Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/11/2022, 18:57

General

  • Target

    file.exe

  • Size

    380KB

  • MD5

    e91e8a603108c29db5d1a1ba1c8123fd

  • SHA1

    e609bf5881c00aa4c325a2250407d0d8b254e04c

  • SHA256

    d026b0f1bfa1ea1bc142695477450d6bd4c10e6d7cdbff1d4e8abaad8f04b6c1

  • SHA512

    2d0c23f0a9cc784820291595816ec49a9f12d3b4bdd5cc569f56810d1766fb73b9a1a8ece293210678d03ebe8d3413bb9ebc7ae9eb757588345bebcd4e8abff7

  • SSDEEP

    6144:x/QiQXCWkm+ksmpk3U9j0IV/OGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglM7LT:pQi3WP6m6UR0IV/lL//plmW9bTXeVhD4

Malware Config

Extracted

Family

nymaim

C2

45.139.105.171

85.31.46.167

Signatures

  • NyMaim

    NyMaim is a malware with various capabilities written in C++ and first seen in 2013.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 9 IoCs
  • VMProtect packed file 6 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Loads dropped DLL 14 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 11 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 22 IoCs
  • Modifies system certificate store 2 TTPs 8 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:468
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:892
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k WspService
        2⤵
        • Drops file in System32 directory
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        PID:2320
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe"
      1⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1848
      • C:\Users\Admin\AppData\Local\Temp\is-VDHII.tmp\file.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-VDHII.tmp\file.tmp" /SL5="$60126,140559,56832,C:\Users\Admin\AppData\Local\Temp\file.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1752
        • C:\Users\Admin\AppData\Local\Temp\is-9TIL8.tmp\PowerOff.exe
          "C:\Users\Admin\AppData\Local\Temp\is-9TIL8.tmp\PowerOff.exe" /S /UID=95
          3⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies system certificate store
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1068
          • C:\Users\Admin\AppData\Local\Temp\15-a5a65-3a0-60ca8-0f4d0008259b3\Taeqikaeveny.exe
            "C:\Users\Admin\AppData\Local\Temp\15-a5a65-3a0-60ca8-0f4d0008259b3\Taeqikaeveny.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1628
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3qhlznls.x4a\GcleanerEU.exe /eufive & exit
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4164
              • C:\Users\Admin\AppData\Local\Temp\3qhlznls.x4a\GcleanerEU.exe
                C:\Users\Admin\AppData\Local\Temp\3qhlznls.x4a\GcleanerEU.exe /eufive
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                • Suspicious use of WriteProcessMemory
                PID:4436
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\3qhlznls.x4a\GcleanerEU.exe" & exit
                  7⤵
                    PID:832
                    • C:\Windows\SysWOW64\taskkill.exe
                      taskkill /im "GcleanerEU.exe" /f
                      8⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2108
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fpt3wfdc.vey\gcleaner.exe /mixfive & exit
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:4488
                • C:\Users\Admin\AppData\Local\Temp\fpt3wfdc.vey\gcleaner.exe
                  C:\Users\Admin\AppData\Local\Temp\fpt3wfdc.vey\gcleaner.exe /mixfive
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: CmdExeWriteProcessMemorySpam
                  • Suspicious use of WriteProcessMemory
                  PID:4524
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\fpt3wfdc.vey\gcleaner.exe" & exit
                    7⤵
                      PID:1564
                      • C:\Windows\SysWOW64\taskkill.exe
                        taskkill /im "gcleaner.exe" /f
                        8⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2140
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rhonb33j.fco\random.exe & exit
                  5⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4740
                  • C:\Users\Admin\AppData\Local\Temp\rhonb33j.fco\random.exe
                    C:\Users\Admin\AppData\Local\Temp\rhonb33j.fco\random.exe
                    6⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                    • Suspicious use of WriteProcessMemory
                    PID:4840
                    • C:\Users\Admin\AppData\Local\Temp\rhonb33j.fco\random.exe
                      "C:\Users\Admin\AppData\Local\Temp\rhonb33j.fco\random.exe" -q
                      7⤵
                      • Executes dropped EXE
                      PID:4968
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\iumcnilo.xyp\pb1117.exe & exit
                  5⤵
                  • Loads dropped DLL
                  • Suspicious use of WriteProcessMemory
                  PID:4928
                  • C:\Users\Admin\AppData\Local\Temp\iumcnilo.xyp\pb1117.exe
                    C:\Users\Admin\AppData\Local\Temp\iumcnilo.xyp\pb1117.exe
                    6⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:5048
                    • C:\Windows\system32\WerFault.exe
                      C:\Windows\system32\WerFault.exe -u -p 5048 -s 56
                      7⤵
                      • Loads dropped DLL
                      • Program crash
                      PID:4464
              • C:\Users\Admin\AppData\Local\Temp\63-b91af-ff1-4a883-bcce84fce1c3c\Taeqikaeveny.exe
                "C:\Users\Admin\AppData\Local\Temp\63-b91af-ff1-4a883-bcce84fce1c3c\Taeqikaeveny.exe"
                4⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:1984
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
                  5⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:768
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:768 CREDAT:275457 /prefetch:2
                    6⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of SetWindowsHookEx
                    PID:1260
        • C:\Windows\system32\rundll32.exe
          rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
          1⤵
          • Process spawned unexpected child process
          PID:2076
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
            2⤵
            • Loads dropped DLL
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            PID:2124

