Analysis

  • max time kernel
    146s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    • arch:x64
    • arch:x86
    • image:win10v2004-20220812-en
    • locale:en-us
    • os:windows10-2004-x64
    • system
  • submitted
    26/11/2022, 23:36

General

  • Target

    4469537306c922ca46832b87beea15b460546f25f1de95ac2d2e74f551ed3cbb.exe

  • Size

    987KB

  • MD5

    0bbe2ae2d9b3cce70d2bd00eb9b72ec1

  • SHA1

    67d457d54b2a44b001170fde6a1b48a60511bc0d

  • SHA256

    4469537306c922ca46832b87beea15b460546f25f1de95ac2d2e74f551ed3cbb

  • SHA512

    3042d50ae0c4f71cde0c12444f6667393a8cec5f32a486ae295e01f5ab3fb280d2111b8aa520e376176ffc24cd1fbec8b300aef11068a519578d0d684688b6bb

  • SSDEEP

    24576:O2O/GlADY5OPqKoBoVYrvSL2raioaW3JVja7gh8/pIH+:aYUqKoBoV66L2r3WZVjaW8/p8+

Malware Config

Extracted

Family

nanocore

Version

1.2.1.1

C2

tooblaq1.ddns.net:2233

tooblaq2.ddns.net:2233

Mutex

722a6540-3583-410e-8546-79fbfc239905

Attributes
  • activate_away_mode

    false

  • backup_connection_host

    tooblaq2.ddns.net

  • backup_dns_server

  • buffer_size

    65535

  • build_time

    2014-09-30T12:55:59.665724036Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    2233

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    10485760

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    10485760

  • mutex

    722a6540-3583-410e-8546-79fbfc239905

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    tooblaq1.ddns.net

  • primary_dns_server

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.1.1

  • wan_timeout

    8000
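The extracted configuration above is the most useful part of the report for containment: two dynamic-DNS C2 names on one port, a fixed mutex, and a set of build flags that change how the implant must be handled on a live host. The script below is an added example for this report (not sandbox output and not NanoCore code): it copies the config values into a dictionary, derives the block list and mutex names from them, reports whether the build resolves its C2 through the system resolver or its own DNS servers, and, on Windows only, probes for the mutex with OpenMutexW. The DYNDNS_SUFFIXES list, the helper names and the behaviour descriptions are this example's own assumptions.

```python
"""Turn the extracted NanoCore config above into containment and hunt artefacts.

Added example for this report: not sandbox output and not NanoCore code.
CONFIG is hand-copied from the 'Malware Config' section; DYNDNS_SUFFIXES and
the helper names are this example's own assumptions.
"""
import re
import sys

CONFIG = {  # values as extracted above
    "primary_connection_host": "tooblaq1.ddns.net",
    "backup_connection_host": "tooblaq2.ddns.net",
    "connection_port": 2233,
    "use_custom_dns_server": False,
    "primary_dns_server": "",
    "backup_dns_server": "",
    "mutex": "722a6540-3583-410e-8546-79fbfc239905",
    "run_on_startup": True,
    "bypass_user_account_control": True,
    "request_elevation": True,
    "set_critical_process": True,
    "keyboard_logging": False,
}

GUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
# Free dynamic-DNS suffixes often seen in RAT configs (assumed list, extend locally).
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".no-ip.biz", ".duckdns.org", ".hopto.org")


def c2_endpoints(cfg):
    """(host, port) pairs the implant will try, primary first, duplicates dropped."""
    port = int(cfg["connection_port"])
    seen, out = set(), []
    for key in ("primary_connection_host", "backup_connection_host"):
        host = (cfg.get(key) or "").strip().lower()
        if host and host not in seen:
            seen.add(host)
            out.append((host, port))
    return out


def is_dyndns(host):
    return host.lower().endswith(DYNDNS_SUFFIXES)


def resolver_note(cfg):
    """NanoCore can resolve its C2 through DNS servers named in the config, which
    sidesteps a sinkhole on the corporate resolver.  Say which path this build uses."""
    if cfg.get("use_custom_dns_server"):
        servers = [s for s in (cfg.get("primary_dns_server"), cfg.get("backup_dns_server")) if s]
        return "custom DNS servers " + ", ".join(servers) + " (sinkhole the IPs, not just the names)"
    return "system resolver (a DNS sinkhole or RPZ entry for the C2 names is effective)"


def mutex_names(cfg):
    """The config stores the mutex as a bare GUID; return the name forms worth probing."""
    m = cfg["mutex"].strip().lower()
    if not GUID_RE.match(m):
        raise ValueError(f"mutex {m!r} is not a GUID; the config may be mis-parsed")
    return [m, "Global\\" + m]


def behaviour_flags(cfg):
    """Map the boolean build options to what a responder should expect on the host."""
    meaning = {
        "run_on_startup": "persists across logons",
        "bypass_user_account_control": "attempts a silent UAC bypass",
        "request_elevation": "requests administrative rights",
        "set_critical_process": "marks its process critical: terminating it bugchecks the host, so suspend rather than kill",
        "keyboard_logging": "keylogger enabled",
    }
    return [text for key, text in meaning.items() if cfg.get(key)]


def mutex_is_held(name):
    """Windows only: True if a mutex of this name exists (implant running).
    Returns None on other platforms so the rest of the example still runs."""
    if sys.platform != "win32":
        return None
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenMutexW.argtypes = (wintypes.DWORD, wintypes.BOOL, wintypes.LPCWSTR)
    k32.OpenMutexW.restype = wintypes.HANDLE
    k32.CloseHandle.argtypes = (wintypes.HANDLE,)
    handle = k32.OpenMutexW(0x00100000, False, name)  # SYNCHRONIZE access
    if handle:
        k32.CloseHandle(handle)
        return True
    return False


if __name__ == "__main__":
    for host, port in c2_endpoints(CONFIG):
        print(f"block {host}:{port}" + ("  [dynamic DNS]" if is_dyndns(host) else ""))
    print("resolution:", resolver_note(CONFIG))
    for name in mutex_names(CONFIG):
        print(f"mutex {name!r} held:", mutex_is_held(name))
    for line in behaviour_flags(CONFIG):
        print("-", line)
```

Because `use_custom_dns_server` is false in this build, a sinkhole on the two names is enough; a build with custom DNS servers set would need the server IPs blocked as well. The `set_critical_process` flag is why the responder note says suspend, not kill: the process also holds SeDebugPrivilege (see "Suspicious use of AdjustPrivilegeToken" below), which is what the critical flag requires.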

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities. In this run the chain is consistent with the payload being hollowed into the .NET Framework host RegSvcs.exe (PID 4200): its parent (PID 208) shows SetThreadContext and WriteProcessMemory, RegSvcs.exe is started with no arguments, and the memory dumps listed under Downloads capture a 224KB image at 0x400000 in that process.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox attaches the generic note "likely ransomware behaviour" to this signature; for a NanoCore sample, drive enumeration is equally consistent with the RAT's file-browser and system-profiling features, so treat it as a weak indicator on its own.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4469537306c922ca46832b87beea15b460546f25f1de95ac2d2e74f551ed3cbb.exe
    "C:\Users\Admin\AppData\Local\Temp\4469537306c922ca46832b87beea15b460546f25f1de95ac2d2e74f551ed3cbb.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4804
    • C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd
      "C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd" nvqme.cax
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1208
      • C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd
        C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd C:\Users\Admin\AppData\Roaming\rwxok\WJRYK
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:208
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:4200
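The tree above shows the three detectable steps of this loader: a dropped PE running under a .cmd extension from AppData\Roaming, that file re-launching itself with a new argument, and a .NET Framework utility (RegSvcs.exe) started with an empty command line by a parent that also shows SetThreadContext and WriteProcessMemory. The script below is an added example for this report, not sandbox code: it encodes those three steps as rules over process-creation events. EVENTS is constructed from the tree (PIDs and command lines as shown) plus three benign control events; the field names, rule names and the DOTNET_HOSTS list are this example's own assumptions.

```python
"""Flag the injection chain from the process tree above in process-creation
events (Sysmon Event ID 1 style records).

Added example for this report, not sandbox code.  EVENTS is constructed from
the tree above (PIDs and command lines as shown) plus three benign control
events; the field names, rule names and DOTNET_HOSTS list are this example's own.
"""
import ntpath

USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
PE_EXTENSIONS = {".exe", ".scr", ".com", ".pif"}
# .NET Framework utilities that RATs hollow; used legitimately they are always
# handed an assembly path on the command line.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe",
                "applaunch.exe", "aspnet_compiler.exe", "csc.exe", "vbc.exe"}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4469537306c922ca46832b87beea15b460546f25f1de95ac2d2e74f551ed3cbb.exe"
STAGE = r"C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

EVENTS = [  # constructed from the tree above
    {"pid": 4804, "ppid": 3000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1208, "ppid": 4804, "image": STAGE, "cmdline": f'"{STAGE}" nvqme.cax'},
    {"pid": 208, "ppid": 1208, "image": STAGE,
     "cmdline": rf"{STAGE} C:\Users\Admin\AppData\Roaming\rwxok\WJRYK"},
    {"pid": 4200, "ppid": 208, "image": REGSVCS, "cmdline": f'"{REGSVCS}"'},
    # benign controls: explorer, a legitimate RegSvcs call with an assembly path,
    # and a real .cmd script (which runs under cmd.exe, not as its own image)
    {"pid": 900, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5000, "ppid": 900, "image": REGSVCS,
     "cmdline": f'"{REGSVCS}" "C:\\Program Files\\Vendor\\Service.dll"'},
    {"pid": 5001, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\Admin\AppData\Roaming\build\run.cmd"'},
]


def args_of(cmdline):
    """Arguments after the image token, honouring a quoted image path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    return s.partition(" ")[2].strip()


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def analyse(events):
    """Return findings as (pid, rule, detail) tuples."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = e["image"]
        name = ntpath.basename(image).lower()
        ext = ntpath.splitext(name)[1]
        parent = by_pid.get(e["ppid"])
        args = args_of(e["cmdline"])

        # Rule 1: CreateProcess ignores the extension, so a process whose image has a
        # script or data extension is a PE disguised on disk (wcwrc.cmd above).
        if ext not in PE_EXTENSIONS:
            findings.append((e["pid"], "disguised_pe", f"{name} running as a process image"))

        # Rule 2: a user-writable image re-launching itself with a new argument is
        # the staging step (wcwrc.cmd nvqme.cax -> wcwrc.cmd ...\WJRYK).
        if parent and parent["image"].lower() == image.lower() and in_user_writable(image):
            findings.append((e["pid"], "self_reexec",
                             f"{name} re-launched by PID {parent['pid']} with {args!r}"))

        # Rule 3: a .NET host started with an empty command line by a parent in a
        # user-writable directory is the hollowing target (RegSvcs.exe under PID 208;
        # the parent also shows SetThreadContext/WriteProcessMemory in the report).
        if name in DOTNET_HOSTS and args == "" and parent and in_user_writable(parent["image"]):
            findings.append((e["pid"], "hollowed_dotnet_host",
                             f"{name} with no arguments, parent {ntpath.basename(parent['image'])}"))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in analyse(EVENTS):
        print(f"PID {pid:>5}  {rule:<22} {detail}")
```

Rule 3 is the one worth deploying on its own: a legitimate RegSvcs.exe or RegAsm.exe invocation always carries an assembly path, so the empty-argument form under a parent in AppData, ProgramData or Temp is rare in normal telemetry. Rules 1 and 2 add confidence and identify which file on disk to collect.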

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\AppData\Roaming\rwxok\WJRYK

          Filesize

          96KB

          MD5

          a2fcc3c8ed806da4a28fd3b11d121b78

          SHA1

          8505aa3c95eeff211612490206fcb150a064cd2d

          SHA256

          dcfb4ceedb10506fb2b3d8cfeb189f530b7b860a6b3dfbcd1c2171c34fe6ce60

          SHA512

          8da240f3857d9504e2189d1a61e791f3109699183a71ffd016848b1c48a003fef8951e37d2ed097fed16c1f4ebe0ee78f71e4853e2561386a74f34028d27ae48

        • C:\Users\Admin\AppData\Roaming\rwxok\YMQGIX

          Filesize

          19KB

          MD5

          6f35bdf3bfd6613a2ca33e5157c9d7ab

          SHA1

          869e796f034d8ff735c6f259e64f8457965b538e

          SHA256

          d87016e0c7372007e52399ca62c1a4ebd6b2e7a3d1bbd0a79de79c5948c739fa

          SHA512

          04adb7ba79f902a47316c1cfeeb74165a9deb9c1d383dc1a426125e238e7eef5c09946ac04cdeee9d43798e32cc17bdf556e0bdbec7da7f59c3e858715e750ba

        • C:\Users\Admin\AppData\Roaming\rwxok\bdlxe.jfd

          Filesize

          5B

          MD5

          a468f6268268627d431996ee7d75929d

          SHA1

          bf8d94b028cf34c0c0644c8ba2ead5059413f1d0

          SHA256

          e315c86e17001ee1c4ad5bf7574dbec7f80ed2d11fde41b1937a036f672023e6

          SHA512

          bff2e826c86717c0a7468062265a0322ed0d0d703400bccef5c1517e199a4b6cd64236ae4d2e0703e59db32eb7833f28d4600b7826470a38615fa600057a8d83

        • C:\Users\Admin\AppData\Roaming\rwxok\dxqer.oxx

          Filesize

          5B

          MD5

          6fadbab20e2a46bf37b1df27fbc4f9c1

          SHA1

          8b07b82e6f8cbb4103541f88922d9f7e20ac3fbc

          SHA256

          ba56a8102cec7508b0cf0342abd0abc1f9bb436fbc1aeaaff89efe8cc66faf08

          SHA512

          ffff13599e7c24b1cf8c7b433aa403d735d3fd153726fe0de7081d41d71c77fa95ce18c31839990b8fe90e2e6f7ef100323c4a41fb2e309860ddf713b571ab33

        • C:\Users\Admin\AppData\Roaming\rwxok\eumdj.tcg

          Filesize

          4B

          MD5

          07e350d725078b68c87da3af5c91facf

          SHA1

          dd48eb24368f5d9113125b908b516ebbc2a6170e

          SHA256

          d44976162b5c47b12f73628ff1ecf7e2a64fd4902027734362bc209cd15e8c7c

          SHA512

          656308b500d2fae3806d763822c4d7e39e5ca41dbd6462d46b209a3522e2b12028f07f55ab8aa107d5cff74a512fde47764a1609af75efd0659c9f8584fc9224

        • C:\Users\Admin\AppData\Roaming\rwxok\fqfth.dhp

          Filesize

          4B

          MD5

          a8331ea8b1187f23a1dd041afe18bc9f

          SHA1

          0cc14c421e8d7ee9acf78fd31d8fe7c1472ad10c

          SHA256

          382ef960c48a310130cab66d3eb52a4dd5eb29e78f910bcd274d4c2d4c87c114

          SHA512

          96fadd0e25a2d951d442bf1a325445c600f604b2e7ef7d6273a8826baff239084889a18e6d05ec05fac669d232f121a81f4bd75152c12268459c2a0df81cd870

        • C:\Users\Admin\AppData\Roaming\rwxok\gefbm.rrg

          Filesize

          4B

          MD5

          a3271cf0e143422346e6170dd14a55f1

          SHA1

          96b06496fb5a8812628218375d56f1fe1da392dd

          SHA256

          6ca00b183b6be536d3526f76a5058b8a35accad373e18ce42bccd806b002bc13

          SHA512

          512408fe950872357ce3bbed3930ac161da7a649d6f60780c940549341231d083a0acc5d3cd4d591a7fb7116373f2d292218deda180043a9a64e2c9dfa143cbd

        • C:\Users\Admin\AppData\Roaming\rwxok\hhrqa.dxi

          Filesize

          5B

          MD5

          7075094de0a585229df1a7ba36a1f250

          SHA1

          5f9230592cae5f08c488c6d63975ab2f9f42dc04

          SHA256

          4c035b5ecbe1697e81d6f64bc080e56d35c15d2436dd99f9acd65c4e0fdded37

          SHA512

          5356b0f73ad21ce59b8e27854cc6e537b5f9a9428d5e058d85e8685e1d2176eac4580fac7c848a46ad6d34f7646cb704aeb3405be701218e026f1bcd6fad228c

        • C:\Users\Admin\AppData\Roaming\rwxok\hmdtx.gum

          Filesize

          5B

          MD5

          21e1fbb8318e89418899f4124f9a2d29

          SHA1

          4049b469f744874537dff6a805418c143e15d02f

          SHA256

          5abedb604b0c712e223a7b7d04a2fd34af04880b4b409546102017c2ae346b2e

          SHA512

          5ad47e5eec0f8a72ebb2dda65254f31d6f23cee048f8fc00543aad40f1ae9ebe750bf534e84804c23d3577e7e9b50713e906364438e52f0fd65f550dff37b9ca

        • C:\Users\Admin\AppData\Roaming\rwxok\ilxis.dlr

          Filesize

          4B

          MD5

          a35cb2a520fd34a5eaf3d38ee52c3d1d

          SHA1

          c0a1fba76b7e9d6f57159db6f3010b94d130729a

          SHA256

          df516e125219ea117dc1523db2eedf690b7149523e309d92b6d9d0fe1d7f19ca

          SHA512

          82bf93617320589fd08112888a6703c015a843202c2428011cfa4fdea9896bd87a20d38ca98ba7c3739cf9c679aa11f5f3eeaff8e917f50b4f3c925a3f1dce1c

        • C:\Users\Admin\AppData\Roaming\rwxok\ioorp.wff

          Filesize

          5B

          MD5

          3a4ee016e9bf2c3ee4e7d501921206d6

          SHA1

          d31c814421f272b4bdd49bd6d3abbc0c0ee70019

          SHA256

          936c81dea03d98d6cbe95b8ba03249fd45d99c64d05d5a00043d964d9c36e8bc

          SHA512

          b4c1719e1d0804a70bbc217750ee33cd3c009a9948f07a35a7bb9c562be4f5e94474a0936c441de325c6ffbbc4f43bbfeca1aed3cb29843d162a64526beda84d

        • C:\Users\Admin\AppData\Roaming\rwxok\jelbo.sqj

          Filesize

          4B

          MD5

          23c84b4ef0634d459290e7c7a781d883

          SHA1

          7f3f400da1885d4e8b2d1fd081fb6c73047241e7

          SHA256

          05ae8bec1d8671fdd86173312f4d9b22173a30cb0af5b704aed4150fda567876

          SHA512

          c7d7cee220fab65c765abe53b1541207709bfeebfd251983a65e53db5604f26a55ba7aced297459adbf85648fb9f79969905a26b87c507d86e8eedb211daa129

        • C:\Users\Admin\AppData\Roaming\rwxok\jffbf.tme

          Filesize

          5B

          MD5

          726981173cc61be3cd1025611dd6d43b

          SHA1

          f64a1eead53448967522a4713ed3d726a5850edf

          SHA256

          0bdad0dcf80956a2cfbefbdac795db7747f6e40756bee0853ed04b293457c0a3

          SHA512

          d9eed5c50b210edcb0c65e32c1c14329437d6588be714f4f5b89758fe69b666d12af91ebf9ddae56c5f8ebbc44a2c1beb320a5a20b782ea13223fa2a603088f0

        • C:\Users\Admin\AppData\Roaming\rwxok\jixji.hja

          Filesize

          5B

          MD5

          c81204be47b41630d20ef1410a96c443

          SHA1

          2bf3e88fd27d59b989ed8cd2656e566796b4c252

          SHA256

          171e3883819320e8bc3891662d93a878f19ef1c6dfffa591f6e161948c37b1a7

          SHA512

          086e3a5e80836789cae526594039b2ac98f6077cbfe73bf6724e05734c3c2a0c8bb6c94b8b0eec3b38d4b627103797dd7ef6cba8e872d7e5f0cf8757de09f3ab

        • C:\Users\Admin\AppData\Roaming\rwxok\jtgkl

          Filesize

          204KB

          MD5

          8b972a5d97dce6214e6f98f7c36ae62f

          SHA1

          fbb11c0cda9607792091719f4d6b07e60a1d8027

          SHA256

          25f182e19880784f63c62f0f2f8357d6986995ec54b4306724980653d6da94d1

          SHA512

          77473d57bed24523471e70e27c59a7ba851c4cacb4e733c4ca4c4ce35127218fa73d0d1d1bf6435620a6f7c94559a802eb2cdf47f78d6f086328f0dd30659ef1

        • C:\Users\Admin\AppData\Roaming\rwxok\kjblv.vhp

          Filesize

          5B

          MD5

          7a8713faacca9a23839d937eb1f12d58

          SHA1

          1a4b677cd8a669dbffdf189b6e2fe3f7bc7d9f8b

          SHA256

          8b98183b079fc4c2d2c791c32ca50086c4962da7b748df0df1e76c684345106f

          SHA512

          44adf98bf3be7f04f2b7efcc9b4c65b883953b627393a0634d821062be46bf999119113db06287c2cc5d58c846cbccc63e764a71466cb31779a3fa650880cb9c

        • C:\Users\Admin\AppData\Roaming\rwxok\lffhk.gpf

          Filesize

          4B

          MD5

          cbd436bbe6db5ee843359440ca80c689

          SHA1

          e373e9db75e8805f98416dcfaca81a6aa0c80adb

          SHA256

          eb0bef30067a4b404ab5b6db97d7f7e6953104caf9c05ea7d2e6fc16d17dd2f4

          SHA512

          6ba66ce4b24c6894b720e9037022570c1ec034edc11c830f1a6bac6741567e5cafd4b87f0827bdc8f01ae193a45b8e5fca3b75c93a2072a5c19359f29bda5057

        • C:\Users\Admin\AppData\Roaming\rwxok\macms.ndh

          Filesize

          4B

          MD5

          83779f76fe14f9adaa4ecdf72caf0b02

          SHA1

          9878fedea4404baea061e588cbd72a1035462ea2

          SHA256

          adb74894ff8f27a999e173c2e53adde8d47a0be11a3653672b800542b03dbcf3

          SHA512

          343b237723eebe6a84cce19a3b8fcd1d67bd40c9b091d6d14c3b4f927c932713db2de5f247f0e796db10487b1af318fafb9f43c8a356d76c8e10df0127e4d045

        • C:\Users\Admin\AppData\Roaming\rwxok\nqust.jbv

          Filesize

          5B

          MD5

          5abb1c90cae8ee967d7e30fc9707000f

          SHA1

          df15abd82b9fb9daaa4517c1e4e8ad5510943b5b

          SHA256

          efd3830fa426c5a31d7fc9eb50363936a8774cba480c0738d0177c1e93f1c3d4

          SHA512

          5bb17fec154a7d0e76ac134676d8e916aaae4b249fb3746df7397d48aa2f6f443f982d40773863a722d2bcf951fb6f9ef979dc5c8e49fbec9d1002d22db74c8d

        • C:\Users\Admin\AppData\Roaming\rwxok\nvqme.cax

          Filesize

          1.4MB

          MD5

          e752d28535b542697712aff0ba741e00

          SHA1

          cdada9d037000d8102929cb4f45239a8d736f70a

          SHA256

          d1ef83dd382057431b0822158b1628fa6918aab33e557170747e3914bd209340

          SHA512

          74ff03fa2404a3014631ada173a76ba218b21fe7c6262cadc87ead2afdcd7aea9a6cbe04194416411840233e365dff2ff4faac7ec061d07bb9b804ca33e15825

        • C:\Users\Admin\AppData\Roaming\rwxok\objjo.ulo

          Filesize

          4B

          MD5

          60b87dbdf025ae348f8286cafe999f2c

          SHA1

          c392468ae233b54f6e7d6d1556107df5896ee8a0

          SHA256

          4e9e3a751185d77bdc2e5df5fd5aafe64003d1e71fecfba0682269dde0e151c6

          SHA512

          dd10858c2bfce929a33bdd93bfa5e72108c190505f4b917ff82950dd99995b53e60e1a3e445121fd5925bb5bb49a943fbde5108a20d14fa22f67a570174b67f4

        • C:\Users\Admin\AppData\Roaming\rwxok\ogott.psf

          Filesize

          5B

          MD5

          26021334e307ea1a517a133d42bb6368

          SHA1

          e6f24c318fd4571b1a075aabd0b2f1536b21a3b7

          SHA256

          0b217195c52409b0bf35c783dabe8800d0e7deb4ada5c5d8c35d6c2cfcdc19f8

          SHA512

          de03ef9ccebd8d740a309763062563e0c9f72ebb2b21345e488f4413cb17b86335d8902f9d17d0c1f511c60d6a97bc600d20c347e8dd6e2e2274389d960fa4ef

        • C:\Users\Admin\AppData\Roaming\rwxok\olsjv.gdq

          Filesize

          4B

          MD5

          b06f9ab88a550a9664ac4e6c15a8802f

          SHA1

          c425f114dd897362e671009e1becbb9bb7c34ac9

          SHA256

          e4a1ec2873df4494a36beaef8a0ee57ab3f4380ccb2b91a976e64844d4ce671a

          SHA512

          c40bb6c1589e90d1262f1dac53bbad8c90fbfbc3c2a3a9a3b8601f13f38c553b44dbe35a8fdd09227dbe362f0d7c140d7bda733269b9e6c2c452c9830da52a44

        • C:\Users\Admin\AppData\Roaming\rwxok\pnptt.how

          Filesize

          5B

          MD5

          3e2a35fdb69dadda458db6014fa8bf2b

          SHA1

          c4ffde6a4874d30a89f4f270fde29409c8922802

          SHA256

          bba7d20b7a562203298491945da0ea8984d6d177bf0c1782a9cb1afe35611afb

          SHA512

          bdb3d1c6071f836351a3a10c35ce64ac6cede5bbb669311b2749a123883739208b69c95564cbdbda0b6405c3ec161134ca150fc6bc0ace93b2c9473ec516bbed

        • C:\Users\Admin\AppData\Roaming\rwxok\pwwek.txw

          Filesize

          4B

          MD5

          00865d413600d26adb36d2f55973559f

          SHA1

          d5ac50815d4487c4de04caac1ceb500b9fd12a5d

          SHA256

          5393f44a4c0c05ae0a25bc80b83ac9d462f074625eea50658e1f20cb5f2c2704

          SHA512

          7222d0e8f1a2c10dd9ddc831922cad6b8da4fc437eb647483668ccaf8fb31d2d396488865dae32414ce322dba5d32e43c360950396577ab07df3ca4fa91299cc

        • C:\Users\Admin\AppData\Roaming\rwxok\qigcj.bap

          Filesize

          5B

          MD5

          e81a0db95cc18a649b6d0b4df190718a

          SHA1

          347b32a9b6251d1a14f8ca2d755a3cba93a5753b

          SHA256

          ea422e0e3f8d95fe2487ddaabf78515491936292af50fefe0391f7fe26a59a3c

          SHA512

          18ca5da100f1d0df06aa59cb76089fd81bc3a82e52fb99be8ffe7258e803be8f2c3107fff43543d22eb06cf62bab29d2247f19e6ec6806d7f572b2d3c4e2a73c

        • C:\Users\Admin\AppData\Roaming\rwxok\rbwtp.fvv

          Filesize

          4B

          MD5

          89605141142db62278e965ba599449e9

          SHA1

          3998a650acc23d9090bd1b7fd8a9b7fbbca40ec2

          SHA256

          f56b462d166ab80d2713d765d8c3b963d9b30597e7e0b17a500ecab658043067

          SHA512

          9dd2e9197e47562b69b12d7c4a1d63143ae0f0e2c0540f6f392f2930d1761613a9ee5995a5cceb1c7c27055ed3b8a20e78176e0e68891ad7cfdc097f481f3022

        • C:\Users\Admin\AppData\Roaming\rwxok\rubjc.kud

          Filesize

          4B

          MD5

          30b4fa92afd8a6924821f2fb3fd70bfe

          SHA1

          c433bc86a36cd0a1771bd411f9626b86e042328f

          SHA256

          91a387a05d08348372c7a45feba7b6b2d7e97b7ef1c632cb4c3491a66639798c

          SHA512

          e5327273c4f99426f505ce3e1577161b3f01ba27ec372ca1053169bf313a3ebb4994c7f0a49adeab9f7d26091f7faa75bf0495ea9977bb0e1845bc5b12063f93

        • C:\Users\Admin\AppData\Roaming\rwxok\sxoqa.tta

          Filesize

          4B

          MD5

          7c84ac85efa969f559677e6a172f76ed

          SHA1

          bbac0ad19e24b5d391e60c99651b8745e0a82ebd

          SHA256

          61cf364416927ca0eb80d26e1d26beb435a7802143252dc5c164a9db27c6f087

          SHA512

          9a044e4e4910ca039905aaa53c0f8f4502faa3373463e0ab6ce3e29b97d2882834366dc14fdf8d8f6b3e1d3bddcf80c9176eca9fa7e78b22ebc6f7d2a9f46a4c

        • C:\Users\Admin\AppData\Roaming\rwxok\tamij.mcp

          Filesize

          5B

          MD5

          90b6ad2959b858be4148d68b8dc6a490

          SHA1

          07e256fbff17c1fe8762f16263322ecfa5791dc6

          SHA256

          28c62c3c8ed6be61fc5408444119969d143b17b6360640b91d77487f0f83df39

          SHA512

          0355cae4c71e40ed41e249faf5eb8f8c1e35f999796b026edf9d72b3afab419c6f116c230d98a6206ad77f624accf54ab1078765e8d271c8427926537d0224ea

        • C:\Users\Admin\AppData\Roaming\rwxok\tbaui.tve

          Filesize

          4B

          MD5

          750d69619fdac5dd1e97961b061ba4bd

          SHA1

          238ee34e89b6b5eb1cf1fbfa6463a16eb09f1c9d

          SHA256

          8f32593a506a5bd86fa4e40dfad538234df090c542ea95d068a9fa1f6c8c12cf

          SHA512

          f7b1d4acae339f453386c2d734b914917cd4592abd5241841a3a5fd4b35580db81da0c7133c31a2cddbb691d72e8b281301f1b656b9c415f5362abd353d15215

        • C:\Users\Admin\AppData\Roaming\rwxok\ttbjt.phf

          Filesize

          4B

          MD5

          4e503909473860cc7a34068d02caeb99

          SHA1

          0a03e77c43223d5721224ac473517ae42806d4ac

          SHA256

          656190a374354d9a2edec1d82030299e08652ea6ba7aeda3494d541e1afe1c8e

          SHA512

          e872aaa337060d461d58f3b5febec07c4b16aafd23fe37666f1edf30252dc8acbcb3c4b8ba439ca5bcd06b1f5f79d35e62b1ee1da54cc32635fec1ec1ee01fd2

        • C:\Users\Admin\AppData\Roaming\rwxok\upvcp.vls

          Filesize

          4B

          MD5

          0c10eb920c3c7be5de3dad0312ac4a2c

          SHA1

          2dc0f353e236de30423f3d7db6864d94c36b353e

          SHA256

          3034dd386c48550c71fbf5c424cfa0933cbc4ef825939c6c1f224ae6c903c052

          SHA512

          53ed5307f510f74cff99a1befc557f8eb85d4ae629bd37eaa5bf1a546db12699db84bcc87d30592e0d6be678fd6dcbd923d4a91715e7f7d044d31342d78e8f41

        • C:\Users\Admin\AppData\Roaming\rwxok\vbunm.etw

          Filesize

          4B

          MD5

          466c9d4e4677ab32b848260c134f29ce

          SHA1

          f2861ddaea047161f1e304a2e9e31567dbb25421

          SHA256

          dfba06a42ad6a6b40940f3bcb8435f08efe5d546ff1e95976774ac2e86453bac

          SHA512

          d197d4e5f493ea6c0d3c627c1638d8191a57a52f82a48bfaf56371e19126d26b2242a203f290320a9b59ddbf3e9955e05ec4702c8e3fb1cf36f0ee436d047dbe

        • C:\Users\Admin\AppData\Roaming\rwxok\vfgjo.lvb

          Filesize

          4B

          MD5

          b1ff5189c52d1aa4fadf7ebf2dcdee0d

          SHA1

          da50bd0967dfb9cc57a2cef2962e915c87a20c79

          SHA256

          3edd70ff685a2224dfe73eb428f5165186ddc04c76e48bd83a92025f7bbb5bed

          SHA512

          7d42185c8e138e2b26fac5f68163b2286ab0f5c19df20270979df4f52eb06c74f591c53bdd81644aebffc1a0bb8f2ec152d82ce8baf7a134d03bd8506a9ed9d8

        • C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd

          Filesize

          732KB

          MD5

          71d8f6d5dc35517275bc38ebcc815f9f

          SHA1

          cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

          SHA256

          fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

          SHA512

          4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

        • C:\Users\Admin\AppData\Roaming\rwxok\wjcok.giu

          Filesize

          96KB

          MD5

          276253d9360c147e55b7dd175d0ea37e

          SHA1

          3c76fb9f4bc1735c5a064c97398fd6d34471c7d2

          SHA256

          0442adf7a873a806e7b31af671fda6d7a5eb7cef028811a4412cda265384bbc6

          SHA512

          a5f0fcfc3dc6d18328c30ab9d1f7f99b147369235f3c17ce9cdfe7f27f21a839367c597738cd04715868a7709ead0bbcb75227f0af598c229b44c2eb0e8ff305

        • C:\Users\Admin\AppData\Roaming\rwxok\wtwtb.kbk

          Filesize

          4B

          MD5

          6ee656e8042e7ac9eef60cdbb52f69b1

          SHA1

          76dcd0eb88d0178c16c4f630d64f15fcfe231bd5

          SHA256

          e149f1034b243178b067d4f539ebc1b1c3eaf70421b91b9b3611522eee8e61f3

          SHA512

          c94c552a6de746c800bd39e6f54e31c413fcf4e7ed52b360af4e23229f5044bf6bd116b5071deca318ff88252eb158fb12ad9a919db5c1fd6f9509e771b5c226

        • memory/4200-175-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

        • memory/4200-176-0x00000000735C0000-0x0000000073B71000-memory.dmp

          Filesize

          5.7MB

        • memory/4200-177-0x00000000735C0000-0x0000000073B71000-memory.dmp

          Filesize

          5.7MB
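The listing above is dominated by 4- and 5-byte files with random five-letter names and three-letter extensions, alongside a few large items: the 732KB wcwrc.cmd that the process tree shows running as a PE, the 1.4MB nvqme.cax passed to it as an argument, and the extensionless WJRYK and jtgkl blobs. The script below is an added example for this report, not sandbox code, for deciding which of those files to pull for analysis: it labels a directory's contents by PE header, Shannon entropy and naming pattern, and returns a verdict when the three tell-tale groups appear together. Names and sizes follow the listing, but the file contents are constructed here (the report only gives hashes) so the example runs offline; RANDOM_NAME, the thresholds and the helper names are this example's own assumptions.

```python
"""Triage the staging directory listed above: of the forty-odd dropped files,
which deserve analyst time?

Added example for this report, not sandbox code.  Names and sizes follow the
listing above, but the file CONTENTS are constructed here (the report gives
only hashes) so the example runs offline; RANDOM_NAME, the thresholds and the
helper names are this example's own assumptions.
"""
import hashlib
import math
import ntpath
import re
from collections import Counter

DIR = r"C:\Users\Admin\AppData\Roaming\rwxok"
# five lowercase letters with an optional three-letter extension, or a short
# upper-case token: the naming scheme every file in the listing follows
RANDOM_NAME = re.compile(r"^(?:[a-z]{5}(?:\.[a-z]{3})?|[A-Z]{5,6})$")


def pseudo_random(n, seed):
    """Deterministic high-entropy filler standing in for an encrypted blob."""
    out, block = bytearray(), seed.encode()
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def entropy(data):
    """Shannon entropy in bits per byte (8.0 = uniformly random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# constructed stand-ins, sizes taken from the listing
FILES = {
    ntpath.join(DIR, "wcwrc.cmd"): b"MZ\x90\x00" + bytes(732 * 1024 - 4),
    ntpath.join(DIR, "nvqme.cax"): pseudo_random(1_400_000, "nvqme"),
    ntpath.join(DIR, "WJRYK"): pseudo_random(96 * 1024, "wjryk"),
    ntpath.join(DIR, "jtgkl"): pseudo_random(204 * 1024, "jtgkl"),
    ntpath.join(DIR, "bdlxe.jfd"): b"12345",
    ntpath.join(DIR, "dxqer.oxx"): b"54321",
    ntpath.join(DIR, "eumdj.tcg"): b"abcd",
    ntpath.join(DIR, "fqfth.dhp"): b"dcba",
    ntpath.join(DIR, "gefbm.rrg"): b"0000",
    ntpath.join(DIR, "hhrqa.dxi"): b"11111",
    ntpath.join(DIR, "readme.txt"): b"not in the listing; benign control",
}


def triage(files):
    """Label each file: disguised_pe, encrypted_blob, junk_marker or other."""
    labels = {}
    for path, data in files.items():
        name = ntpath.basename(path)
        ext = ntpath.splitext(name)[1].lower()
        if data[:2] == b"MZ" and ext not in (".exe", ".dll", ".scr"):
            labels[name] = "disguised_pe"        # PE hiding behind a script extension
        elif len(data) >= 4096 and entropy(data) > 7.5:
            labels[name] = "encrypted_blob"      # packed/encrypted stage, pull for decryption
        elif len(data) <= 8 and RANDOM_NAME.match(name):
            labels[name] = "junk_marker"         # loader noise: hash once, then ignore
        else:
            labels[name] = "other"
    return labels


def directory_verdict(files):
    """True when the directory shows the full pattern: a disguised PE, at least
    one high-entropy blob and a cluster of tiny random-named files together."""
    counts = Counter(triage(files).values())
    hit = counts["disguised_pe"] >= 1 and counts["encrypted_blob"] >= 1 and counts["junk_marker"] >= 5
    return hit, dict(counts)


if __name__ == "__main__":
    for name, label in triage(FILES).items():
        print(f"{label:<15} {name}")
    print(directory_verdict(FILES))
```

On a real collection, replace FILES with the bytes read from the directory; the entropy threshold of 7.5 separates encrypted or compressed stages from plain PE and text, and the 4096-byte floor keeps the tiny marker files from being mislabelled on the strength of a handful of bytes.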