Analysis
max time kernel: 142s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 08-02-2022 18:02

Static task: static1
Behavioral task: behavioral1
  Sample: 2cb326bf23a15dfa548df0266743efffefe1cb91450b3146e03e72f51c2cf0d9.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 2cb326bf23a15dfa548df0266743efffefe1cb91450b3146e03e72f51c2cf0d9.exe
  Resource: win10v2004-en-20220113
General
Target: 2cb326bf23a15dfa548df0266743efffefe1cb91450b3146e03e72f51c2cf0d9.exe
Size: 1.1MB
MD5: d163e4d75e3e115cce99679d08595c6e
SHA1: a859952a86158d2f60ed927a966d17eede94887d
SHA256: 2cb326bf23a15dfa548df0266743efffefe1cb91450b3146e03e72f51c2cf0d9
SHA512: e43b7db81a24c0b27df91f0fac967be0e2089b3b74ea3b431be47a900e73c5f5bf498da14921edbfa397ff3f5d767716ff60a5ca10d1ff7f213d9d20023b6413
Malware Config
Extracted: oski
  pretorian.ug
Extracted: raccoon
  125d9f8ed76e486f6563be097a710bd4cba7f7f2
  url4cnc:
    http://5.252.178.180/brikitiki
    https://t.me/brikitiki
Extracted: azorult
  http://195.245.112.115/index.php
Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Oski
Oski is an infostealer targeting browser data and crypto wallets.

ModiLoader First Stage (2 IoCs)
  Resource                                                                     YARA rule
  behavioral2/memory/3588-201-0x0000000002F00000-0x0000000002F1B000-memory.dmp  modiloader_stage1
  behavioral2/memory/1932-237-0x0000000002400000-0x000000000241B000-memory.dmp  modiloader_stage1
Downloads MZ/PE file

Executes dropped EXE (16 IoCs)
  PID   Process
  116   kgen.exe
  2136  Keygen.exe
  3192  kgen.exe
  4088  CcmfdgsaYsd.exe
  1772  Dbvsdfe.exe
  3144  dfgasdme.exe
  3736  CHmfdgaYsHsd.exe
  1620  Dbvsdfe.exe
  3848  dfgasdme.exe
  1352  CcmfdgsaYsd.exe
  3876  pm.exe
  3588  cc.exe
  4796  cc.exe
  4420  aspnet_compiler.exe
  1932  fodhelper.exe
  2776  fodhelper.exe

YARA rule match (1 IoC)
  Resource                                               YARA rule
  C:\Users\Admin\AppData\Local\Temp\66D5.tmp\Keygen.exe  upx
Checks computer location settings (2 TTPs, 7 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  Queried by: Dbvsdfe.exe, dfgasdme.exe, pm.exe, WScript.exe, 2cb326bf23a15dfa548df0266743efffefe1cb91450b3146e03e72f51c2cf0d9.exe, kgen.exe, CcmfdgsaYsd.exe
Loads dropped DLL (9 IoCs)
  PID   Process
  1620  Dbvsdfe.exe (3 loads)
  3848  dfgasdme.exe (6 loads)
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Keys opened by dfgasdme.exe:
  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by pm.exe:
  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winda = "\"C:\\Users\\Admin\\AppData\\Roaming\\winda.exe\""

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  PID   Process
  3192  kgen.exe (2 calls)

Suspicious use of SetThreadContext (7 IoCs)
  Source PID  Source process    Target PID  Target process
  116         kgen.exe          3192        kgen.exe
  1772        Dbvsdfe.exe       1620        Dbvsdfe.exe
  3144        dfgasdme.exe      3848        dfgasdme.exe
  4088        CcmfdgsaYsd.exe   1352        CcmfdgsaYsd.exe
  3588        cc.exe            4796        cc.exe
  3876        pm.exe            4420        aspnet_compiler.exe
  1932        fodhelper.exe     2776        fodhelper.exe
Drops file in Windows directory (8 IoCs)
  File opened for modification                                Process
  C:\Windows\WinSxS\pending.xml                               TiWorker.exe
  C:\Windows\WindowsUpdate.log                                svchost.exe
  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk      svchost.exe
  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log      svchost.exe
  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb     svchost.exe
  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm     svchost.exe
  C:\Windows\SoftwareDistribution\ReportingEvents.log         svchost.exe
  C:\Windows\Logs\CBS\CBS.log                                 TiWorker.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened:         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      dfgasdme.exe
  Key value queried:  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  dfgasdme.exe
  Key value queried:  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Dbvsdfe.exe
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID   Process
  4816  schtasks.exe
  4836  schtasks.exe

