a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962

Analysis

max time kernel
144s
max time network
197s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
18/10/2022, 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe
Size

3.8MB
MD5

0cc0034904eca2f881b61885c5715415
SHA1

8934a9e2e87a15c472549466650301126f4dcae1
SHA256

a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962
SHA512

09a76f05819d5d5d891f77f9730e33e592301e01f46cb6cf6097a9a0357de91b83e920c2a2b7fa7c5ed7467ff740743b4cb29af43b339d518fa9475e661258d4
SSDEEP

98304:V1CGfmFxqzj9P9B4bM3cwQQKk7D65Pq9zKfD6UqE5/u/aZhmOGXltvEcni:NfPlPUI3cRkH65izkuyGVtMKi

Score

8^/10

discovery persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
4988	vdfyl2hg.c3u.exe
2316	EsgInstallerDelay__0.exe
508	EsgInstallerDelay__1.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}\InprocServer32\ = "C:\\Program Files\\EnigmaSoft\\SpyHunter\\ShShellExt.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Loads dropped DLL 8 IoCs

pid	Process
3828	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe
3828	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe
3828	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe
3828	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe
3828	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe
3828	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe
3828	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe
216	regsvr32.exe

Checks for any installed AV software in registry 1 TTPs 9 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe
Key opened	\REGISTRY\MACHINE\Software\Avast Software\Avast	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\Version	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\Version	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 42 IoCs

description	ioc	Process
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Norwegian.lng	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Portuguese (Portugal).lng	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Serbian.lng	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Ukrainian.lng	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Native.exe	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Chinese (Simplified).lng	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Greek.lng	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Spanish.lng	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Czech.lng	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Dutch.lng	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Hungarian.lng	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Indonesian.lng	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Defs\full.def	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\purl.dat	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Croatian.lng	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Danish.lng	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Portuguese (Brazil).lng	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Japanese.lng	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Turkish.lng	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\data\acpwl.dat	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\ShShellExt.dll	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Chinese (Traditional).lng	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Finnish.lng	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Lithuanian.lng	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\data\acpdata.dat	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\license.txt	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Albanian.lng	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\French.lng	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Swedish.lng	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Romanian.lng	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Slovene.lng	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Defs\Rh\full.dat	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\English.lng	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\German.lng	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Korean.lng	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Russian.lng	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Bulgarian.lng	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Italian.lng	vdfyl2hg.c3u.exe
File created	C:\Program Files\EnigmaSoft\SpyHunter\Languages\Polish.lng	vdfyl2hg.c3u.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3164	sc.exe
4812	sc.exe
740	sc.exe
1432	sc.exe
4592	sc.exe
428	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0\0\win64	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}\ = "SHContextMenuExt Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0\ = "SH ShellExt Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0\HELPDIR\ = "C:\\Program Files\\EnigmaSoft\\SpyHunter"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}\ = "SH5 Shell Extension"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0\0\win64\ = "C:\\Program Files\\EnigmaSoft\\SpyHunter\\ShShellExt.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}\InprocServer32\ = "C:\\Program Files\\EnigmaSoft\\SpyHunter\\ShShellExt.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D71FC887-4726-44C5-AAE3-A27DE8B8322F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{026941B7-ABD1-4F16-ADB7-E811B8BAC354}	regsvr32.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d42000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd942000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
3828	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe
3828	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe
3828	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe
3828	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe
3828	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe
3828	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe
3828	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe
3828	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe
3828	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe
3828	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe
3828	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe
4988	vdfyl2hg.c3u.exe
4988	vdfyl2hg.c3u.exe
4988	vdfyl2hg.c3u.exe
4988	vdfyl2hg.c3u.exe
4988	vdfyl2hg.c3u.exe
4988	vdfyl2hg.c3u.exe
4988	vdfyl2hg.c3u.exe
4988	vdfyl2hg.c3u.exe
4988	vdfyl2hg.c3u.exe
4988	vdfyl2hg.c3u.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3828	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe
Token: SeShutdownPrivilege	4988	vdfyl2hg.c3u.exe
Token: SeBackupPrivilege	4988	vdfyl2hg.c3u.exe
Token: SeRestorePrivilege	4988	vdfyl2hg.c3u.exe
Token: SeDebugPrivilege	4988	vdfyl2hg.c3u.exe
Token: SeTakeOwnershipPrivilege	4988	vdfyl2hg.c3u.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3828	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3828 wrote to memory of 4988	3828	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe	67
PID 3828 wrote to memory of 4988	3828	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe	67
PID 3828 wrote to memory of 4988	3828	a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe	67
PID 4988 wrote to memory of 3164	4988	vdfyl2hg.c3u.exe	68
PID 4988 wrote to memory of 3164	4988	vdfyl2hg.c3u.exe	68
PID 4988 wrote to memory of 4812	4988	vdfyl2hg.c3u.exe	70
PID 4988 wrote to memory of 4812	4988	vdfyl2hg.c3u.exe	70
PID 4988 wrote to memory of 740	4988	vdfyl2hg.c3u.exe	73
PID 4988 wrote to memory of 740	4988	vdfyl2hg.c3u.exe	73
PID 4988 wrote to memory of 1432	4988	vdfyl2hg.c3u.exe	75
PID 4988 wrote to memory of 1432	4988	vdfyl2hg.c3u.exe	75
PID 4988 wrote to memory of 4592	4988	vdfyl2hg.c3u.exe	77
PID 4988 wrote to memory of 4592	4988	vdfyl2hg.c3u.exe	77
PID 4988 wrote to memory of 428	4988	vdfyl2hg.c3u.exe	79
PID 4988 wrote to memory of 428	4988	vdfyl2hg.c3u.exe	79
PID 4988 wrote to memory of 216	4988	vdfyl2hg.c3u.exe	81
PID 4988 wrote to memory of 216	4988	vdfyl2hg.c3u.exe	81
PID 4988 wrote to memory of 2316	4988	vdfyl2hg.c3u.exe	82
PID 4988 wrote to memory of 2316	4988	vdfyl2hg.c3u.exe	82
PID 4988 wrote to memory of 508	4988	vdfyl2hg.c3u.exe	84
PID 4988 wrote to memory of 508	4988	vdfyl2hg.c3u.exe	84

