Analysis Overview
SHA256
226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54
Threat Level: Likely malicious
The file 226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54 was found to be: Likely malicious.
Malicious Activity Summary
Sets service image path in registry
Executes dropped EXE
UPX packed file
Checks computer location settings
Loads dropped DLL
Enumerates connected drives
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
Modifies system certificate store
Checks processor information in registry
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-31 22:53
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-31 22:53
Reported
2022-10-31 22:56
Platform
win7-20220901-en
Max time kernel
60s
Max time network
99s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jlhLVVvnT | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eYE5FB1jlh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TlYcAgLotB.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ZS3Hh2uG\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\ZS3Hh2uG.sys" | C:\Users\Admin\AppData\Local\Temp\TlYcAgLotB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\L9DgpOL_S1\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\L9DgpOL_S1.sys" | C:\Users\Admin\AppData\Local\Temp\TlYcAgLotB.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jlhLVVvnT | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jlhLVVvnT | N/A |
Enumerates connected drives
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe | N/A |
Enumerates system info in registry
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = … | C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = … | C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TlYcAgLotB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TlYcAgLotB.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\jlhLVVvnT | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\jlhLVVvnT | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\jlhLVVvnT | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\jlhLVVvnT | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TlYcAgLotB.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\jlhLVVvnT | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\jlhLVVvnT | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
"C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe"
C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
C:\Users\Admin\AppData\Local\Temp\jlhLVVvnT
2001 5399FF9C8181E7600A5D20B9521F8EF6 84
C:\Users\Admin\AppData\Local\Temp\eYE5FB1jlh.exe
C:\Users\Admin\AppData\Local\Temp\eYE5FB1jlh.exe C:\Users\Admin\AppData\Local\Temp\eYE5FB0jlh.dat
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\EYE5FB~1.EXE >> NUL
C:\Users\Admin\AppData\Local\Temp\TlYcAgLotB.exe
C:\Users\Admin\AppData\Local\Temp\ZS3Hh2uG.sys
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\TLYCAG~1.EXE >> NUL
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JLHLVV~1 >> NUL
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sosowebcache.com | udp |
| CN | 103.112.31.51:443 | sosowebcache.com | tcp |
| US | 8.8.8.8:53 | pic.rmb.bdstatic.com | udp |
| DE | 185.10.104.115:80 | pic.rmb.bdstatic.com | tcp |
| CN | 103.112.31.51:443 | sosowebcache.com | tcp |
| CN | 103.112.31.51:443 | sosowebcache.com | tcp |
