fa31734c4a27cb245c57d4ea9e68271714e10aea39a39ec849c29933cbd37e62

Analysis

max time kernel
122s
max time network
152s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 13:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

CG_Loader.exe
Size

3.7MB
MD5

376ddb3002bdde090c62b900a040437c
SHA1

97e44c84d2a12730c1ca19b6bfefbb9e11a7e8bb
SHA256

fa31734c4a27cb245c57d4ea9e68271714e10aea39a39ec849c29933cbd37e62
SHA512

669ed5461a9887e09c086146f56e2f129cad5c21699b2769231ff123af0449b10ef0888913c6bf3c4997a2038b900017a1f9aace531f8ae4b0daa54d9af57b06
SSDEEP

98304:Wxp8jKhbUiGEHmx0/cZ3uFtffOW9Ixb7JXTh:WxbhUiGWJ0EFtffA1D

Score

8^/10

evasion persistence upx

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts.ics	cmd.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe
File created	C:\Windows\system32\Drivers\netapp.sys	EQKMMIFH.dll

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\netapp\ImagePath = "\\SystemRoot\\system32\\drivers\\netapp.sys"	EQKMMIFH.dll

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 9 IoCs

pid	Process
788	EQKMMIFH.dll
1208	EQKMMIFH.dll
2144	EQKMMIFH.dll
1548	EQKMMIFH.dll
1760	EQKMMIFH.dll
2440	EQKMMIFH.dll
2708	EQKMMIFH.dll
2800	EQKMMIFH.dll
2780	EQKMMIFH.dll

Loads dropped DLL 1 IoCs

pid	Process
2232	CG_Loader.exe

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001621f-45.dat	upx
behavioral1/files/0x000600000001621f-46.dat	upx
behavioral1/memory/2176-47-0x0000000002200000-0x0000000002A48000-memory.dmp	upx
behavioral1/memory/788-48-0x0000000000E30000-0x0000000001678000-memory.dmp	upx
behavioral1/memory/788-70-0x0000000000E30000-0x0000000001678000-memory.dmp	upx
behavioral1/files/0x000600000001621f-97.dat	upx
behavioral1/memory/1208-133-0x00000000013D0000-0x0000000001C18000-memory.dmp	upx
behavioral1/memory/1208-135-0x00000000013D0000-0x0000000001C18000-memory.dmp	upx
behavioral1/files/0x000600000001621f-278.dat	upx
behavioral1/memory/2144-279-0x00000000013D0000-0x0000000001C18000-memory.dmp	upx
behavioral1/memory/2144-563-0x00000000013D0000-0x0000000001C18000-memory.dmp	upx
behavioral1/files/0x000600000001621f-574.dat	upx
behavioral1/memory/1548-575-0x00000000013D0000-0x0000000001C18000-memory.dmp	upx
behavioral1/memory/1548-603-0x00000000013D0000-0x0000000001C18000-memory.dmp	upx
behavioral1/files/0x000600000001621f-614.dat	upx
behavioral1/memory/1760-615-0x00000000013D0000-0x0000000001C18000-memory.dmp	upx
behavioral1/memory/1760-616-0x00000000013D0000-0x0000000001C18000-memory.dmp	upx
behavioral1/files/0x000600000001621f-626.dat	upx
behavioral1/memory/2440-636-0x00000000013D0000-0x0000000001C18000-memory.dmp	upx
behavioral1/memory/2440-648-0x00000000013D0000-0x0000000001C18000-memory.dmp	upx
behavioral1/files/0x000600000001621f-665.dat	upx
behavioral1/memory/2708-675-0x00000000013D0000-0x0000000001C18000-memory.dmp	upx
behavioral1/memory/2708-676-0x00000000013D0000-0x0000000001C18000-memory.dmp	upx
behavioral1/files/0x000600000001621f-677.dat	upx
behavioral1/memory/2800-678-0x00000000013D0000-0x0000000001C18000-memory.dmp	upx
behavioral1/memory/2800-679-0x00000000013D0000-0x0000000001C18000-memory.dmp	upx
behavioral1/files/0x000600000001621f-680.dat	upx
behavioral1/memory/2780-681-0x00000000013D0000-0x0000000001C18000-memory.dmp	upx
behavioral1/memory/2780-682-0x00000000013D0000-0x0000000001C18000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\EQKMMIFH.dll	CG_Loader.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
592	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2524	timeout.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2264	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B38F4F01-6897-11EE-9DA4-5A71798CFAF9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd2da6efca7814e97bd67c6ea97aa8b000000000200000000001066000000010000200000005ba3bfeeee87a91e4d1c9faeabd8e9a5358a636069925569c8eaf83c8e4cf8cd000000000e80000000020000200000001e6ea2327b56c4f25c3a91afc14e80bb15e59571369d35a690144a80cd4cef76900000005e776a6d0f3a201e79d54e29f11f2fff9e078e5dacaf925a5ced6714bee63bbf90e510841ee33c2628d8660e8328b03a7f47e4e6044cb9965a8c13856a17bbdde009a4f18b16da5f1968a152a14a304500ca6357324cf530903c4f84e09f6cd97a524e60486d248f75d7cce8f65b20304258d61dc0bd5971356f8cf77c25597172c092436f210731523d2d822771886e400000008471bd015354a0e88e9ad5382ef6ffc1f6552eacd71809adca15fba7d0636d213ed3139d4b421181cd6c0d60307a3d87f24276d409abf75d2e7ef4460b585d17	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d05fe68aa4fcd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd2da6efca7814e97bd67c6ea97aa8b00000000020000000000106600000001000020000000207ea984136b1b80951ee50eac42314ead350d0a009853acff763577db782b2a000000000e8000000002000020000000b323f696f01cd2d712e31ea17c8dfdeff20be907dd8bba72ebb8828aac86c3ba200000009f36ec0b9c494b1e4b710723fb6add2cf21f3319deaeb42bb30581493bbb678340000000c136dea116c1e9cd1348e0bd7cf4cc9dac391b6b62862df970dc83f69fa3259ce1283bcc71f8e160f3f14c9f52e0c6d31ee0512320443a9def6fe46996d993b1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403232995"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fd9f8db3	EQKMMIFH.dll
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\fd9f8db3	EQKMMIFH.dll
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fd9f8db3	EQKMMIFH.dll
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fd9f8db3	EQKMMIFH.dll
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fd9f8db3	EQKMMIFH.dll
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fd9f8db3	EQKMMIFH.dll
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fd9f8db3	EQKMMIFH.dll
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fd9f8db3	EQKMMIFH.dll
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fd9f8db3	EQKMMIFH.dll

