gozi | 22ab9e84557956259e6ff19ba005f3e4009cda1c52e1d7d7ec994103486dcacd

Analysis

max time kernel
141s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2023 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe
Size

43KB
MD5

6cfc839efb84296adb7230d036656d63
SHA1

0a6520a252c0d0e5530db01e61337a85a35f5d1c
SHA256

22ab9e84557956259e6ff19ba005f3e4009cda1c52e1d7d7ec994103486dcacd
SHA512

e32d608773ecb723577daea10cae59043b8f44785116842311a603d5e10132ed2a05f7ac8a57bce595c108e031dcf91dd2adff31c95ebbc9d8bded7a2de5a675
SSDEEP

768:AqH6jABB3QIMQr4G9DvcWjnC5x5D001EMlpXEtafscjT7u31GUOEfbG:ARATBMDSvnC57D0CFEtafFu3DS

Score

10^/10

gozi 1000 banker evasion isfb trojan upx

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

repeseparation.ru

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

winhlp64.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF winhlp64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	winhlp64.exe

Nirsoft 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4000-275-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

winhlp64.exenircmd.exenircmd.exe

pid process

888 winhlp64.exe
4000 nircmd.exe
4380 nircmd.exe
Loads dropped DLL 6 IoCs

Processes:

winhlp64.exe

pid process

888 winhlp64.exe
888 winhlp64.exe
888 winhlp64.exe
888 winhlp64.exe
888 winhlp64.exe
888 winhlp64.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\nircmd.exe	upx
C:\Windows\nircmd.exe	upx
behavioral2/memory/4000-274-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4000-275-0x0000000000400000-0x000000000041C000-memory.dmp	upx
C:\Windows\nircmd.exe	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

52 myexternalip.com
53 myexternalip.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

winhlp64.exe

pid process

888 winhlp64.exe
888 winhlp64.exe

flow	ioc
52	myexternalip.com
53	myexternalip.com

Drops file in Program Files directory 3 IoCs

Processes:

winhlp64.exe

description	ioc	process
File created	C:\Program Files (x86)\MTA San Andreas 1.5\MTA\bass_aa6c-1-6.dll	winhlp64.exe
File created	C:\Program Files (x86)\MTA San Andreas 1.5\MTA\basso3pus1-6.dll	winhlp64.exe
File created	C:\Program Files (x86)\MTA San Andreas 1.5\MTA\game_s5amta.dll	winhlp64.exe

Drops file in Windows directory 18 IoCs

Processes:

5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exewinhlp64.exe

description	ioc	process
File created	C:\Windows\libsodium.dll	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe
File created	C:\Windows\vulklan-1.exe	winhlp64.exe
File created	C:\Windows\ldplayers.exe	winhlp64.exe
File created	C:\Windows\Tasks\SA.txt	winhlp64.exe
File created	C:\Windows\AsmResolve2r.PE.dll	winhlp64.exe
File created	C:\Windows\dpp.dll	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe
File created	C:\Windows\libssl-1_1.dll	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe
File created	C:\Windows\opus.dll	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe
File created	C:\Windows\lddll.exe	winhlp64.exe
File created	C:\Windows\AsmResolve1-6r.dll	winhlp64.exe
File created	C:\Windows\zlib1.dll	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe
File created	C:\Windows\basswebmss.dll	winhlp64.exe
File created	C:\Windows\nircmd.exe	winhlp64.exe
File created	C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.txt	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe
File created	C:\Windows\libcrypto-1_1.dll	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe
File created	C:\Windows\winhlp64.exe	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe
File created	C:\Windows\cguuiM.exe	winhlp64.exe
File created	C:\Windows\Sha3rprompt.dll	winhlp64.exe