| HK | 154.39.245.90:10199 | | tcp |
| DE | 185.10.104.115:80 | pic.rmb.bdstatic.com | tcp |
| CN | 103.112.31.51:443 | sosowebcache.com | tcp |
| HK | 154.39.245.90:10199 | | tcp |
| US | 8.8.8.8:53 | i4.hoopchina.com.cn | udp |
| NL | 101.33.29.223:80 | i4.hoopchina.com.cn | tcp |
| HK | 154.39.245.90:10199 | | tcp |
| US | 8.8.8.8:53 | i5.hoopchina.com.cn | udp |
| NL | 101.33.29.235:80 | i5.hoopchina.com.cn | tcp |
| US | 8.8.8.8:53 | baiduwebcache.com | udp |
| CN | 103.112.31.51:443 | baiduwebcache.com | tcp |
| HK | 154.39.245.90:10199 | | tcp |
| HK | 154.39.245.90:10199 | | tcp |
Files
memory/1340-54-0x00000000758B1000-0x00000000758B3000-memory.dmp
memory/1340-55-0x0000000001190000-0x00000000019D8000-memory.dmp
\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
| MD5 | 48eed6e83346784e2213509f4892c0b7 |
| SHA1 | d9016ac27e6b370f75b0a6b25c9978c78be1b792 |
| SHA256 | d39c949d27f3b8fdea3dc72abbce0a12d9eb9a21f101bc0a0e6f8b24eb2d6f05 |
| SHA512 | 0f3ae00ac453d12777a1034034a14b0ecc106433c7d7a03ad1d18116f2e16966fa0f946488ed08a826eea30c1074726f16dd2c9bad7a642acf2602e348302f6b |
memory/1420-58-0x0000000000000000-mapping.dmp
\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
| MD5 | 48eed6e83346784e2213509f4892c0b7 |
| SHA1 | d9016ac27e6b370f75b0a6b25c9978c78be1b792 |
| SHA256 | d39c949d27f3b8fdea3dc72abbce0a12d9eb9a21f101bc0a0e6f8b24eb2d6f05 |
| SHA512 | 0f3ae00ac453d12777a1034034a14b0ecc106433c7d7a03ad1d18116f2e16966fa0f946488ed08a826eea30c1074726f16dd2c9bad7a642acf2602e348302f6b |
C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
| MD5 | 48eed6e83346784e2213509f4892c0b7 |
| SHA1 | d9016ac27e6b370f75b0a6b25c9978c78be1b792 |
| SHA256 | d39c949d27f3b8fdea3dc72abbce0a12d9eb9a21f101bc0a0e6f8b24eb2d6f05 |
| SHA512 | 0f3ae00ac453d12777a1034034a14b0ecc106433c7d7a03ad1d18116f2e16966fa0f946488ed08a826eea30c1074726f16dd2c9bad7a642acf2602e348302f6b |
memory/1340-61-0x00000000045D0000-0x0000000004DB7000-memory.dmp
memory/1340-62-0x00000000045D0000-0x0000000004DB7000-memory.dmp
memory/1420-64-0x0000000000400000-0x0000000000BE7000-memory.dmp
memory/1420-65-0x0000000000220000-0x0000000000223000-memory.dmp
memory/1420-66-0x0000000000400000-0x0000000000BE7000-memory.dmp
memory/1420-67-0x0000000000400000-0x0000000000BE7000-memory.dmp
C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
| MD5 | 48eed6e83346784e2213509f4892c0b7 |
| SHA1 | d9016ac27e6b370f75b0a6b25c9978c78be1b792 |
| SHA256 | d39c949d27f3b8fdea3dc72abbce0a12d9eb9a21f101bc0a0e6f8b24eb2d6f05 |
| SHA512 | 0f3ae00ac453d12777a1034034a14b0ecc106433c7d7a03ad1d18116f2e16966fa0f946488ed08a826eea30c1074726f16dd2c9bad7a642acf2602e348302f6b |
memory/1340-69-0x0000000000A60000-0x0000000000AAD000-memory.dmp
memory/1340-70-0x0000000000A60000-0x0000000000AAD000-memory.dmp
\Users\Admin\AppData\Local\Temp\jlhLVVvnT
| MD5 | f79f5ce86c81d6b0edb45a4a92c572af |
| SHA1 | 4f8fe0760f075c60831513637935049c697d9725 |
| SHA256 | d2e9b3a4933bd3772b2789a393eeb3d3afadcfc1a34546da48ebc2ff3fb15317 |
| SHA512 | 0773ecb29c70b17dfc02c439b1a50d9e9426c951e48dfaec88bcd8344a5e757d8074a1db590d52519a313686e8efb60beedc0aa801e9d1364ada8e0567fa9f4d |
memory/1896-72-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\jlhLVVvnT
| MD5 | f79f5ce86c81d6b0edb45a4a92c572af |