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	CG_Loader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	CG_Loader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	CG_Loader.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe
2232	CG_Loader.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
468	Process not Found
2144	EQKMMIFH.dll

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	CG_Loader.exe
Token: SeIncreaseQuotaPrivilege	788	EQKMMIFH.dll
Token: SeSecurityPrivilege	788	EQKMMIFH.dll
Token: SeTakeOwnershipPrivilege	788	EQKMMIFH.dll
Token: SeLoadDriverPrivilege	788	EQKMMIFH.dll
Token: SeSystemProfilePrivilege	788	EQKMMIFH.dll
Token: SeSystemtimePrivilege	788	EQKMMIFH.dll
Token: SeProfSingleProcessPrivilege	788	EQKMMIFH.dll
Token: SeIncBasePriorityPrivilege	788	EQKMMIFH.dll
Token: SeCreatePagefilePrivilege	788	EQKMMIFH.dll
Token: SeBackupPrivilege	788	EQKMMIFH.dll
Token: SeRestorePrivilege	788	EQKMMIFH.dll
Token: SeShutdownPrivilege	788	EQKMMIFH.dll
Token: SeDebugPrivilege	788	EQKMMIFH.dll
Token: SeSystemEnvironmentPrivilege	788	EQKMMIFH.dll
Token: SeChangeNotifyPrivilege	788	EQKMMIFH.dll
Token: SeRemoteShutdownPrivilege	788	EQKMMIFH.dll
Token: SeUndockPrivilege	788	EQKMMIFH.dll
Token: SeManageVolumePrivilege	788	EQKMMIFH.dll
Token: SeImpersonatePrivilege	788	EQKMMIFH.dll
Token: SeCreateGlobalPrivilege	788	EQKMMIFH.dll
Token: 33	788	EQKMMIFH.dll
Token: 34	788	EQKMMIFH.dll
Token: 35	788	EQKMMIFH.dll
Token: SeIncreaseQuotaPrivilege	1208	EQKMMIFH.dll
Token: SeSecurityPrivilege	1208	EQKMMIFH.dll
Token: SeTakeOwnershipPrivilege	1208	EQKMMIFH.dll
Token: SeLoadDriverPrivilege	1208	EQKMMIFH.dll
Token: SeSystemProfilePrivilege	1208	EQKMMIFH.dll
Token: SeSystemtimePrivilege	1208	EQKMMIFH.dll
Token: SeProfSingleProcessPrivilege	1208	EQKMMIFH.dll
Token: SeIncBasePriorityPrivilege	1208	EQKMMIFH.dll
Token: SeCreatePagefilePrivilege	1208	EQKMMIFH.dll
Token: SeBackupPrivilege	1208	EQKMMIFH.dll
Token: SeRestorePrivilege	1208	EQKMMIFH.dll
Token: SeShutdownPrivilege	1208	EQKMMIFH.dll
Token: SeDebugPrivilege	1208	EQKMMIFH.dll
Token: SeSystemEnvironmentPrivilege	1208	EQKMMIFH.dll
Token: SeChangeNotifyPrivilege	1208	EQKMMIFH.dll
Token: SeRemoteShutdownPrivilege	1208	EQKMMIFH.dll
Token: SeUndockPrivilege	1208	EQKMMIFH.dll
Token: SeManageVolumePrivilege	1208	EQKMMIFH.dll
Token: SeImpersonatePrivilege	1208	EQKMMIFH.dll
Token: SeCreateGlobalPrivilege	1208	EQKMMIFH.dll
Token: 33	1208	EQKMMIFH.dll
Token: 34	1208	EQKMMIFH.dll
Token: 35	1208	EQKMMIFH.dll
Token: SeIncreaseQuotaPrivilege	2144	EQKMMIFH.dll
Token: SeSecurityPrivilege	2144	EQKMMIFH.dll
Token: SeTakeOwnershipPrivilege	2144	EQKMMIFH.dll
Token: SeLoadDriverPrivilege	2144	EQKMMIFH.dll
Token: SeSystemProfilePrivilege	2144	EQKMMIFH.dll
Token: SeSystemtimePrivilege	2144	EQKMMIFH.dll
Token: SeProfSingleProcessPrivilege	2144	EQKMMIFH.dll
Token: SeIncBasePriorityPrivilege	2144	EQKMMIFH.dll
Token: SeCreatePagefilePrivilege	2144	EQKMMIFH.dll
Token: SeBackupPrivilege	2144	EQKMMIFH.dll
Token: SeRestorePrivilege	2144	EQKMMIFH.dll
Token: SeShutdownPrivilege	2144	EQKMMIFH.dll
Token: SeDebugPrivilege	2144	EQKMMIFH.dll
Token: SeSystemEnvironmentPrivilege	2144	EQKMMIFH.dll
Token: SeChangeNotifyPrivilege	2144	EQKMMIFH.dll
Token: SeRemoteShutdownPrivilege	2144	EQKMMIFH.dll
Token: SeUndockPrivilege	2144	EQKMMIFH.dll

