoCs)
Processes:
pid | pid_target | process | target process
1652 | 3100 | WerFault.exe | 7801.exe
4652 | 4960 | WerFault.exe | EA18.exe
4396 | 2572 | WerFault.exe | 35E.exe
3440 | 1296 | WerFault.exe | A55.exe
2004 | 4148 | WerFault.exe | 2001.exe
1044 | 2940 | WerFault.exe | D38C.exe
4032 | 3728 | WerFault.exe | D959.exe
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 64C6.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 64C6.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 64C6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe
Checks processor information in registry (2 TTPs, 51 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | FB7E.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | FB7E.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoCs)
Processes:
pid | process
2012 | timeout.exe
Enumerates system info in registry (2 TTPs, 14 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Modifies data under HKEY_USERS (43 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | sihclient.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | sihclient.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | sihclient.exe
Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | sihclient.exe
Modifies registry class (4 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | (not recorded)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | (not recorded)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\ | (not recorded)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\ | (not recorded)

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes:
pid | process
1884 | LogicNPSoftware.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid | process
4860 | 585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe
4860 | 585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe
3240 | (not recorded) (this row repeated 62 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
pid | process
3240 | (not recorded)

Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
pid | process
4860 | 585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe
3288 | 64C6.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
description | pid | process
Token: SeShutdownPrivilege | 3240 | (not recorded)
Token: SeCreatePagefilePrivilege | 3240 | (not recorded)
(the two rows above repeated 4 times in total)
Token: SeRestorePrivilege | 1652 | WerFault.exe
Token: SeBackupPrivilege | 1652 | WerFault.exe
Token: SeShutdownPrivilege | 3240 | (not recorded)
Token: SeCreatePagefilePrivilege | 3240 | (not recorded)
(the two rows above repeated 6 times in total)
Token: SeDebugPrivilege | 480 | 6E2D.exe
Token: SeDebugPrivilege | 1512 | 838C.exe
Token: SeShutdownPrivilege | 3240 | (not recorded)
Token: SeCreatePagefilePrivilege | 3240 | (not recorded)
(the two rows above repeated 16 times in total)
Token: SeDebugPrivilege | 4052 | E024.exe
Token: SeShutdownPrivilege | 3240 | (not recorded)
Token: SeCreatePagefilePrivilege | 3240 | (not recorded)
(the two rows above repeated 3 times in total)
Token: SeShutdownPrivilege | 3240 | (not recorded)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description | pid | process | target process