| SHA1 | 4f8fe0760f075c60831513637935049c697d9725 |
| SHA256 | d2e9b3a4933bd3772b2789a393eeb3d3afadcfc1a34546da48ebc2ff3fb15317 |
| SHA512 | 0773ecb29c70b17dfc02c439b1a50d9e9426c951e48dfaec88bcd8344a5e757d8074a1db590d52519a313686e8efb60beedc0aa801e9d1364ada8e0567fa9f4d |
memory/1896-74-0x0000000000230000-0x0000000000255000-memory.dmp
memory/1340-76-0x0000000001120000-0x0000000001177000-memory.dmp
memory/1896-77-0x0000000000400000-0x0000000000457000-memory.dmp
memory/1896-78-0x0000000000230000-0x0000000000255000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\400EC0C30337DCB94CB9C65FAB2BF5CA
| MD5 | 83343201c58ce331a5de9b207a0542a7 |
| SHA1 | 678743995d807544cebfbf82d534094f8c356231 |
| SHA256 | 27cc0e7305dfab9ab96d7a06655d4b699e42b30a075be7c1fe22d4736d20f115 |
| SHA512 | ab1d3da9a6977dbe6814466ca17092707e47a9e49f5767b2cfea0d23d41e207cb64d4427afec5aa14c1735b9f9ec34db1a8954d779d49457bf3ea14e494c772c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\400EC0C30337DCB94CB9C65FAB2BF5CA
| MD5 | bf590d9a3e929861d2533ff2b328fe40 |
| SHA1 | bb59528c458e7c19dbdfd9dac15a8767e7b24964 |
| SHA256 | c751a6ab02852b445e2db9e74cc6fc41e131b40c96a961b2a8bd56232476efd0 |
| SHA512 | 2f4c23130ba5d264a1f81c7ba76ed9bb9f62a4bea6a4bdd3a660110ce25ccb7eabd72509fcc8f02aceb94701c7ecc93fcf80dce278e22ed7d9f60842f1cf73a5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 1a295f69dfd5c6f54042f8bc5b31a6af |
| SHA1 | d2b64e2902114ce584f382cbd78b06354b6b14f7 |
| SHA256 | b14043ac188588e6e6282e515cc581ca0aaae5fbf84a0cf087204bae7fcdad55 |
| SHA512 | 3ed6b02a4b6f723f5ca54e78e2c787e5670cc7bec3e3517e06fdc57afe966fbb62b3702bf6cc6a903fd8ef83ea6f79949018e35b7ca4d93cd3f8e865bc2e724f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 3dcf580a93972319e82cafbc047d34d5 |
| SHA1 | 8528d2a1363e5de77dc3b1142850e51ead0f4b6b |
| SHA256 | 40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1 |
| SHA512 | 98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e740351645128f3ee51f973ab6fea4ed |
| SHA1 | f7fcad0f25466ba74189bb26b4b3dbcfac91673c |
| SHA256 | 79e719147509da5692a81bd47f79fa641df1ca4fd6da17ad843f9a1f627ce820 |
| SHA512 | 646f47069f063da0d162b0436db60df8abf8f78848a34f8aa3414f7d33f18917ec3e947856aab371cc130c85bddc9179f34f7dd19b99a60d1e9aaefc7a28a82b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 2867ce7d2d7815a64513046b43651098 |
| SHA1 | 14abccac4b083847bd45b75b2f961658ce102581 |
| SHA256 | 01edfade18de3223ee71523c90bb063b51b5a06ded7532bad52d1062ec0ab3b3 |
| SHA512 | 33bc9242ce7f7a6014fc7874b8ee32ac94f92ee3294b503531b0a21102180f6de3133038e43e512666efa95d326c2b6e8a83a7b0a1ef6755bc888dd0a3304ac6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 136889ac23008bfdfefb91c9e5d8a11d |
| SHA1 | 8343b8ef34dc565eda256e042b43064cb8017131 |
| SHA256 | 35188ecd41bd046f9f71e26f5404d5406be5e20bf8f2b6963adaec084783bef5 |
| SHA512 | b19722ef132c9169aa442b87f633f915934a51ea4164c674864aaffe4b01dd7ad6b7488450ca14b6d1467eb231e6941cad0aab29733ae4fa6b7df7d2a2f75bdb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 82b7eab0fbc3065bb0ae647388fc9fe7 |
| SHA1 | 12163d31764664fc87b76e6a5cda91cd7d747cf4 |
| SHA256 | 3500c638861a2749bf5a498a0d2d59b555e628ac4098d5ff5326b9a5ffd2c579 |
| SHA512 | 6251943e9e7aca115ccb96e2205894cde8391835bab5ff6f1960b4075c8dee25e732e57e6b4f5204733a9bc7d7a6d6ec5ce3ade23c67f10c2159b00041a0d97d |
