Analysis

  • max time kernel
    164s
  • max time network
    169s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    10-03-2022 20:17

General

  • Target

    4b8b148df99767e18dd0d91993d3ff7734ab34d6b2a904a2c00674378dc41d80.exe

  • Size

    3.2MB

  • MD5

    53a52311d4939fb6a79cfe209b2d4ab5

  • SHA1

    157351eadbe2c7b82de96549eec3816182d7922c

  • SHA256

    4b8b148df99767e18dd0d91993d3ff7734ab34d6b2a904a2c00674378dc41d80

  • SHA512

    d14b9f7f12d91c98a9492f1d050c052064fecb1cddc9c4fdc65d3c1b119669b82c9bbeeb9974e29e1e1cb309ed401f5de34f40fe15dd18a7c7f3c305913cfb63

Malware Config

Extracted

Family

socelars

C2

http://www.fddnice.pw/

http://www.sokoinfo.pw/

http://www.zzhlike.pw/

http://www.wygexde.xyz/

Extracted

Family

smokeloader

Version

2020

C2

http://perseus007.xyz/upload/

http://lambos1.xyz/upload/

http://cipluks.com/upload/

http://ragnar77.com/upload/

http://aslauk.com/upload/

http://qunersoo.xyz/upload /

http://hostunes.info/upload/

http://leonisdas.xyz/upload/

rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 2 IoCs
  • suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

  • Executes dropped EXE 10 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks for any installed AV software in registry 1 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 8 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies data under HKEY_USERS 12 IoCs
  • Modifies registry class 11 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p
    1⤵
      PID:1940
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -p
      1⤵
      • Checks for any installed AV software in registry
      • Enumerates connected drives
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:444
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SystemNetworkService
        2⤵
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        PID:2700
    • C:\Users\Admin\AppData\Local\Temp\4b8b148df99767e18dd0d91993d3ff7734ab34d6b2a904a2c00674378dc41d80.exe
      "C:\Users\Admin\AppData\Local\Temp\4b8b148df99767e18dd0d91993d3ff7734ab34d6b2a904a2c00674378dc41d80.exe"
      1⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3940
      • C:\Users\Admin\AppData\Local\Temp\agdsk.exe
        "C:\Users\Admin\AppData\Local\Temp\agdsk.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3092
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c taskkill /f /im chrome.exe
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1900
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im chrome.exe
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2584
      • C:\Users\Admin\AppData\Local\Temp\jg4_4jaa.exe
        "C:\Users\Admin\AppData\Local\Temp\jg4_4jaa.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3712
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 1192
          3⤵
          • Program crash
          PID:2844
      • C:\Users\Admin\AppData\Local\Temp\wf-game.exe
        "C:\Users\Admin\AppData\Local\Temp\wf-game.exe"
        2⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Drops file in Program Files directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3208
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\System32\rundll32.exe" "C:\Program Files\patch.dll",patch
          3⤵
          • Loads dropped DLL
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:640
      • C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
        "C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2796
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij7
        2⤵
        • Enumerates system info in registry
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2692
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb376746f8,0x7ffb37674708,0x7ffb37674718
          3⤵
            PID:1588
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,13882962809248295692,6933210096945020792,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
            3⤵
              PID:1476
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,13882962809248295692,6933210096945020792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2484 /prefetch:3
              3⤵
                PID:1704
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,13882962809248295692,6933210096945020792,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3132 /prefetch:8
                3⤵
                  PID:820
              • C:\Users\Admin\AppData\Local\Temp\ujqb.exe
                "C:\Users\Admin\AppData\Local\Temp\ujqb.exe"
                2⤵
                • Executes dropped EXE
                • Checks computer location settings
                • Suspicious use of WriteProcessMemory
                PID:3616
                • C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
                  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"
                  3⤵
                  • Executes dropped EXE
                  PID:1924
              • C:\Users\Admin\AppData\Local\Temp\pub2.exe
                "C:\Users\Admin\AppData\Local\Temp\pub2.exe"
                2⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Checks SCSI registry key(s)
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                PID:3144
              • C:\Users\Admin\AppData\Local\Temp\pzyh.exe
                "C:\Users\Admin\AppData\Local\Temp\pzyh.exe"
                2⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious use of WriteProcessMemory
                PID:2276
                • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                  3⤵
                  • Executes dropped EXE
                  PID:1844
                • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                  3⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3920
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
      PID:3920
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3712 -ip 3712
    1⤵
      PID:1324