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2952	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2952	iexplore.exe
2952	iexplore.exe
1976	IEXPLORE.EXE
1976	IEXPLORE.EXE
1208	EQKMMIFH.dll
1976	IEXPLORE.EXE
1976	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2392	2232	CG_Loader.exe	28
PID 2232 wrote to memory of 2392	2232	CG_Loader.exe	28
PID 2232 wrote to memory of 2392	2232	CG_Loader.exe	28
PID 2232 wrote to memory of 2392	2232	CG_Loader.exe	28
PID 2392 wrote to memory of 2856	2392	cmd.exe	30
PID 2392 wrote to memory of 2856	2392	cmd.exe	30
PID 2392 wrote to memory of 2856	2392	cmd.exe	30
PID 2392 wrote to memory of 2856	2392	cmd.exe	30
PID 2392 wrote to memory of 2544	2392	cmd.exe	31
PID 2392 wrote to memory of 2544	2392	cmd.exe	31
PID 2392 wrote to memory of 2544	2392	cmd.exe	31
PID 2392 wrote to memory of 2544	2392	cmd.exe	31
PID 2392 wrote to memory of 2832	2392	cmd.exe	32
PID 2392 wrote to memory of 2832	2392	cmd.exe	32
PID 2392 wrote to memory of 2832	2392	cmd.exe	32
PID 2392 wrote to memory of 2832	2392	cmd.exe	32
PID 2392 wrote to memory of 3004	2392	cmd.exe	33
PID 2392 wrote to memory of 3004	2392	cmd.exe	33
PID 2392 wrote to memory of 3004	2392	cmd.exe	33
PID 2392 wrote to memory of 3004	2392	cmd.exe	33
PID 2232 wrote to memory of 1308	2232	CG_Loader.exe	34
PID 2232 wrote to memory of 1308	2232	CG_Loader.exe	34
PID 2232 wrote to memory of 1308	2232	CG_Loader.exe	34
PID 2232 wrote to memory of 1308	2232	CG_Loader.exe	34
PID 1308 wrote to memory of 2824	1308	cmd.exe	36
PID 1308 wrote to memory of 2824	1308	cmd.exe	36
PID 1308 wrote to memory of 2824	1308	cmd.exe	36
PID 1308 wrote to memory of 2824	1308	cmd.exe	36
PID 2232 wrote to memory of 2952	2232	CG_Loader.exe	38
PID 2232 wrote to memory of 2952	2232	CG_Loader.exe	38
PID 2232 wrote to memory of 2952	2232	CG_Loader.exe	38
PID 2232 wrote to memory of 2952	2232	CG_Loader.exe	38
PID 2952 wrote to memory of 1976	2952	iexplore.exe	40
PID 2952 wrote to memory of 1976	2952	iexplore.exe	40
PID 2952 wrote to memory of 1976	2952	iexplore.exe	40
PID 2952 wrote to memory of 1976	2952	iexplore.exe	40
PID 2232 wrote to memory of 1628	2232	CG_Loader.exe	41
PID 2232 wrote to memory of 1628	2232	CG_Loader.exe	41
PID 2232 wrote to memory of 1628	2232	CG_Loader.exe	41
PID 2232 wrote to memory of 1628	2232	CG_Loader.exe	41
PID 2232 wrote to memory of 2176	2232	CG_Loader.exe	43
PID 2232 wrote to memory of 2176	2232	CG_Loader.exe	43
PID 2232 wrote to memory of 2176	2232	CG_Loader.exe	43
PID 2232 wrote to memory of 2176	2232	CG_Loader.exe	43
PID 1628 wrote to memory of 576	1628	cmd.exe	45
PID 1628 wrote to memory of 576	1628	cmd.exe	45
PID 1628 wrote to memory of 576	1628	cmd.exe	45
PID 1628 wrote to memory of 576	1628	cmd.exe	45
PID 2176 wrote to memory of 704	2176	cmd.exe	47
PID 2176 wrote to memory of 704	2176	cmd.exe	47
PID 2176 wrote to memory of 704	2176	cmd.exe	47
PID 2176 wrote to memory of 704	2176	cmd.exe	47
PID 1628 wrote to memory of 592	1628	cmd.exe	96
PID 1628 wrote to memory of 592	1628	cmd.exe	96
PID 1628 wrote to memory of 592	1628	cmd.exe	96
PID 1628 wrote to memory of 592	1628	cmd.exe	96
PID 2176 wrote to memory of 788	2176	cmd.exe	48
PID 2176 wrote to memory of 788	2176	cmd.exe	48
PID 2176 wrote to memory of 788	2176	cmd.exe	48
PID 2176 wrote to memory of 788	2176	cmd.exe	48
PID 2176 wrote to memory of 3052	2176	cmd.exe	49
PID 2176 wrote to memory of 3052	2176	cmd.exe	49
PID 2176 wrote to memory of 3052	2176	cmd.exe	49
PID 2176 wrote to memory of 3052	2176	cmd.exe	49