memory/1896-87-0x0000000003270000-0x00000000032C3000-memory.dmp
memory/1896-88-0x0000000003270000-0x00000000032C3000-memory.dmp
memory/1896-89-0x0000000003590000-0x00000000035F9000-memory.dmp
memory/1896-90-0x0000000003590000-0x00000000035F9000-memory.dmp
\Users\Admin\AppData\Local\Temp\eYE5FB1jlh.exe
| MD5 | cd3f1df2d4a06ac82cd816bc799dd65e |
| SHA1 | a77c7aa9b4857d0ec504403528e2cfe625b6bc83 |
| SHA256 | ba2a2ae38a31d5f4ae98cd3e7c21792d36f2386a252ebd506353d1487da6b8ce |
| SHA512 | 60f9e5329169a68d1548200a9bcd05d380bb924ebbaa57797683042f7ce17870e7a9e33dd70330da17c37b86c9ae4161b50cc84a673fce69af563118bfe7a6d0 |
memory/1524-92-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\eYE5FB1jlh.exe
| MD5 | cd3f1df2d4a06ac82cd816bc799dd65e |
| SHA1 | a77c7aa9b4857d0ec504403528e2cfe625b6bc83 |
| SHA256 | ba2a2ae38a31d5f4ae98cd3e7c21792d36f2386a252ebd506353d1487da6b8ce |
| SHA512 | 60f9e5329169a68d1548200a9bcd05d380bb924ebbaa57797683042f7ce17870e7a9e33dd70330da17c37b86c9ae4161b50cc84a673fce69af563118bfe7a6d0 |
memory/1276-95-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\eYE5FB1jlh.exe
| MD5 | cd3f1df2d4a06ac82cd816bc799dd65e |
| SHA1 | a77c7aa9b4857d0ec504403528e2cfe625b6bc83 |
| SHA256 | ba2a2ae38a31d5f4ae98cd3e7c21792d36f2386a252ebd506353d1487da6b8ce |
| SHA512 | 60f9e5329169a68d1548200a9bcd05d380bb924ebbaa57797683042f7ce17870e7a9e33dd70330da17c37b86c9ae4161b50cc84a673fce69af563118bfe7a6d0 |
memory/1340-97-0x0000000001190000-0x00000000019D8000-memory.dmp
\Users\Admin\AppData\Local\Temp\TlYcAgLotB.exe
| MD5 | 4c839dc7014281acda2456d611ac73b7 |
| SHA1 | 13073f7b2d0ce49143d021cec9d863c0597a6f3e |
| SHA256 | 188dca807ca0613941037af948e42527f9a7be9ff8bd80ff083cf0670a54c31e |
| SHA512 | 9b9030287fb84c7ee616b2829f2797b867d26a3d034e83d5f06b4aea643cfc0cc1c5892892ab415c2d0d8e9922684fe0143e5fecb8f686d3db37bb1a87d631ea |
memory/1468-99-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\TlYcAgLotB.exe
| MD5 | 4c839dc7014281acda2456d611ac73b7 |
| SHA1 | 13073f7b2d0ce49143d021cec9d863c0597a6f3e |
| SHA256 | 188dca807ca0613941037af948e42527f9a7be9ff8bd80ff083cf0670a54c31e |
| SHA512 | 9b9030287fb84c7ee616b2829f2797b867d26a3d034e83d5f06b4aea643cfc0cc1c5892892ab415c2d0d8e9922684fe0143e5fecb8f686d3db37bb1a87d631ea |
memory/1468-101-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp
memory/572-102-0x0000000000000000-mapping.dmp
memory/1468-103-0x000000013FE20000-0x000000013FE57000-memory.dmp
memory/1420-104-0x0000000000400000-0x0000000000BE7000-memory.dmp
memory/1340-105-0x0000000000A60000-0x0000000000AAD000-memory.dmp
memory/1340-106-0x0000000001120000-0x0000000001177000-memory.dmp
memory/1896-107-0x0000000000230000-0x0000000000255000-memory.dmp
memory/1896-108-0x0000000003270000-0x00000000032C3000-memory.dmp
memory/1340-109-0x0000000001190000-0x00000000019D8000-memory.dmp
memory/1896-110-0x0000000003590000-0x00000000035F9000-memory.dmp
memory/1148-111-0x0000000000000000-mapping.dmp
memory/1896-112-0x0000000000400000-0x0000000000457000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jlhLVVvnT
| MD5 | f79f5ce86c81d6b0edb45a4a92c572af |
| SHA1 | 4f8fe0760f075c60831513637935049c697d9725 |
| SHA256 | d2e9b3a4933bd3772b2789a393eeb3d3afadcfc1a34546da48ebc2ff3fb15317 |