Network

MITRE ATT&CK Matrix ATT&CK v6

  Tactic               Technique                            ID      Count
  Persistence          Registry Run Keys / Startup Folder   T1060   1
  Defense Evasion      Modify Registry                      T1112   1
  Credential Access    Credentials in Files                 T1081   1
  Discovery            Query Registry                       T1012   5
  Discovery            System Information Discovery         T1082   6
  Discovery            Security Software Discovery          T1063   1
  Discovery            Peripheral Device Discovery          T1120   2
  Collection           Data from Local System               T1005   1
  Command and Control  Web Service                          T1102   1

Downloads

                • C:\Program Files\patch.dat
                  MD5

                  e0951976d9544f909a27f759bb3b7f85

                  SHA1

                  f85ab0b98b6b46d2c52a61ae57e6cc381049cd4a

                  SHA256

                  bb0c68cfd8555c4526f36a4a1aabff3ab9565cc1ca8535de1f99f6dcf60c6652

                  SHA512

                  023e61bd1ffab2e909e585a84f2c63fb4748ca118264ec6aac2335df1d286d84f2a97cc983a491af5834b07102951563d29613d2ecc71df1ca43c0e7554d9992

                • C:\Program Files\patch.dll
                  MD5

                  75ca86f2b605a5924edeb57b180620e7

                  SHA1

                  df2fda930efd40c2ae7c59533e5097bd631c3b47

                  SHA256

                  00cb52b80d015d1b692158ce9ca867b99b1ac82d9538090a09881b9edaa0c417

                  SHA512

                  d68b04f03d719506c418daa65d601d55a9319b84d5c53d16430a484a24f78d1237d14168fbc5c94221bf18ed40302cff7a2f02b05f7a0c3b95e870356d2cd63c

                • C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
                  MD5

                  4f3387277ccbd6d1f21ac5c07fe4ca68

                  SHA1

                  e16506f662dc92023bf82def1d621497c8ab5890

                  SHA256

                  767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

                  SHA512

                  9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

                • C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
                  MD5

                  9a775c1b77e6f57f169bee906747f9d7

                  SHA1

                  8343038dab797653c0348710dc4c987653f1a5dd

                  SHA256

                  4382a0dc6a9998261aae2eaff81b655b2be27a4c1e418c366477b64b6130deea

                  SHA512

                  f83d91c403bf79ff65e5a514f55eb23c60c3b47776bf7411c5e4d0b5ed4aaf2699cadeadc0cf445a9f149920059b1d2c90f2d77e0edd7d13ea55d182f8c1962e

                • C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
                  MD5

                  954b39f45379c530b7f659d697c29ac7

                  SHA1

                  9fa7dcb754041cc878f6ca3a71581a04e3b23427

                  SHA256

                  301a510700f2ebccd25fc5cc6c579ead2196b957ed81aa3eda29c7bc40887c26

                  SHA512

                  aecda633e082d00a5d9989aad8e20e300372efdcdbe4f48991b7fb7f70079d7465f420c278167edf25656966c44ac03ab72c3f1aaa18962771bee63364e7a6d8

                • C:\Users\Admin\AppData\Local\Temp\agdsk.exe
                  MD5

                  618c39d0b0b20b2b5449ab2eae8e00a2

                  SHA1

                  8cb2c1556062e3352b24e7c05f32c65138cb71ac

                  SHA256

                  e8ba721c624ea94595a594790089702d36e024966bf2110bdf374ee2a292e375

                  SHA512

                  197a6e6e591d665f2b32ff7e4dd2fea5a1fa81f873d9295ed45617869a4802c24d2eb8c213f30a05b8739c609435493f7d672c5ba8362e009086294b1067555d

                • C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                  MD5

                  94391d38abcfb81a8315857a70bc920c

                  SHA1

                  6dd19b70a306ff09c2fcb75a49259bab1dcb4e11

                  SHA256

                  f6e3e6ae2a161baa8ecbeb47a916203455e9f00d449301b7f101c36891b12975

                  SHA512

                  0869be209f3e8a6d71d54d45a9ecd4c86be1290508810c09e52f96affdda626c2be1dca54704c281ecb3413aa225311cca85daefd1ede46b5279375aa386db75