              Downloads

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

                Filesize

                61KB

                MD5

                3dcf580a93972319e82cafbc047d34d5

                SHA1

                8528d2a1363e5de77dc3b1142850e51ead0f4b6b

                SHA256

                40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

                SHA512

                98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                342B

                MD5

                5c4b7af0ba3f5169658aa68e3719676d

                SHA1

                f9e2ac953a791bbd7ae2e5a1df6b5ddce4d27722

                SHA256

                9392661476826d6aaf24aa22101ce3f87ed3b6bb5d683e2d9b915da91d9f9754

                SHA512

                5b586b948706e41b6d8724fc36bfce04304cf409d445ba30e6892c1a430fabdcf8fc5cd18dcd2a0b368143a36e4d1cb0b5876472d0e5d89f81605911d5e3cfc3

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                342B

                MD5

                5e54317221fd8b3b437c6b173a1eb4d8

                SHA1

                1e5086cfb32ad1dd89c322dffe6c22b47bb4249f

                SHA256

                599fb0b7eff347bf0a4c26db6ecf0c00ddf97b4cd2fc603edb9e593a8f6b98ce

                SHA512

                e7f6fda20563cde0f97f4302944f7e63c0e075fddeeb4c25b7f2284f9f229d1e54eae73f4640873eaefd8627fb4d64d17a8b88a0359a178d59a703c1d82dfb9e

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                342B

                MD5

                9ee97c602f1e1e1d216a655256f73d62

                SHA1

                2b9aad35540c99b60cf450f6e4356933bf1249ea

                SHA256

                3cdf9e6e382a5b0ede5227d970d699836dba788e210a606c1b8c4b29c6b64650

                SHA512

                1874b256018a48345c803580e4930b96c44369b1d0a8531fe5067a46c73b6c2ab1bf64f5ca872fdf22a9a493a803935a7a0bd3c4a0dc09bd419894ea4d09a659

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                342B

                MD5

                14347cf285c41145f9591009f51e1dd7

                SHA1

                a52379edfc94b9ccb698dcfda978d01997ed206c

                SHA256

                797b74347bc8cbc4fb41590c09a78cb1cc8b9cbb6efb275a48c87cec8a8f1fab

                SHA512

                0ffe66a2615a52c8fc51ebcce42eba9b360d281814c4b4eca06f1b350c4c8a46d8f4da10b23ccd4990d091694897650fdada55ab7e448f0c40759db0557defb5

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                342B

                MD5

                2d2bd386f6206cc29ed0e4cb5db57625

                SHA1

                ee74c45967fb561c1eda78b2108c59bb0ae7f344

                SHA256

                5e6c1a0eaa91f834c6915b80b6c5b3d2b53fe4690d76df61d1395764d185fe0a

                SHA512

                243d769431f91c947afad00fd4c9a69d34e885721d045fa65001208c54a37a91732f1d8e2e95855c6a279b9c77ad5296c56220e8c64284bdd457ca769d251ea0