| SHA512 | 0773ecb29c70b17dfc02c439b1a50d9e9426c951e48dfaec88bcd8344a5e757d8074a1db590d52519a313686e8efb60beedc0aa801e9d1364ada8e0567fa9f4d |
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-31 22:53
Reported
2022-10-31 22:56
Platform
win10v2004-20220812-en
Max time kernel
62s
Max time network
141s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BaQBE06jlh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0Q6_aU5lvG.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ZSixoSOX\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\ZSixoSOX.sys" | C:\Users\Admin\AppData\Local\Temp\0Q6_aU5lvG.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\6m9sZYwATX\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\6m9sZYwATX.sys" | C:\Users\Admin\AppData\Local\Temp\0Q6_aU5lvG.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BaQBE06jlh.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0Q6_aU5lvG.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh | N/A |
Enumerates connected drives
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe | N/A |
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0Q6_aU5lvG.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0Q6_aU5lvG.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0Q6_aU5lvG.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
"C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe"
C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh
2001 5399FF9C8181E7600A5D20B9521F8EF6 84
C:\Users\Admin\AppData\Local\Temp\BaQBE06jlh.exe
C:\Users\Admin\AppData\Local\Temp\BaQBE06jlh.exe C:\Users\Admin\AppData\Local\Temp\BaQBE05jlh.dat
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\BAQBE0~1.EXE >> NUL
C:\Users\Admin\AppData\Local\Temp\0Q6_aU5lvG.exe
C:\Users\Admin\AppData\Local\Temp\ZSixoSOX.sys
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\0Q6_AU~1.EXE >> NUL
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JLH6LW~1 >> NUL
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sosowebcache.com | udp |
| CN | 103.112.31.51:443 | sosowebcache.com | tcp |
| US | 8.8.8.8:53 | pic.rmb.bdstatic.com | udp |
| DE | 185.10.104.115:80 | pic.rmb.bdstatic.com | tcp |
| CN | 103.112.31.51:443 | sosowebcache.com | tcp |
| CN | 103.112.31.51:443 | sosowebcache.com | tcp |
| HK | 154.39.245.90:10199 | | tcp |
| DE | 185.10.104.115:80 | pic.rmb.bdstatic.com | tcp |
| CN | 103.112.31.51:443 | sosowebcache.com | tcp |
| HK | 154.39.245.90:10199 | | tcp |
| US | 8.8.8.8:53 | i4.hoopchina.com.cn | udp |
| NL | 101.33.29.231:80 | i4.hoopchina.com.cn | tcp |
| HK | 154.39.245.90:10199 | | tcp |
| US | 8.8.8.8:53 | i5.hoopchina.com.cn | udp |
| NL | 101.33.29.225:80 | i5.hoopchina.com.cn | tcp |
| US | 8.8.8.8:53 | baiduwebcache.com | udp |
| CN | 103.112.31.51:443 | baiduwebcache.com | tcp |
| HK | 154.39.245.90:10199 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| HK | 154.39.245.90:10199 | | tcp |
| DE | 20.52.64.200:443 | | tcp |
Files
memory/4996-132-0x0000000000CA0000-0x00000000014E8000-memory.dmp
memory/4412-133-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
| MD5 | 48eed6e83346784e2213509f4892c0b7 |
| SHA1 | d9016ac27e6b370f75b0a6b25c9978c78be1b792 |
| SHA256 | d39c949d27f3b8fdea3dc72abbce0a12d9eb9a21f101bc0a0e6f8b24eb2d6f05 |
| SHA512 | 0f3ae00ac453d12777a1034034a14b0ecc106433c7d7a03ad1d18116f2e16966fa0f946488ed08a826eea30c1074726f16dd2c9bad7a642acf2602e348302f6b |