C:\Users\Admin\AppData\Local\Temp\a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe
"C:\Users\Admin\AppData\Local\Temp\a40c09f512bb32a22f20793acb26145c8c23f35feb1dd469028c716297b44962.exe"
1⤵
- Loads dropped DLL
- Checks for any installed AV software in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3828
- C:\Users\Admin\AppData\Local\Temp\vdfyl2hg.c3u.exe
  "C:\Users\Admin\AppData\Local\Temp\vdfyl2hg.c3u.exe" -i * -accept -silent -p pubid EF -p templateid 60db44bc4852f33a3e67f8c3 -p source lvsppi
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Windows\System32\sc.exe
    C:\Windows\System32\sc.exe create EsgShKernel start= demand binPath= "\"C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe\"" DisplayName= "SpyHunter 5 Kernel"
    3⤵
    - Launches sc.exe
    PID:3164
- - C:\Windows\System32\sc.exe
    C:\Windows\System32\sc.exe description EsgShKernel "SpyHunter 5 Kernel"
    3⤵
    - Launches sc.exe
    PID:4812
- - C:\Windows\System32\sc.exe
    C:\Windows\System32\sc.exe create ShMonitor start= demand binPath= "\"C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe\"" DisplayName= "SpyHunter 5 Kernel Monitor"
    3⤵
    - Launches sc.exe
    PID:740
- - C:\Windows\System32\sc.exe
    C:\Windows\System32\sc.exe description ShMonitor "SpyHunter 5 Kernel Monitor"
    3⤵
    - Launches sc.exe
    PID:1432
- - C:\Windows\System32\sc.exe
    C:\Windows\System32\sc.exe config ShMonitor start= auto
    3⤵
    - Launches sc.exe
    PID:4592
- - C:\Windows\System32\sc.exe
    C:\Windows\System32\sc.exe config EsgShKernel start= auto
    3⤵
    - Launches sc.exe
    PID:428
- - C:\Windows\System32\regsvr32.exe
    C:\Windows\System32\regsvr32.exe /s "C:\Program Files\EnigmaSoft\SpyHunter\ShShellExt.dll"
    3⤵
    - Registers COM server for autorun
    - Loads dropped DLL
    - Modifies registry class
    PID:216
- - C:\Users\Admin\AppData\Local\Temp\EsgInstallerDelay__0.exe
    C:\Users\Admin\AppData\Local\Temp\EsgInstallerDelay__0.exe -exec OpfXySN2sIJfRn7kaByo3fAgnhU5bFC+1YK5gktB214= -args MHLPvv2eVF5BDDAj57kaKhLlRzVl3TCPBu81sCtfDvA= -wait 300
    3⤵
    - Executes dropped EXE
    PID:2316
- - C:\Users\Admin\AppData\Local\Temp\EsgInstallerDelay__1.exe
    C:\Users\Admin\AppData\Local\Temp\EsgInstallerDelay__1.exe -exec OpfXySN2sIJfRn7kaByo3fAgnhU5bFC+1YK5gktB214= -args hOGTiE/QHFPjrWqL1njGygtJtFEVLgswO/2BlkHQX4U= -wait 300
    3⤵
    - Executes dropped EXE
    PID:508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Security Software Discovery