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                342B

                MD5

                06eb5ab047110c6545cd65e2aec20553

                SHA1

                efb29542b7bb10530ca297fbb4a3786cee8be3cb

                SHA256

                07230270f78d27d9ed2c3132ef33aed569a51eb62124d88845ca06e6d942028f

                SHA512

                efc7751ded4bca83ffe8c079b879ae63eaf09cc7d485f6e1eb24d7400a30fe4433ee17e1b725fe9fcb135f31df4c661906a5a17c60414ca69b8e6e7184c206e5

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                342B

                MD5

                2f8aa9d59a4a77e3804bd20435c23246

                SHA1

                b7ad77918b1ed0e8be645816a173ef2858f689ec

                SHA256

                f639281b0699da2329dd7a5f37ebfa4e4b6ff89cf20bd9a4749b10c5669778b0

                SHA512

                c3879cb830eb138186911fae468875fd1451973b8709b02acc85170d4012c56db89a71a44a49ae3e759e8048b3d787447b581aea4162b463e533da9f8f0b3687

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                342B

                MD5

                2b4fd47e4472a5706ae0b841b48e11e8

                SHA1

                c5950d321a97045028238837cf798ee62c72f45e

                SHA256

                c1f0eac4adb19b94590fb5baec77ae6a843c3f11674b4f9f22921f089c7f45ff

                SHA512

                286eb29bb55f6c8855ebf873d47cf37aca4395e43f2e852d58499f31ffa120b14e9d222ed0b0ea782b1cfe8cf00ba9d4e8a22eb817616c6b13beaa93acfee142

              • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.dat

                Filesize

                6KB

                MD5

                f5a93cbb4781125e66f86c269db38c8d

                SHA1

                5ff58b0a9e597634fb1e2238948ef8b088d53b5d

                SHA256

                58a99bfd791b01e917a895104f7337cdc1f425825e1459508cfd29c6360f716a

                SHA512

                431f5c12527f2c71132f7a8b3c68bf08efaabf4e375242636901a1f83ce61f8b899d87de21d1df3579aec6be112f4caf51f1721339d3b1bfbf7a07d8992419b6

              • C:\Users\Admin\AppData\Local\Temp\15-a5a65-3a0-60ca8-0f4d0008259b3\Kenessey.txt

                Filesize

                9B

                MD5

                97384261b8bbf966df16e5ad509922db

                SHA1

                2fc42d37fee2c81d767e09fb298b70c748940f86

                SHA256

                9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c

                SHA512

                b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

              • C:\Users\Admin\AppData\Local\Temp\15-a5a65-3a0-60ca8-0f4d0008259b3\Taeqikaeveny.exe

                Filesize

                358KB

                MD5

                7d742eb4667ab6dcf933fa6908b3fb98

                SHA1

                95dc2bdcf018074356a9dccdce4173b90649fd84

                SHA256

                ed72c7dd4305b314ecc097beca33750d40088072cbdca4f18b3e02c2b810e81c

                SHA512

                3df327ae1b405f2b12384315a8742544b78f9869e0d53bc3a58bb96065d651b1092576816512ff2866d0d32025739739f6380a6c1cd70b4b09eb2b7ac52de9b4

              • C:\Users\Admin\AppData\Local\Temp\15-a5a65-3a0-60ca8-0f4d0008259b3\Taeqikaeveny.exe

                Filesize

                358KB

                MD5

                7d742eb4667ab6dcf933fa6908b3fb98

                SHA1

                95dc2bdcf018074356a9dccdce4173b90649fd84

                SHA256

                ed72c7dd4305b314ecc097beca33750d40088072cbdca4f18b3e02c2b810e81c

                SHA512

                3df327ae1b405f2b12384315a8742544b78f9869e0d53bc3a58bb96065d651b1092576816512ff2866d0d32025739739f6380a6c1cd70b4b09eb2b7ac52de9b4

