Analysis
- max time kernel: 135s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-05-2023 19:23
Static task
static1
Behavioral task
behavioral1
Sample
C01DABDB1E0572151396954FD7BCD7334CEE5B1D64DE2.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
C01DABDB1E0572151396954FD7BCD7334CEE5B1D64DE2.exe
Resource
win10v2004-20230220-en
General
- Target: C01DABDB1E0572151396954FD7BCD7334CEE5B1D64DE2.exe
- Size: 1.3MB
- MD5: a547e64045d30568aa7e3afd81b81594
- SHA1: 9806c99c6f77be88be0629a3c851e6002a5a0d05
- SHA256: c01dabdb1e0572151396954fd7bcd7334cee5b1d64de29b7de21c14eafbd6416
- SHA512: 6d7bf8a3d7126312bd886319530f1576dfa1a98cdc3f71282b313b8854f5ea27a677d3b6c8cfdd4a7ee5260c21783c9f48cf2522002ad06b2de714e7eee89a02
- SSDEEP: 24576:rKPJPQ9i31L+VU7mqcZDvO78A649Po0Gb2rIbJpmZ/+fudAZRVG51iKZEUbr//eJ:rKxn3F7s9v46MhLIbJUZ/+fuyZR4/JPc
Malware Config
Extracted
pony
http://maxesupport.com/bless/gate.php
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: wscript.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation | wscript.exe
-
Drops startup file 1 IoCs
Processes: fEKI.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gWPBNZaBahSe.lnk | fEKI.exe
-
Executes dropped EXE 2 IoCs
Processes: GVALQC~1.EXE, fEKI.exe
pid | process
3872 | GVALQC~1.EXE
4464 | fEKI.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 4 IoCs
Processes: RegSvcs.exe, RegSvcs.exe, RegSvcs.exe, wscript.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | wscript.exe
-
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
Processes: RegSvcs.exe, RegSvcs.exe, wscript.exe, RegSvcs.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | wscript.exe
Key opened | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | RegSvcs.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: C01DABDB1E0572151396954FD7BCD7334CEE5B1D64DE2.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C01DABDB1E0572151396954FD7BCD7334CEE5B1D64DE2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C01DABDB1E0572151396954FD7BCD7334CEE5B1D64DE2.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GVALQC~1.EXE | autoit_exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GVALQC~1.EXE | autoit_exe
-
Suspicious use of SetThreadContext 4 IoCs
Processes: fEKI.exe
description | pid | process | target process
PID 4464 set thread context of 2124 | 4464 | fEKI.exe | RegSvcs.exe
PID 4464 set thread context of 864 | 4464 | fEKI.exe | RegSvcs.exe
PID 4464 set thread context of 3776 | 4464 | fEKI.exe | RegSvcs.exe
PID 4464 set thread context of 4576 | 4464 | fEKI.exe | wscript.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: GVALQC~1.EXE, fEKI.exe
pid | process | identical rows
3872 | GVALQC~1.EXE | 8
4464 | fEKI.exe | 56
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: RegSvcs.exe, RegSvcs.exe
description | pid | process | identical rows
Token: SeImpersonatePrivilege | 2124 | RegSvcs.exe | 6
Token: SeTcbPrivilege | 2124 | RegSvcs.exe | 6
Token: SeChangeNotifyPrivilege | 2124 | RegSvcs.exe | 6
Token: SeCreateTokenPrivilege | 2124 | RegSvcs.exe | 6
Token: SeBackupPrivilege | 2124 | RegSvcs.exe | 6
Token: SeRestorePrivilege | 2124 | RegSvcs.exe | 6
Token: SeIncreaseQuotaPrivilege | 2124 | RegSvcs.exe | 6
Token: SeAssignPrimaryTokenPrivilege | 2124 | RegSvcs.exe | 6
Token: SeImpersonatePrivilege | 864 | RegSvcs.exe | 2
Token: SeTcbPrivilege | 864 | RegSvcs.exe | 2
Token: SeChangeNotifyPrivilege | 864 | RegSvcs.exe | 2
Token: SeCreateTokenPrivilege | 864 | RegSvcs.exe | 2
Token: SeBackupPrivilege | 864 | RegSvcs.exe | 2
Token: SeRestorePrivilege | 864 | RegSvcs.exe | 2
Token: SeIncreaseQuotaPrivilege | 864 | RegSvcs.exe | 2
Token: SeAssignPrimaryTokenPrivilege | 864 | RegSvcs.exe | 2
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes: C01DABDB1E0572151396954FD7BCD7334CEE5B1D64DE2.exe, GVALQC~1.EXE, fEKI.exe, RegSvcs.exe, RegSvcs.exe, RegSvcs.exe, wscript.exe
description | pid | process | target process | identical rows
PID 224 wrote to memory of 3872 | 224 | C01DABDB1E0572151396954FD7BCD7334CEE5B1D64DE2.exe | GVALQC~1.EXE | 3
PID 3872 wrote to memory of 4464 | 3872 | GVALQC~1.EXE | fEKI.exe | 3
PID 4464 wrote to memory of 2124 | 4464 | fEKI.exe | RegSvcs.exe | 5
PID 2124 wrote to memory of 2276 | 2124 | RegSvcs.exe | cmd.exe | 3
PID 4464 wrote to memory of 864 | 4464 | fEKI.exe | RegSvcs.exe | 5
PID 864 wrote to memory of 2328 | 864 | RegSvcs.exe | cmd.exe | 3
PID 4464 wrote to memory of 3776 | 4464 | fEKI.exe | RegSvcs.exe | 5
PID 3776 wrote to memory of 5088 | 3776 | RegSvcs.exe | cmd.exe | 3
PID 4464 wrote to memory of 4576 | 4464 | fEKI.exe | wscript.exe | 5
PID 4576 wrote to memory of 4592 | 4576 | wscript.exe | cmd.exe | 3
-
outlook_win_path 1 IoCs