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2824	attrib.exe

C:\Users\Admin\AppData\Local\Temp\CG_Loader.exe
"C:\Users\Admin\AppData\Local\Temp\CG_Loader.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo y|cacls "C:\Users\Admin\AppData\Local\Temp\IObitUnlocker.sys" /P everyone:f & echo y|cacls "C:\Users\Admin\AppData\Local\Temp\IObitUnlocker.dll" /P everyone:f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Temp\IObitUnlocker.sys" /P everyone:f
    3⤵
    PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Temp\IObitUnlocker.dll" /P everyone:f
    3⤵
    PID:3004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h -s -a C:\CG_Files
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h -s -a C:\CG_Files
    3⤵
    - Views/modifies file attributes
    PID:2824
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://href.li/?https://cheatglobal.com/ui/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2952 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1976
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo|sc stop IObitUnlocker
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo"
    3⤵
    PID:576
- - C:\Windows\SysWOW64\sc.exe
    sc stop IObitUnlocker
    3⤵
    - Launches sc.exe
    PID:592
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo|%windir%\EQKMMIFH.dll /protection off & echo|%windir%\EQKMMIFH.dll /op:uninstall_app & echo y|cacls "%windir%\system32\drivers\etc\hosts" /P %username% & echo y|cacls "%windir%\system32\drivers\etc\hosts.ics" /P %username%:f & echo y|cacls "%windir%\system32\drivers\etc\hosts" /P alla:f & echo y|cacls "%windir%\system32\drivers\etc\hosts.ics" /P alla:f & echo y|cacls "%windir%\system32\drivers\etc\hosts" /P everyone:f & echo y|cacls "%windir%\system32\drivers\etc\hosts.ics" /P everyone:f & echo y|cacls "C:\CG_Files" /P alla:f & echo y|cacls "C:\CG_Files" /P %username%:f & echo y|cacls "C:\CG_Files" /P everyone:f & echo y|cacls "C:\CG_Files\*.*" /P alla:f & echo y|cacls "C:\CG_Files\*.*" /P %username%:f & echo y|cacls "C:\CG_Files\*.*" /P everyone:f & echo y|cacls "C:\Users\Admin\AppData\Local\Temp\IObitUnlocker.dll" /P %username%:f & echo y|cacls "C:\Users\Admin\AppData\Local\Temp\IObitUnlocker.dll" /P alla:f & echo y|cacls "C:\Users\Admin\AppData\Local\Temp\IObitUnlocker.dll" /P everyone:f & echo y|cacls "C:\Users\Admin\AppData\Local\Temp\IObitUnlocker.sys" /P %username%:f & echo y|cacls "C:\Users\Admin\AppData\Local\Temp\IObitUnlocker.sys" /P alla:f & echo y|cacls "C:\Users\Admin\AppData\Local\Temp\IObitUnlocker.sys" /P everyone:f & echo y|cacls "C:\Windows\System32\drivers\etc" /P %username%:f & echo y|cacls "C:\Windows\System32\drivers\etc" /P alla:f & echo y|cacls "C:\Windows\System32\drivers\etc" /P everyone:f & echo y|cacls "%windir%\system32\drivers\etc" /P %username%:f & echo y|cacls "%windir%\system32\drivers\etc" /P alla:f & echo y|cacls "%windir%\system32\drivers\etc" /P everyone:f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo"
    3⤵
    PID:704
- - C:\Windows\EQKMMIFH.dll
    C:\Windows\EQKMMIFH.dll /protection off
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo"
    3⤵
    PID:3052
- - C:\Windows\EQKMMIFH.dll
    C:\Windows\EQKMMIFH.dll /op:uninstall_app
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\drivers\etc\hosts" /P Admin
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\drivers\etc\hosts.ics" /P Admin:f
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\drivers\etc\hosts" /P alla:f
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\drivers\etc\hosts.ics" /P alla:f
    3⤵
    PID:1012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\drivers\etc\hosts" /P everyone:f
    3⤵
    PID:1420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1072
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\drivers\etc\hosts.ics" /P everyone:f
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\CG_Files" /P alla:f
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\CG_Files" /P Admin:f
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2960
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\CG_Files" /P everyone:f
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1236
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\CG_Files\*.*" /P alla:f
    3⤵
    PID:320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1172
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\CG_Files\*.*" /P Admin:f
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\CG_Files\*.*" /P everyone:f
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Temp\IObitUnlocker.dll" /P Admin:f
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Temp\IObitUnlocker.dll" /P alla:f
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Temp\IObitUnlocker.dll" /P everyone:f
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Temp\IObitUnlocker.sys" /P Admin:f
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Temp\IObitUnlocker.sys" /P alla:f
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Temp\IObitUnlocker.sys" /P everyone:f
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\System32\drivers\etc" /P Admin:f
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\System32\drivers\etc" /P alla:f
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\System32\drivers\etc" /P everyone:f
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\drivers\etc" /P Admin:f
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:268
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\drivers\etc" /P alla:f
    3⤵
    PID:592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Windows\system32\drivers\etc" /P everyone:f
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo|type "%appdata%\EQKMMIFH.txt" > "%windir%\system32\drivers\etc\hosts.ics" & echo|type "%appdata%\EQKMMIFH.txt" > "%windir%\system32\drivers\etc\hosts" & echo|ipconfig /flushdns
  2⤵
  PID:1480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo"
    3⤵
    PID:816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Roaming\EQKMMIFH.txt" 1>"C:\Windows\system32\drivers\etc\hosts.ics""
    3⤵
    - Drops file in Drivers directory
    PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo"
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Roaming\EQKMMIFH.txt" 1>"C:\Windows\system32\drivers\etc\hosts""
    3⤵
    - Drops file in Drivers directory
    PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo"
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:2264
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo|"C:\Windows\EQKMMIFH.dll" /op:install_driver_registry & echo|"C:\Windows\EQKMMIFH.dll" /setitem "C:\Windows\System32\drivers\etc\hosts" Read-only & echo|"C:\Windows\EQKMMIFH.dll" /setitem "C:\Windows\System32\drivers\etc\hosts.ics" Read-only & echo|"C:\Windows\EQKMMIFH.dll" /settrusted "C:\Windows\System32\cmd.exe" Disabled & echo|"C:\Windows\EQKMMIFH.dll" /settrusted "C:\Windows\System32\conhost.exe" Disabled & echo|"C:\Windows\EQKMMIFH.dll" /settrusted "C:\Users\Admin\AppData\Local\Temp\CG_Loader.exe" Enabled & echo|"C:\Windows\EQKMMIFH.dll" /protection on & TIMEOUT /T 3 & echo|DEL /F /Q /A "%appdata%\EQKMMIFH.txt" & echo|RD /S /Q "%appdata%\EQKMMIFH.txt" & echo|DEL /F /Q /A "%windir%\EQKMMIFH.dll" & echo|RD /S /Q "%windir%\EQKMMIFH.dll"
  2⤵
  PID:2404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo"
    3⤵
    PID:3032
- - C:\Windows\EQKMMIFH.dll
    "C:\Windows\EQKMMIFH.dll" /op:install_driver_registry
    3⤵
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo"
    3⤵
    PID:1028
- - C:\Windows\EQKMMIFH.dll
    "C:\Windows\EQKMMIFH.dll" /setitem "C:\Windows\System32\drivers\etc\hosts" Read-only
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo"
    3⤵
    PID:936
- - C:\Windows\EQKMMIFH.dll
    "C:\Windows\EQKMMIFH.dll" /setitem "C:\Windows\System32\drivers\etc\hosts.ics" Read-only
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo"
    3⤵
    PID:2448
- - C:\Windows\EQKMMIFH.dll
    "C:\Windows\EQKMMIFH.dll" /settrusted "C:\Windows\System32\cmd.exe" Disabled
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:2440
- - C:\Windows\EQKMMIFH.dll
    "C:\Windows\EQKMMIFH.dll" /settrusted "C:\Windows\System32\conhost.exe" Disabled
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo"
    3⤵
    PID:2712
- - C:\Windows\EQKMMIFH.dll
    "C:\Windows\EQKMMIFH.dll" /settrusted "C:\Users\Admin\AppData\Local\Temp\CG_Loader.exe" Enabled
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo"
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\timeout.exe
    TIMEOUT /T 3
    3⤵
    - Delays execution with timeout.exe
    PID:2524
- - C:\Windows\EQKMMIFH.dll
    "C:\Windows\EQKMMIFH.dll" /protection on
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo"
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo"
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" DEL /F /Q /A "C:\Users\Admin\AppData\Roaming\EQKMMIFH.txt" "
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" RD /S /Q "C:\Users\Admin\AppData\Roaming\EQKMMIFH.txt" "
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo"
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo"
    3⤵
    PID:1356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo"
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" DEL /F /Q /A "C:\Windows\EQKMMIFH.dll" "
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" RD /S /Q "C:\Windows\EQKMMIFH.dll""
    3⤵
    PID:1896