Program crash 51 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4612	888	WerFault.exe	winhlp64.exe
3772	888	WerFault.exe	winhlp64.exe
64	888	WerFault.exe	winhlp64.exe
4524	888	WerFault.exe	winhlp64.exe
4772	888	WerFault.exe	winhlp64.exe
1348	888	WerFault.exe	winhlp64.exe
1848	888	WerFault.exe	winhlp64.exe
1620	888	WerFault.exe	winhlp64.exe
4152	888	WerFault.exe	winhlp64.exe
4036	888	WerFault.exe	winhlp64.exe
5080	888	WerFault.exe	winhlp64.exe
4500	888	WerFault.exe	winhlp64.exe
368	888	WerFault.exe	winhlp64.exe
2008	888	WerFault.exe	winhlp64.exe
1516	888	WerFault.exe	winhlp64.exe
2232	888	WerFault.exe	winhlp64.exe
4792	888	WerFault.exe	winhlp64.exe
2000	888	WerFault.exe	winhlp64.exe
3660	888	WerFault.exe	winhlp64.exe
3764	888	WerFault.exe	winhlp64.exe
3908	888	WerFault.exe	winhlp64.exe
4252	888	WerFault.exe	winhlp64.exe
4728	888	WerFault.exe	winhlp64.exe
3400	888	WerFault.exe	winhlp64.exe
1008	888	WerFault.exe	winhlp64.exe
4056	888	WerFault.exe	winhlp64.exe
4452	888	WerFault.exe	winhlp64.exe
2324	888	WerFault.exe	winhlp64.exe
4760	888	WerFault.exe	winhlp64.exe
4356	888	WerFault.exe	winhlp64.exe
4752	888	WerFault.exe	winhlp64.exe
3016	888	WerFault.exe	winhlp64.exe
636	888	WerFault.exe	winhlp64.exe
2896	888	WerFault.exe	winhlp64.exe
4772	888	WerFault.exe	winhlp64.exe
1348	888	WerFault.exe	winhlp64.exe
1816	888	WerFault.exe	winhlp64.exe
1620	888	WerFault.exe	winhlp64.exe
2268	888	WerFault.exe	winhlp64.exe
1040	888	WerFault.exe	winhlp64.exe
3624	888	WerFault.exe	winhlp64.exe
1128	888	WerFault.exe	winhlp64.exe
1464	888	WerFault.exe	winhlp64.exe
3660	888	WerFault.exe	winhlp64.exe
3744	888	WerFault.exe	winhlp64.exe
1876	888	WerFault.exe	winhlp64.exe
4748	888	WerFault.exe	winhlp64.exe
4736	888	WerFault.exe	winhlp64.exe
3464	888	WerFault.exe	winhlp64.exe
3424	888	WerFault.exe	winhlp64.exe
4560	888	WerFault.exe	winhlp64.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

winhlp64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winhlp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winhlp64.exe

Enumerates system info in registry 2 TTPs 10 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

winhlp64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	winhlp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	winhlp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	winhlp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOSReleaseDate	winhlp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate	winhlp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor	winhlp64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	winhlp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	winhlp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	winhlp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	winhlp64.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2536 PING.EXE

pid	process
2536	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

winhlp64.exe

pid	process
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe
888	winhlp64.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.execmd.exewinhlp64.exe

description	pid	process	target process
PID 4596 wrote to memory of 1768	4596	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4596 wrote to memory of 1768	4596	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4596 wrote to memory of 1768	4596	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4596 wrote to memory of 2024	4596	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4596 wrote to memory of 2024	4596	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4596 wrote to memory of 2024	4596	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4596 wrote to memory of 1784	4596	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4596 wrote to memory of 1784	4596	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4596 wrote to memory of 1784	4596	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4596 wrote to memory of 1904	4596	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4596 wrote to memory of 1904	4596	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4596 wrote to memory of 1904	4596	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4596 wrote to memory of 4624	4596	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4596 wrote to memory of 4624	4596	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4596 wrote to memory of 4624	4596	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4596 wrote to memory of 4704	4596	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4596 wrote to memory of 4704	4596	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4596 wrote to memory of 4704	4596	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4596 wrote to memory of 848	4596	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4596 wrote to memory of 848	4596	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4596 wrote to memory of 848	4596	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4596 wrote to memory of 4496	4596	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4596 wrote to memory of 4496	4596	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4596 wrote to memory of 4496	4596	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4596 wrote to memory of 4780	4596	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4596 wrote to memory of 4780	4596	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4596 wrote to memory of 4780	4596	5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe	cmd.exe
PID 4780 wrote to memory of 2536	4780	cmd.exe	PING.EXE
PID 4780 wrote to memory of 2536	4780	cmd.exe	PING.EXE
PID 4780 wrote to memory of 2536	4780	cmd.exe	PING.EXE
PID 4780 wrote to memory of 888	4780	cmd.exe	winhlp64.exe
PID 4780 wrote to memory of 888	4780	cmd.exe	winhlp64.exe
PID 4780 wrote to memory of 888	4780	cmd.exe	winhlp64.exe
PID 888 wrote to memory of 3980	888	winhlp64.exe	cmd.exe
PID 888 wrote to memory of 3980	888	winhlp64.exe	cmd.exe
PID 888 wrote to memory of 3980	888	winhlp64.exe	cmd.exe
PID 888 wrote to memory of 520	888	winhlp64.exe	cmd.exe
PID 888 wrote to memory of 520	888	winhlp64.exe	cmd.exe
PID 888 wrote to memory of 520	888	winhlp64.exe	cmd.exe
PID 888 wrote to memory of 1456	888	winhlp64.exe	cmd.exe
PID 888 wrote to memory of 1456	888	winhlp64.exe	cmd.exe
PID 888 wrote to memory of 1456	888	winhlp64.exe	cmd.exe
PID 888 wrote to memory of 2472	888	winhlp64.exe	cmd.exe
PID 888 wrote to memory of 2472	888	winhlp64.exe	cmd.exe
PID 888 wrote to memory of 2472	888	winhlp64.exe	cmd.exe
PID 888 wrote to memory of 3232	888	winhlp64.exe	cmd.exe
PID 888 wrote to memory of 3232	888	winhlp64.exe	cmd.exe
PID 888 wrote to memory of 3232	888	winhlp64.exe	cmd.exe
PID 888 wrote to memory of 876	888	winhlp64.exe	cmd.exe
PID 888 wrote to memory of 876	888	winhlp64.exe	cmd.exe
PID 888 wrote to memory of 876	888	winhlp64.exe	cmd.exe
PID 888 wrote to memory of 4736	888	winhlp64.exe	cmd.exe
PID 888 wrote to memory of 4736	888	winhlp64.exe	cmd.exe
PID 888 wrote to memory of 4736	888	winhlp64.exe	cmd.exe
PID 888 wrote to memory of 4176	888	winhlp64.exe	cmd.exe
PID 888 wrote to memory of 4176	888	winhlp64.exe	cmd.exe
PID 888 wrote to memory of 4176	888	winhlp64.exe	cmd.exe
PID 888 wrote to memory of 3952	888	winhlp64.exe	cmd.exe
PID 888 wrote to memory of 3952	888	winhlp64.exe	cmd.exe
PID 888 wrote to memory of 3952	888	winhlp64.exe	cmd.exe
PID 888 wrote to memory of 2364	888	winhlp64.exe	cmd.exe
PID 888 wrote to memory of 2364	888	winhlp64.exe	cmd.exe
PID 888 wrote to memory of 2364	888	winhlp64.exe	cmd.exe
PID 888 wrote to memory of 2420	888	winhlp64.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe
"C:\Users\Admin\AppData\Local\Temp\5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c title
2⤵
PID:1768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Windows\dpp.dll dpp.dll
2⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Windows\libssl-1_1.dll libssl-1_1.dll
2⤵
PID:1784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Windows\opus.dll opus.dll
2⤵
PID:1904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Windows\zlib1.dll zlib1.dll
2⤵
PID:4624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Windows\libcrypto-1_1.dll libcrypto-1_1.dll
2⤵
PID:4704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Windows\libsodium.dll libsodium.dll
2⤵
PID:848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Windows\winhlp64.exe winhlp64.exe
2⤵
PID:4496