PID 4868 wrote to memory of 4860 | 4868 | 585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe | 585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe (row repeated 6 times)
PID 3240 wrote to memory of 3036 | 3240 | (not recorded) | 64C6.exe (row repeated 3 times)
PID 3036 wrote to memory of 3288 | 3036 | 64C6.exe | 64C6.exe (row repeated 6 times)
PID 3240 wrote to memory of 664 | 3240 | (not recorded) | 6E2D.exe (row repeated 3 times)
PID 664 wrote to memory of 480 | 664 | 6E2D.exe | 6E2D.exe (row repeated 3 times)
PID 3240 wrote to memory of 3100 | 3240 | (not recorded) | 7801.exe (row repeated 3 times)
PID 2736 wrote to memory of 3100 | 2736 | WerFault.exe | 7801.exe (row repeated 2 times)
PID 664 wrote to memory of 480 | 664 | 6E2D.exe | 6E2D.exe (row repeated 5 times)
PID 3240 wrote to memory of 1512 | 3240 | (not recorded) | 838C.exe (row repeated 3 times)
PID 3240 wrote to memory of 4052 | 3240 | (not recorded) | E024.exe (row repeated 3 times)
PID 3240 wrote to memory of 4960 | 3240 | (not recorded) | EA18.exe (row repeated 3 times)
PID 4660 wrote to memory of 4960 | 4660 | WerFault.exe | EA18.exe (row repeated 2 times)
PID 3240 wrote to memory of 904 | 3240 | (not recorded) | FB7E.exe (row repeated 3 times)
PID 3240 wrote to memory of 2572 | 3240 | (not recorded) | 35E.exe (row repeated 3 times)
PID 904 wrote to memory of 1168 | 904 | FB7E.exe | cmd.exe (row repeated 3 times)
PID 1168 wrote to memory of 2012 | 1168 | cmd.exe | timeout.exe (row repeated 3 times)
PID 3436 wrote to memory of 2572 | 3436 | WerFault.exe | 35E.exe (row repeated 2 times)
PID 3240 wrote to memory of 1296 | 3240 | (not recorded) | A55.exe (row repeated 3 times)
PID 4456 wrote to memory of 1296 | 4456 | WerFault.exe | A55.exe (row repeated 2 times)
PID 3240 wrote to memory of 3808 | 3240 | (not recorded) | 17C3.exe (row repeated 3 times)
Processes

C:\Users\Admin\AppData\Local\Temp\585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe (depth 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27.exe"
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection

C:\Windows\System32\sihclient.exe (depth 1)
  Command line: C:\Windows\System32\sihclient.exe /cv dn8LwwbFRkCXo9mq/8woaw.0.2
  - Modifies data under HKEY_USERS

C:\Windows\System32\svchost.exe (depth 1)
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
  - Modifies data under HKEY_USERS

C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Users\Admin\AppData\Local\Temp\64C6.exe (depth 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\64C6.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\64C6.exe (depth 2)
      Command line: C:\Users\Admin\AppData\Local\Temp\64C6.exe
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\6E2D.exe (depth 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\6E2D.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\6E2D.exe (depth 2)
      Command line: C:\Users\Admin\AppData\Local\Temp\6E2D.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\7801.exe (depth 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\7801.exe
  - Executes dropped EXE
    C:\Windows\SysWOW64\WerFault.exe (depth 2)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 300
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3100 -ip 3100
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory
C:\Users\Admin\AppData\Local\Temp\838C.exe (depth 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\838C.exe
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\E024.exe (depth 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\E024.exe
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\EA18.exe (depth 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\EA18.exe
  - Executes dropped EXE
    C:\Windows\SysWOW64\WerFault.exe (depth 2)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 312
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry

C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4960 -ip 4960
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Local\Temp\FB7E.exe (depth 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\FB7E.exe
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (depth 2)
      Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\dfmIGuhjephxB & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\FB7E.exe"
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\timeout.exe (depth 3)
          Command line: timeout 4
          - Delays execution with timeout.exe
C:\Users\Admin\AppData\Local\Temp\35E.exeC:\Users\Admin\AppData\Local\Temp\35E.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 2802⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2572 -ip 25721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\A55.exeC:\Users\Admin\AppData\Local\Temp\A55.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 2802⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1296 -ip 12961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\17C3.exeC:\Users\Admin\AppData\Local\Temp\17C3.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\Stub.exe"C:\Users\Admin\AppData\Local\Temp\Stub.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\LogicNP Software ver4.46\LogicNPSoftware.exe"C:\Users\Admin\AppData\Local\LogicNP Software ver4.46\LogicNPSoftware.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "regid.1991-06.com.microsoft ver2.31" /tr "'C:\Users\Admin\AppData\Local\LogicNP Software ver4.46\LogicNPSoftware.exe"'/f4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\2001.exeC:\Users\Admin\AppData\Local\Temp\2001.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 3002⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4148 -ip 41481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\D38C.exeC:\Users\Admin\AppData\Local\Temp\D38C.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 2762⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2940 -ip 29401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\D959.exeC:\Users\Admin\AppData\Local\Temp\D959.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 2802⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3728 -ip 37281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\LogicNP Software ver4.46\LogicNPSoftware.exe
MD5 96eebd46f272afb94c847ca8c6c218e2
SHA1 0d9b606861e245dfd13e419d3a240c806dad07ca
SHA256 8936a73f7dcaf1569506a7cae1c69eca5bd93602d20992d53a64592e9a0537f7
SHA512 a51362a1d9ddc32abbc74f09b8182212f56999f43e21355a84a6ccfda6c0d5578da19eb6c1a1fbf8970e88e79d439c4cad966d2de3403ed81b1aa38632c3c700
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6E2D.exe.log
MD5 e07da89fc7e325db9d25e845e27027a8