T1063

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\EnigmaSoft\SpyHunter\ShShellExt.dll

Filesize
836KB

MD5
063e0478e4b486727b461901126c15da

SHA1
e552135017a177ace07dc5543713ac6aa1b01ac1

SHA256
1c8cbc1f0b127ff218f2bde1f1d21991c384f6be4524cd926f1b7061150929b6

SHA512
1786efc1dca4c7c7307ffa9d70847606a1d5561fd7514cef8fe2c8851e3a8bf2ee4a71e9193514fe15708e55a63ce2781406d62fbe760bd2f8ebd90a143a397a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsgInstallerDelay__0.exe

Filesize
360KB

MD5
edce372de488aa221da7db7544c09b3e

SHA1
e684be09c22e93b12af9f78508e5422b83cbe0fc

SHA256
dbc0b0afeae1e33f3f8fa2384bbbfd2f787aca1c75bf2e5372812b3da33a7efe

SHA512
89a21c8c4d4963b02e36cd887b071b866cebafc1f8e04aab6cf043746aadb37799644e41fa3b1ddb1e297593b0035693e151b9b5ecf95041e0796bf47174e6b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsgInstallerDelay__1.exe

Filesize
360KB

MD5
edce372de488aa221da7db7544c09b3e

SHA1
e684be09c22e93b12af9f78508e5422b83cbe0fc

SHA256
dbc0b0afeae1e33f3f8fa2384bbbfd2f787aca1c75bf2e5372812b3da33a7efe

SHA512
89a21c8c4d4963b02e36cd887b071b866cebafc1f8e04aab6cf043746aadb37799644e41fa3b1ddb1e297593b0035693e151b9b5ecf95041e0796bf47174e6b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vdfyl2hg.c3u.exe

Filesize
6.5MB

MD5
e6641ee42850560ca64b0d25627e7a4e

SHA1
ee69ae31882d73a8ce45bdc4126c3444a67b67ae

SHA256
6032a910115f270683c9aa0044b12dcad498409a9d1e71d3aa8c05c6fd4e7670

SHA512
8acab949a20f5cfd17e3d897dfcb31ed0f2954ea7cb0f0978066f9a56e5903b39d50200f8d3e2dabad25b495d0ed941c98fc2e14177bda655dd89c9460047f33