Delays execution with timeout.exe (1 IoC)
  PID   Process
  544   timeout.exe

Gathers network information (2 TTPs, 2 IoCs)
Uses a command-line utility to view the network configuration.
  PID   Process
  4204  ipconfig.exe
  5028  ipconfig.exe

Kills process with taskkill (1 IoC)
  PID   Process
  1924  taskkill.exe

Modifies registry class (1 IoC)
  Key created by pm.exe:
  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings
Modifies system certificate store
  Key created by cc.exe:
  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
  Set value (data) by cc.exe:
  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob not reproduced in this extraction)
Suspicious behavior: EnumeratesProcesses (20 IoCs)
  PID   Process              Occurrences
  3848  dfgasdme.exe         2
  3864  powershell.exe       3
  4256  powershell.exe       3
  4912  powershell.exe       2
  5064  powershell.exe       2
  4236  powershell.exe       2
  3876  pm.exe               2
  4420  aspnet_compiler.exe  4

Suspicious behavior: MapViewOfSection (4 IoCs)
  PID   Process
  116   kgen.exe
  1772  Dbvsdfe.exe
  3144  dfgasdme.exe
  4088  CcmfdgsaYsd.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs; distinct PID/privilege combinations shown)
  PID   Process         Token privilege
  1288  svchost.exe     SeShutdownPrivilege, SeCreatePagefilePrivilege (3 times each)
  1924  taskkill.exe    SeDebugPrivilege
  3876  pm.exe          SeDebugPrivilege
  3864  powershell.exe  SeDebugPrivilege
  4256  powershell.exe  SeDebugPrivilege
  4636  TiWorker.exe    SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege (repeated)
Suspicious use of SetWindowsHookEx (6 IoCs)
  PID   Process
  116   kgen.exe
  3192  kgen.exe
  4088  CcmfdgsaYsd.exe
  1772  Dbvsdfe.exe
  3144  dfgasdme.exe
  3736  CHmfdgaYsHsd.exe
Suspicious use of WriteProcessMemory (64 IoCs; distinct writer/target pairs shown)
  Source PID  Source process                                                          Target PID  Target process
  1016        2cb326bf23a15dfa548df0266743efffefe1cb91450b3146e03e72f51c2cf0d9.exe    1772        cmd.exe
  1772        cmd.exe                                                                 116         kgen.exe
  1772        cmd.exe                                                                 2136        Keygen.exe
  116         kgen.exe                                                                3192        kgen.exe
  3192        kgen.exe                                                                4088        CcmfdgsaYsd.exe
  4088        CcmfdgsaYsd.exe                                                         1772        Dbvsdfe.exe
  4088        CcmfdgsaYsd.exe                                                         3144        dfgasdme.exe
  3192        kgen.exe                                                                3736        CHmfdgaYsHsd.exe
  1772        Dbvsdfe.exe                                                             1620        Dbvsdfe.exe
  3144        dfgasdme.exe                                                            3848        dfgasdme.exe
  4088        CcmfdgsaYsd.exe                                                         1352        CcmfdgsaYsd.exe
  1620        Dbvsdfe.exe                                                             808         cmd.exe
  808         cmd.exe                                                                 1924        taskkill.exe
  3848        dfgasdme.exe                                                            3876        pm.exe
  3848        dfgasdme.exe                                                            3588        cc.exe
  3848        dfgasdme.exe                                                            428         cmd.exe
  3876        pm.exe                                                                  3864        powershell.exe
  428         cmd.exe                                                                 544         timeout.exe
  3864        powershell.exe                                                          4204        ipconfig.exe
  3876        pm.exe                                                                  4256        powershell.exe
  3588        cc.exe                                                                  4796        cc.exe
outlook_office_path (1 IoC)
  Key opened by dfgasdme.exe:
  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

outlook_win_path (1 IoC)
  Key opened by dfgasdme.exe:
  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
(bracketed number = depth in the process tree; children are indented under their parent)

