Analysis Overview
SHA256
0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc
Threat Level: Known bad
The file 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Suspicious use of NtCreateProcessExOtherParentProcess
Adds policy Run key to start application
UPX packed file
Executes dropped EXE
Modifies Installed Components in the registry
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
Program crash
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Runs net.exe
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-06 09:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-06 09:51
Reported
2022-11-06 11:46
Platform
win7-20220812-en
Max time kernel
152s
Max time network
56s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\bin\\windows.exe" | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\bin\\windows.exe" | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | N/A |
| N/A | N/A | C:\windows\SysWOW64\microsoft\bin\windows.exe | N/A |
| N/A | N/A | C:\windows\SysWOW64\microsoft\bin\windows.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY} | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}\StubPath = "c:\\windows\\system32\\microsoft\\bin\\windows.exe Restart" | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}\StubPath = "c:\\windows\\system32\\microsoft\\bin\\windows.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\FacebookUpdater.com = "C:\\Windows\\system32\\bin\\help.exe" | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FacebookUpdater.com = "C:\\Windows\\system32\\bin\\help.exe" | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\FacebookUpdater.com = "C:\\Windows\\system32\\bin\\help.exe" | C:\windows\SysWOW64\microsoft\bin\windows.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FacebookUpdater.com = "C:\\Windows\\system32\\bin\\help.exe" | C:\windows\SysWOW64\microsoft\bin\windows.exe | N/A |
Drops file in System32 directory
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 780 set thread context of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe |
| PID 1356 set thread context of 1692 | N/A | C:\windows\SysWOW64\microsoft\bin\windows.exe | C:\windows\SysWOW64\microsoft\bin\windows.exe |
Enumerates physical storage devices
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe |
| C:\Windows\system32\services.exe | C:\Windows\system32\services.exe |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 |
| C:\Windows\system32\wininit.exe | wininit.exe |
| C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe |
| C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs |
| C:\Windows\system32\taskhost.exe | "taskhost.exe" |
| C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe |
| \\?\C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork |
| C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService |
| C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | "C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe" |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch |
| C:\Windows\SysWOW64\cmd.exe | /c net stop MpsSvc |
| C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe |
| C:\Windows\SysWOW64\net.exe | net stop MpsSvc |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop MpsSvc |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | "C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe" |
| C:\windows\SysWOW64\microsoft\bin\windows.exe | "C:\windows\system32\microsoft\bin\windows.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c net stop MpsSvc |
| C:\windows\SysWOW64\microsoft\bin\windows.exe | C:\windows\SysWOW64\microsoft\bin\windows.exe |
| C:\Windows\SysWOW64\net.exe | net stop MpsSvc |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop MpsSvc |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tunisia-sat.no-ip.biz | udp |
| N/A | 127.0.0.1:8081 | N/A | tcp |
| N/A | 127.0.0.1:8081 | N/A | tcp |
| N/A | 127.0.0.1:8081 | N/A | tcp |
| N/A | 127.0.0.1:8081 | N/A | tcp |
Files
memory/780-54-0x0000000076121000-0x0000000076123000-memory.dmp
\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
| MD5 | 2184e73b4a2ecee7a726b2d7f8374946 |
| SHA1 | 8dd0ef00c55f8470ae513b66773a6369539a8dc9 |
| SHA256 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc |
| SHA512 | 15c5dce97fa43344e7d4f53c992d23fa13d107fec0fa3eca5cbdc12902981157d12df5d74ce226afabe787a53565437c728b9c3b18b2f3d828b27d8a1ba0b0b6 |
memory/1920-55-0x0000000000000000-mapping.dmp
memory/1996-57-0x0000000000400000-0x0000000000459000-memory.dmp
memory/1996-60-0x0000000000400000-0x0000000000459000-memory.dmp
memory/1996-61-0x0000000000400000-0x0000000000459000-memory.dmp
memory/1996-58-0x0000000000400000-0x0000000000459000-memory.dmp
memory/1996-62-0x0000000000457D30-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
| MD5 | 2184e73b4a2ecee7a726b2d7f8374946 |
| SHA1 | 8dd0ef00c55f8470ae513b66773a6369539a8dc9 |
| SHA256 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc |
| SHA512 | 15c5dce97fa43344e7d4f53c992d23fa13d107fec0fa3eca5cbdc12902981157d12df5d74ce226afabe787a53565437c728b9c3b18b2f3d828b27d8a1ba0b0b6 |
memory/780-65-0x0000000000250000-0x0000000000254000-memory.dmp
memory/1904-66-0x0000000000000000-mapping.dmp
memory/1996-68-0x0000000000400000-0x0000000000459000-memory.dmp
memory/1996-69-0x0000000000400000-0x0000000000459000-memory.dmp
memory/1936-70-0x0000000000000000-mapping.dmp
memory/1996-71-0x0000000000400000-0x0000000000459000-memory.dmp
memory/1996-73-0x0000000024010000-0x0000000024072000-memory.dmp
memory/1420-76-0x0000000024010000-0x0000000024072000-memory.dmp
memory/584-79-0x0000000000000000-mapping.dmp
memory/584-81-0x0000000074CA1000-0x0000000074CA3000-memory.dmp
memory/1996-82-0x0000000024080000-0x00000000240E2000-memory.dmp
memory/584-87-0x0000000024080000-0x00000000240E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | b2c82cbdb8f096f842da7521b7944713 |
| SHA1 | bc6d73b2a3ab5e88e601dcee7a2dc80fa05ced54 |
| SHA256 | ea6023ee5139e5fcc3682d7a562ae7cbbe58c045f20ec5727fa61a2c4c25f33b |
| SHA512 | 27589fd68218bf7b5b2eb27d17e9145a79f027665c71ef503d9a6cd0914a8ae75801618fd20101ef01c1ebbb24c2255ef1b6bec9b73f006255da84bc6fe9533a |
\??\c:\windows\SysWOW64\microsoft\bin\windows.exe
| MD5 | 2184e73b4a2ecee7a726b2d7f8374946 |
| SHA1 | 8dd0ef00c55f8470ae513b66773a6369539a8dc9 |
| SHA256 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc |
| SHA512 | 15c5dce97fa43344e7d4f53c992d23fa13d107fec0fa3eca5cbdc12902981157d12df5d74ce226afabe787a53565437c728b9c3b18b2f3d828b27d8a1ba0b0b6 |
memory/584-90-0x0000000024080000-0x00000000240E2000-memory.dmp
memory/1996-92-0x0000000000460000-0x00000000004C2000-memory.dmp
\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
| MD5 | 2184e73b4a2ecee7a726b2d7f8374946 |
| SHA1 | 8dd0ef00c55f8470ae513b66773a6369539a8dc9 |
| SHA256 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc |
| SHA512 | 15c5dce97fa43344e7d4f53c992d23fa13d107fec0fa3eca5cbdc12902981157d12df5d74ce226afabe787a53565437c728b9c3b18b2f3d828b27d8a1ba0b0b6 |
memory/1192-97-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
| MD5 | 2184e73b4a2ecee7a726b2d7f8374946 |
| SHA1 | 8dd0ef00c55f8470ae513b66773a6369539a8dc9 |
| SHA256 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc |
| SHA512 | 15c5dce97fa43344e7d4f53c992d23fa13d107fec0fa3eca5cbdc12902981157d12df5d74ce226afabe787a53565437c728b9c3b18b2f3d828b27d8a1ba0b0b6 |
memory/1996-100-0x00000000240F0000-0x0000000024152000-memory.dmp
memory/1996-106-0x0000000000400000-0x0000000000459000-memory.dmp
memory/1192-105-0x00000000240F0000-0x0000000024152000-memory.dmp
memory/260-107-0x0000000031770000-0x000000003177D000-memory.dmp
\Windows\SysWOW64\microsoft\bin\windows.exe
| MD5 | 2184e73b4a2ecee7a726b2d7f8374946 |
| SHA1 | 8dd0ef00c55f8470ae513b66773a6369539a8dc9 |
| SHA256 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc |
| SHA512 | 15c5dce97fa43344e7d4f53c992d23fa13d107fec0fa3eca5cbdc12902981157d12df5d74ce226afabe787a53565437c728b9c3b18b2f3d828b27d8a1ba0b0b6 |
memory/1356-154-0x0000000000000000-mapping.dmp
memory/1192-152-0x00000000240F0000-0x0000000024152000-memory.dmp
memory/584-151-0x00000000318E0000-0x00000000318ED000-memory.dmp
C:\Windows\SysWOW64\microsoft\bin\windows.exe
| MD5 | 2184e73b4a2ecee7a726b2d7f8374946 |
| SHA1 | 8dd0ef00c55f8470ae513b66773a6369539a8dc9 |
| SHA256 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc |
| SHA512 | 15c5dce97fa43344e7d4f53c992d23fa13d107fec0fa3eca5cbdc12902981157d12df5d74ce226afabe787a53565437c728b9c3b18b2f3d828b27d8a1ba0b0b6 |
C:\Windows\SysWOW64\bin\help.exe
| MD5 | 6003bcec2ceef7a6cca4a4e309cbf862 |
| SHA1 | 025eb656406fd10f06346a2171a9468be11b0de4 |
| SHA256 | 2dd53141e4b18919642002a48681fc3906b16a24637b7737aef24392a2bf0a0f |
| SHA512 | 32fd0ecc406723f8a0a1523bd846b7062e58d3c209c0c6c28b76b644e7f450e05970c4e9928c5f5ebc5cf210238268f1ed3365460e91e7f3cb0382d2336f057f |
memory/1704-158-0x0000000000000000-mapping.dmp
C:\Windows\SysWOW64\microsoft\bin\windows.exe
| MD5 | 2184e73b4a2ecee7a726b2d7f8374946 |
| SHA1 | 8dd0ef00c55f8470ae513b66773a6369539a8dc9 |
| SHA256 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc |
| SHA512 | 15c5dce97fa43344e7d4f53c992d23fa13d107fec0fa3eca5cbdc12902981157d12df5d74ce226afabe787a53565437c728b9c3b18b2f3d828b27d8a1ba0b0b6 |
memory/1692-164-0x0000000000457D30-mapping.dmp
memory/1784-168-0x0000000000000000-mapping.dmp
memory/380-170-0x0000000000000000-mapping.dmp
memory/1692-175-0x0000000000400000-0x0000000000459000-memory.dmp
memory/1692-176-0x00000000318F0000-0x00000000318FD000-memory.dmp
memory/1692-177-0x0000000000400000-0x0000000000459000-memory.dmp
memory/1692-178-0x00000000318F0000-0x00000000318FD000-memory.dmp
memory/584-179-0x00000000318E0000-0x00000000318ED000-memory.dmp
memory/1192-180-0x00000000240F0000-0x0000000024152000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-06 09:51
Reported
2022-11-06 11:46
Platform
win10v2004-20220812-en
Max time kernel
158s
Max time network
174s
Command Line
Signatures
CyberGate, Rebhip
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1124 created 3280 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\windows\SysWOW64\microsoft\bin\windows.exe |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\bin\\windows.exe" | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\bin\\windows.exe" | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | N/A |
| N/A | N/A | C:\windows\SysWOW64\microsoft\bin\windows.exe | N/A |
| N/A | N/A | C:\windows\SysWOW64\microsoft\bin\windows.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}\StubPath = "c:\\windows\\system32\\microsoft\\bin\\windows.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY} | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}\StubPath = "c:\\windows\\system32\\microsoft\\bin\\windows.exe Restart" | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY} | C:\Windows\SysWOW64\explorer.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FacebookUpdater.com = "C:\\Windows\\system32\\bin\\help.exe" | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FacebookUpdater.com = "C:\\Windows\\system32\\bin\\help.exe" | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FacebookUpdater.com = "C:\\Windows\\system32\\bin\\help.exe" | C:\windows\SysWOW64\microsoft\bin\windows.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FacebookUpdater.com = "C:\\Windows\\system32\\bin\\help.exe" | C:\windows\SysWOW64\microsoft\bin\windows.exe | N/A |
Drops file in System32 directory
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1692 set thread context of 4616 | N/A | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe |
| PID 1244 set thread context of 3280 | N/A | C:\windows\SysWOW64\microsoft\bin\windows.exe | C:\windows\SysWOW64\microsoft\bin\windows.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | C:\Windows\SysWOW64\WerFault.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\windows\SysWOW64\microsoft\bin\windows.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" |
| C:\Windows\system32\dwm.exe | "dwm.exe" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS -p |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p |
| C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p |
| C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer |
| C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -s W32Time |
| C:\Windows\system32\SppExtComObj.exe | C:\Windows\system32\SppExtComObj.exe -Embedding |
| C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts |
| C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | "C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c net stop MpsSvc |
| C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe |
| C:\Windows\SysWOW64\net.exe | net stop MpsSvc |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop MpsSvc |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | "C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe" |
| C:\windows\SysWOW64\microsoft\bin\windows.exe | "C:\windows\system32\microsoft\bin\windows.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c net stop MpsSvc |
| C:\windows\SysWOW64\microsoft\bin\windows.exe | C:\windows\SysWOW64\microsoft\bin\windows.exe |
| C:\Windows\SysWOW64\net.exe | net stop MpsSvc |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop MpsSvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k WerSvcGroup |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3280 -ip 3280 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 544 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4940 -ip 4940 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 648 |
| C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding |
| C:\Windows\System32\WaaSMedicAgent.exe | C:\Windows\System32\WaaSMedicAgent.exe 8746cef025cd36a47dc626f7391c34b3 eYmZbZQ62kGF77bHBITviQ.0.1.0.0.0 |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv |
| C:\Windows\servicing\TrustedInstaller.exe | C:\Windows\servicing\TrustedInstaller.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc |
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
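Added example (editor's illustration, not part of the sandbox output): a Python triage pass over the flattened process list above. It pairs each image path with the command line on the following line and flags the `net stop MpsSvc` chain (cmd.exe -> net.exe -> net1.exe stopping the Windows Firewall service), the launch from the user's Temp directory, the copy executing from a non-standard subdirectory of SysWOW64, the WerFault crash of PID 3280, and the WOW64 file-system redirection visible in the windows.exe entry: the command line (and the Policies\Explorer\Run value in the signatures) says `system32\microsoft\bin\windows.exe`, but the file on disk is `SysWOW64\microsoft\bin\windows.exe`, so a 64-bit host sweep that looks only under System32 misses it. The security-service list and the allowlist of expected System32 subdirectories are assumptions, not taken from the report; the embedded input is a subset of the rows above.

```python
"""Triage checks over a flattened sandbox process list (image, command line pairs)."""
import re
from typing import Dict, List, Tuple

# Constructed input: a subset of the image / command-line pairs from the
# process list above, in the same two-lines-per-process layout.
SAMPLE_PROCESS_LIST = r"""
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
"C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe"
C:\Windows\SysWOW64\cmd.exe
/c net stop MpsSvc
C:\Windows\SysWOW64\net.exe
net stop MpsSvc
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MpsSvc
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\windows\SysWOW64\microsoft\bin\windows.exe
"C:\windows\system32\microsoft\bin\windows.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 544
"""

# "net stop X" or "net1 stop X", with or without a leading path / ".exe".
SERVICE_STOP = re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+(\S+)", re.I)
# Assumption: services whose stop is worth flagging; MpsSvc is the Windows Firewall.
SECURITY_SERVICES = {"mpssvc"}
TEMP_DIR_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)
# An .exe at least one directory below System32 / SysWOW64.
NESTED_SYSDIR = re.compile(r"\\Windows\\(?:System32|SysWOW64)\\([^\\]+)\\.*\.exe$", re.I)
# Assumption: subdirectories that legitimately hold executables on a stock install.
ALLOWED_SYSDIR_SUBDIRS = {"wbem", "drivers", "windowspowershell", "config", "spool"}
WERFAULT = re.compile(r"\bWerFault\.exe\s+-u\s+-p\s+(\d+)", re.I)


def parse_process_list(text: str) -> List[Tuple[str, str]]:
    """Pair every non-empty line with the next one: (image path, command line)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected an even number of lines (image, command line pairs)")
    return list(zip(lines[0::2], lines[1::2]))


def is_wow64_redirected(image: str, cmdline: str) -> bool:
    """True when the command line names the file under System32 while the image
    actually lives under SysWOW64: the 32-bit process wrote to System32 and
    WOW64 file-system redirection silently sent it to SysWOW64."""
    image_l = image.lower()
    quoted = cmdline.strip().strip('"').lower()
    return ("\\syswow64\\" in image_l
            and "\\system32\\" in quoted
            and quoted.replace("\\system32\\", "\\syswow64\\", 1) == image_l)


def analyze(text: str) -> List[Dict[str, str]]:
    """Return one finding per (rule, process) hit."""
    findings: List[Dict[str, str]] = []
    for image, cmdline in parse_process_list(text):
        rules: List[str] = []
        m = SERVICE_STOP.search(cmdline)
        if m and m.group(1).lower() in SECURITY_SERVICES:
            rules.append("service_stop:" + m.group(1).lower())
        if TEMP_DIR_EXE.search(image):
            rules.append("temp_dir_launch")
        m = NESTED_SYSDIR.search(image)
        if m and m.group(1).lower() not in ALLOWED_SYSDIR_SUBDIRS:
            rules.append("nested_system_dir")
        if is_wow64_redirected(image, cmdline):
            rules.append("wow64_redirected_path")
        m = WERFAULT.search(cmdline)
        if m:
            rules.append("crash:" + m.group(1))
        findings.extend({"rule": r, "image": image, "cmdline": cmdline} for r in rules)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_PROCESS_LIST):
        print(f"{f['rule']:24} {f['image']}  <-  {f['cmdline']}")
```

The three `service_stop` hits for one `net stop` are expected: cmd.exe, net.exe and net1.exe each carry the string, so a detection that counts hits must collapse them by ancestry, which the flattened list does not preserve.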
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tunisia-sat.no-ip.biz | udp |
| DE | 20.52.64.200:443 | | tcp |
| US | 72.21.91.29:80 | | tcp |
| N/A | 127.0.0.1:8081 | | tcp |
| US | 8.8.8.8:53 | tunisia-sat.no-ip.biz | udp |
| N/A | 127.0.0.1:8081 | | tcp |
| NL | 87.248.202.1:80 | | tcp |
| US | 8.8.8.8:53 | tunisia-sat.no-ip.biz | udp |
| N/A | 127.0.0.1:8081 | | tcp |
| US | 8.8.8.8:53 | tunisia-sat.no-ip.biz | udp |
| N/A | 127.0.0.1:8081 | | tcp |
| US | 8.8.8.8:53 | tunisia-sat.no-ip.biz | udp |
| N/A | 127.0.0.1:8081 | | tcp |
| US | 8.8.8.8:53 | tunisia-sat.no-ip.biz | udp |
| N/A | 127.0.0.1:8081 | | tcp |
| US | 8.8.8.8:53 | tunisia-sat.no-ip.biz | udp |
| N/A | 127.0.0.1:8081 | | tcp |
| US | 8.8.8.8:53 | tunisia-sat.no-ip.biz | udp |
| N/A | 127.0.0.1:8081 | | tcp |
| US | 8.8.8.8:53 | tunisia-sat.no-ip.biz | udp |
| N/A | 127.0.0.1:8081 | | tcp |
| US | 8.8.8.8:53 | tunisia-sat.no-ip.biz | udp |
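Added example (editor's illustration, not part of the sandbox output): the same kind of pass over the Network table. It separates DNS lookups from connections and reports domains under dynamic-DNS providers (the suffix list is an assumption, a starting set of No-IP zones), the loopback connections to 127.0.0.1:8081, and any domain resolved repeatedly while no connection row in the table carries it, which is what the rows above show for tunisia-sat.no-ip.biz. The remaining external TCP destinations are listed for the analyst to attribute; the report does not say what they are. The embedded rows are a subset of the table above.

```python
"""Triage checks over a sandbox network table in markdown pipe layout."""
from collections import Counter
from typing import Dict, List

# Constructed input: a subset of the Network table above.
NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tunisia-sat.no-ip.biz | udp |
| DE | 20.52.64.200:443 | | tcp |
| US | 72.21.91.29:80 | | tcp |
| N/A | 127.0.0.1:8081 | | tcp |
| US | 8.8.8.8:53 | tunisia-sat.no-ip.biz | udp |
| N/A | 127.0.0.1:8081 | | tcp |
| NL | 87.248.202.1:80 | | tcp |
| US | 8.8.8.8:53 | tunisia-sat.no-ip.biz | udp |
"""

# Assumption: a starting list of No-IP dynamic-DNS zones; extend per environment.
DYNAMIC_DNS_SUFFIXES = ("no-ip.biz", "no-ip.org", "no-ip.com", "ddns.net", "hopto.org", "zapto.org")
# A domain looked up at least this many times without a connection is reported.
REPEAT_THRESHOLD = 3


def parse_table(text: str) -> List[Dict[str, object]]:
    """Turn '| Country | host:port | domain | proto |' rows into dicts; skip the header."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def is_dynamic_dns(domain: str) -> bool:
    return any(domain == s or domain.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def analyze_network(text: str) -> Dict[str, object]:
    rows = parse_table(text)
    # Lookups are the udp/53 rows that carry a domain; everything else is a connection.
    lookups = Counter(r["domain"] for r in rows if r["port"] == 53 and r["domain"])
    connected_domains = {r["domain"] for r in rows if r["port"] != 53 and r["domain"]}
    loopback = {f"{r['host']}:{r['port']}" for r in rows if str(r["host"]).startswith("127.")}
    external_tcp = {f"{r['host']}:{r['port']}" for r in rows
                    if r["proto"] == "tcp" and not str(r["host"]).startswith("127.")}
    return {
        "dynamic_dns": sorted(d for d in lookups if is_dynamic_dns(d)),
        "loopback": sorted(loopback),
        # Resolved again and again, yet no connection row names the domain.
        "dns_only": {d: n for d, n in lookups.items()
                     if n >= REPEAT_THRESHOLD and d not in connected_domains},
        "external_tcp": sorted(external_tcp),
    }


if __name__ == "__main__":
    for key, value in analyze_network(NETWORK_TABLE).items():
        print(f"{key:13} {value}")
```

The table gives no resolved address for the lookups, so `dns_only` cannot tell a failed resolution from a resolved-but-unreached host; it only says that nothing in the table ties a connection to that domain.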
Files
memory/1692-132-0x00000000005D0000-0x00000000005D4000-memory.dmp
memory/4616-134-0x0000000000000000-mapping.dmp
memory/1660-133-0x0000000000000000-mapping.dmp
memory/4616-135-0x0000000000400000-0x0000000000459000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
| MD5 | 2184e73b4a2ecee7a726b2d7f8374946 |
| SHA1 | 8dd0ef00c55f8470ae513b66773a6369539a8dc9 |
| SHA256 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc |
| SHA512 | 15c5dce97fa43344e7d4f53c992d23fa13d107fec0fa3eca5cbdc12902981157d12df5d74ce226afabe787a53565437c728b9c3b18b2f3d828b27d8a1ba0b0b6 |
memory/4616-138-0x0000000000400000-0x0000000000459000-memory.dmp
memory/5060-139-0x0000000000000000-mapping.dmp
memory/4616-140-0x0000000000400000-0x0000000000459000-memory.dmp
memory/4252-141-0x0000000000000000-mapping.dmp
memory/4616-142-0x0000000000400000-0x0000000000459000-memory.dmp
memory/4616-144-0x0000000024010000-0x0000000024072000-memory.dmp
memory/4152-148-0x0000000000000000-mapping.dmp
memory/4616-149-0x0000000024080000-0x00000000240E2000-memory.dmp
memory/4152-152-0x0000000024080000-0x00000000240E2000-memory.dmp
memory/4152-153-0x0000000024080000-0x00000000240E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | b2c82cbdb8f096f842da7521b7944713 |
| SHA1 | bc6d73b2a3ab5e88e601dcee7a2dc80fa05ced54 |
| SHA256 | ea6023ee5139e5fcc3682d7a562ae7cbbe58c045f20ec5727fa61a2c4c25f33b |
| SHA512 | 27589fd68218bf7b5b2eb27d17e9145a79f027665c71ef503d9a6cd0914a8ae75801618fd20101ef01c1ebbb24c2255ef1b6bec9b73f006255da84bc6fe9533a |
\??\c:\windows\SysWOW64\microsoft\bin\windows.exe
| MD5 | 2184e73b4a2ecee7a726b2d7f8374946 |
| SHA1 | 8dd0ef00c55f8470ae513b66773a6369539a8dc9 |
| SHA256 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc |
| SHA512 | 15c5dce97fa43344e7d4f53c992d23fa13d107fec0fa3eca5cbdc12902981157d12df5d74ce226afabe787a53565437c728b9c3b18b2f3d828b27d8a1ba0b0b6 |
memory/4616-157-0x00000000023E0000-0x0000000002442000-memory.dmp
memory/2064-161-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
| MD5 | 2184e73b4a2ecee7a726b2d7f8374946 |
| SHA1 | 8dd0ef00c55f8470ae513b66773a6369539a8dc9 |
| SHA256 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc |
| SHA512 | 15c5dce97fa43344e7d4f53c992d23fa13d107fec0fa3eca5cbdc12902981157d12df5d74ce226afabe787a53565437c728b9c3b18b2f3d828b27d8a1ba0b0b6 |
memory/4616-163-0x00000000240F0000-0x0000000024152000-memory.dmp
memory/4616-167-0x0000000000400000-0x0000000000459000-memory.dmp
memory/2064-166-0x00000000240F0000-0x0000000024152000-memory.dmp
memory/4152-168-0x0000000031B80000-0x0000000031B8D000-memory.dmp
memory/2064-169-0x00000000240F0000-0x0000000024152000-memory.dmp
memory/1244-170-0x0000000000000000-mapping.dmp
C:\Windows\SysWOW64\microsoft\bin\windows.exe
| MD5 | 2184e73b4a2ecee7a726b2d7f8374946 |
| SHA1 | 8dd0ef00c55f8470ae513b66773a6369539a8dc9 |
| SHA256 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc |
| SHA512 | 15c5dce97fa43344e7d4f53c992d23fa13d107fec0fa3eca5cbdc12902981157d12df5d74ce226afabe787a53565437c728b9c3b18b2f3d828b27d8a1ba0b0b6 |
C:\Windows\SysWOW64\bin\help.exe
| MD5 | 2184e73b4a2ecee7a726b2d7f8374946 |
| SHA1 | 8dd0ef00c55f8470ae513b66773a6369539a8dc9 |
| SHA256 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc |
| SHA512 | 15c5dce97fa43344e7d4f53c992d23fa13d107fec0fa3eca5cbdc12902981157d12df5d74ce226afabe787a53565437c728b9c3b18b2f3d828b27d8a1ba0b0b6 |
memory/4168-173-0x0000000000000000-mapping.dmp
memory/3280-174-0x0000000000000000-mapping.dmp
C:\Windows\SysWOW64\microsoft\bin\windows.exe
| MD5 | 2184e73b4a2ecee7a726b2d7f8374946 |
| SHA1 | 8dd0ef00c55f8470ae513b66773a6369539a8dc9 |
| SHA256 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc |
| SHA512 | 15c5dce97fa43344e7d4f53c992d23fa13d107fec0fa3eca5cbdc12902981157d12df5d74ce226afabe787a53565437c728b9c3b18b2f3d828b27d8a1ba0b0b6 |
memory/3280-178-0x0000000000400000-0x0000000000459000-memory.dmp
memory/3280-179-0x0000000000400000-0x0000000000459000-memory.dmp
memory/1988-180-0x0000000000000000-mapping.dmp
memory/3660-181-0x0000000000000000-mapping.dmp
memory/4168-182-0x0000000031BA0000-0x0000000031BAD000-memory.dmp
memory/4168-183-0x0000000031BA0000-0x0000000031BAD000-memory.dmp
memory/3280-184-0x0000000031BB0000-0x0000000031BBD000-memory.dmp
memory/3280-185-0x0000000000400000-0x0000000000459000-memory.dmp
memory/3280-186-0x0000000031BB0000-0x0000000031BBD000-memory.dmp
memory/1124-187-0x0000000031BD0000-0x0000000031BDD000-memory.dmp
memory/4940-188-0x0000000031BF0000-0x0000000031BFD000-memory.dmp
memory/4940-189-0x0000000031BF0000-0x0000000031BFD000-memory.dmp
memory/4152-190-0x0000000024080000-0x00000000240E2000-memory.dmp
memory/4152-191-0x0000000031B80000-0x0000000031B8D000-memory.dmp
memory/2064-192-0x00000000240F0000-0x0000000024152000-memory.dmp
memory/4696-193-0x0000000031C10000-0x0000000031C1D000-memory.dmp
memory/4696-194-0x0000000031C10000-0x0000000031C1D000-memory.dmp
memory/4940-195-0x0000000031BF0000-0x0000000031BFD000-memory.dmp
memory/4696-196-0x0000000031C10000-0x0000000031C1D000-memory.dmp
memory/4696-197-0x0000000031C10000-0x0000000031C1D000-memory.dmp
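Added example (editor's illustration, not part of the sandbox output): parsing the Files list above into IOCs. Every dropped executable (windows.exe, help.exe and the re-written Temp copy) carries the same MD5, SHA1 and SHA256 as the submitted sample, so a single file hash covers all of them, and the `\??\` NT-path spelling of windows.exe is the same file as the Win32 spelling. The memory-dump names that carry an address range are grouped by span, which shows the same 0x400000-0x459000 region in PIDs 4616 and 3280, consistent with the same image loaded in both. The embedded input is a subset of the entries above, with only the MD5 and SHA256 rows kept.

```python
"""Turn a flattened sandbox Files list into hash IOCs and shared memory regions."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed input: a subset of the Files section above, in the page's
# flattened layout (path line, then one '| NAME | hex |' row per hash).
FILES_SECTION = r"""
memory/4616-135-0x0000000000400000-0x0000000000459000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
| MD5 | 2184e73b4a2ecee7a726b2d7f8374946 |
| SHA256 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc |
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | b2c82cbdb8f096f842da7521b7944713 |
| SHA256 | ea6023ee5139e5fcc3682d7a562ae7cbbe58c045f20ec5727fa61a2c4c25f33b |
\??\c:\windows\SysWOW64\microsoft\bin\windows.exe
| MD5 | 2184e73b4a2ecee7a726b2d7f8374946 |
| SHA256 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc |
C:\Windows\SysWOW64\microsoft\bin\windows.exe
| MD5 | 2184e73b4a2ecee7a726b2d7f8374946 |
| SHA256 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc |
C:\Windows\SysWOW64\bin\help.exe
| MD5 | 2184e73b4a2ecee7a726b2d7f8374946 |
| SHA256 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc |
memory/3280-178-0x0000000000400000-0x0000000000459000-memory.dmp
memory/4616-144-0x0000000024010000-0x0000000024072000-memory.dmp
memory/4152-152-0x0000000024080000-0x00000000240E2000-memory.dmp
memory/4616-149-0x0000000024080000-0x00000000240E2000-memory.dmp
memory/1660-133-0x0000000000000000-mapping.dmp
"""

MEMORY_DUMP = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")


def normalize_path(p: str) -> str:
    """Drop the NT '\\??\\' prefix and lower-case, so both spellings of windows.exe collapse."""
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def parse_files_section(text: str):
    """Return ({normalized path: {hash name: hex}}, [(pid, start, end), ...])."""
    files: Dict[str, Dict[str, str]] = {}
    regions: List[Tuple[int, int, int]] = []
    current = None
    for line in text.strip().splitlines():
        line = line.strip()
        m = MEMORY_DUMP.match(line)
        if m:
            regions.append((int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)))
            current = None
            continue
        m = HASH_ROW.match(line)
        if m and current is not None:
            files[current][m.group(1)] = m.group(2)
            continue
        if line.startswith("memory/"):      # mapping dumps carry no address range
            current = None
            continue
        current = normalize_path(line)      # any other line is a dropped-file path
        files.setdefault(current, {})
    return files, regions


def identical_copies(files: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """SHA256 -> paths, for hashes that appear under more than one path."""
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for path, hashes in files.items():
        if "SHA256" in hashes:
            by_hash[hashes["SHA256"]].append(path)
    return {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}


def shared_regions(regions) -> Dict[Tuple[int, int], List[int]]:
    """(start, end) -> PIDs, for address ranges dumped from more than one process."""
    by_span: Dict[Tuple[int, int], set] = defaultdict(set)
    for pid, start, end in regions:
        by_span[(start, end)].add(pid)
    return {span: sorted(pids) for span, pids in by_span.items() if len(pids) > 1}


if __name__ == "__main__":
    files, regions = parse_files_section(FILES_SECTION)
    for sha, paths in identical_copies(files).items():
        print(sha, *paths, sep="\n  ")
    for (start, end), pids in shared_regions(regions).items():
        print(f"0x{start:08X}-0x{end:08X} in PIDs {pids}")
```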