Download Submit
C:\Users\Admin\AppData\Local\Temp\vdfyl2hg.c3u.exe

Filesize
6.5MB

MD5
e6641ee42850560ca64b0d25627e7a4e

SHA1
ee69ae31882d73a8ce45bdc4126c3444a67b67ae

SHA256
6032a910115f270683c9aa0044b12dcad498409a9d1e71d3aa8c05c6fd4e7670

SHA512
8acab949a20f5cfd17e3d897dfcb31ed0f2954ea7cb0f0978066f9a56e5903b39d50200f8d3e2dabad25b495d0ed941c98fc2e14177bda655dd89c9460047f33

Download Submit
\Program Files\EnigmaSoft\SpyHunter\ShShellExt.dll

Filesize
836KB

MD5
063e0478e4b486727b461901126c15da

SHA1
e552135017a177ace07dc5543713ac6aa1b01ac1

SHA256
1c8cbc1f0b127ff218f2bde1f1d21991c384f6be4524cd926f1b7061150929b6

SHA512
1786efc1dca4c7c7307ffa9d70847606a1d5561fd7514cef8fe2c8851e3a8bf2ee4a71e9193514fe15708e55a63ce2781406d62fbe760bd2f8ebd90a143a397a

Download Submit
\Users\Admin\AppData\Local\Temp\b0798393d0554967284c5503d2e1a4da\ServiceHide.Net.dll

Filesize
102KB

MD5
657db9c5ee9729f548008dc840bda659

SHA1
847b319acb03f37fca5753aaa3f36eeba168561a

SHA256
0d45a75a4571e380fe51bc8ceba4c99a23339c8e39f15487eeaf6f0a25d4ace2

SHA512
7c49e05c718f253be689a18e57c93dd66415531f6cde0194f20762aaa7ac4533ee5461c924b2bd576fd3f3f3cd1025fad4efb64e7ab014b751f50c8d05ba369b

Download Submit
\Users\Admin\AppData\Local\Temp\b0798393d0554967284c5503d2e1a4da\ServiceHide.Net.dll

Filesize
102KB

MD5
657db9c5ee9729f548008dc840bda659

SHA1
847b319acb03f37fca5753aaa3f36eeba168561a

SHA256
0d45a75a4571e380fe51bc8ceba4c99a23339c8e39f15487eeaf6f0a25d4ace2

SHA512
7c49e05c718f253be689a18e57c93dd66415531f6cde0194f20762aaa7ac4533ee5461c924b2bd576fd3f3f3cd1025fad4efb64e7ab014b751f50c8d05ba369b

Download Submit
\Users\Admin\AppData\Local\Temp\b0798393d0554967284c5503d2e1a4da\ServiceHide.Net.dll

Filesize
102KB

MD5
657db9c5ee9729f548008dc840bda659

SHA1
847b319acb03f37fca5753aaa3f36eeba168561a

SHA256
0d45a75a4571e380fe51bc8ceba4c99a23339c8e39f15487eeaf6f0a25d4ace2

SHA512
7c49e05c718f253be689a18e57c93dd66415531f6cde0194f20762aaa7ac4533ee5461c924b2bd576fd3f3f3cd1025fad4efb64e7ab014b751f50c8d05ba369b

Download Submit
\Users\Admin\AppData\Local\Temp\b0798393d0554967284c5503d2e1a4da\ServiceHide.dll

Filesize
150KB

MD5
09abd0294a86d5871ad9fc60ce3eedc9

SHA1
353aaaa71980d97d9cc2cc19b557fce3dd9ab1ee

SHA256
448126e9edf267f6b42b6e7b318c9c1622422ec1625688add58472717a392d14

SHA512
97828ad9d67229d2454ec69589dda2a2e11e6754587859c47ec197f279f8e6dda4c436fff8d2e0c8f71dd0266ff6db5e459699db38923a7d2ea1fb136ac4141d