[1] C:\Users\Admin\AppData\Local\Temp\2cb326bf23a15dfa548df0266743efffefe1cb91450b3146e03e72f51c2cf0d9.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2cb326bf23a15dfa548df0266743efffefe1cb91450b3146e03e72f51c2cf0d9.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\66D5.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\2cb326bf23a15dfa548df0266743efffefe1cb91450b3146e03e72f51c2cf0d9.exe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\66D5.tmp\kgen.exe
        Command line: kgen.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\66D5.tmp\kgen.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\66D5.tmp\kgen.exe"
          - Executes dropped EXE
          - Checks computer location settings
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\CcmfdgsaYsd.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\CcmfdgsaYsd.exe" 0
            - Executes dropped EXE
            - Checks computer location settings
            - Suspicious use of SetThreadContext
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious behavior: MapViewOfSection
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
            [7] C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe"
                - Executes dropped EXE
                - Checks computer location settings
                - Loads dropped DLL
                - Checks processor information in registry
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\SysWOW64\cmd.exe
                  Command line: "C:\Windows\System32\cmd.exe" /c taskkill /pid 1620 & erase C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe & RD /S /Q C:\\ProgramData\\854816050712042\\* & exit
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\SysWOW64\taskkill.exe
                    Command line: taskkill /pid 1620
                    - Kills process with taskkill
                    - Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious behavior: MapViewOfSection
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
            [7] C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe"
                - Executes dropped EXE
                - Checks computer location settings
                - Loads dropped DLL
                - Accesses Microsoft Outlook profiles
                - Checks processor information in registry
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                - outlook_office_path
                - outlook_win_path
              [8] C:\Users\Admin\AppData\Local\Temp\pm.exe
                  Command line: "C:\Users\Admin\AppData\Local\Temp\pm.exe"
                  - Executes dropped EXE
                  - Checks computer location settings
                  - Adds Run key to start application
                  - Suspicious use of SetThreadContext
                  - Modifies registry class
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc aQBwAGMAbwBuAGYAaQBnACAALwByAGUAbABlAGEAcwBlAA==
                    Decoded -enc argument (UTF-16LE base64): ipconfig /release
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                  [10] C:\Windows\system32\ipconfig.exe
                       Command line: "C:\Windows\system32\ipconfig.exe" /release
                       - Gathers network information
                [9] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgA1AA==
                    Decoded -enc argument (UTF-16LE base64): Start-Sleep -s 25
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                [9] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc aQBwAGMAbwBuAGYAaQBnACAALwByAGUAbgBlAHcA
                    Decoded -enc argument (UTF-16LE base64): ipconfig /renew
                    - Suspicious behavior: EnumeratesProcesses
                  [10] C:\Windows\system32\ipconfig.exe
                       Command line: "C:\Windows\system32\ipconfig.exe" /renew
                       - Gathers network information
                [9] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAuADUA
                    Decoded -enc argument (UTF-16LE base64): Start-Sleep -Seconds 1.5
                    - Suspicious behavior: EnumeratesProcesses
                [9] C:\Windows\System32\WScript.exe
                    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Mijezedarcutnmc.vbs"
                    - Checks computer location settings
                  [10] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                       Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath 'C:\','C:\Users\Admin\AppData\Roaming\winda.exe'
                       - Suspicious behavior: EnumeratesProcesses
                [9] C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
                    Command line: C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
                    - Executes dropped EXE
                    - Suspicious behavior: EnumeratesProcesses
              [8] C:\Users\Admin\AppData\Local\Temp\cc.exe
                  Command line: "C:\Users\Admin\AppData\Local\Temp\cc.exe"
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - Modifies system certificate store
                  - Suspicious use of WriteProcessMemory
                [9] C:\Users\Admin\AppData\Local\Temp\cc.exe
                    Command line: C:\Users\Admin\AppData\Local\Temp\cc.exe
                    - Executes dropped EXE
                  [10] C:\Windows\SysWOW64\schtasks.exe
                       Command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
                       - Creates scheduled task(s)
              [8] C:\Windows\SysWOW64\cmd.exe
                  Command line: "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "dfgasdme.exe"
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\SysWOW64\timeout.exe
                    Command line: C:\Windows\system32\timeout.exe 3
                    - Delays execution with timeout.exe
          [6] C:\Users\Admin\AppData\Local\Temp\CcmfdgsaYsd.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\CcmfdgsaYsd.exe"
              - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\CHmfdgaYsHsd.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\CHmfdgaYsHsd.exe" 0
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
    [3] C:\Users\Admin\AppData\Local\Temp\66D5.tmp\Keygen.exe
        Command line: Keygen.exe
        - Executes dropped EXE