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{CF93D06A-43BB-4aa4-A4FB-99880124E1AC}.log

Filesize
1KB

MD5
97397da5246a731124f1abc6cc3e2b63

SHA1
10a32ab103229217f3f0c71017ce12d59838d156

SHA256
3691d2d7161f4be5e1779d0cf8cf1d0329f0d883251a522e3eab34183d3259d9

SHA512
d363bff30fae5cab2ea805c10f03b45565ef8171ac5f78211038652d22906882e37fd5220e598672c769f506357c23bc049056633aec7bf2df6e7b133fca41f6

Download Submit
C:\ProgramData\{CF93D06A-43BB-4aa4-A4FB-99880124E1AC}.log

Filesize
1KB

MD5
fca287136b784af5840cfd980d6d52e1

SHA1
f9e5d4603ce56c1a4c20283fa462322d06113580

SHA256
71162febbcd6f9f0081472876de20a1d44a7090c484606ca1bc791c5beabc45d

SHA512
945be2ede127033443a3e71974e233e9c219eb7296b5ad2d7a4a6a836a8130f9919b5476fa5b42100e1243388aa64f9771d6c1183f9b51071840101a6905e345

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
7d4b8810da3af00c7f09a5efed7df6ca

SHA1
d5e4015b0b907947aa1a1db29f018fe0ef02dbc1

SHA256
7eafebcd4a76a2bda0e768f3f46b6d18bdaaf6ff4910e5ae01af9c56bcb811ea

SHA512
b55f54519133a28471473590ff06d367782127129f3bd1031c1b85bbf6324b0ea67c46698cbb04291eb711d83a3f657a55d8d47651b34a4d495d22ce85fe1c6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a0cc62e87a9ea471a3d568fee791dbac

SHA1
d6e08ddf372f778ee68ce6270008feab1198db4d

SHA256
fba3f60f439f0245ef7b3b6c13922219fb154d3479ce6c395b0d0d9e4c5721ac

SHA512
e45dde746d351ed95de91c8f579027f0ed409f7cb30582dbfe467ebbb16b8139e8b786988eb023e5798d88388265dd162cc2809ab7d1f3781a4e16d2fd79eff2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
198721a8e95f39b15e8e68f0bb8c7450

SHA1
8bca653286d3bfde3eb589f11ef1035be55ab172

SHA256
151d77575e4e6249a7bed2ef93cb04b265a9c50b4f877fabf7c2858597d581fd

SHA512
e21fce6c939ff794b8ba02ca28eb91855aa659439b63aadf2fa3dc4db04ff16e7a3cb0a104ca0c685f40f3f01a4ef5fec03ff674c26b7708113dc430ffa45fb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
198721a8e95f39b15e8e68f0bb8c7450

SHA1
8bca653286d3bfde3eb589f11ef1035be55ab172

SHA256
151d77575e4e6249a7bed2ef93cb04b265a9c50b4f877fabf7c2858597d581fd

SHA512
e21fce6c939ff794b8ba02ca28eb91855aa659439b63aadf2fa3dc4db04ff16e7a3cb0a104ca0c685f40f3f01a4ef5fec03ff674c26b7708113dc430ffa45fb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ba8325a6559749c065ddd48df9567def

SHA1
22c713901912011626f3d431f15440937e1462de

SHA256
d267c200049e4f2177f57eb4aacf90607b71fbfffe54786b3d494921911e30a8

SHA512
7da34a3250b28e08ec8af59fd21b761cad7d19a90e5db7bcf52fa45050a9b5db78cf7c21ad9db4d2c76d03b6ebd5bdbe809b07b2d4b0e1588acafdc79b54cf21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4dc8b850dd3add92458b5fe8bd97ca53

SHA1
0f8ddc7127d4fdf203df7decde06c27b0c7f91fa

SHA256
1858323254fc3577887f675dab8a9bafefe019fb19db047fc71078fc0f9f0e20

SHA512
60a2ac94edc52b0ddfcd330c34697d3312880ec6b2519482e702ca908624776dbce4726790b759ec1b48ea4aaea81d25e6429d8aaea41be395eeaa2a7456e155

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
202afd5d8717b414f538528cbf036e00

SHA1
f4ccec656613ed722341458deb7cf4c5c95aa465

SHA256
f26f9f196b005e67f755c36739b29bcc128f4e10225e166bc2e8a82655b5b82c

SHA512
e7d408837415c2bacda30a4181dfa3f9ee46ababffef7ae626ebfcf086fcdef0e8c8f3118afce4fd30cd27986d42565cdc949f46fd386d9fdbc69d2ec97e555a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e7ab00bc8a476c7e83144de8ce8f3330

SHA1
a6faeb4d398a3e06e53ea604a935a1fb379392c9

SHA256
4d2e960ecff930cb380d147620b69bfe97ea734afb1ef809f7889e34477344d0

SHA512
331ba91ece6509d59f7fa44a50617d002f6138b8ad34914a13a607ec25dc09b2a940bc33371ab44f72e5e3d2ee3f2dc556e4497d3e4390489c2ad96479c072e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cc072ee5b7ff49eda8eedf61c9edc9af

SHA1
d2c6d5e01f3f9631077d1ffe732b0f4c4f7da6c4

SHA256
d1bce2950ebccb77510ce6bad5c790d9126ac7d10f1f3c3bc8901563028f8633

SHA512
d7e52146631b290d3d7d527c994886936c6a622797c878ad1b9bb86cd02c772af806eda4b5ff5edffc672f5b68d204f89e7256dc35ebd4baa2c881656a88c1ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0bacf73f17c9312737401a01e69d172b

SHA1
4dbca1c81689f1e6f6c350d6fe7c5ba826967e78

SHA256
e27ee4f66998716a7a2c4c017dc2bf656c8524e8307e38e4befc717edfd11e83

SHA512
4e1c9e52364de2de1ee84331c67d0ff7ca574403533daebd87ccb4c3bc0c880d30b545eefcedebdf14254869a38b7ae954e9e93bbe380a67e178a1e531eebd2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4c7b435ca19536b44dba9ac129fbf054