Processes: wscript.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | wscript.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\C01DABDB1E0572151396954FD7BCD7334CEE5B1D64DE2.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\C01DABDB1E0572151396954FD7BCD7334CEE5B1D64DE2.exe" (depth 1)
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GVALQC~1.EXE
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GVALQC~1.EXE (depth 2)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  -
    C:\Users\Admin\AppData\Roaming\fEKI.exe
    Command line: "C:\Users\Admin\AppData\Roaming\fEKI.exe" "C:\Users\Admin\AppData\Roaming\ZSbPN" (depth 3)
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    -
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" (depth 4)
      - Accesses Microsoft Outlook accounts
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      -
        C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240553140.bat" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" " (depth 5)
    -
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" (depth 4)
      - Accesses Microsoft Outlook accounts
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      -
        C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240554640.bat" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" " (depth 5)
    -
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" (depth 4)
      - Accesses Microsoft Outlook accounts
      - Accesses Microsoft Outlook profiles
      - Suspicious use of WriteProcessMemory
      -
        C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240555953.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" " (depth 5)
    -
      C:\Windows\SysWOW64\wscript.exe
      Command line: "C:\Windows\SysWOW64\wscript.exe" (depth 4)
      - Checks computer location settings
      - Accesses Microsoft Outlook accounts
      - Accesses Microsoft Outlook profiles
      - Suspicious use of WriteProcessMemory
      - outlook_win_path
      -
        C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240557312.bat" "C:\Windows\SysWOW64\wscript.exe" " (depth 5)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\240553140.bat
Filesize: 94B
MD5: 3880eeb1c736d853eb13b44898b718ab
SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
-
C:\Users\Admin\AppData\Local\Temp\240554640.bat
Filesize: 94B
MD5: 3880eeb1c736d853eb13b44898b718ab
SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
-
C:\Users\Admin\AppData\Local\Temp\240555953.bat
Filesize: 94B
MD5: 3880eeb1c736d853eb13b44898b718ab
SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
-
C:\Users\Admin\AppData\Local\Temp\240557312.bat
Filesize: 94B
MD5: 3880eeb1c736d853eb13b44898b718ab
SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GVALQC~1.EXE
Filesize: 1.5MB
MD5: 358d759171a9f0da115c2a81cc9a2833
SHA1: a88fa8db32eaa5c3eca34b6c4fb480ecba13689d
SHA256: 9a6faf9a3ef2e705abd3f284ff6deda392a7ad1e66f2214a7ee07e19eead0af2
SHA512: 0eb48799fd59d83cbfe0d0f5ab6302efd953fd146ee09cd890b66f90458f756f703c8792a97fc773fd2c75700e1ffd9bff4b9495a5fd48beb65fd09422d95f84
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZSbPN
Filesize: 186KB
MD5: 514d4e6cc207fb321467fd3ddb6ae93a
SHA1: fcf9f8d1d69ccdb06108e454e76884297fde6fc2
SHA256: 7300b6db420ba1c9b2bb22bfd0fff91910d7ec8f66720a6a21a2dff96a9f32e7
SHA512: 57fc890726f1bdd536552a08ae29f43632ae68dff60caa5a11f989fa02c170006196e282dc006a6c255f944a082284c6efbee2d0df6ca37645543a2d6dc6e3b5
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fEKI.exe
Filesize: 915KB
MD5: b06e67f9767e5023892d9698703ad098
SHA1: acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256: 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA512: 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943
-
C:\Users\Admin\AppData\Roaming\ZSbPN
Filesize: 140KB
MD5: 55e1225df75cf2c505656a70d994023d
SHA1: 21cdae71eda791d607532262d97841eef097e71c
SHA256: 8031fd75799c001d511bb0a80148ec85d3d30c83c2f29fce2703f5330237eb48
SHA512: 6ccc47f8dbb2e92f4a3246032f0c6beb1fa54153eb061598ca1a274f51d86e87a32ae224480f6fc51893a82ea52f344ad6d13ad6c99ee5c2774eb5f1648a8eff
-
C:\Users\Admin\AppData\Roaming\fEKI.exe
Filesize: 915KB
MD5: b06e67f9767e5023892d9698703ad098
SHA1: acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256: 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA512: 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943
-
memory/864-171-0x0000000000400000-0x0000000000419000-memory.dmp
Filesize: 100KB
-
memory/864-168-0x0000000000400000-0x0000000000419000-memory.dmp
Filesize: 100KB
-
memory/864-166-0x0000000000400000-0x0000000000419000-memory.dmp
Filesize: 100KB
-
memory/3776-180-0x0000000000400000-0x0000000000419000-memory.dmp
Filesize: 100KB
-
memory/4576-188-0x0000000000400000-0x0000000000419000-memory.dmp
Filesize: 100KB