[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
      - Executes dropped EXE
    [3] C:\Windows\SysWOW64\schtasks.exe
        Command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
        - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\9B5325BF\vcruntime140.dllMD5
7587bf9cb4147022cd5681b015183046
SHA1f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA5120b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f
-
C:\Users\Admin\AppData\Local\Temp\9B5325BF\vcruntime140.dllMD5
7587bf9cb4147022cd5681b015183046
SHA1f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA5120b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f
-
C:\Users\Admin\AppData\Local\Temp\CHmfdgaYsHsd.exeMD5
f9af0046085177c4ae153bd1eacde3e8
SHA14f6fe60cd9bb7644cb30003799aa97e8e3947b0c
SHA256857fc01da428dccc15e996c5e737eda4148df3676c987a4416c5bb0768ce982d
SHA512f2f828a8a99d54d6757a51060e1665b2146afccf5b5fa529db691ce761b49c8a170b19a692ed7b32c550eee5b5697fdb67f85c5db260047506f7368c81a1fcee
-
C:\Users\Admin\AppData\Local\Temp\CHmfdgaYsHsd.exeMD5
f9af0046085177c4ae153bd1eacde3e8
SHA14f6fe60cd9bb7644cb30003799aa97e8e3947b0c
SHA256857fc01da428dccc15e996c5e737eda4148df3676c987a4416c5bb0768ce982d
SHA512f2f828a8a99d54d6757a51060e1665b2146afccf5b5fa529db691ce761b49c8a170b19a692ed7b32c550eee5b5697fdb67f85c5db260047506f7368c81a1fcee
-
C:\Users\Admin\AppData\Local\Temp\CcmfdgsaYsd.exeMD5
f9af0046085177c4ae153bd1eacde3e8
SHA14f6fe60cd9bb7644cb30003799aa97e8e3947b0c
SHA256857fc01da428dccc15e996c5e737eda4148df3676c987a4416c5bb0768ce982d
SHA512f2f828a8a99d54d6757a51060e1665b2146afccf5b5fa529db691ce761b49c8a170b19a692ed7b32c550eee5b5697fdb67f85c5db260047506f7368c81a1fcee
-
C:\Users\Admin\AppData\Local\Temp\CcmfdgsaYsd.exeMD5
f9af0046085177c4ae153bd1eacde3e8
SHA14f6fe60cd9bb7644cb30003799aa97e8e3947b0c
SHA256857fc01da428dccc15e996c5e737eda4148df3676c987a4416c5bb0768ce982d
SHA512f2f828a8a99d54d6757a51060e1665b2146afccf5b5fa529db691ce761b49c8a170b19a692ed7b32c550eee5b5697fdb67f85c5db260047506f7368c81a1fcee
-
C:\Users\Admin\AppData\Local\Temp\CcmfdgsaYsd.exeMD5
f9af0046085177c4ae153bd1eacde3e8
SHA14f6fe60cd9bb7644cb30003799aa97e8e3947b0c
SHA256857fc01da428dccc15e996c5e737eda4148df3676c987a4416c5bb0768ce982d
SHA512f2f828a8a99d54d6757a51060e1665b2146afccf5b5fa529db691ce761b49c8a170b19a692ed7b32c550eee5b5697fdb67f85c5db260047506f7368c81a1fcee
-
C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exeMD5
3466dbd3779c31dc2fccfe73e6d6a44e
SHA19e3b082853d4b3b1dd1a0e4877ee4763a02c3171
SHA25658dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4
SHA5124f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3
-
C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exeMD5
3466dbd3779c31dc2fccfe73e6d6a44e
SHA19e3b082853d4b3b1dd1a0e4877ee4763a02c3171
SHA25658dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4
SHA5124f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3
-
C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exeMD5
3466dbd3779c31dc2fccfe73e6d6a44e
SHA19e3b082853d4b3b1dd1a0e4877ee4763a02c3171
SHA25658dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4