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 1.1.1.1 -n 1 -w 300 > nul && start C:\Windows\winhlp64.exe qbw3f2j1lE0j2K7265K2p6l621927x6u5Urd1xlt61z295h2dglKWyrEt32r7o24 ch1726636xGdnU2rAdcg8e612S12C1x66gd3Kl56d1nkG7212UOIx71S5dc2k111 5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4780

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 300
3⤵
- Runs ping.exe
PID:2536

C:\Windows\winhlp64.exe
C:\Windows\winhlp64.exe qbw3f2j1lE0j2K7265K2p6l621927x6u5Urd1xlt61z295h2dglKWyrEt32r7o24 ch1726636xGdnU2rAdcg8e612S12C1x66gd3Kl56d1nkG7212UOIx71S5dc2k111 5b900e942a43ba237c55c40e-ea41-1fcb8ebcd4a3b18d405f455d8032a22b.exe
3⤵
- Enumerates VirtualBox registry keys
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 552
4⤵
- Program crash
PID:4612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c title
4⤵
PID:3980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 556
4⤵
- Program crash
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 900
4⤵
- Program crash
PID:64

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 908
4⤵
- Program crash
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 600
4⤵
- Program crash
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 944
4⤵
- Program crash
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 964
4⤵
- Program crash
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1140
4⤵
- Program crash
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1140
4⤵
- Program crash
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1304
4⤵
- Program crash
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1536
4⤵
- Program crash
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1540
4⤵
- Program crash
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1632
4⤵
- Program crash
PID:368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1660
4⤵
- Program crash
PID:2008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Program Files (x86)\MTA San Andreas 1.5\MTA\bass_aa6c-1-6.dll bass_aa6c-1-6.dll > nul
4⤵
PID:1456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Program Files (x86)\MTA San Andreas 1.5\MTA\basso3pus1-6.dll basso3pus1-6.dll > nul
4⤵
PID:2472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:3232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Windows\cguuiM.exe cguuiM.exe > nul
4⤵
PID:876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Windows\vulklan-1.exe vulklan-1.exe > nul
4⤵
PID:4736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Windows\basswebmss.dll basswebmss.dll > nul
4⤵
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Users\%username%\Documents\AS098s01.exe AS098s01.exe > nul
4⤵
PID:3952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:2364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c title
4⤵
PID:2420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Windows\ldplayers.exe ldplayers.exe > nul
4⤵
PID:3424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Windows\lddll.exe lddll.exe > nul
4⤵
PID:932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Windows\AsmResolve1-6r.dll AsmResolve1-6r.dll > nul
4⤵
PID:2012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Windows\AsmResolve2r.PE.dll AsmResolve2r.PE.dll > nul
4⤵
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Windows\Sha3rprompt.dll Sha3rprompt.dll > nul
4⤵
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1864
4⤵
- Program crash
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1848
4⤵
- Program crash
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1868
4⤵
- Program crash
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1960
4⤵
- Program crash
PID:2000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rename C:\Windows\nircmd.exe nircmd.exe > nul
4⤵
PID:1196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c cd C:\Windows && nircmd savescreenshot C:\Users\Admin\AppData\Local\Discord\packages\SquirrelTemp\Discord-1.0.9007.png && exit
4⤵
PID:3416