SHA1
339fd197f2fbfee75772059cdb33388add3ac009

SHA256
7c0f183a467ebbb54f5988794cdb57847373b53549dcb6e72b41bf0e7bb856d2

SHA512
d822116637116d9acc819bf8854a7230754a8fd09999846e1b779f091037127540505d3d6fc6f4cd911d0f6ad1b1d24e3bee0ab0b6986d1dedac8f14bf8c55d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5c07c1df1b0241bd93d5025571524ede

SHA1
480020e3f940619cbdaba2c09db50bfb88788f19

SHA256
72fe2b55558ca338d7f5c3442370005e9b0c2ac71bda46cf939f3bf8f824423f

SHA512
66defe5aefccdc8c8ff1badab7b846d6c88d11a4a6ae54ef5c9e4be0e19c9a5efc7ff3afc98d2b7f9b20eea53101bd4245335cbe98a98d9138751b83be610c46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
35868db1ee64163e2b87bfe5700a76d3

SHA1
2bccb04418c1fd4051f93a1383b8212b8fbb8e31

SHA256
11f6bcc609debeef294acfe853d78b92edc4e444c1c8b6fb72fce55b2235b2ce

SHA512
a0fa80c7b0e5fde6a5643547a7096bc6d717b6fddae58060e0aced9977f6c447c473c32418e17e9831e949620a357850d0d9a61cb696178655285c4d66260a51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bad9fcfb9a56f08785689fa03672cfe5

SHA1
33c070b9c115895b2c7db70ba19b6bc7dc0a4e48

SHA256
e44052609028b494aac4e893c04fa76b8f111ade637faadce6488d6a84d55643

SHA512
8825aa833c7c40e151a8e44d63fc56166b5aece92773ea315920421449adc1aaadab8022a557de55ab1732ae8f7abdd7bd7a62c85c533a0314d84ef62fc39dac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7e645db92e02763d3cdd6bda5bd07a6e

SHA1
53d4c463c1b732b01dba9f1e5bf880ff416cbb2f

SHA256
46897bd0f63903ca165576472c115105b1a1db39ae5974c4ffed067991c3f124

SHA512
a11571d91683797b42d4af68973cc4e2745602de57e2b37450194318344d348da34ebc47afcd93c6214e944a497fb29cb62cb2d0b10430746318957959d3745e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
810cfb1119cf7d71fa025794d594645d

SHA1
8bc1820b6893640ba80a37d2fee2f2d106a6c77d

SHA256
29ec434d301cab0c7691441fc04e6a101ba000f8bd5e7937245aa4820ce1ef19

SHA512
d587853a5caeaeeb54cb865cb881f883a1a2981b0e5dac41ec62b8f1633037a6dff4ac7b2871f91cab52b6ced94bbe2ec554916fff1e6bafaf2f702a284d5b14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cbe1fe0448c4c59ee5d768e3f37c985d

SHA1
74a4a8d6f92330bd652abc01e97a101bbf7453c9

SHA256
bb1e70b4b4e1f4855a3229eedeb88b3346db4f73c76d6ff5f3dcc027b48720fd

SHA512
4ef9d74a7e608dbbb5caffcfbdd47f8bd49286a00f5634f5d46fc7f76ad77bf164e71525e7e34e7d7eb1e58537fbbc2872389cd5f2b1df0404212b0c62e6f6f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
34284324585dd2923af364401644291a

SHA1
deca280da16a76cabfae5ccd24fbf12ce81be4be

SHA256
a8f1b513f61e37d0e08d1f891f4d79801075b1d544d37839867aaf6f7c22b24d

SHA512
f45bcf5c6241bfd292a7c4c2648f911acaca646f4eca6ff0faf990e612c7d62159f8fa99c2e637711f8785dd7ea63608e4786c07426280e1e6b410f4136c1170

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3b3e8ace267f414ac0176ae57376635b

SHA1
f62f6c50e0f0777d5bf858737a83b5a9ce1b02f8

SHA256
a5c8422955d1b9eed62829e07183a5e49ff44227e113c85cbde8ef623d53292a

SHA512
020bba43e82cd657ce1162a2fb77162583cb756ce64365d7e772c4521e92f98bad4a43352cbd5d147cdc68e9d9078246ba9ca6a7205e25a7013d8e87b8028e15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b04a8323bbf75f3b573cf767e3f9e2d5

SHA1
06e4dcee9986d62115f0baa7d32974922e2e862c

SHA256
e1cc345d44b4b441c5d5de9d9ae671c52393cba59b2ebaf9102ebb1f771b90c9

SHA512
e05ef013f668654b5edae9ac78cfb2a7d639145fb347b5c0e25c80cbf88fbfb6aac433a96f77ac169f58bb2f5142876b75f6f338221ec96d5d33660ba4c2937b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
43121c8bea5d3df9748cf4ddb7326b9a

SHA1
88fd483e294b0c8a46409ff2f65ca7d814f94a6c

SHA256
e7f360d70c58c145544b1cae20a7e21986ce915b75019a35b26b0e369716a277

SHA512
6ebc79d869f44d750e4cf884620149b7f0fab180ba0e916b36fc36c0477d1db7697debf57ea2b5008553431572db3c103081bcd088aa0dc25468e98ab1bbfe45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
755184fadf6180e6a934445f5458c60c

SHA1
0e5bb35ed9c24e881b594173d2ce37cc02cab5c0

SHA256
044f1c436eb496185e8d64a87955cdc513ad9ad54e99dbceb1802e2070cb9dd4

SHA512
5b2004b4077173b7ce91ddb642a8ccb476c8752bb517039a579ecdd04ca77b462c2133096835d014d1ab7b72c06b4dd215b7e1f6303de58e0eaa10483b3e2d45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3ccc93eb7e1a50da77a7867954634499

SHA1
58fdaa6ad67f45e16c94cba7af740f75a6aa0092

SHA256
efe4fea6a9f43f8342dbecfdf472d041a0dac869618d29672b50a56d567991f2

SHA512
28aefea6884a800b1436a46b456e577b122a50854556e821350487cb1074b4147ed8631d7fc8ee6a7f2ebcd54037c948e204a7c526b8258057488a435095e84b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
980464bfbbd4cdbbbbf6f4510e4f5065