Download Submit
\Users\Admin\AppData\Local\Temp\b0798393d0554967284c5503d2e1a4da\msvcp140.dll

Filesize
426KB

MD5
8ff1898897f3f4391803c7253366a87b

SHA1
9bdbeed8f75a892b6b630ef9e634667f4c620fa0

SHA256
51398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad

SHA512
cb071ad55beaa541b5baf1f7d5e145f2c26fbee53e535e8c31b8f2b8df4bf7723f7bef214b670b2c3de57a4a75711dd204a940a2158939ad72f551e32da7ab03

Download Submit
\Users\Admin\AppData\Local\Temp\b0798393d0554967284c5503d2e1a4da\sciter32.dll

Filesize
5.6MB

MD5
b431083586e39d018e19880ad1a5ce8f

SHA1
3bbf957ab534d845d485a8698accc0a40b63cedd

SHA256
b525fdcc32c5a359a7f5738a30eff0c6390734d8a2c987c62e14c619f99d406b

SHA512
7805a3464fcc3ac4ea1258e2412180c52f2af40a79b540348486c830a20c2bbed337bbf5f4a8926b3ef98c63c87747014f5b43c35f7ec4e7a3693b9dbd0ae67b

Download Submit
\Users\Admin\AppData\Local\Temp\b0798393d0554967284c5503d2e1a4da\vcruntime140.dll

Filesize
74KB

MD5
1a84957b6e681fca057160cd04e26b27

SHA1
8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe

SHA256
9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5

SHA512
5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

Download Submit
memory/3828-141-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-177-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-138-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-139-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-140-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-116-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-142-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-143-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-144-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-145-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-146-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-147-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-148-0x0000000000480000-0x0000000000852000-memory.dmp

Filesize
3.8MB

Download
memory/3828-149-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-150-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-151-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-152-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-153-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-154-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-155-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-156-0x00000000052C0000-0x00000000056E6000-memory.dmp

Filesize
4.1MB

Download
memory/3828-136-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-158-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-160-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-163-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-162-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-161-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-159-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-164-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-165-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-166-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-167-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-169-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-168-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-170-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-171-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-172-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-173-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-174-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-137-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-175-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-176-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-179-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-135-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-181-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-184-0x0000000001210000-0x0000000001238000-memory.dmp

Filesize
160KB

Download
memory/3828-185-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-186-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-132-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-183-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-134-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-188-0x0000000005240000-0x000000000526C000-memory.dmp

Filesize
176KB

Download
memory/3828-192-0x0000000005270000-0x000000000528D000-memory.dmp

Filesize
116KB

Download
memory/3828-133-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-131-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-130-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-199-0x00000000073A0000-0x00000000073B2000-memory.dmp

Filesize
72KB

Download
memory/3828-223-0x0000000007BF0000-0x0000000007C7C000-memory.dmp

Filesize
560KB

Download
memory/3828-224-0x0000000007CE0000-0x0000000007D02000-memory.dmp

Filesize
136KB

Download
memory/3828-226-0x0000000007D10000-0x0000000008060000-memory.dmp

Filesize
3.3MB

Download
memory/3828-228-0x0000000005D10000-0x000000000620E000-memory.dmp

Filesize
5.0MB

Download
memory/3828-238-0x0000000005A80000-0x0000000005B12000-memory.dmp

Filesize
584KB

Download
memory/3828-245-0x0000000005CE0000-0x0000000005D0E000-memory.dmp

Filesize
184KB

Download
memory/3828-261-0x0000000006400000-0x000000000640A000-memory.dmp

Filesize
40KB

Download
memory/3828-117-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-129-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-128-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-127-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-118-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-126-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-125-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-119-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-124-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-123-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-122-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-121-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download
memory/3828-120-0x0000000077440000-0x00000000775CE000-memory.dmp

Filesize
1.6MB

Download