C:\Windows\SysWOW64\cmd.exe
cmd /c cd C:\Windows
5⤵
PID:4196

C:\Windows\nircmd.exe
nircmd savescreenshot C:\Users\Admin\AppData\Local\Discord\packages\SquirrelTemp\Discord-1.0.9007.png
5⤵
- Executes dropped EXE
PID:4000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c cd C:\Windows && nircmd savescreenshotfull C:\Users\Admin\AppData\Local\Discord\packages\SquirrelTemp\Discord-1.0.9007-full.png && exit
4⤵
PID:2260

C:\Windows\SysWOW64\cmd.exe
cmd /c cd C:\Windows
5⤵
PID:4468

C:\Windows\nircmd.exe
nircmd savescreenshotfull C:\Users\Admin\AppData\Local\Discord\packages\SquirrelTemp\Discord-1.0.9007-full.png
5⤵
- Executes dropped EXE
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del /Q /F "%userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*" > nul
4⤵
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1860
4⤵
- Program crash
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1912
4⤵
- Program crash
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1944
4⤵
- Program crash
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 656
4⤵
- Program crash
PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1908
4⤵
- Program crash
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1912
4⤵
- Program crash
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 932
4⤵
- Program crash
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1944
4⤵
- Program crash
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1948
4⤵
- Program crash
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 592
4⤵
- Program crash
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 656
4⤵
- Program crash
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 764
4⤵
- Program crash
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1640
4⤵
- Program crash
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1976
4⤵
- Program crash
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1860
4⤵
- Program crash
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1916
4⤵
- Program crash
PID:2896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1908
4⤵
- Program crash
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1920
4⤵
- Program crash
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1984
4⤵
- Program crash
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1916
4⤵
- Program crash
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1848
4⤵
- Program crash
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1996
4⤵
- Program crash
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1980
4⤵
- Program crash
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1916
4⤵
- Program crash
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1780
4⤵
- Program crash
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1664
4⤵
- Program crash
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1860
4⤵
- Program crash
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1876
4⤵
- Program crash
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1664
4⤵
- Program crash
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1992
4⤵
- Program crash
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1900
4⤵
- Program crash
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1664
4⤵
- Program crash
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 176
4⤵
- Program crash
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 888 -ip 888
1⤵
PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 888 -ip 888
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 888 -ip 888
1⤵
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 888 -ip 888
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 888 -ip 888
1⤵
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 888 -ip 888
1⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 888 -ip 888
1⤵
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 888 -ip 888
1⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 888 -ip 888
1⤵
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 888 -ip 888
1⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 888 -ip 888
1⤵
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 888 -ip 888
1⤵
PID:1340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 888 -ip 888
1⤵
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 888 -ip 888
1⤵
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 888 -ip 888
1⤵
PID:2896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 888 -ip 888
1⤵
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 888 -ip 888
1⤵
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 888 -ip 888
1⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 888 -ip 888
1⤵
PID:648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 888 -ip 888
1⤵
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 888 -ip 888
1⤵
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 888 -ip 888
1⤵
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 888 -ip 888
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 888 -ip 888
1⤵
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 888 -ip 888
1⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 888 -ip 888
1⤵
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 888 -ip 888
1⤵
PID:688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 888 -ip 888
1⤵
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 888 -ip 888
1⤵
PID:932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 888 -ip 888
1⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 888 -ip 888
1⤵
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 888 -ip 888
1⤵
PID:380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 888 -ip 888
1⤵
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 888 -ip 888
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 888 -ip 888
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 888 -ip 888
1⤵
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 888 -ip 888
1⤵
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 888 -ip 888
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 888 -ip 888
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 888 -ip 888
1⤵
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 888 -ip 888
1⤵
PID:784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 888 -ip 888
1⤵
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 888 -ip 888
1⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 888 -ip 888
1⤵
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 888 -ip 888
1⤵
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 888 -ip 888
1⤵
PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 888 -ip 888
1⤵
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 888 -ip 888
1⤵
PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 888 -ip 888
1⤵
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 888 -ip 888
1⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 888 -ip 888
1⤵
PID:4112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\39K1WZBJ\appack[1].exe
Filesize
82KB