SHA1
03dfccc66fe9483dcfc579ea569294d68d1bd7d0

SHA256
5479beba296557387818594890763b3e4ebb67332f219b7446b95b3ab8a1508c

SHA512
94573218d0d52bdc7e2dcf8e2958f4a80e51736f046451dab1c77e410765988df1275eaef6984572127c67afbf4cb202cc0a59fa394dbf792039cad145cb5f8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
30e00a4aaba2c06366f9e9e5f0970eef

SHA1
1cd6bb9e2c975f0120836fd5237f080b6dc0610c

SHA256
ca87a6d0e69d28a52e2583616613a2c6efcd57f859b1004d029595bb2facc227

SHA512
be3cf1a079c12d5b0ae84a549a4b8526532d12fb3a55a1aba2f1f959bf48c9e4928a6dc8ebe26c05631716d42ff7ff4633e2116bbbb97dbca068347cde9c91d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9DF6.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker.dll

Filesize
77KB

MD5
69cdc240b3f2ad30b989e2c6cf705383

SHA1
07f3508c44d503d39fb4b7924ededaab2a9768be

SHA256
e42526f348de6a97f9746686e8409e396b42ce0c552dfdbe34855455c837b805

SHA512
25ea3582470e9fc42e7d4a8a652b8ba37b726cc03a1ab40dcac60b7c695bf9714f501be50b01775a6344d09856ca8d2b3a030f5a27efb34a7d9dc98a68eadbca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker.sys

Filesize
65KB

MD5
47aa03a10ac3a407f8f30f1088edcbc9

SHA1
b5d78a1d3ae93bd343c6d65e64c0945d1d558758

SHA256
c79a2bb050af6436b10b58ef04dbc7082df1513cec5934432004eb56fba05e66

SHA512
3402ca68b00ffd9e2551f97b3895990ee0274f14f117505c3588ea76c716488860ac2da07c1d9275bbc43eb87b88893c52fb04d15f1afe7b7bf7d9a524961101

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9E38.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Roaming\EQKMMIFH.txt

Filesize
3KB

MD5
27d48a5a561e6fcf054322933b6c3fa8

SHA1
06d63ec608aa5febb7e60801bee56f1b25204a7c

SHA256
8730b54f7bf111cccf4743d5e7a67685f084d59c995170aa7c5d31fa3c90a820

SHA512
b81f07a88ac6266086d964612e24ae80e6fc5a46d6631cc25ae6d3b2598beea8e5d563b85bb45f065d8845012a181a483368047d9198a90a16ba5bff7818f468

Download Submit
C:\Windows\EQKMMIFH.dll

Filesize
3.1MB

MD5
cd0f62e60245969c8f32684686969d9f

SHA1
72d70e6cbe9feb04ccebcaf17136cdbca2289c49

SHA256
295c6bd993a5ece971b032a3f5f7be68146172b9e1bda920e96fd3d4fc682e3f

SHA512
e29d76bc35c7209f9a81e9bbe1e178c5c725147a2b753f36d4b5f4e931df084d57822b8dcf9614f585824dc7c65754aa8543e621bce1e1d8bad617be357db951

Download Submit
C:\Windows\EQKMMIFH.dll

Filesize
3.1MB

MD5
cd0f62e60245969c8f32684686969d9f

SHA1
72d70e6cbe9feb04ccebcaf17136cdbca2289c49

SHA256
295c6bd993a5ece971b032a3f5f7be68146172b9e1bda920e96fd3d4fc682e3f

SHA512
e29d76bc35c7209f9a81e9bbe1e178c5c725147a2b753f36d4b5f4e931df084d57822b8dcf9614f585824dc7c65754aa8543e621bce1e1d8bad617be357db951

Download Submit
C:\Windows\EQKMMIFH.dll

Filesize
3.1MB

MD5
cd0f62e60245969c8f32684686969d9f

SHA1
72d70e6cbe9feb04ccebcaf17136cdbca2289c49

SHA256
295c6bd993a5ece971b032a3f5f7be68146172b9e1bda920e96fd3d4fc682e3f

SHA512
e29d76bc35c7209f9a81e9bbe1e178c5c725147a2b753f36d4b5f4e931df084d57822b8dcf9614f585824dc7c65754aa8543e621bce1e1d8bad617be357db951

Download Submit
C:\Windows\EQKMMIFH.dll

Filesize
3.1MB

MD5
cd0f62e60245969c8f32684686969d9f

SHA1
72d70e6cbe9feb04ccebcaf17136cdbca2289c49

SHA256
295c6bd993a5ece971b032a3f5f7be68146172b9e1bda920e96fd3d4fc682e3f

SHA512
e29d76bc35c7209f9a81e9bbe1e178c5c725147a2b753f36d4b5f4e931df084d57822b8dcf9614f585824dc7c65754aa8543e621bce1e1d8bad617be357db951

Download Submit
C:\Windows\EQKMMIFH.dll

Filesize
3.1MB

MD5
cd0f62e60245969c8f32684686969d9f

SHA1
72d70e6cbe9feb04ccebcaf17136cdbca2289c49

SHA256
295c6bd993a5ece971b032a3f5f7be68146172b9e1bda920e96fd3d4fc682e3f

SHA512
e29d76bc35c7209f9a81e9bbe1e178c5c725147a2b753f36d4b5f4e931df084d57822b8dcf9614f585824dc7c65754aa8543e621bce1e1d8bad617be357db951

Download Submit
C:\Windows\EQKMMIFH.dll

Filesize
3.1MB

MD5
cd0f62e60245969c8f32684686969d9f

SHA1
72d70e6cbe9feb04ccebcaf17136cdbca2289c49

SHA256
295c6bd993a5ece971b032a3f5f7be68146172b9e1bda920e96fd3d4fc682e3f

SHA512
e29d76bc35c7209f9a81e9bbe1e178c5c725147a2b753f36d4b5f4e931df084d57822b8dcf9614f585824dc7c65754aa8543e621bce1e1d8bad617be357db951