SHA1 4b6a03bcdb46f325984cbbb6302ff79f33637e19
SHA256 94ab73c00494d10a2159175b81e23047621451e3a566e5a0b1222379db634aaf
SHA512 1e33e34595ebb6ce129d0244199d29722c916c036da542c3001f84b10a964b96cec7a9fdd19e120d7840614b307b504be993a4f8538d54382aa4944575476dda
-
C:\Users\Admin\AppData\Local\Temp\17C3.exe
MD5 ba0dd19b99693a9e154792c572c4bb89
SHA1 917bbc04a7dbd9371c0fdf98305b6fa0451b20b1
SHA256 0ea94abed4864fc286c8c12a65872de9c44526b0ccf013d061b50dc393c33476
SHA512 f892821e6068fc3aad212d8e90542f6bfae5efdc8ee7520a2502d2b5ac80d0ad41109b87a416ffdfb085c6769764ee99299a34454ad6e98f435d626e76025c0e
-
C:\Users\Admin\AppData\Local\Temp\2001.exe
MD5 7a0654c0902e8985ac639b70a9bb8189
SHA1 0829dbbdd0561f64c5e74a9bfe5c2c2f55a505ac
SHA256 5b0e27255c5bf04142214edeffde81aa02834c565bf3a59f4909c2e6414b4226
SHA512 b67fd356296012920a5c6e543a3dc7586fcd14ca8331dc03d266a441458aae59b7466540b6c59d6bca6f6bfa62cff99f518d76959741f8fe0b34145615c004db
-
C:\Users\Admin\AppData\Local\Temp\3598b1bf-5eab-4729-b384-2a3852bdd6c3\AgileDotNetRT64.dll
MD5 e8641f344213ca05d8b5264b5f4e2dee
SHA1 96729e31f9b805800b2248fd22a4b53e226c8309
SHA256 85e82b9e9200e798e8f434459eacee03ed9818cc6c9a513fe083e72d48884e24
SHA512 3130f32c100ecb97083ad8ac4c67863e9ceed3a9b06fc464d1aeeaec389f74c8bf56f4ce04f6450fd2cc0fa861d085101c433cfa4bec3095f8ebeeb53b739109
-
C:\Users\Admin\AppData\Local\Temp\35E.exe
MD5 491f64dd179f6482a6b8e2f86a04c737
SHA1 7aaca750d55378f3276e64149bf6bf4038221c1c
SHA256 826ccfdce68cfec814790d31bec89a79bed5b2b4e46867bb8b38690d1a79840b
SHA512 3d30215abf5c7813f4251d190873a2506a89ec97e7ec3261fb5f4440505155d1cd2e5f0b08d6ce397185319697667c35615f6512e17db0975a9683d75a4f6b1a
-
C:\Users\Admin\AppData\Local\Temp\64C6.exe
MD5 47501bca2d855a6792f7cd363796356c
SHA1 43f3eb90cb3edceba86c682958af8c825a587cfd
SHA256 585aa60f224f5f7b3696efafbb7b6f4cc9d3b029964f80fb83c02f55d1a52b27
SHA512 64ba1d47162cc92b96b1ad581b3288b5869e2baf14d72496ee633fa28caae3c438ceebc96fe633e00253acb2d987c2ad54360e4976ff160e78af6826c5d466af
-
C:\Users\Admin\AppData\Local\Temp\6E2D.exe
MD5 9d9b13b42035d341d721ac396370e0d2
SHA1 9f753604cd2c0c39a6c564ed617e79b491dc63f3
SHA256 dfab32c05c3ee8754a23d584e56b54312db92e6b7d540afbd272fc84fae71008
SHA512 11f7fac62750a51863d3727475fef8e6ee197d3069198463738265166cefbfc3c29ebf40e6a3433471f67a5c53142d7afae99b597afdd2f8c6d7e5bc37df366e
-
C:\Users\Admin\AppData\Local\Temp\7801.exe
MD5 19ca8392cd7994d20b14e493d2aff92e
SHA1 82777bc3b9608507edb6a3f428ad06dc27274542
SHA256 06e6f384d569d1484e4e36abbf54b3a09df7a13d85fc33d5e18d13b91b649c4d
SHA512 3a1af3c9cf3c1adb443f612145d73c916de75a64455dce7053f3d9c191b681f16df6942aaa68a47f33c20b35ddb0d2559afdb9d9afc4049cd79a335a72ac9a56
-
C:\Users\Admin\AppData\Local\Temp\838C.exe
MD5 604ba9fde3cb322f5284ac9d29f8a3a2
SHA1 6f274e9e373c2926bf4f1248dfc6b8c4a5a7fa7a
SHA256 3b7c8c80c90efc1550b8f8a495c8f4712261a99578d60147b8f335ee11c0c3ac
SHA512 3dacffe6371090877021b5a83ef72b3b13dd09e991c717ba3848d099f46d1ea00583816bc2a4db22fa4d185c5395dfb145ba812108987c9ee69720f02c01c394
-
C:\Users\Admin\AppData\Local\Temp\A55.exe
MD5 219a348a0d4396f037d0d79d32ab682d
SHA1 3e5495c0efac34ac23f0f5071514ae9003baa41b
SHA256 2337ae8c73dbda47e647eec68d0061f084c34bf862badc08a260dbd424e8e798
SHA512 718f85de934fd0a676cf235ad0375328cfe379f99c6e9c15fda291cf6707c341f903b47ae2876b4fdb2d8c817da5f441902a7dc7831167a44167aeab2fd477e9