MD5
390a7337b163b819cb99eabe0e8825a4

SHA1
f34cc80fff864ffaa367be573420d8f5a8e2d341

SHA256
6b29a1de3d3d2cacd1200c3c1bd6fe5a7afdb4724aaba76b77965ae2a82836de

SHA512
d4502bb4ce045e350f814fc16445f4cf03adda5640a9dcfd1c1ea647fed724cf1540ac96d6e6b91de09e9bee78e5f86ea942a8852a9b8840511dd1808b900f4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U4IULL1L\DETTAMROFNIW[1].exe
Filesize
30KB

MD5
e4af667e09e7ad32c3957c34fc154220

SHA1
a67bb737528dc79165670006e0fa9e561814a3f0

SHA256
0b5c12b954df405b4ec966e53a0a4f345d911e9a78bffbf3ed6607feeee104fb

SHA512
dc5cd94c894c6ead6cca5cfbd3f5635783d99d147494c0fb47934d34e1a4f8ef4782c0f5e975b25e4a3efc6e7b9dbd5c71b589dadf7be2fa167671da468619cd

Download Submit
C:\Windows\AsmResolve1-6r.dll
Filesize
1015KB

MD5
c4dfbbd29f479ff9d9fc482022fbc43a

SHA1
b41a7f08625508a15c1ac085fe9fa136a04f0ed3

SHA256
afbdedbe1ab06a4161fcf7b97de98862b7f7f553812eabb4c4566487511b6634

SHA512
13217a44961ffaf4d1ca1f956a579b2806c474a4552b8ae4f27b78ac48bf87804641647cc11506a2e9b5edc7f362de732070931fa44d1f6b997925c3a6860d0e

Download Submit
C:\Windows\AsmResolve1-6r.dll
Filesize
1015KB

MD5
c4dfbbd29f479ff9d9fc482022fbc43a

SHA1
b41a7f08625508a15c1ac085fe9fa136a04f0ed3

SHA256
afbdedbe1ab06a4161fcf7b97de98862b7f7f553812eabb4c4566487511b6634

SHA512
13217a44961ffaf4d1ca1f956a579b2806c474a4552b8ae4f27b78ac48bf87804641647cc11506a2e9b5edc7f362de732070931fa44d1f6b997925c3a6860d0e

Download Submit
C:\Windows\AsmResolve2r.PE.dll
Filesize
1015KB

MD5
c4dfbbd29f479ff9d9fc482022fbc43a

SHA1
b41a7f08625508a15c1ac085fe9fa136a04f0ed3

SHA256
afbdedbe1ab06a4161fcf7b97de98862b7f7f553812eabb4c4566487511b6634

SHA512
13217a44961ffaf4d1ca1f956a579b2806c474a4552b8ae4f27b78ac48bf87804641647cc11506a2e9b5edc7f362de732070931fa44d1f6b997925c3a6860d0e

Download Submit
C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.txt
Filesize
13KB

MD5
513ca7cdc416eb00de0566c15576145a

SHA1
d54ad82e93ae2eb642d538e9a0cee839499773f3

SHA256
f81856c34e08e9a9ea27adab9aa19880090c44726085ce7ba6e9444dd3a4fcfb

SHA512
014420f4db507c188851b7634415a519dbfa6001f0eebb9b3736c6aca697e8311097f0924ced08f52ed81a85a855e3642d764783dafb28efea84ac553ea4224c

Download Submit
C:\Windows\Sha3rprompt.dll
Filesize
1.0MB

MD5
e3ff9908672ec666d3060fd41d7b8e42

SHA1
18b9806453a2251c3059a74e8fb1b87859835ea0

SHA256
4805eb11c3cfe443b506ceabdcd7267148aafea1bba3f9b39e0bc5ba2f896263

SHA512
df3775df8a18e0b1070a0d26adf77ab4c4596767ad2049107fe02ca0cb5344040a32853fa0ab1c8683a64d396cb89dda3f9accc4503f75695313a11d01c77b72

Download Submit
C:\Windows\Sha3rprompt.dll
Filesize
1.0MB

MD5
e3ff9908672ec666d3060fd41d7b8e42

SHA1
18b9806453a2251c3059a74e8fb1b87859835ea0

SHA256
4805eb11c3cfe443b506ceabdcd7267148aafea1bba3f9b39e0bc5ba2f896263

SHA512
df3775df8a18e0b1070a0d26adf77ab4c4596767ad2049107fe02ca0cb5344040a32853fa0ab1c8683a64d396cb89dda3f9accc4503f75695313a11d01c77b72