              • C:\Users\Admin\AppData\Local\Temp\15-a5a65-3a0-60ca8-0f4d0008259b3\Taeqikaeveny.exe.config

                Filesize

                1KB

                MD5

                98d2687aec923f98c37f7cda8de0eb19

                SHA1

                f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

                SHA256

                8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

                SHA512

                95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

              • C:\Users\Admin\AppData\Local\Temp\3qhlznls.x4a\GcleanerEU.exe

                Filesize

                404KB

                MD5

                94cf983d41cc69f6a67371770a48c0ec

                SHA1

                76c27034dba34863a3cc6c3c6e9966cebec0990d

                SHA256

                73aa861f2ac4ba1af21d78bd169a2887c436941eb5a82baedbaed556c4583eb6

                SHA512

                b17b2fc672cc401e901289fe2873f6ce03c36f014392c040374f002bc76040a23c184731d7a37ad96c32b915d2ca091b881469cf164f50298a88b537572d91c8

              • C:\Users\Admin\AppData\Local\Temp\3qhlznls.x4a\GcleanerEU.exe

                Filesize

                404KB

                MD5

                94cf983d41cc69f6a67371770a48c0ec

                SHA1

                76c27034dba34863a3cc6c3c6e9966cebec0990d

                SHA256

                73aa861f2ac4ba1af21d78bd169a2887c436941eb5a82baedbaed556c4583eb6

                SHA512

                b17b2fc672cc401e901289fe2873f6ce03c36f014392c040374f002bc76040a23c184731d7a37ad96c32b915d2ca091b881469cf164f50298a88b537572d91c8

              • C:\Users\Admin\AppData\Local\Temp\63-b91af-ff1-4a883-bcce84fce1c3c\Taeqikaeveny.exe

                Filesize

                586KB

                MD5

                436e921da691211e16a1adb9ff4d90cd

                SHA1

                6f64647c26bc9d98367618f185fbcfc7717d2851

                SHA256

                5f96df0fb078c706569a49150cf1674f2d6e94cefec73b39a19275ea9a3ac7c6

                SHA512

                493c08bebef58d516461c9fc9249ab7d27a129c4e8bece05c45cbfb0e757c0a132173b41f7ed3dd0a7d0576acfc7113f4c389f894607d1f6498742ec6f3a5369

              • C:\Users\Admin\AppData\Local\Temp\63-b91af-ff1-4a883-bcce84fce1c3c\Taeqikaeveny.exe

                Filesize

                586KB

                MD5

                436e921da691211e16a1adb9ff4d90cd

                SHA1

                6f64647c26bc9d98367618f185fbcfc7717d2851

                SHA256

                5f96df0fb078c706569a49150cf1674f2d6e94cefec73b39a19275ea9a3ac7c6

                SHA512

                493c08bebef58d516461c9fc9249ab7d27a129c4e8bece05c45cbfb0e757c0a132173b41f7ed3dd0a7d0576acfc7113f4c389f894607d1f6498742ec6f3a5369

              • C:\Users\Admin\AppData\Local\Temp\63-b91af-ff1-4a883-bcce84fce1c3c\Taeqikaeveny.exe.config

                Filesize

                1KB

                MD5

                98d2687aec923f98c37f7cda8de0eb19

                SHA1

                f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

                SHA256

                8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

                SHA512

                95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

              • C:\Users\Admin\AppData\Local\Temp\db.dat

                Filesize

                557KB

                MD5

                76c3dbb1e9fea62090cdf53dadcbe28e

                SHA1

                d44b32d04adc810c6df258be85dc6b62bd48a307

                SHA256

                556fd54e5595d222cfa2bd353afa66d8d4d1fbb3003afed604672fceae991860

                SHA512

                de4ea57497cf26237430880742f59e8d2a0ac7e7a0b09ed7be590f36fbd08c9ced0ffe46eb69ec2215a9cff55720f24fffcae752cd282250b4da6b75a30b3a1b