C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
| MD5 | 48eed6e83346784e2213509f4892c0b7 |
| SHA1 | d9016ac27e6b370f75b0a6b25c9978c78be1b792 |
| SHA256 | d39c949d27f3b8fdea3dc72abbce0a12d9eb9a21f101bc0a0e6f8b24eb2d6f05 |
| SHA512 | 0f3ae00ac453d12777a1034034a14b0ecc106433c7d7a03ad1d18116f2e16966fa0f946488ed08a826eea30c1074726f16dd2c9bad7a642acf2602e348302f6b |
memory/4412-136-0x0000000000400000-0x0000000000BE7000-memory.dmp
memory/4412-137-0x0000000000400000-0x0000000000BE7000-memory.dmp
memory/4412-138-0x0000000000400000-0x0000000000BE7000-memory.dmp
memory/4412-139-0x0000000000D80000-0x0000000000D83000-memory.dmp
memory/4996-140-0x0000000004360000-0x00000000043AD000-memory.dmp
memory/4996-141-0x0000000004360000-0x00000000043AD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh
| MD5 | f79f5ce86c81d6b0edb45a4a92c572af |
| SHA1 | 4f8fe0760f075c60831513637935049c697d9725 |
| SHA256 | d2e9b3a4933bd3772b2789a393eeb3d3afadcfc1a34546da48ebc2ff3fb15317 |
| SHA512 | 0773ecb29c70b17dfc02c439b1a50d9e9426c951e48dfaec88bcd8344a5e757d8074a1db590d52519a313686e8efb60beedc0aa801e9d1364ada8e0567fa9f4d |
C:\Users\Admin\AppData\Local\Temp\jlh6Lwbzh
| MD5 | f79f5ce86c81d6b0edb45a4a92c572af |
| SHA1 | 4f8fe0760f075c60831513637935049c697d9725 |
| SHA256 | d2e9b3a4933bd3772b2789a393eeb3d3afadcfc1a34546da48ebc2ff3fb15317 |
| SHA512 | 0773ecb29c70b17dfc02c439b1a50d9e9426c951e48dfaec88bcd8344a5e757d8074a1db590d52519a313686e8efb60beedc0aa801e9d1364ada8e0567fa9f4d |
memory/1180-142-0x0000000000000000-mapping.dmp
memory/1180-145-0x0000000000530000-0x0000000000555000-memory.dmp
memory/1180-146-0x0000000000400000-0x0000000000457000-memory.dmp
memory/1180-147-0x0000000000530000-0x0000000000555000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 10c64006105304b4ed0904acce3ba9c1 |
| SHA1 | 56fa0b3213d539a8a779ef5f88daa6f60e87391b |
| SHA256 | e59e528e19b5a60686b2ac6165ddbc45bd8cd90379ec1bbdfa03a480b9c4fabb |
| SHA512 | bfd168c0239fdd831ee45998f5e6b8bd17adce1155948be5a98b5dffffa14a967e582471511f4236cd9142890bfefe6a132f871555e6da5ab0ec3b692fc1fde8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 136889ac23008bfdfefb91c9e5d8a11d |
| SHA1 | 8343b8ef34dc565eda256e042b43064cb8017131 |
| SHA256 | 35188ecd41bd046f9f71e26f5404d5406be5e20bf8f2b6963adaec084783bef5 |
| SHA512 | b19722ef132c9169aa442b87f633f915934a51ea4164c674864aaffe4b01dd7ad6b7488450ca14b6d1467eb231e6941cad0aab29733ae4fa6b7df7d2a2f75bdb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 1a295f69dfd5c6f54042f8bc5b31a6af |
| SHA1 | d2b64e2902114ce584f382cbd78b06354b6b14f7 |
| SHA256 | b14043ac188588e6e6282e515cc581ca0aaae5fbf84a0cf087204bae7fcdad55 |
| SHA512 | 3ed6b02a4b6f723f5ca54e78e2c787e5670cc7bec3e3517e06fdc57afe966fbb62b3702bf6cc6a903fd8ef83ea6f79949018e35b7ca4d93cd3f8e865bc2e724f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 7da0f0010d9f684e8d08f2715bd5a000 |
| SHA1 | cb6e4b8ebac810080212358954384b34991eb7cc |
| SHA256 | 797a6c5f4c139b2c785391fb02ed47b1d104c9ec7b2106faca2af18ac0452d57 |
| SHA512 | 006f3ed99813e211cc5d7c04a1b8585c5f2fe281b332c75fd0122c723278fe4aa6a9f11bb81824ec0e27732062889c32feabdaca0d2ede874b5dbeb7963b4d6f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\400EC0C30337DCB94CB9C65FAB2BF5CA