Download Submit
C:\Windows\Tasks\SA.txt
Filesize
1KB

MD5
c7435c74a647b69a8618961bc27401fc

SHA1
52acfc3de5fbabe7c17ab7f726e29f121a8b5f14

SHA256
7175e4a95e3d6b4d1f52f098cdb9e486136f17ff027912731e0b6597fe10ef48

SHA512
42d52d9b5fb193d260db856b11fd130e3f68ecf4c6b7e1d85c5ccfc7ecfcfabf5f49a090fb5166fadeb3184df33eb848d307cde37647cc751a8a826b73a3633c

Download Submit
C:\Windows\Temp\WinSAT-334.txt
Filesize
530B

MD5
a4cec68f52b444d12032e0f166a9cd6f

SHA1
207d3d8a5b02a4f325cbea134e84f797f6919bcf

SHA256
68a9adf1d1cc364ab2ff06fc12f788056be7f5c0b760e840c1815fb9c0b1766c

SHA512
1d75faeb94d040e4c2ecbe8c13c7828e0200919599b099f08e3e24a2b8b442ae5d1b0bd120684378bdbff8910011eb4c0b341acef25d0bc3a865a56492af6374

Download Submit
C:\Windows\Temp\WinSAT-334.txt
Filesize
12B

MD5
0146b97f1bf748301734071d33706ba1

SHA1
4fe8ed756a2e7d09499d962cb3ffd9a7d3e20495

SHA256
c3af235b5b9c8f8c0657cab7c8c85f85d97100c7d13cb4fb6626c667e06b697f

SHA512
34e2df58d22ddbc3b5d4355394232e71b8ec68c389d2a21d99981200ba80e3f90e4af3c56aef2d50b5042796d658e6ac9007450d4e32f0d8db43d167a59f0cfb

Download Submit
C:\Windows\basswebmss.dll
Filesize
198KB

MD5
30abd72a6d7ec19ce9d76a176728e039

SHA1
d50f09e30fb2f8e953f1322aa39d70a6fff9e418

SHA256
ac62d72d9c27bf2371c1faf44f622083162eeca362ba54748f793b74cc1cadcd

SHA512
b384a0f3b0c02bf7769bc5ef47667e21a03c22a641ae050567712303309bdce46816cb94b4aac50cfb6227712019fd311e67ba3deba5c8a374accce2f189ec2b

Download Submit
C:\Windows\cguuiM.exe
Filesize
82KB

MD5
390a7337b163b819cb99eabe0e8825a4

SHA1
f34cc80fff864ffaa367be573420d8f5a8e2d341

SHA256
6b29a1de3d3d2cacd1200c3c1bd6fe5a7afdb4724aaba76b77965ae2a82836de

SHA512
d4502bb4ce045e350f814fc16445f4cf03adda5640a9dcfd1c1ea647fed724cf1540ac96d6e6b91de09e9bee78e5f86ea942a8852a9b8840511dd1808b900f4d

Download Submit
C:\Windows\dpp.dll
Filesize
1.9MB

MD5
692026ff118997f30b9c314df54bce25

SHA1
a09c770f410ad4df8e78c6d0723f70521cfb63f1

SHA256
75c5725344092eb7a9f0c2c74c85a98f73d7d4c8201a677b206c35655c2e33d8

SHA512
60d5b1b29e19150636a0b7c593e95bac2bc42c0cc2dd6335cc45794f64fc5f64044f64365a9ef742616ffc025e121f2455425808a44add02bb28173394b87e36

Download Submit
C:\Windows\dpp.dll
Filesize
1.9MB

MD5
692026ff118997f30b9c314df54bce25

SHA1
a09c770f410ad4df8e78c6d0723f70521cfb63f1

SHA256
75c5725344092eb7a9f0c2c74c85a98f73d7d4c8201a677b206c35655c2e33d8

SHA512
60d5b1b29e19150636a0b7c593e95bac2bc42c0cc2dd6335cc45794f64fc5f64044f64365a9ef742616ffc025e121f2455425808a44add02bb28173394b87e36

Download Submit
C:\Windows\lddll.exe
Filesize
123KB

MD5
f3a820ed62ff4b46f4c784bb9a30ea35

SHA1
1c6509dd11d4309dd16a82b5fd547fe897528d48

SHA256
6b053331bde2c3d55d8bfb7d3a4d761cec3fb076b46c4b4c9e8f7022eae01b80

SHA512
cae640fff1608222601d52da19f902f6c6b7d92f5bed11b5a91ac9f9f923f96c442cbe415dc06eaa4233642eaa5314d4c2ca2c3612b88e3dce7575b4e5100358

