Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/11/2022, 18:56

General

  • Target

    file.exe

  • Size

    380KB

  • MD5

    e91e8a603108c29db5d1a1ba1c8123fd

  • SHA1

    e609bf5881c00aa4c325a2250407d0d8b254e04c

  • SHA256

    d026b0f1bfa1ea1bc142695477450d6bd4c10e6d7cdbff1d4e8abaad8f04b6c1

  • SHA512

    2d0c23f0a9cc784820291595816ec49a9f12d3b4bdd5cc569f56810d1766fb73b9a1a8ece293210678d03ebe8d3413bb9ebc7ae9eb757588345bebcd4e8abff7

  • SSDEEP

    6144:x/QiQXCWkm+ksmpk3U9j0IV/OGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglM7LT:pQi3WP6m6UR0IV/lL//plmW9bTXeVhD4

Malware Config

Extracted

Family

nymaim

C2

45.139.105.171

85.31.46.167

Signatures

  • NyMaim

    NyMaim is malware with various capabilities, written in C++ and first seen in 2013.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 9 IoCs
  • VMProtect packed file 6 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Loads dropped DLL 14 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 11 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 22 IoCs
  • Modifies system certificate store 2 TTPs 13 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:464
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:888
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k WspService
        2⤵
        • Drops file in System32 directory
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        PID:2184
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe"
      1⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2004
      • C:\Users\Admin\AppData\Local\Temp\is-BMTEE.tmp\file.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-BMTEE.tmp\file.tmp" /SL5="$80126,140559,56832,C:\Users\Admin\AppData\Local\Temp\file.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1976
        • C:\Users\Admin\AppData\Local\Temp\is-SKGQO.tmp\PowerOff.exe
          "C:\Users\Admin\AppData\Local\Temp\is-SKGQO.tmp\PowerOff.exe" /S /UID=95
          3⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies system certificate store
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1188
          • C:\Users\Admin\AppData\Local\Temp\cc-790ab-bf9-3e6ae-18237e9e1063a\Nytyxamehe.exe
            "C:\Users\Admin\AppData\Local\Temp\cc-790ab-bf9-3e6ae-18237e9e1063a\Nytyxamehe.exe"
            4⤵
            • Executes dropped EXE
            • Modifies system certificate store
            • Suspicious use of WriteProcessMemory
            PID:1596
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:708
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:708 CREDAT:275457 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1376
          • C:\Users\Admin\AppData\Local\Temp\cf-fd428-d2e-b29b3-64f0a6a6b84a3\Nytyxamehe.exe
            "C:\Users\Admin\AppData\Local\Temp\cf-fd428-d2e-b29b3-64f0a6a6b84a3\Nytyxamehe.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1364
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\udscpxib.qvz\GcleanerEU.exe /eufive & exit
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:5872
              • C:\Users\Admin\AppData\Local\Temp\udscpxib.qvz\GcleanerEU.exe
                C:\Users\Admin\AppData\Local\Temp\udscpxib.qvz\GcleanerEU.exe /eufive
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:6804
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\udscpxib.qvz\GcleanerEU.exe" & exit
                  7⤵
                    PID:832
                    • C:\Windows\SysWOW64\taskkill.exe
                      taskkill /im "GcleanerEU.exe" /f
                      8⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2124
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xw42u2b2.lle\gcleaner.exe /mixfive & exit
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:6828
                • C:\Users\Admin\AppData\Local\Temp\xw42u2b2.lle\gcleaner.exe
                  C:\Users\Admin\AppData\Local\Temp\xw42u2b2.lle\gcleaner.exe /mixfive
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: CmdExeWriteProcessMemorySpam
                  PID:6856
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\xw42u2b2.lle\gcleaner.exe" & exit
                    7⤵
                      PID:2052
                      • C:\Windows\SysWOW64\taskkill.exe
                        taskkill /im "gcleaner.exe" /f
                        8⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2168
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\za0pi2sv.0t5\random.exe & exit
                  5⤵
                  • Suspicious use of WriteProcessMemory
                  PID:6976
                  • C:\Users\Admin\AppData\Local\Temp\za0pi2sv.0t5\random.exe
                    C:\Users\Admin\AppData\Local\Temp\za0pi2sv.0t5\random.exe
                    6⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                    • Suspicious use of WriteProcessMemory
                    PID:7012
                    • C:\Users\Admin\AppData\Local\Temp\za0pi2sv.0t5\random.exe
                      "C:\Users\Admin\AppData\Local\Temp\za0pi2sv.0t5\random.exe" -q
                      7⤵
                      • Executes dropped EXE
                      PID:7052
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5jwc2z02.t2c\pb1117.exe & exit
                  5⤵
                  • Loads dropped DLL
                  • Suspicious use of WriteProcessMemory
                  PID:7120
                  • C:\Users\Admin\AppData\Local\Temp\5jwc2z02.t2c\pb1117.exe
                    C:\Users\Admin\AppData\Local\Temp\5jwc2z02.t2c\pb1117.exe
                    6⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:7148
                    • C:\Windows\system32\WerFault.exe
                      C:\Windows\system32\WerFault.exe -u -p 7148 -s 56
                      7⤵
                      • Loads dropped DLL
                      • Program crash
                      PID:6868
        • C:\Windows\system32\rundll32.exe
          rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
          1⤵
          • Process spawned unexpected child process
          • Suspicious use of WriteProcessMemory
          PID:916
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
            2⤵
            • Loads dropped DLL
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            PID:1716

              Downloads

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

                Filesize

                61KB

                MD5

                3dcf580a93972319e82cafbc047d34d5

                SHA1

                8528d2a1363e5de77dc3b1142850e51ead0f4b6b

                SHA256

                40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

                SHA512

                98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                342B

                MD5

                5275f008b163c686c1657be732094f5e

                SHA1

                2676d845de25edef225a0a5e5abb0513bdd76c6d

                SHA256

                e3cab3b4c6016d9d3188609dd3126515b61b9e6404c5f290d4e22f1fc07ba419

                SHA512

                1e97b10330f4008872641aa680962b4c98b45c26ca7e4c80daf2ca1179621cf4b54acbfb85d4023f5273ae06963ec37982bec63e63a50a9e53cad95dca0e0487

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                342B

                MD5

                967ef8aad289db8d48aa7ab7e37770e6

                SHA1

                d9c398571047a12fb33581cedd1be7c80dc85de7

                SHA256

                57ee8c4a5f1c7685141054e867f26f910a41a2b2c4ff3d34110db15c78f8342d

                SHA512

                bac94c8f131c26907da1c1d60b8d757bcc3ce7e6b9625164f2539d68a16610f3d15304c85d1bb8fa1d122b09d924dfb28c57e4c516976280d8938c7ecace4e15

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                342B

                MD5

                c8fa4cae2e4157b4a4dc6b77fe766645

                SHA1

                da54595aff609f0940d367eb8c0f88dd1438f141

                SHA256

                c8b8b9cba9f32239039571f0aaa9183c3f7c75e0c72aa371b333491d571a43b5

                SHA512

                f4ef305afa8a72ef1897e4a7eb475d12fabe4d32d7e9230dae35bf08d5e13092eb4161a364f43a65a75f74f81be7e80a8f21e7914c41fe37f2ef852c9b29cb56

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                342B

                MD5

                b8fb825cee812b70079764de9e20d63e

                SHA1

                a32356263dd16c4a74081a9664e8cf4a8fa4f0c6

                SHA256

                2e030f753e1b256f8da3c3a80f55870a450ace93bb67090fe95dafd5bccbf2ac

                SHA512

                650792f5f20288dea241b493216015f7581c768a8d1359d38e695e11d09400397094c2fe5b0fbcf8bd78a2bef25937859c4bb8afc6e987d5fe32f968c40ed2cd

              • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.dat

                Filesize

                6KB

                MD5

                d42d3b0489e33bd84599374ac30dbf05

                SHA1

                12efe089c293bdf6b45d472e1020c342fda4e3b1

                SHA256

                3f4375613cfc3e4ec57fb1197f4f94670dbcf9339b2e7d9e2739772f619e652b

                SHA512

                7696a7831b0cbba297305b2027ead597389c13db5b79bc80dc8d8a936da6c40ea2517297db6b9c666113da78cfb3a139960e810b83827a4a0574b198d4370627

              • C:\Users\Admin\AppData\Local\Temp\5jwc2z02.t2c\pb1117.exe

                Filesize

                3.5MB

                MD5

                cdea279da102299e2bafb4ecc16b6c58

                SHA1

                732fede49b6e97859389b36895a07bea5d9ad9b9

                SHA256

                e2ad80fc97e02a207df083a6ed19776397bc7024456f1b3a6effdf2d13ac3284

                SHA512

                876075209ce64f71addb70ab9ba27a0cc142d4e1d43d23e10073d06f0bca3dd4a5b41800872f3a3b7044e96f6ed593c42ed32fd799cd825aefa6239694d6b1a4

              • C:\Users\Admin\AppData\Local\Temp\cc-790ab-bf9-3e6ae-18237e9e1063a\Nytyxamehe.exe

                Filesize

                586KB

                MD5

                436e921da691211e16a1adb9ff4d90cd

                SHA1

                6f64647c26bc9d98367618f185fbcfc7717d2851

                SHA256

                5f96df0fb078c706569a49150cf1674f2d6e94cefec73b39a19275ea9a3ac7c6

                SHA512

                493c08bebef58d516461c9fc9249ab7d27a129c4e8bece05c45cbfb0e757c0a132173b41f7ed3dd0a7d0576acfc7113f4c389f894607d1f6498742ec6f3a5369

              • C:\Users\Admin\AppData\Local\Temp\cc-790ab-bf9-3e6ae-18237e9e1063a\Nytyxamehe.exe.config

                Filesize

                1KB

                MD5

                98d2687aec923f98c37f7cda8de0eb19

                SHA1

                f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

                SHA256

                8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

                SHA512

                95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

              • C:\Users\Admin\AppData\Local\Temp\cf-fd428-d2e-b29b3-64f0a6a6b84a3\Kenessey.txt

                Filesize

                9B

                MD5

                97384261b8bbf966df16e5ad509922db

                SHA1

                2fc42d37fee2c81d767e09fb298b70c748940f86

                SHA256

                9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c

                SHA512

                b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

              • C:\Users\Admin\AppData\Local\Temp\cf-fd428-d2e-b29b3-64f0a6a6b84a3\Nytyxamehe.exe

                Filesize

                358KB

                MD5

                7d742eb4667ab6dcf933fa6908b3fb98

                SHA1

                95dc2bdcf018074356a9dccdce4173b90649fd84

                SHA256

                ed72c7dd4305b314ecc097beca33750d40088072cbdca4f18b3e02c2b810e81c

                SHA512

                3df327ae1b405f2b12384315a8742544b78f9869e0d53bc3a58bb96065d651b1092576816512ff2866d0d32025739739f6380a6c1cd70b4b09eb2b7ac52de9b4

              • C:\Users\Admin\AppData\Local\Temp\cf-fd428-d2e-b29b3-64f0a6a6b84a3\Nytyxamehe.exe.config

                Filesize

                1KB

                MD5

                98d2687aec923f98c37f7cda8de0eb19

                SHA1

                f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

                SHA256

                8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

                SHA512

                95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

              • C:\Users\Admin\AppData\Local\Temp\db.dat

                Filesize

                557KB

                MD5

                76c3dbb1e9fea62090cdf53dadcbe28e

                SHA1

                d44b32d04adc810c6df258be85dc6b62bd48a307

                SHA256

                556fd54e5595d222cfa2bd353afa66d8d4d1fbb3003afed604672fceae991860

                SHA512

                de4ea57497cf26237430880742f59e8d2a0ac7e7a0b09ed7be590f36fbd08c9ced0ffe46eb69ec2215a9cff55720f24fffcae752cd282250b4da6b75a30b3a1b

              • C:\Users\Admin\AppData\Local\Temp\db.dll

                Filesize

                52KB

                MD5

                845a5f94673e266f80fae41538a94db1

                SHA1

                a8ed5ba958b94eb55a44f20a4791a58b76e91f0c

                SHA256

                3d73e4425bb7294f20ef86096504ab96d288bd70d2bc6a8361b629903f3b1d01

                SHA512

                f01450a61a6b2daec92fab31c9f153c76574f169f3fef2c6d0cf9283cf730a099c9b7c0cbc4ac44cc4d3c067565a49b8135aa85b745ea340a9d5f8c9dc5c3f81

              • C:\Users\Admin\AppData\Local\Temp\is-BMTEE.tmp\file.tmp

                Filesize

                694KB

                MD5

                ffcf263a020aa7794015af0edee5df0b

                SHA1

                bce1eb5f0efb2c83f416b1782ea07c776666fdab

                SHA256

                1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

                SHA512

                49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

              • C:\Users\Admin\AppData\Local\Temp\is-SKGQO.tmp\PowerOff.exe

                Filesize

                576KB

                MD5

                cfa7c46797e6d113d41adbd97fe38755

                SHA1

                96b1836c44b6aae601c05d547ebf4a79e6361e4b

                SHA256

                ccac7fb768ac6e7f1868de19d0f61454e355b319d332089382f256968dddeb5b

                SHA512

                8f748abb6124c7d2924507aba6239a383d7c170ee5fb1b0fe322c2f6d75f0fb959bab7a94ba99643cfda9bed8402fc3362881232a485d75e0ebee6cee758a6ad

              • C:\Users\Admin\AppData\Local\Temp\udscpxib.qvz\GcleanerEU.exe

                Filesize

                404KB

                MD5

                94cf983d41cc69f6a67371770a48c0ec

                SHA1

                76c27034dba34863a3cc6c3c6e9966cebec0990d

                SHA256

                73aa861f2ac4ba1af21d78bd169a2887c436941eb5a82baedbaed556c4583eb6

                SHA512

                b17b2fc672cc401e901289fe2873f6ce03c36f014392c040374f002bc76040a23c184731d7a37ad96c32b915d2ca091b881469cf164f50298a88b537572d91c8

              • C:\Users\Admin\AppData\Local\Temp\xw42u2b2.lle\gcleaner.exe

                Filesize

                404KB

                MD5

                94cf983d41cc69f6a67371770a48c0ec

                SHA1

                76c27034dba34863a3cc6c3c6e9966cebec0990d

                SHA256

                73aa861f2ac4ba1af21d78bd169a2887c436941eb5a82baedbaed556c4583eb6

                SHA512

                b17b2fc672cc401e901289fe2873f6ce03c36f014392c040374f002bc76040a23c184731d7a37ad96c32b915d2ca091b881469cf164f50298a88b537572d91c8

              • C:\Users\Admin\AppData\Local\Temp\za0pi2sv.0t5\random.exe

                Filesize

                923KB

                MD5

                964da73180a995495797e2107c4b936a

                SHA1

                d941ec8cb8d06c07f77d1c5318abeda5f23ab730

                SHA256

                1ae013d4e99c5bc1b818e14963f275caada1f71fa0186834dc7680124aea8b8d

                SHA512

                6252c809c8aefa1ef8c6742a3099970c6af178a878eba3dd9ef557df62ce6903b9ccf00be534d2b9c1f9b8ffdb4cceed8cc6e5b257b2abe7efcd0a155fe7efa7

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\XBHFWKII.txt

                Filesize

                603B

                MD5

                7a55c18ab46f89c79b5f38e9efa48b03

                SHA1

                9f5b1a6742d68b13f491e9192b634f709fe83fbe

                SHA256

                a045e10b4fe362483e994fed8f8d06bf1214aca5dd31574f8e30368638081395

                SHA512

                b5b6546ec77b72fd00f7d876f85a5e70e8d428cd9f762929b71dbd1999702ea8398e241de03e795c32055cb173049e9c2a0b029facc7c9851731de30ca004321

              • \Users\Admin\AppData\Local\Temp\5jwc2z02.t2c\pb1117.exe

                Filesize

                3.5MB

                MD5

                cdea279da102299e2bafb4ecc16b6c58

                SHA1

                732fede49b6e97859389b36895a07bea5d9ad9b9

                SHA256

                e2ad80fc97e02a207df083a6ed19776397bc7024456f1b3a6effdf2d13ac3284

                SHA512

                876075209ce64f71addb70ab9ba27a0cc142d4e1d43d23e10073d06f0bca3dd4a5b41800872f3a3b7044e96f6ed593c42ed32fd799cd825aefa6239694d6b1a4

              • \Users\Admin\AppData\Local\Temp\db.dll

                Filesize

                52KB

                MD5

                845a5f94673e266f80fae41538a94db1

                SHA1

                a8ed5ba958b94eb55a44f20a4791a58b76e91f0c

                SHA256

                3d73e4425bb7294f20ef86096504ab96d288bd70d2bc6a8361b629903f3b1d01

                SHA512

                f01450a61a6b2daec92fab31c9f153c76574f169f3fef2c6d0cf9283cf730a099c9b7c0cbc4ac44cc4d3c067565a49b8135aa85b745ea340a9d5f8c9dc5c3f81

              • \Users\Admin\AppData\Local\Temp\is-BMTEE.tmp\file.tmp

                Filesize

                694KB

                MD5

                ffcf263a020aa7794015af0edee5df0b

                SHA1

                bce1eb5f0efb2c83f416b1782ea07c776666fdab

                SHA256

                1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

                SHA512

                49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

              • \Users\Admin\AppData\Local\Temp\is-SKGQO.tmp\PowerOff.exe

                Filesize

                576KB

                MD5

                cfa7c46797e6d113d41adbd97fe38755

                SHA1

                96b1836c44b6aae601c05d547ebf4a79e6361e4b

                SHA256

                ccac7fb768ac6e7f1868de19d0f61454e355b319d332089382f256968dddeb5b

                SHA512

                8f748abb6124c7d2924507aba6239a383d7c170ee5fb1b0fe322c2f6d75f0fb959bab7a94ba99643cfda9bed8402fc3362881232a485d75e0ebee6cee758a6ad

              • \Users\Admin\AppData\Local\Temp\is-SKGQO.tmp\_isetup\_shfoldr.dll
                Filesize: 22KB
                MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
                SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
                SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
                SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

              • \Users\Admin\AppData\Local\Temp\is-SKGQO.tmp\idp.dll
                Filesize: 216KB
                MD5: 8f995688085bced38ba7795f60a5e1d3
                SHA1: 5b1ad67a149c05c50d6e388527af5c8a0af4343a
                SHA256: 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
                SHA512: 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

              • \Users\Admin\AppData\Local\Temp\za0pi2sv.0t5\random.exe
                Filesize: 923KB
                MD5: 964da73180a995495797e2107c4b936a
                SHA1: d941ec8cb8d06c07f77d1c5318abeda5f23ab730
                SHA256: 1ae013d4e99c5bc1b818e14963f275caada1f71fa0186834dc7680124aea8b8d
                SHA512: 6252c809c8aefa1ef8c6742a3099970c6af178a878eba3dd9ef557df62ce6903b9ccf00be534d2b9c1f9b8ffdb4cceed8cc6e5b257b2abe7efcd0a155fe7efa7

              • memory/888-151-0x0000000000F00000-0x0000000000F72000-memory.dmp
                Filesize: 456KB

              • memory/1188-70-0x0000000000680000-0x00000000006E8000-memory.dmp
                Filesize: 416KB

              • memory/1188-69-0x00000000011C0000-0x0000000001254000-memory.dmp
                Filesize: 592KB

              • memory/1188-71-0x0000000000410000-0x000000000046E000-memory.dmp
                Filesize: 376KB

              • memory/1364-87-0x000007FEED020000-0x000007FEEDA43000-memory.dmp
                Filesize: 10.1MB

              • memory/1364-90-0x000000001D650000-0x000000001D94F000-memory.dmp
                Filesize: 3.0MB

              • memory/1364-178-0x0000000000586000-0x00000000005A5000-memory.dmp
                Filesize: 124KB

              • memory/1364-88-0x000007FEF5970000-0x000007FEF6A06000-memory.dmp
                Filesize: 16.6MB

              • memory/1364-92-0x0000000000586000-0x00000000005A5000-memory.dmp
                Filesize: 124KB

              • memory/1596-79-0x000000001CDC0000-0x000000001D0BF000-memory.dmp
                Filesize: 3.0MB

              • memory/1596-76-0x000007FEED020000-0x000007FEEDA43000-memory.dmp
                Filesize: 10.1MB

              • memory/1716-145-0x0000000000980000-0x0000000000A81000-memory.dmp
                Filesize: 1.0MB

              • memory/1716-147-0x00000000008C0000-0x000000000091E000-memory.dmp
                Filesize: 376KB

              • memory/2004-64-0x0000000000400000-0x0000000000414000-memory.dmp
                Filesize: 80KB

              • memory/2004-55-0x0000000000400000-0x0000000000414000-memory.dmp
                Filesize: 80KB

              • memory/2004-86-0x0000000000400000-0x0000000000414000-memory.dmp
                Filesize: 80KB

              • memory/2004-54-0x0000000075831000-0x0000000075833000-memory.dmp
                Filesize: 8KB

              • memory/2184-194-0x0000000000230000-0x0000000000250000-memory.dmp
                Filesize: 128KB

              • memory/2184-184-0x00000000004E0000-0x0000000000552000-memory.dmp
                Filesize: 456KB

              • memory/2184-190-0x000007FEFC1B1000-0x000007FEFC1B3000-memory.dmp
                Filesize: 8KB

              • memory/2184-148-0x0000000000060000-0x00000000000AD000-memory.dmp
                Filesize: 308KB

              • memory/2184-192-0x0000000000180000-0x000000000019B000-memory.dmp
                Filesize: 108KB

              • memory/2184-193-0x0000000002FC0000-0x00000000030CA000-memory.dmp
                Filesize: 1.0MB

              • memory/2184-195-0x0000000000250000-0x000000000026B000-memory.dmp
                Filesize: 108KB

              • memory/2184-172-0x00000000004E0000-0x0000000000552000-memory.dmp
                Filesize: 456KB

              • memory/2184-171-0x0000000000060000-0x00000000000AD000-memory.dmp
                Filesize: 308KB

              • memory/2184-208-0x0000000002FC0000-0x00000000030CA000-memory.dmp
                Filesize: 1.0MB

              • memory/6804-113-0x0000000000400000-0x0000000000869000-memory.dmp
                Filesize: 4.4MB

              • memory/6804-102-0x0000000000289000-0x00000000002AF000-memory.dmp
                Filesize: 152KB

              • memory/6804-103-0x0000000000870000-0x00000000008B0000-memory.dmp
                Filesize: 256KB

              • memory/6804-141-0x0000000000400000-0x0000000000869000-memory.dmp
                Filesize: 4.4MB

              • memory/6804-139-0x0000000000289000-0x00000000002AF000-memory.dmp
                Filesize: 152KB

              • memory/6856-143-0x0000000000400000-0x0000000000869000-memory.dmp
                Filesize: 4.4MB

              • memory/6856-116-0x0000000000400000-0x0000000000869000-memory.dmp
                Filesize: 4.4MB

              • memory/6856-140-0x0000000000979000-0x000000000099F000-memory.dmp
                Filesize: 152KB

              • memory/6856-114-0x0000000000979000-0x000000000099F000-memory.dmp
                Filesize: 152KB

              • memory/6856-115-0x0000000000220000-0x0000000000260000-memory.dmp
                Filesize: 256KB

              • memory/7148-121-0x0000000140000000-0x0000000140615000-memory.dmp
                Filesize: 6.1MB
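Added example (editor's code, not part of the report or of the sandbox's own tooling): a Python helper that parses this dropped-file and memory-dump listing into records, recomputes each memory dump's size from the address range in its name and checks it against the stated Filesize, hashes input with the four algorithms the report records, and matches the digests against the listed files. Two things in it are assumptions rather than report facts: the size-rounding rule (whole KB below 1 MiB, one decimal MB at or above it) is inferred from the listing's own values, and the labelling of _shfoldr.dll and idp.dll as stock Inno Setup components is the editor's reading of the is-*.tmp\_isetup path layout and the file names. The embedded sample listing is copied from three of the entries above.

```python
"""Parse a sandbox dropped-file / memory-dump listing and match hashes against it.
Editor's added example, not the report's own tooling."""
import hashlib
import re
from typing import Dict, List, Optional

# Constructed sample in the page's own layout (spacer blank lines left out; the
# parser skips them anyway), copied from three of the entries above.
SAMPLE_LISTING = r"""
• \Users\Admin\AppData\Local\Temp\db.dll
  Filesize
  52KB
  MD5
  845a5f94673e266f80fae41538a94db1
  SHA1
  a8ed5ba958b94eb55a44f20a4791a58b76e91f0c
  SHA256
  3d73e4425bb7294f20ef86096504ab96d288bd70d2bc6a8361b629903f3b1d01
  SHA512
  f01450a61a6b2daec92fab31c9f153c76574f169f3fef2c6d0cf9283cf730a099c9b7c0cbc4ac44cc4d3c067565a49b8135aa85b745ea340a9d5f8c9dc5c3f81
• memory/2184-194-0x0000000000230000-0x0000000000250000-memory.dmp
  Filesize
  128KB
• memory/7148-121-0x0000000140000000-0x0000000140615000-memory.dmp
  Filesize
  6.1MB
"""

LABELS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
ALGS = ("md5", "sha1", "sha256", "sha512")
# Dump names are memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp; the middle
# number is taken to be the sandbox's per-run dump index (assumption).
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Stock installer components. Attribution is the editor's, from the file names
# and the is-*.tmp\_isetup layout; the report itself does not say this.
INSTALLER_HELPERS = {
    "_shfoldr.dll": "Inno Setup shell-folder helper, extracted by Inno installers generally",
    "idp.dll": "Inno Download Plugin, an Inno Setup add-on for fetching files over HTTP",
}


def parse_listing(text: str) -> List[Dict[str, object]]:
    """Each '•' line opens an entry; the lines after it alternate label / value
    until the next bullet. Hash values are normalised to lowercase."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries: List[Dict[str, object]] = []
    i = 0
    while i < len(lines):
        if not lines[i].startswith("•"):
            i += 1  # skip the tail of an entry cut off at the top of a page
            continue
        entry: Dict[str, object] = {"path": lines[i][1:].strip()}
        i += 1
        while i + 1 < len(lines) and lines[i] in LABELS:
            label, value = lines[i], lines[i + 1]
            entry[label.lower()] = value if label == "Filesize" else value.lower()
            i += 2
        m = MEM_RE.match(str(entry["path"]))
        if m:
            pid, seq, start, end = m.groups()
            entry.update(pid=int(pid), seq=int(seq), start=int(start, 16), end=int(end, 16),
                         size_bytes=int(end, 16) - int(start, 16))
        entries.append(entry)
    return entries


def human_size(n: int) -> str:
    """Render bytes the way the listing does: whole KB below 1 MiB, one decimal
    MB at or above it (rule inferred from the listing's own values)."""
    return f"{n / 1048576:.1f}MB" if n >= 1048576 else f"{n // 1024}KB"


def check_memory_sizes(entries: List[Dict[str, object]]) -> List[str]:
    """Dump names whose stated Filesize disagrees with their address range;
    an empty list means the listing is internally consistent."""
    return [str(e["path"]) for e in entries
            if "size_bytes" in e and human_size(int(e["size_bytes"])) != e.get("filesize")]


def hash_bytes(data: bytes) -> Dict[str, str]:
    """The four digests the report records; pass open(p, 'rb').read() for a file."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGS}


def match_iocs(digests: Dict[str, str], entries: List[Dict[str, object]]) -> List[str]:
    """Paths of listed files where any algorithm we computed equals the listed value."""
    return [str(e["path"]) for e in entries
            if any(alg in e and alg in digests and e[alg] == digests[alg].lower() for alg in ALGS)]


def installer_helper_note(path: str) -> Optional[str]:
    """Flag stock installer components: their hashes identify the installer
    toolkit rather than this sample, so on their own they are weak IOCs."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return INSTALLER_HELPERS.get(name)


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    print("size mismatches:", check_memory_sizes(recs))
    print("hits for an empty buffer:", match_iocs(hash_bytes(b""), recs))
```

Run as a script it reports no size mismatches for the sample and no hits for an empty buffer; for a file pulled from a suspect host, hash_bytes over its contents gives the digests to feed match_iocs against the full listing. Treat a hit on _shfoldr.dll or idp.dll as evidence of an Inno Setup package rather than of this sample, and pivot on the other listed files.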