| MD5 | 83343201c58ce331a5de9b207a0542a7 |
| SHA1 | 678743995d807544cebfbf82d534094f8c356231 |
| SHA256 | 27cc0e7305dfab9ab96d7a06655d4b699e42b30a075be7c1fe22d4736d20f115 |
| SHA512 | ab1d3da9a6977dbe6814466ca17092707e47a9e49f5767b2cfea0d23d41e207cb64d4427afec5aa14c1735b9f9ec34db1a8954d779d49457bf3ea14e494c772c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\400EC0C30337DCB94CB9C65FAB2BF5CA
| MD5 | c2ed069efa024354f4cace5e63d914a3 |
| SHA1 | b6e61c792b1305f6d1f6af8ef63e592f062525c8 |
| SHA256 | 1871913a75f5f9f5958356c770f7e56a246b1b6c836bf78f59a03c9de789a5e4 |
| SHA512 | f0e4b26e7dba8a7db620ff848fbeca96ad33e0352e5a82afe38a320f2033c1c95b85dc406c6980269f9aa30fc0793f859f5fedc0a11bd592f87e57d94286dd54 |
memory/1180-154-0x0000000003110000-0x0000000003163000-memory.dmp
memory/1180-155-0x0000000003110000-0x0000000003163000-memory.dmp
memory/4996-156-0x0000000000CA0000-0x00000000014E8000-memory.dmp
memory/4412-157-0x0000000000D80000-0x0000000000D83000-memory.dmp
memory/4412-158-0x0000000000400000-0x0000000000BE7000-memory.dmp
memory/4996-159-0x0000000004360000-0x00000000043AD000-memory.dmp
memory/1180-160-0x0000000003B40000-0x0000000003BA9000-memory.dmp
memory/3792-161-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\BaQBE06jlh.exe
| MD5 | cd3f1df2d4a06ac82cd816bc799dd65e |
| SHA1 | a77c7aa9b4857d0ec504403528e2cfe625b6bc83 |
| SHA256 | ba2a2ae38a31d5f4ae98cd3e7c21792d36f2386a252ebd506353d1487da6b8ce |
| SHA512 | 60f9e5329169a68d1548200a9bcd05d380bb924ebbaa57797683042f7ce17870e7a9e33dd70330da17c37b86c9ae4161b50cc84a673fce69af563118bfe7a6d0 |
C:\Users\Admin\AppData\Local\Temp\BaQBE06jlh.exe
| MD5 | cd3f1df2d4a06ac82cd816bc799dd65e |
| SHA1 | a77c7aa9b4857d0ec504403528e2cfe625b6bc83 |
| SHA256 | ba2a2ae38a31d5f4ae98cd3e7c21792d36f2386a252ebd506353d1487da6b8ce |
| SHA512 | 60f9e5329169a68d1548200a9bcd05d380bb924ebbaa57797683042f7ce17870e7a9e33dd70330da17c37b86c9ae4161b50cc84a673fce69af563118bfe7a6d0 |
memory/1180-164-0x0000000003B40000-0x0000000003BA9000-memory.dmp
memory/1384-165-0x0000000000000000-mapping.dmp
memory/1180-166-0x0000000000530000-0x0000000000555000-memory.dmp
memory/4972-167-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\0Q6_aU5lvG.exe
| MD5 | 4c839dc7014281acda2456d611ac73b7 |
| SHA1 | 13073f7b2d0ce49143d021cec9d863c0597a6f3e |
| SHA256 | 188dca807ca0613941037af948e42527f9a7be9ff8bd80ff083cf0670a54c31e |
| SHA512 | 9b9030287fb84c7ee616b2829f2797b867d26a3d034e83d5f06b4aea643cfc0cc1c5892892ab415c2d0d8e9922684fe0143e5fecb8f686d3db37bb1a87d631ea |
C:\Users\Admin\AppData\Local\Temp\0Q6_aU5lvG.exe
| MD5 | 4c839dc7014281acda2456d611ac73b7 |
| SHA1 | 13073f7b2d0ce49143d021cec9d863c0597a6f3e |
| SHA256 | 188dca807ca0613941037af948e42527f9a7be9ff8bd80ff083cf0670a54c31e |
| SHA512 | 9b9030287fb84c7ee616b2829f2797b867d26a3d034e83d5f06b4aea643cfc0cc1c5892892ab415c2d0d8e9922684fe0143e5fecb8f686d3db37bb1a87d631ea |
memory/4312-170-0x0000000000000000-mapping.dmp
memory/4972-171-0x00007FF627F60000-0x00007FF627F97000-memory.dmp
memory/1180-172-0x0000000003110000-0x0000000003163000-memory.dmp
memory/1180-173-0x0000000003B40000-0x0000000003BA9000-memory.dmp
memory/4996-174-0x0000000000CA0000-0x00000000014E8000-memory.dmp
memory/1548-175-0x0000000000000000-mapping.dmp
memory/1180-176-0x0000000000400000-0x0000000000457000-memory.dmp