              • C:\Users\Admin\AppData\Local\Temp\db.dll

                Filesize

                52KB

                MD5

                845a5f94673e266f80fae41538a94db1

                SHA1

                a8ed5ba958b94eb55a44f20a4791a58b76e91f0c

                SHA256

                3d73e4425bb7294f20ef86096504ab96d288bd70d2bc6a8361b629903f3b1d01

                SHA512

                f01450a61a6b2daec92fab31c9f153c76574f169f3fef2c6d0cf9283cf730a099c9b7c0cbc4ac44cc4d3c067565a49b8135aa85b745ea340a9d5f8c9dc5c3f81

              • C:\Users\Admin\AppData\Local\Temp\fpt3wfdc.vey\gcleaner.exe

                Filesize

                404KB

                MD5

                94cf983d41cc69f6a67371770a48c0ec

                SHA1

                76c27034dba34863a3cc6c3c6e9966cebec0990d

                SHA256

                73aa861f2ac4ba1af21d78bd169a2887c436941eb5a82baedbaed556c4583eb6

                SHA512

                b17b2fc672cc401e901289fe2873f6ce03c36f014392c040374f002bc76040a23c184731d7a37ad96c32b915d2ca091b881469cf164f50298a88b537572d91c8

              • C:\Users\Admin\AppData\Local\Temp\fpt3wfdc.vey\gcleaner.exe

                Filesize

                404KB

                MD5

                94cf983d41cc69f6a67371770a48c0ec

                SHA1

                76c27034dba34863a3cc6c3c6e9966cebec0990d

                SHA256

                73aa861f2ac4ba1af21d78bd169a2887c436941eb5a82baedbaed556c4583eb6

                SHA512

                b17b2fc672cc401e901289fe2873f6ce03c36f014392c040374f002bc76040a23c184731d7a37ad96c32b915d2ca091b881469cf164f50298a88b537572d91c8

              • C:\Users\Admin\AppData\Local\Temp\is-9TIL8.tmp\PowerOff.exe

                Filesize

                576KB

                MD5

                cfa7c46797e6d113d41adbd97fe38755

                SHA1

                96b1836c44b6aae601c05d547ebf4a79e6361e4b

                SHA256

                ccac7fb768ac6e7f1868de19d0f61454e355b319d332089382f256968dddeb5b

                SHA512

                8f748abb6124c7d2924507aba6239a383d7c170ee5fb1b0fe322c2f6d75f0fb959bab7a94ba99643cfda9bed8402fc3362881232a485d75e0ebee6cee758a6ad

              • C:\Users\Admin\AppData\Local\Temp\is-9TIL8.tmp\PowerOff.exe

                Filesize

                576KB

                MD5

                cfa7c46797e6d113d41adbd97fe38755

                SHA1

                96b1836c44b6aae601c05d547ebf4a79e6361e4b

                SHA256

                ccac7fb768ac6e7f1868de19d0f61454e355b319d332089382f256968dddeb5b

                SHA512

                8f748abb6124c7d2924507aba6239a383d7c170ee5fb1b0fe322c2f6d75f0fb959bab7a94ba99643cfda9bed8402fc3362881232a485d75e0ebee6cee758a6ad

              • C:\Users\Admin\AppData\Local\Temp\is-VDHII.tmp\file.tmp

                Filesize

                694KB

                MD5

                ffcf263a020aa7794015af0edee5df0b

                SHA1

                bce1eb5f0efb2c83f416b1782ea07c776666fdab

                SHA256

                1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

                SHA512

                49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

              • C:\Users\Admin\AppData\Local\Temp\iumcnilo.xyp\pb1117.exe

                Filesize

                3.5MB

                MD5

                cdea279da102299e2bafb4ecc16b6c58

                SHA1

                732fede49b6e97859389b36895a07bea5d9ad9b9

                SHA256

                e2ad80fc97e02a207df083a6ed19776397bc7024456f1b3a6effdf2d13ac3284

                SHA512

                876075209ce64f71addb70ab9ba27a0cc142d4e1d43d23e10073d06f0bca3dd4a5b41800872f3a3b7044e96f6ed593c42ed32fd799cd825aefa6239694d6b1a4