SHA5124f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3
-
C:\Users\Admin\AppData\Local\Temp\Mijezedarcutnmc.vbsMD5
5538f172ee41acfa7e101ec4ac13bf67
SHA1d250a0b0ecc2de3869f24461a889301e5e10d711
SHA256d1dcd271aaa9def8bfb39d134b2b625db8f2cc3788e111d29066c4208ca754f7
SHA5129091c13212df6c56b9189c6f9d7ea144357b08c639361a87d95c9917d93e92a53790b6147a1b3ee4cf9504bc28443f498c78a46f38f2bbdd87f324aa404da5c0
-
C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exeMD5
df5419b32657d2896514b6a1d041fe08
SHA1eae192043f75ca972697c3b1875988bebd66f713
SHA2569ed0aa0a40c864f65ff867fd6b8491467786ce1bc60fd1e55f300a0fae5a77b4
SHA512f1a7a409c99942b39060d327bbc2f0b7cf600e8c3d8e60164ae27a78e1a16c07de58872b8864a0783d71ccad5800c02ade0ac14954b30a75a6b5c8d4b1fcd560
-
C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exeMD5
df5419b32657d2896514b6a1d041fe08
SHA1eae192043f75ca972697c3b1875988bebd66f713
SHA2569ed0aa0a40c864f65ff867fd6b8491467786ce1bc60fd1e55f300a0fae5a77b4
SHA512f1a7a409c99942b39060d327bbc2f0b7cf600e8c3d8e60164ae27a78e1a16c07de58872b8864a0783d71ccad5800c02ade0ac14954b30a75a6b5c8d4b1fcd560
-
C:\Users\Admin\AppData\Local\Temp\cc.exeMD5
0c6a0c6c6ae6ca92b8dbbf7802c13381
SHA1fe6a5b7eaa8076a6304a23444456ccb4e8662ff7
SHA25692cee18d0c9e246f28b38a8d35442d44f8cc8eab883b5e3e0c3a09ae96de846c
SHA512809baf2fbb989144ba047ed3b02534a77bbcd4fc8dc09d614df7fe980811ae7eef2eaf60c6a0be9b09c3512a55be1a286904a26607eb330c8caf28a5ecf4d148
-
C:\Users\Admin\AppData\Local\Temp\cc.exeMD5
0c6a0c6c6ae6ca92b8dbbf7802c13381
SHA1fe6a5b7eaa8076a6304a23444456ccb4e8662ff7
SHA25692cee18d0c9e246f28b38a8d35442d44f8cc8eab883b5e3e0c3a09ae96de846c
SHA512809baf2fbb989144ba047ed3b02534a77bbcd4fc8dc09d614df7fe980811ae7eef2eaf60c6a0be9b09c3512a55be1a286904a26607eb330c8caf28a5ecf4d148
-
C:\Users\Admin\AppData\Local\Temp\cc.exeMD5
0c6a0c6c6ae6ca92b8dbbf7802c13381
SHA1fe6a5b7eaa8076a6304a23444456ccb4e8662ff7
SHA25692cee18d0c9e246f28b38a8d35442d44f8cc8eab883b5e3e0c3a09ae96de846c
SHA512809baf2fbb989144ba047ed3b02534a77bbcd4fc8dc09d614df7fe980811ae7eef2eaf60c6a0be9b09c3512a55be1a286904a26607eb330c8caf28a5ecf4d148
-
C:\Users\Admin\AppData\Local\Temp\dfgasdme.exeMD5
bead6aca8d274c82140361874ca95b59
SHA133d6cade432ebc63043170e1a8b049f51b093e59
SHA2565820149ad3c898bdc7b9cf0ff98648f32192c9c5da5914aa1ae1cbe8a915c388
SHA512293c616ca82744b34bd2ee389314de7b0fd05cc2e7d02aac08da7c11c1c201f9c026bcc66ee51d5bd0f9ee6d20660a50a9db19ca217479366ceb68d7d159eda8
-
C:\Users\Admin\AppData\Local\Temp\dfgasdme.exeMD5
bead6aca8d274c82140361874ca95b59
SHA133d6cade432ebc63043170e1a8b049f51b093e59
SHA2565820149ad3c898bdc7b9cf0ff98648f32192c9c5da5914aa1ae1cbe8a915c388
SHA512293c616ca82744b34bd2ee389314de7b0fd05cc2e7d02aac08da7c11c1c201f9c026bcc66ee51d5bd0f9ee6d20660a50a9db19ca217479366ceb68d7d159eda8
-
C:\Users\Admin\AppData\Local\Temp\dfgasdme.exeMD5
bead6aca8d274c82140361874ca95b59
SHA133d6cade432ebc63043170e1a8b049f51b093e59
SHA2565820149ad3c898bdc7b9cf0ff98648f32192c9c5da5914aa1ae1cbe8a915c388