Download Submit
C:\Windows\EQKMMIFH.dll

Filesize
3.1MB

MD5
cd0f62e60245969c8f32684686969d9f

SHA1
72d70e6cbe9feb04ccebcaf17136cdbca2289c49

SHA256
295c6bd993a5ece971b032a3f5f7be68146172b9e1bda920e96fd3d4fc682e3f

SHA512
e29d76bc35c7209f9a81e9bbe1e178c5c725147a2b753f36d4b5f4e931df084d57822b8dcf9614f585824dc7c65754aa8543e621bce1e1d8bad617be357db951

Download Submit
C:\Windows\EQKMMIFH.dll

Filesize
3.1MB

MD5
cd0f62e60245969c8f32684686969d9f

SHA1
72d70e6cbe9feb04ccebcaf17136cdbca2289c49

SHA256
295c6bd993a5ece971b032a3f5f7be68146172b9e1bda920e96fd3d4fc682e3f

SHA512
e29d76bc35c7209f9a81e9bbe1e178c5c725147a2b753f36d4b5f4e931df084d57822b8dcf9614f585824dc7c65754aa8543e621bce1e1d8bad617be357db951

Download Submit
C:\Windows\EQKMMIFH.dll

Filesize
3.1MB

MD5
cd0f62e60245969c8f32684686969d9f

SHA1
72d70e6cbe9feb04ccebcaf17136cdbca2289c49

SHA256
295c6bd993a5ece971b032a3f5f7be68146172b9e1bda920e96fd3d4fc682e3f

SHA512
e29d76bc35c7209f9a81e9bbe1e178c5c725147a2b753f36d4b5f4e931df084d57822b8dcf9614f585824dc7c65754aa8543e621bce1e1d8bad617be357db951

Download Submit
C:\Windows\EQKMMIFH.dll

Filesize
3.1MB

MD5
cd0f62e60245969c8f32684686969d9f

SHA1
72d70e6cbe9feb04ccebcaf17136cdbca2289c49

SHA256
295c6bd993a5ece971b032a3f5f7be68146172b9e1bda920e96fd3d4fc682e3f

SHA512
e29d76bc35c7209f9a81e9bbe1e178c5c725147a2b753f36d4b5f4e931df084d57822b8dcf9614f585824dc7c65754aa8543e621bce1e1d8bad617be357db951

Download Submit
\Users\Admin\AppData\Local\Temp\IObitUnlocker.dll

Filesize
77KB

MD5
69cdc240b3f2ad30b989e2c6cf705383

SHA1
07f3508c44d503d39fb4b7924ededaab2a9768be

SHA256
e42526f348de6a97f9746686e8409e396b42ce0c552dfdbe34855455c837b805

SHA512
25ea3582470e9fc42e7d4a8a652b8ba37b726cc03a1ab40dcac60b7c695bf9714f501be50b01775a6344d09856ca8d2b3a030f5a27efb34a7d9dc98a68eadbca

Download Submit
memory/788-48-0x0000000000E30000-0x0000000001678000-memory.dmp

Filesize
8.3MB

Download
memory/788-70-0x0000000000E30000-0x0000000001678000-memory.dmp

Filesize
8.3MB

Download
memory/1208-133-0x00000000013D0000-0x0000000001C18000-memory.dmp

Filesize
8.3MB

Download
memory/1208-135-0x00000000013D0000-0x0000000001C18000-memory.dmp

Filesize
8.3MB

Download
memory/1548-603-0x00000000013D0000-0x0000000001C18000-memory.dmp

Filesize
8.3MB

Download
memory/1548-575-0x00000000013D0000-0x0000000001C18000-memory.dmp

Filesize
8.3MB

Download
memory/1760-615-0x00000000013D0000-0x0000000001C18000-memory.dmp

Filesize
8.3MB

Download
memory/1760-616-0x00000000013D0000-0x0000000001C18000-memory.dmp

Filesize
8.3MB

Download
memory/2144-563-0x00000000013D0000-0x0000000001C18000-memory.dmp

Filesize
8.3MB

Download
memory/2144-279-0x00000000013D0000-0x0000000001C18000-memory.dmp

Filesize
8.3MB

Download
memory/2176-47-0x0000000002200000-0x0000000002A48000-memory.dmp

Filesize
8.3MB

Download
memory/2232-9-0x0000000004D00000-0x0000000004D40000-memory.dmp

Filesize
256KB

Download
memory/2232-6-0x0000000074230000-0x000000007491E000-memory.dmp

Filesize
6.9MB

Download
memory/2232-1-0x0000000000A50000-0x0000000000DFE000-memory.dmp

Filesize
3.7MB

Download
memory/2232-2-0x0000000004D00000-0x0000000004D40000-memory.dmp

Filesize
256KB

Download
memory/2232-3-0x0000000006280000-0x000000000668C000-memory.dmp

Filesize
4.0MB

Download
memory/2232-0-0x0000000074230000-0x000000007491E000-memory.dmp

Filesize
6.9MB

Download
memory/2232-4-0x00000000044A0000-0x00000000044E4000-memory.dmp

Filesize
272KB

Download
memory/2232-7-0x0000000004D00000-0x0000000004D40000-memory.dmp

Filesize
256KB

Download
memory/2232-5-0x0000000004BB0000-0x0000000004BDC000-memory.dmp

Filesize
176KB

Download
memory/2232-8-0x0000000004D00000-0x0000000004D40000-memory.dmp

Filesize
256KB

Download
memory/2440-636-0x00000000013D0000-0x0000000001C18000-memory.dmp

Filesize
8.3MB

Download
memory/2440-648-0x00000000013D0000-0x0000000001C18000-memory.dmp

Filesize
8.3MB

Download
memory/2708-675-0x00000000013D0000-0x0000000001C18000-memory.dmp

Filesize
8.3MB

Download
memory/2708-676-0x00000000013D0000-0x0000000001C18000-memory.dmp

Filesize
8.3MB

Download
memory/2780-682-0x00000000013D0000-0x0000000001C18000-memory.dmp

Filesize
8.3MB

Download
memory/2780-681-0x00000000013D0000-0x0000000001C18000-memory.dmp

Filesize
8.3MB

Download
memory/2800-679-0x00000000013D0000-0x0000000001C18000-memory.dmp

Filesize
8.3MB

Download
memory/2800-678-0x00000000013D0000-0x0000000001C18000-memory.dmp

Filesize
8.3MB

Download