Download Submit
C:\Windows\ldplayers.exe
Filesize
125KB

MD5
1c06063c8b264df1d6ad2b14ae7e5309

SHA1
77538cbb4e684dbe891cac50d811dbb7d3c26cec

SHA256
0c9b2b222cdd42a185f5abcff1e6672f981ed2a01c9149ea49f0cef0813ce864

SHA512
a2d8b01d0a63bdea2be7abd1080ac4a070457d637b081fdec91237284cac9e61fa7753b0a5637dc53ae96f694161e5437f52cbffbfea3df9357cf9572a7ab56a

Download Submit
C:\Windows\libcrypto-1_1.dll
Filesize
2.5MB

MD5
31643a6540ba24cf98a97cef42634048

SHA1
0206d691eaa40885713327c11e000cb771a21703

SHA256
e36557189986f864b35c4f3d66b3356ce242c73217ec9ec5c3d66453c480633f

SHA512
5f5c74fecacb723126ff099ad7303af500b5125ecef2966fb3104d3668d07e836266680a7628a63a5a26200f6139bed77e7f5c7533a9934cb81be9857800de41

Download Submit
C:\Windows\libcrypto-1_1.dll
Filesize
2.5MB

MD5
31643a6540ba24cf98a97cef42634048

SHA1
0206d691eaa40885713327c11e000cb771a21703

SHA256
e36557189986f864b35c4f3d66b3356ce242c73217ec9ec5c3d66453c480633f

SHA512
5f5c74fecacb723126ff099ad7303af500b5125ecef2966fb3104d3668d07e836266680a7628a63a5a26200f6139bed77e7f5c7533a9934cb81be9857800de41

Download Submit
C:\Windows\libsodium.dll
Filesize
329KB

MD5
be8a4636d7dd224ef4774065189ce7ff

SHA1
6aadb8d601333a3136647cb8a96480e277798d9e

SHA256
84fa23e1bd52d64265d6eb31b72fb40bb539856110633a6e0583003290e5f61a

SHA512
2fe3b94f473f81e6e8834455789d9401dcd4650b66a24a57d9f923ca9487e3cccbaf9caeb9033ef63bbb287a4c41776587776b2acf3281fa99d7f285d0bf27a9

Download Submit
C:\Windows\libsodium.dll
Filesize
329KB

MD5
be8a4636d7dd224ef4774065189ce7ff

SHA1
6aadb8d601333a3136647cb8a96480e277798d9e

SHA256
84fa23e1bd52d64265d6eb31b72fb40bb539856110633a6e0583003290e5f61a

SHA512
2fe3b94f473f81e6e8834455789d9401dcd4650b66a24a57d9f923ca9487e3cccbaf9caeb9033ef63bbb287a4c41776587776b2acf3281fa99d7f285d0bf27a9

Download Submit
C:\Windows\libssl-1_1.dll
Filesize
523KB

MD5
46c50a365a8a11627137ad52e4ab2f94

SHA1
6d02dc794a756c077233f074bd85c4b8241c24df

SHA256
187b33ab7a95d4722ff7dc6e2a0e6f121f68fd034b708a946b76748ec2a39b83

SHA512
3e2bdb912e77c249950d3dac3d3937d716e982fa9dfa3aeb48760219e53e99e70292294cc80992095bb18ee62329aac69c253dea2ae6037c9e80e1500a32b1c0

Download Submit
C:\Windows\libssl-1_1.dll
Filesize
523KB

MD5
46c50a365a8a11627137ad52e4ab2f94

SHA1
6d02dc794a756c077233f074bd85c4b8241c24df

SHA256
187b33ab7a95d4722ff7dc6e2a0e6f121f68fd034b708a946b76748ec2a39b83

SHA512
3e2bdb912e77c249950d3dac3d3937d716e982fa9dfa3aeb48760219e53e99e70292294cc80992095bb18ee62329aac69c253dea2ae6037c9e80e1500a32b1c0

Download Submit
C:\Windows\nircmd.exe
Filesize
44KB

MD5
a1cd6a64e8f8ad5d4b6c07dc4113c7ec

SHA1
60e2f48a51c061bba72a08f34be781354f87aa49

SHA256
b994ae5cbfb5ad308656e9a8bf7a4a866fdeb9e23699f89f048d7f92e6bb8577

SHA512
87a42901a63793653d49f1c6d410a429cabb470b4c340c4553cbd9eccacb38d8543f85455465e0a432d737e950c590175dad744094861f7c3e575446a65b41e8

Download Submit
C:\Windows\nircmd.exe
Filesize
44KB

MD5
a1cd6a64e8f8ad5d4b6c07dc4113c7ec

SHA1
60e2f48a51c061bba72a08f34be781354f87aa49

SHA256
b994ae5cbfb5ad308656e9a8bf7a4a866fdeb9e23699f89f048d7f92e6bb8577

SHA512
87a42901a63793653d49f1c6d410a429cabb470b4c340c4553cbd9eccacb38d8543f85455465e0a432d737e950c590175dad744094861f7c3e575446a65b41e8