              • C:\Users\Admin\AppData\Local\Temp\rhonb33j.fco\random.exe

                Filesize

                923KB

                MD5

                964da73180a995495797e2107c4b936a

                SHA1

                d941ec8cb8d06c07f77d1c5318abeda5f23ab730

                SHA256

                1ae013d4e99c5bc1b818e14963f275caada1f71fa0186834dc7680124aea8b8d

                SHA512

                6252c809c8aefa1ef8c6742a3099970c6af178a878eba3dd9ef557df62ce6903b9ccf00be534d2b9c1f9b8ffdb4cceed8cc6e5b257b2abe7efcd0a155fe7efa7

              • C:\Users\Admin\AppData\Local\Temp\rhonb33j.fco\random.exe

                Filesize

                923KB

                MD5

                964da73180a995495797e2107c4b936a

                SHA1

                d941ec8cb8d06c07f77d1c5318abeda5f23ab730

                SHA256

                1ae013d4e99c5bc1b818e14963f275caada1f71fa0186834dc7680124aea8b8d

                SHA512

                6252c809c8aefa1ef8c6742a3099970c6af178a878eba3dd9ef557df62ce6903b9ccf00be534d2b9c1f9b8ffdb4cceed8cc6e5b257b2abe7efcd0a155fe7efa7

              • C:\Users\Admin\AppData\Local\Temp\rhonb33j.fco\random.exe

                Filesize

                923KB

                MD5

                964da73180a995495797e2107c4b936a

                SHA1

                d941ec8cb8d06c07f77d1c5318abeda5f23ab730

                SHA256

                1ae013d4e99c5bc1b818e14963f275caada1f71fa0186834dc7680124aea8b8d

                SHA512

                6252c809c8aefa1ef8c6742a3099970c6af178a878eba3dd9ef557df62ce6903b9ccf00be534d2b9c1f9b8ffdb4cceed8cc6e5b257b2abe7efcd0a155fe7efa7

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YPW2D6X8.txt

                Filesize

                603B

                MD5

                f86d15193c75a2a975668c669117f67c

                SHA1

                e682c0ef017f3b60c21e921fa1dce5f58e4f8664

                SHA256

                b655b36e4b41006b511f1b0975a49b5bed452d30371afc578456cb0e3b50ac85

                SHA512

                62cb792d4800bae8822a38d6f3522b8e16b424f8cfce0c081f8c559dfc312db926753de8fe924b738bdd17329b3f66963faf9ac19de2453415eca68565bb3f8b

              • \Users\Admin\AppData\Local\Temp\db.dll

                Filesize

                52KB

                MD5

                845a5f94673e266f80fae41538a94db1

                SHA1

                a8ed5ba958b94eb55a44f20a4791a58b76e91f0c

                SHA256

                3d73e4425bb7294f20ef86096504ab96d288bd70d2bc6a8361b629903f3b1d01

                SHA512

                f01450a61a6b2daec92fab31c9f153c76574f169f3fef2c6d0cf9283cf730a099c9b7c0cbc4ac44cc4d3c067565a49b8135aa85b745ea340a9d5f8c9dc5c3f81

              • \Users\Admin\AppData\Local\Temp\db.dll

                Filesize

                52KB

                MD5

                845a5f94673e266f80fae41538a94db1

                SHA1

                a8ed5ba958b94eb55a44f20a4791a58b76e91f0c

                SHA256

                3d73e4425bb7294f20ef86096504ab96d288bd70d2bc6a8361b629903f3b1d01

                SHA512

                f01450a61a6b2daec92fab31c9f153c76574f169f3fef2c6d0cf9283cf730a099c9b7c0cbc4ac44cc4d3c067565a49b8135aa85b745ea340a9d5f8c9dc5c3f81

              • \Users\Admin\AppData\Local\Temp\db.dll

                Filesize

                52KB

                MD5

                845a5f94673e266f80fae41538a94db1

                SHA1

                a8ed5ba958b94eb55a44f20a4791a58b76e91f0c

                SHA256

                3d73e4425bb7294f20ef86096504ab96d288bd70d2bc6a8361b629903f3b1d01

                SHA512

                f01450a61a6b2daec92fab31c9f153c76574f169f3fef2c6d0cf9283cf730a099c9b7c0cbc4ac44cc4d3c067565a49b8135aa85b745ea340a9d5f8c9dc5c3f81