SHA512293c616ca82744b34bd2ee389314de7b0fd05cc2e7d02aac08da7c11c1c201f9c026bcc66ee51d5bd0f9ee6d20660a50a9db19ca217479366ceb68d7d159eda8
-
C:\Users\Admin\AppData\Local\Temp\pm.exeMD5
27e6d5f08acbcc787e860da1229929c6
SHA1426120de8b17120c60013734e6553c1dd50129c2
SHA25605bd6e05fa5cba8cf94a0cfd567351cd15e2d873e9e6ae3a951175e21deddaf4
SHA51256e93ffcef18302e24035d3b10a4fe0d6feaf73614616f910245da2937cdcb23fd0dd4e31278b94ca3db7581c8af3ef3722e6b566f74ca0d41e4f98b4e7e1326
-
C:\Users\Admin\AppData\Local\Temp\pm.exeMD5
27e6d5f08acbcc787e860da1229929c6
SHA1426120de8b17120c60013734e6553c1dd50129c2
SHA25605bd6e05fa5cba8cf94a0cfd567351cd15e2d873e9e6ae3a951175e21deddaf4
SHA51256e93ffcef18302e24035d3b10a4fe0d6feaf73614616f910245da2937cdcb23fd0dd4e31278b94ca3db7581c8af3ef3722e6b566f74ca0d41e4f98b4e7e1326
-
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exeMD5
0c6a0c6c6ae6ca92b8dbbf7802c13381
SHA1fe6a5b7eaa8076a6304a23444456ccb4e8662ff7
SHA25692cee18d0c9e246f28b38a8d35442d44f8cc8eab883b5e3e0c3a09ae96de846c
SHA512809baf2fbb989144ba047ed3b02534a77bbcd4fc8dc09d614df7fe980811ae7eef2eaf60c6a0be9b09c3512a55be1a286904a26607eb330c8caf28a5ecf4d148
-
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exeMD5
0c6a0c6c6ae6ca92b8dbbf7802c13381
SHA1fe6a5b7eaa8076a6304a23444456ccb4e8662ff7
SHA25692cee18d0c9e246f28b38a8d35442d44f8cc8eab883b5e3e0c3a09ae96de846c
SHA512809baf2fbb989144ba047ed3b02534a77bbcd4fc8dc09d614df7fe980811ae7eef2eaf60c6a0be9b09c3512a55be1a286904a26607eb330c8caf28a5ecf4d148
-
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exeMD5
0c6a0c6c6ae6ca92b8dbbf7802c13381
SHA1fe6a5b7eaa8076a6304a23444456ccb4e8662ff7
SHA25692cee18d0c9e246f28b38a8d35442d44f8cc8eab883b5e3e0c3a09ae96de846c
SHA512809baf2fbb989144ba047ed3b02534a77bbcd4fc8dc09d614df7fe980811ae7eef2eaf60c6a0be9b09c3512a55be1a286904a26607eb330c8caf28a5ecf4d148
-
memory/116-139-0x00000000005B0000-0x00000000005B7000-memory.dmpFilesize
28KB
-
memory/116-138-0x00000000005A0000-0x00000000005A1000-memory.dmpFilesize
4KB
-
memory/116-137-0x0000000077BE2000-0x0000000077BE3000-memory.dmpFilesize
4KB
-
memory/1288-182-0x000001F1B13A0000-0x000001F1B13B0000-memory.dmpFilesize
64KB
-
memory/1288-181-0x000001F1B1340000-0x000001F1B1350000-memory.dmpFilesize
64KB
-
memory/1288-183-0x000001F1B40C0000-0x000001F1B40C4000-memory.dmpFilesize
16KB
-
memory/1352-173-0x0000000000400000-0x0000000000497000-memory.dmpFilesize
604KB
-
memory/1352-177-0x0000000001F60000-0x0000000001F61000-memory.dmpFilesize
4KB
-
memory/1352-174-0x0000000077BE2000-0x0000000077BE3000-memory.dmpFilesize
4KB
-
memory/1620-176-0x0000000000480000-0x0000000000481000-memory.dmpFilesize
4KB
-
memory/1620-172-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/1620-175-0x0000000077BE2000-0x0000000077BE3000-memory.dmpFilesize
4KB
-
memory/1772-164-0x00000000006E0000-0x00000000006E1000-memory.dmpFilesize
4KB
-
memory/1772-169-0x00000000006F0000-0x00000000006F6000-memory.dmpFilesize
24KB
-
memory/1932-237-0x0000000002400000-0x000000000241B000-memory.dmpFilesize
108KB
-
memory/1932-238-0x00000000006A0000-0x00000000006A1000-memory.dmpFilesize
4KB
-
memory/2136-136-0x0000000000960000-0x0000000000961000-memory.dmpFilesize