-
C:\Users\Admin\AppData\Local\Temp\D38C.exe
MD5 9396835aa81bb10645d3fbc364edf5ef
SHA1 0b9ce38a9c16bf4f7d7b7d669fb4c873d760e1b5
SHA256 6360921251093229ccece234ef9c1ed2b917eec327c2ddfa1ae83cca1f31d72a
SHA512 71dd226d75e056bbdaf880d6b454b29afcc1f7dca2f19aee7228918c238d69bc559cd8cfdf0395c29d099ca17b7242ebdcf58811acd6b997ac42987dd633665f
-
C:\Users\Admin\AppData\Local\Temp\D5EC2B01498B61F9B01D
MD5 0f1f14b0ae305bea9c8182ac49d6518e
SHA1 60b072ed77f3f2b83e07a3164c370efa0a6991ff
SHA256 43fb6990ef7dce9b8e9faec01e43443a07d953e3739c6f7880f3d764c4c7da0c
SHA512 1dd957bddace586d2989f259e44838d342e4c93ffbff21c56e0aa178d12732bb63100416c5e0ec867dc0e9d06d4a8d259d1ac2c22473f8cf730bc92f56733ed0
-
C:\Users\Admin\AppData\Local\Temp\D959.exe
MD5 9396835aa81bb10645d3fbc364edf5ef
SHA1 0b9ce38a9c16bf4f7d7b7d669fb4c873d760e1b5
SHA256 6360921251093229ccece234ef9c1ed2b917eec327c2ddfa1ae83cca1f31d72a
SHA512 71dd226d75e056bbdaf880d6b454b29afcc1f7dca2f19aee7228918c238d69bc559cd8cfdf0395c29d099ca17b7242ebdcf58811acd6b997ac42987dd633665f
-
C:\Users\Admin\AppData\Local\Temp\E024.exe
MD5 d1538b6133b25af809af8ff176796e36
SHA1 90b55c262d3367bc057769e31f41c2232a8e6af3
SHA256 8b596ea3b94f0a71ca113f0dc956d86e7de7130feaf538df2588357a91acc05f
SHA512 0ded0836a96fff9dbbf473ce09b71a711214eab98d7cb2da105f57dbc9d3ff92317286ab28bac5ce947c0835cc71116360b6fdaa79800808a612f637884b0bb6
-
C:\Users\Admin\AppData\Local\Temp\EA18.exe
MD5 dd283112e52bc6b6c5c37d7501291498
SHA1 ef4065201f0848a8f735203797da74a3917362c0
SHA256 eefe80bd8f09a8e4d75d1d66402bc7000f56f5f4f337b2aa84cc0c76d81435a3
SHA512 f41f6347219cf69fc308d0155e42432e209b305f47159c4e867cf666455fc3143e8b4d99bd5724d071da419aa83800e6009b1272fc2eb25dabd38fe2225b2f70
-
C:\Users\Admin\AppData\Local\Temp\FB7E.exe
MD5 5286f944c769d5dc97b4d0d4ae83c56d
SHA1 836ac55696c0f53fcb38cd6fdeb3a2e6a2e5b06d
SHA256 717190eb4edc11546b3ee8555b6c5ad8ee8aa72d3171e0460584fb182d69641d
SHA512 95854f2d6dcaf422a9209a8476feccc73f33d94a7a515f10e2de78a52d0d371ff777584e9e443623f311fbd16bf3079ddd9c38f1e11d73a385fbd3c9923a2011
-
C:\Users\Admin\AppData\Local\Temp\Stub.exe
MD5 c3f71954f3dfc7247052ebab10456c45
SHA1 1e90f3196660b58459f9a3f883fc02e4c5904cc4
SHA256 479684aadb70fa5e6232553bc398ae988e999920a649d7fa7d89c77b13ca4109
SHA512 7dbedb399f25539cf684060021295d3f79db5d6cb0146b28d86ae4a86f62d274471d3150b51b532381af8871e55ba3a70469871d4ddd8684d7625ec321fb136c
Memory dumps (Filesize in parentheses):
- memory/480-205-0x0000000005A10000-0x0000000005A11000-memory.dmp (4KB)
- memory/480-224-0x0000000007AC0000-0x0000000007AC1000-memory.dmp (4KB)
- memory/480-204-0x0000000005650000-0x0000000005C68000-memory.dmp (6.1MB)
- memory/480-197-0x0000000005C70000-0x0000000005C71000-memory.dmp (4KB)
- memory/480-198-0x00000000056D0000-0x00000000056D1000-memory.dmp (4KB)
- memory/480-202-0x0000000006520000-0x0000000006521000-memory.dmp (4KB)
- memory/480-201-0x0000000005770000-0x0000000005771000-memory.dmp (4KB)
- memory/480-203-0x0000000005A80000-0x0000000005A81000-memory.dmp (4KB)
- memory/480-192-0x0000000000400000-0x0000000000422000-memory.dmp (136KB)
- memory/480-221-0x00000000077A0000-0x00000000077A1000-memory.dmp (4KB)
- memory/480-222-0x0000000007EA0000-0x0000000007EA1000-memory.dmp (4KB)