              • \Users\Admin\AppData\Local\Temp\db.dll

                Filesize

                52KB

                MD5

                845a5f94673e266f80fae41538a94db1

                SHA1

                a8ed5ba958b94eb55a44f20a4791a58b76e91f0c

                SHA256

                3d73e4425bb7294f20ef86096504ab96d288bd70d2bc6a8361b629903f3b1d01

                SHA512

                f01450a61a6b2daec92fab31c9f153c76574f169f3fef2c6d0cf9283cf730a099c9b7c0cbc4ac44cc4d3c067565a49b8135aa85b745ea340a9d5f8c9dc5c3f81

              • \Users\Admin\AppData\Local\Temp\is-9TIL8.tmp\PowerOff.exe

                Filesize

                576KB

                MD5

                cfa7c46797e6d113d41adbd97fe38755

                SHA1

                96b1836c44b6aae601c05d547ebf4a79e6361e4b

                SHA256

                ccac7fb768ac6e7f1868de19d0f61454e355b319d332089382f256968dddeb5b

                SHA512

                8f748abb6124c7d2924507aba6239a383d7c170ee5fb1b0fe322c2f6d75f0fb959bab7a94ba99643cfda9bed8402fc3362881232a485d75e0ebee6cee758a6ad

              • \Users\Admin\AppData\Local\Temp\is-9TIL8.tmp\_isetup\_shfoldr.dll
                Filesize: 22KB
                MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
                SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
                SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
                SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

              • \Users\Admin\AppData\Local\Temp\is-9TIL8.tmp\idp.dll
                Filesize: 216KB
                MD5: 8f995688085bced38ba7795f60a5e1d3
                SHA1: 5b1ad67a149c05c50d6e388527af5c8a0af4343a
                SHA256: 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
                SHA512: 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

              • \Users\Admin\AppData\Local\Temp\is-VDHII.tmp\file.tmp
                Filesize: 694KB
                MD5: ffcf263a020aa7794015af0edee5df0b
                SHA1: bce1eb5f0efb2c83f416b1782ea07c776666fdab
                SHA256: 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
                SHA512: 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

              • \Users\Admin\AppData\Local\Temp\iumcnilo.xyp\pb1117.exe
                Filesize: 3.5MB
                MD5: cdea279da102299e2bafb4ecc16b6c58
                SHA1: 732fede49b6e97859389b36895a07bea5d9ad9b9
                SHA256: e2ad80fc97e02a207df083a6ed19776397bc7024456f1b3a6effdf2d13ac3284
                SHA512: 876075209ce64f71addb70ab9ba27a0cc142d4e1d43d23e10073d06f0bca3dd4a5b41800872f3a3b7044e96f6ed593c42ed32fd799cd825aefa6239694d6b1a4

              • \Users\Admin\AppData\Local\Temp\rhonb33j.fco\random.exe
                Filesize: 923KB
                MD5: 964da73180a995495797e2107c4b936a
                SHA1: d941ec8cb8d06c07f77d1c5318abeda5f23ab730
                SHA256: 1ae013d4e99c5bc1b818e14963f275caada1f71fa0186834dc7680124aea8b8d
                SHA512: 6252c809c8aefa1ef8c6742a3099970c6af178a878eba3dd9ef557df62ce6903b9ccf00be534d2b9c1f9b8ffdb4cceed8cc6e5b257b2abe7efcd0a155fe7efa7

              • memory/892-175-0x0000000001320000-0x0000000001392000-memory.dmp
                Filesize: 456KB

              • memory/892-174-0x00000000008A0000-0x00000000008ED000-memory.dmp
                Filesize: 308KB

              • memory/1068-71-0x0000000000240000-0x000000000029E000-memory.dmp
                Filesize: 376KB

              • memory/1068-70-0x000000001A730000-0x000000001A798000-memory.dmp
                Filesize: 416KB

              • memory/1068-69-0x0000000000820000-0x00000000008B4000-memory.dmp
                Filesize: 592KB