                • C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                  MD5

                  b7161c0845a64ff6d7345b67ff97f3b0

                  SHA1

                  d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

                  SHA256

                  fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

                  SHA512

                  98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

                • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                  MD5

                  a6279ec92ff948760ce53bba817d6a77

                  SHA1

                  5345505e12f9e4c6d569a226d50e71b5a572dce2

                  SHA256

                  8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

                  SHA512

                  213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

                • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                  MD5

                  7fee8223d6e4f82d6cd115a28f0b6d58

                  SHA1

                  1b89c25f25253df23426bd9ff6c9208f1202f58b

                  SHA256

                  a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

                  SHA512

                  3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

                • C:\Users\Admin\AppData\Local\Temp\jg4_4jaa.exe
                  MD5

                  338921a2482dbb47a0ac6ba265179316

                  SHA1

                  8ec2d631aa5a52b7aa1c4c62b788e8dd35e20f49

                  SHA256

                  90c97549326a337f150c97dc59b7cad89176773cd71851423c2f8ae80472f518

                  SHA512

                  42b5fc41392b14365250ee832cedd86be590128d9fdf459d1fc8727f818910c86439e63de1b492fd16d695bc915c4a74187191b6be2f59de7470d521984e8f77

                • C:\Users\Admin\AppData\Local\Temp\pub2.exe
                  MD5

                  ec371c1d7049994691dec1823780420b

                  SHA1

                  f0f73d2a875e2a9857bccf316dcafdabaf8a1770

                  SHA256

                  2e63d4629b16c51063dbf03c8c0cb53757001e8024578770d2432b0f26a8d76b

                  SHA512

                  de6671d88b59f8d887702b79b652ddaecc6051a8652878a7d843a5acca486a36173b72f26f987894367b9c8f08f4e6ad408663b4d48ae39356de0465c398731b

                • C:\Users\Admin\AppData\Local\Temp\pzyh.exe
                  MD5

                  8cbde3982249e20a6f564eb414f06fe4

                  SHA1

                  6d040b6c0f9d10b07f0b63797aa7bfabf0703925

                  SHA256

                  4a8a37d0010b2a946e9b202ea07d8b93a29a3ea9a56852678307076e10999c83

                  SHA512

                  d84863489b5fb2d17ee1df47de735a88d510bb8f5e378126243e34edb017d3ed82807c7dbd5cf6a977601f0e440be12e680679f1ce472619fd0ebbe9579c3e1b

                • C:\Users\Admin\AppData\Local\Temp\ujqb.exe
                  MD5

                  6b650672411aac9b2693f665f95f9662

                  SHA1

                  1eff879a2df660446fbffc70503f63e0849d1007

                  SHA256

                  2b61ab162c522f3872fdbd0bfde315319b0a018defdeb2fd671c13c09ad75f3e

                  SHA512

                  dedf377a019cb13dc6d915bacca68d9196cc81df23c45f0baae64293a26c40fa12bbed891437de5616d3de382d917d9c4ab623ac2ca0d16d70cc38fe4806e869

                • C:\Users\Admin\AppData\Local\Temp\wf-game.exe
                  MD5

                  5530c8bf2fddf2afc18b2defc14d3a74

                  SHA1

                  872b5a3d72b20f64fbe5e5ed1998ea749d0ef648

                  SHA256

                  6e052a1f2392408efc528e25591b417c14cb1ff6e96faa6ff26b61f61ebfca3c

                  SHA512

                  a388aa78aecb876d42823c2a06f10f873182eacd18c31ae52323014f635e13fab16b07b0752462ad02fd9cdbba47c269bbcf4dacb89be39f0352bc02ee09ae0b

                • \??\pipe\LOCAL\crashpad_2692_KTRYVCXPZHTKBZWY
                  MD5

                  d41d8cd98f00b204e9800998ecf8427e

                  SHA1

                  da39a3ee5e6b4b0d3255bfef95601890afd80709

                  SHA256

                  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                  SHA512

                  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                • memory/444-225-0x000001B844860000-0x000001B844864000-memory.dmp
                  Filesize

                  16KB

                • memory/444-227-0x000001B844860000-0x000001B844864000-memory.dmp
                  Filesize

                  16KB

                • memory/444-150-0x000001B8448A0000-0x000001B8448E4000-memory.dmp
                  Filesize

                  272KB

                • memory/444-212-0x000001B8449E0000-0x000001B8449E4000-memory.dmp
                  Filesize