Download Submit
C:\Windows\nircmd.exe
Filesize
44KB

MD5
a1cd6a64e8f8ad5d4b6c07dc4113c7ec

SHA1
60e2f48a51c061bba72a08f34be781354f87aa49

SHA256
b994ae5cbfb5ad308656e9a8bf7a4a866fdeb9e23699f89f048d7f92e6bb8577

SHA512
87a42901a63793653d49f1c6d410a429cabb470b4c340c4553cbd9eccacb38d8543f85455465e0a432d737e950c590175dad744094861f7c3e575446a65b41e8

Download Submit
C:\Windows\opus.dll
Filesize
307KB

MD5
a4c7c50ebed6a72ead1baa4cb3057c81

SHA1
21ae7d92ce5f6684c2bb091a780830fb7e2263c0

SHA256
0d518b2def8d3e2d6a1d221ddc6d66a338ab1ba6068461d1cf5f3b7d39c97793

SHA512
1d679f5d0805907ada13a79b5d673ff1262334fbed6bdda2812a4c183aea7dd1d775f847048d5c5d06aa920b76936b61ad7426e77502807935a93ec953e03071

Download Submit
C:\Windows\opus.dll
Filesize
307KB

MD5
a4c7c50ebed6a72ead1baa4cb3057c81

SHA1
21ae7d92ce5f6684c2bb091a780830fb7e2263c0

SHA256
0d518b2def8d3e2d6a1d221ddc6d66a338ab1ba6068461d1cf5f3b7d39c97793

SHA512
1d679f5d0805907ada13a79b5d673ff1262334fbed6bdda2812a4c183aea7dd1d775f847048d5c5d06aa920b76936b61ad7426e77502807935a93ec953e03071

Download Submit
C:\Windows\vulklan-1.exe
Filesize
125KB

MD5
1c06063c8b264df1d6ad2b14ae7e5309

SHA1
77538cbb4e684dbe891cac50d811dbb7d3c26cec

SHA256
0c9b2b222cdd42a185f5abcff1e6672f981ed2a01c9149ea49f0cef0813ce864

SHA512
a2d8b01d0a63bdea2be7abd1080ac4a070457d637b081fdec91237284cac9e61fa7753b0a5637dc53ae96f694161e5437f52cbffbfea3df9357cf9572a7ab56a

Download Submit
C:\Windows\winhlp64.exe
Filesize
368KB

MD5
ec88a477340500a675d3d488ff1a8aa1

SHA1
58ae48ed1da866ec5a55e6d9baad7817813936f6

SHA256
322570b200015030b63f1605bfc0580c3aaa5e68a104ffc683f67001923c4bf4

SHA512
1b3afc68ee0ae029b926f2cab707eeed659cd72bf344e2765f384a2acdc7404a5a4a578586a5876eb4a17f5b78a343cf68495b10db0c29a19c8312f5c4b28c25

Download Submit
C:\Windows\winhlp64.exe
Filesize
368KB

MD5
ec88a477340500a675d3d488ff1a8aa1

SHA1
58ae48ed1da866ec5a55e6d9baad7817813936f6

SHA256
322570b200015030b63f1605bfc0580c3aaa5e68a104ffc683f67001923c4bf4

SHA512
1b3afc68ee0ae029b926f2cab707eeed659cd72bf344e2765f384a2acdc7404a5a4a578586a5876eb4a17f5b78a343cf68495b10db0c29a19c8312f5c4b28c25

Download Submit
C:\Windows\zlib1.dll
Filesize
73KB

MD5
05bf83777d5b6c7bf74a512f51f34a7b

SHA1
5c177218220a9c1df6eff2fc46bf3dd512986222

SHA256
0d2a785476bf5ab1906f4738e92df18a2c438e27225c1c1cac9afe77417c0b46

SHA512
0249ac76f843b3d46120da665ebe3b361f120477997f3809b88188d1afeffa2a789f5a990930441f54729d1e806c2ce005893ac77a88dd87d302e2ee49eba941

Download Submit
C:\Windows\zlib1.dll
Filesize
73KB

MD5
05bf83777d5b6c7bf74a512f51f34a7b

SHA1
5c177218220a9c1df6eff2fc46bf3dd512986222

SHA256
0d2a785476bf5ab1906f4738e92df18a2c438e27225c1c1cac9afe77417c0b46

SHA512
0249ac76f843b3d46120da665ebe3b361f120477997f3809b88188d1afeffa2a789f5a990930441f54729d1e806c2ce005893ac77a88dd87d302e2ee49eba941

Download Submit
memory/4000-274-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4000-275-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

pid	process
888	winhlp64.exe
4000	nircmd.exe
4380	nircmd.exe