              • memory/1628-87-0x000000001DDC0000-0x000000001E0BF000-memory.dmp
                Filesize: 3.0MB

              • memory/1628-82-0x000007FEEAF00000-0x000007FEEBF96000-memory.dmp
                Filesize: 16.6MB

              • memory/1628-182-0x0000000001E26000-0x0000000001E45000-memory.dmp
                Filesize: 124KB

              • memory/1628-81-0x000007FEEBFA0000-0x000007FEEC9C3000-memory.dmp
                Filesize: 10.1MB

              • memory/1628-90-0x0000000001E26000-0x0000000001E45000-memory.dmp
                Filesize: 124KB

              • memory/1848-54-0x0000000076091000-0x0000000076093000-memory.dmp
                Filesize: 8KB

              • memory/1848-107-0x0000000000400000-0x0000000000414000-memory.dmp
                Filesize: 80KB

              • memory/1848-55-0x0000000000400000-0x0000000000414000-memory.dmp
                Filesize: 80KB

              • memory/1848-64-0x0000000000400000-0x0000000000414000-memory.dmp
                Filesize: 80KB

              • memory/1984-80-0x000007FEEBFA0000-0x000007FEEC9C3000-memory.dmp
                Filesize: 10.1MB

              • memory/1984-86-0x000000001C770000-0x000000001CA6F000-memory.dmp
                Filesize: 3.0MB

              • memory/1984-88-0x000007FEFBCA1000-0x000007FEFBCA3000-memory.dmp
                Filesize: 8KB

              • memory/2124-161-0x0000000001F10000-0x0000000002011000-memory.dmp
                Filesize: 1.0MB

              • memory/2124-164-0x0000000000230000-0x000000000028E000-memory.dmp
                Filesize: 376KB

              • memory/2320-160-0x0000000000060000-0x00000000000AD000-memory.dmp
                Filesize: 308KB

              • memory/2320-173-0x0000000000380000-0x00000000003F2000-memory.dmp
                Filesize: 456KB

              • memory/2320-211-0x0000000002E30000-0x0000000002F3A000-memory.dmp
                Filesize: 1.0MB

              • memory/2320-172-0x0000000000060000-0x00000000000AD000-memory.dmp
                Filesize: 308KB

              • memory/2320-198-0x0000000002E30000-0x0000000002F3A000-memory.dmp
                Filesize: 1.0MB

              • memory/2320-199-0x0000000000420000-0x0000000000440000-memory.dmp
                Filesize: 128KB

              • memory/2320-200-0x0000000001C70000-0x0000000001C8B000-memory.dmp
                Filesize: 108KB

              • memory/2320-197-0x0000000000400000-0x000000000041B000-memory.dmp
                Filesize: 108KB

              • memory/2320-188-0x0000000000380000-0x00000000003F2000-memory.dmp
                Filesize: 456KB

              • memory/4436-133-0x0000000000400000-0x0000000000869000-memory.dmp
                Filesize: 4.4MB

              • memory/4436-132-0x0000000000309000-0x000000000032F000-memory.dmp
                Filesize: 152KB

              • memory/4436-110-0x0000000000400000-0x0000000000869000-memory.dmp
                Filesize: 4.4MB

              • memory/4436-108-0x0000000000290000-0x00000000002D0000-memory.dmp
                Filesize: 256KB

              • memory/4436-106-0x0000000000309000-0x000000000032F000-memory.dmp
                Filesize: 152KB

              • memory/4524-111-0x0000000000A39000-0x0000000000A5F000-memory.dmp
                Filesize: 152KB

              • memory/4524-136-0x0000000000400000-0x0000000000869000-memory.dmp
                Filesize: 4.4MB

              • memory/4524-112-0x0000000000400000-0x0000000000869000-memory.dmp
                Filesize: 4.4MB

              • memory/4524-135-0x0000000000A39000-0x0000000000A5F000-memory.dmp
                Filesize: 152KB

              • memory/5048-124-0x0000000140000000-0x0000000140615000-memory.dmp
                Filesize: 6.1MB