- memory/480-199-0x0000000005800000-0x0000000005801000-memory.dmp (4KB)
- memory/480-227-0x0000000007DC0000-0x0000000007DC1000-memory.dmp (4KB)
- memory/480-228-0x00000000087D0000-0x00000000087D1000-memory.dmp (4KB)
- memory/480-191-0x0000000000000000-mapping.dmp
- memory/480-200-0x0000000005910000-0x0000000005911000-memory.dmp (4KB)
- memory/664-180-0x00000000005D0000-0x00000000005D1000-memory.dmp (4KB)
- memory/664-182-0x0000000005070000-0x0000000005071000-memory.dmp (4KB)
- memory/664-185-0x00000000057B0000-0x00000000057B1000-memory.dmp (4KB)
- memory/664-184-0x00000000051F0000-0x00000000051F1000-memory.dmp (4KB)
- memory/664-183-0x0000000005010000-0x0000000005011000-memory.dmp (4KB)
- memory/664-177-0x0000000000000000-mapping.dmp
- memory/904-256-0x0000000000000000-mapping.dmp
- memory/1168-271-0x0000000000000000-mapping.dmp
- memory/1296-274-0x0000000000000000-mapping.dmp
- memory/1296-278-0x0000000000620000-0x0000000000633000-memory.dmp (76KB)
- memory/1512-210-0x0000000000E30000-0x0000000000E31000-memory.dmp (4KB)
- memory/1512-206-0x0000000000000000-mapping.dmp
- memory/1512-217-0x0000000005D10000-0x0000000005D11000-memory.dmp (4KB)
- memory/1884-314-0x0000000000000000-mapping.dmp
- memory/1884-321-0x000000001B9A0000-0x000000001B9A2000-memory.dmp (8KB)
- memory/2012-272-0x0000000000000000-mapping.dmp
- memory/2468-324-0x0000000000000000-mapping.dmp
- memory/2572-273-0x0000000002130000-0x00000000021C0000-memory.dmp (576KB)
- memory/2572-268-0x0000000000000000-mapping.dmp
- memory/2940-331-0x0000000000000000-mapping.dmp
- memory/2940-335-0x0000000002130000-0x00000000021C0000-memory.dmp (576KB)
- memory/3036-171-0x0000000000000000-mapping.dmp
- memory/3100-186-0x0000000000000000-mapping.dmp
- memory/3100-189-0x0000000003ED0000-0x0000000003F5F000-memory.dmp (572KB)
- memory/3240-190-0x0000000000C80000-0x0000000000C96000-memory.dmp (88KB)
- memory/3240-149-0x000000000BFA0000-0x000000000BFB6000-memory.dmp (88KB)
- memory/3240-163-0x0000000007630000-0x00000000076B0000-memory.dmp (512KB)
- memory/3240-155-0x00000000044E0000-0x0000000004560000-memory.dmp (512KB)
- memory/3288-174-0x0000000000000000-mapping.dmp
- memory/3728-334-0x0000000000000000-mapping.dmp
- memory/3808-297-0x0000000005DA0000-0x0000000005DA1000-memory.dmp (4KB)
- memory/3808-305-0x0000000005DA3000-0x0000000005DA5000-memory.dmp (8KB)
- memory/3808-279-0x0000000000000000-mapping.dmp
- memory/4052-237-0x0000000000000000-mapping.dmp
- memory/4052-250-0x00000000057A0000-0x00000000057A1000-memory.dmp (4KB)
- memory/4148-298-0x0000000002210000-0x0000000002240000-memory.dmp (192KB)
- memory/4148-294-0x0000000000000000-mapping.dmp
- memory/4388-152-0x00000273BD8E0000-0x00000273BD8E4000-memory.dmp (16KB)
- memory/4388-151-0x00000273BB2E0000-0x00000273BB2F0000-memory.dmp (64KB)
- memory/4388-150-0x00000273BB260000-0x00000273BB270000-memory.dmp (64KB)
- memory/4748-311-0x0000000002AA0000-0x0000000002AA2000-memory.dmp (8KB)
- memory/4748-306-0x0000000000000000-mapping.dmp
- memory/4860-146-0x0000000000000000-mapping.dmp
- memory/4860-147-0x0000000000400000-0x0000000000409000-memory.dmp (36KB)
- memory/4868-148-0x0000000000620000-0x0000000000629000-memory.dmp (36KB)
- memory/4960-252-0x0000000000000000-mapping.dmp
- memory/4960-255-0x0000000000750000-0x0000000000780000-memory.dmp (192KB)