4KB
-
memory/3144-165-0x00000000005C0000-0x00000000005C1000-memory.dmpFilesize
4KB
-
memory/3192-143-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/3192-145-0x0000000002020000-0x0000000002021000-memory.dmpFilesize
4KB
-
memory/3192-144-0x0000000077BE2000-0x0000000077BE3000-memory.dmpFilesize
4KB
-
memory/3588-201-0x0000000002F00000-0x0000000002F1B000-memory.dmpFilesize
108KB
-
memory/3588-198-0x00000000023C0000-0x00000000023C1000-memory.dmpFilesize
4KB
-
memory/3736-166-0x0000000000670000-0x0000000000671000-memory.dmpFilesize
4KB
-
memory/3848-179-0x0000000077BE2000-0x0000000077BE3000-memory.dmpFilesize
4KB
-
memory/3848-170-0x0000000001F00000-0x0000000001F01000-memory.dmpFilesize
4KB
-
memory/3848-178-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/3864-202-0x0000029BD5300000-0x0000029BD5322000-memory.dmpFilesize
136KB
-
memory/3876-197-0x00007FFC06183000-0x00007FFC06185000-memory.dmpFilesize
8KB
-
memory/3876-196-0x0000000000B10000-0x0000000000C5A000-memory.dmpFilesize
1.3MB
-
memory/3876-199-0x0000000002C20000-0x0000000002C22000-memory.dmpFilesize
8KB
-
memory/4088-163-0x0000000000680000-0x0000000000681000-memory.dmpFilesize
4KB
-
memory/4088-162-0x0000000077BE2000-0x0000000077BE3000-memory.dmpFilesize
4KB
-
memory/4236-231-0x000002C570118000-0x000002C570119000-memory.dmpFilesize
4KB
-
memory/4236-227-0x000002C56F113000-0x000002C56F115000-memory.dmpFilesize
8KB
-
memory/4236-228-0x000002C570110000-0x000002C570112000-memory.dmpFilesize
8KB
-
memory/4236-230-0x000002C570116000-0x000002C570118000-memory.dmpFilesize
8KB
-
memory/4236-229-0x000002C570113000-0x000002C570115000-memory.dmpFilesize
8KB
-
memory/4256-205-0x00000229408B3000-0x00000229408B5000-memory.dmpFilesize
8KB
-
memory/4256-206-0x0000022959670000-0x0000022959672000-memory.dmpFilesize
8KB
-
memory/4256-207-0x0000022959673000-0x0000022959675000-memory.dmpFilesize
8KB
-
memory/4256-208-0x0000022959676000-0x0000022959678000-memory.dmpFilesize
8KB
-
memory/4420-232-0x00007FFC06183000-0x00007FFC06185000-memory.dmpFilesize
8KB
-
memory/4420-233-0x000001EA60C40000-0x000001EA60C42000-memory.dmpFilesize
8KB
-
memory/4420-224-0x0000000140000000-0x000000014006E000-memory.dmpFilesize
440KB
-
memory/4420-249-0x000001EA60C42000-0x000001EA60C44000-memory.dmpFilesize
8KB
-
memory/4796-209-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/4796-211-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/4912-213-0x000001FCD26C3000-0x000001FCD26C5000-memory.dmpFilesize
8KB
-
memory/4912-216-0x000001FCD2246000-0x000001FCD2248000-memory.dmpFilesize
8KB
-
memory/4912-215-0x000001FCD2243000-0x000001FCD2245000-memory.dmpFilesize
8KB
-
memory/4912-214-0x000001FCD2240000-0x000001FCD2242000-memory.dmpFilesize
8KB
-
memory/5064-218-0x000001A310C63000-0x000001A310C65000-memory.dmpFilesize
8KB
-
memory/5064-219-0x000001A329A50000-0x000001A329A52000-memory.dmpFilesize
8KB
-
memory/5064-220-0x000001A329A53000-0x000001A329A55000-memory.dmpFilesize
8KB
-
memory/5064-221-0x000001A329A56000-0x000001A329A58000-memory.dmpFilesize
8KB