                  16KB

                • memory/444-229-0x000001B844840000-0x000001B844844000-memory.dmp
                  Filesize

                  16KB

                • memory/444-226-0x000001B844840000-0x000001B844841000-memory.dmp
                  Filesize

                  4KB

                • memory/444-157-0x000001B844C00000-0x000001B844C67000-memory.dmp
                  Filesize

                  412KB

                • memory/444-228-0x000001B844840000-0x000001B844841000-memory.dmp
                  Filesize

                  4KB

                • memory/640-147-0x0000000004F40000-0x0000000004F96000-memory.dmp
                  Filesize

                  344KB

                • memory/640-146-0x0000000004EB0000-0x0000000004EEA000-memory.dmp
                  Filesize

                  232KB

                • memory/1476-208-0x00007FFB53E10000-0x00007FFB53E11000-memory.dmp
                  Filesize

                  4KB

                • memory/1924-224-0x00000000054D0000-0x0000000005A74000-memory.dmp
                  Filesize

                  5.6MB

                • memory/1924-222-0x0000000000420000-0x00000000004A0000-memory.dmp
                  Filesize

                  512KB

                • memory/1924-217-0x0000000070840000-0x0000000070FF0000-memory.dmp
                  Filesize

                  7.7MB

                • memory/1924-230-0x0000000004F20000-0x00000000054C4000-memory.dmp
                  Filesize

                  5.6MB

                • memory/1924-223-0x0000000004E80000-0x0000000004F12000-memory.dmp
                  Filesize

                  584KB

                • memory/1924-231-0x0000000005440000-0x000000000544A000-memory.dmp
                  Filesize

                  40KB

                • memory/1940-156-0x000001D803920000-0x000001D803987000-memory.dmp
                  Filesize

                  412KB

                • memory/1940-159-0x000001D803860000-0x000001D8038A4000-memory.dmp
                  Filesize

                  272KB

                • memory/2436-196-0x00000000006A0000-0x00000000006B6000-memory.dmp
                  Filesize

                  88KB

                • memory/2700-154-0x000001E420230000-0x000001E420274000-memory.dmp
                  Filesize

                  272KB

                • memory/2700-158-0x000001E420600000-0x000001E420667000-memory.dmp
                  Filesize

                  412KB

                • memory/2796-141-0x00007FFB35160000-0x00007FFB35C21000-memory.dmp
                  Filesize

                  10.8MB

                • memory/2796-140-0x0000000000750000-0x0000000000780000-memory.dmp
                  Filesize

                  192KB

                • memory/2796-142-0x000000001C8A0000-0x000000001C8A2000-memory.dmp
                  Filesize

                  8KB

                • memory/3144-171-0x0000000000A50000-0x0000000000A59000-memory.dmp
                  Filesize

                  36KB

                • memory/3144-176-0x0000000000400000-0x0000000000A16000-memory.dmp
                  Filesize

                  6.1MB

                • memory/3144-167-0x0000000000B0D000-0x0000000000B16000-memory.dmp
                  Filesize

                  36KB

                • memory/3144-169-0x0000000000B0D000-0x0000000000B16000-memory.dmp
                  Filesize

                  36KB

                • memory/3712-199-0x00000000041A0000-0x00000000041A8000-memory.dmp
                  Filesize

                  32KB

                • memory/3712-201-0x0000000004390000-0x0000000004398000-memory.dmp
                  Filesize

                  32KB

                • memory/3712-200-0x0000000004380000-0x0000000004388000-memory.dmp
                  Filesize

                  32KB

                • memory/3712-207-0x00000000041A0000-0x00000000041A8000-memory.dmp
                  Filesize

                  32KB

                • memory/3712-198-0x0000000004180000-0x0000000004188000-memory.dmp
                  Filesize

                  32KB

                • memory/3712-187-0x00000000036D0000-0x00000000036E0000-memory.dmp
                  Filesize

                  64KB

                • memory/3712-181-0x0000000003530000-0x0000000003540000-memory.dmp
                  Filesize

                  64KB

                • memory/3712-202-0x00000000043B0000-0x00000000043B8000-memory.dmp
                  Filesize

                  32KB

                • memory/3712-203-0x0000000004550000-0x0000000004558000-memory.dmp
                  Filesize

                  32KB

                • memory/3712-216-0x00000000041A0000-0x00000000041A8000-memory.dmp
                  Filesize

                  32KB