Malware Analysis Report

2025-03-15 06:50

Sample ID 240107-x2bzhsccen
Target BlitzedGrabberV12exe.exe
SHA256 aaf544958a6ea995d6178f848ec7e52a63d58b2b5374611295c4b52f05140417
Tags
orcus agilenet persistence rat spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

aaf544958a6ea995d6178f848ec7e52a63d58b2b5374611295c4b52f05140417

Threat Level: Known bad

The file BlitzedGrabberV12exe.exe was found to be: Known bad.

Malicious Activity Summary

orcus agilenet persistence rat spyware stealer

Orcus

Orcus main payload

Orcurs Rat Executable

Loads dropped DLL

Checks computer location settings

Obfuscated with Agile.Net obfuscator

Executes dropped EXE

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-07 19:20

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-07 19:20

Reported

2024-01-07 19:23

Platform

win7-20231129-en

Max time kernel

2s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12exe.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Orcurs Rat Executable

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mxfix.EXE N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12exe.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\mxfix.EXE N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12exe.exe

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12exe.exe"

C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe

"C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2627.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2626.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\_ykpzzff.cmdline"

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1

C:\Users\Admin\AppData\Local\Temp\mxfix.EXE

"C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"

C:\ProgramData\Chrome\chromedriver.exe

"C:\ProgramData\Chrome\chromedriver.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {C6CAE797-C76D-41E6-BC05-2693DF9D6CD8} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]

C:\ProgramData\Chrome\chromedriver.exe

C:\ProgramData\Chrome\chromedriver.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\ProgramData\Chrome\chromedriver.exe" 2372 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\ProgramData\Chrome\chromedriver.exe" 2372 /protectFile

Network

Country Destination Domain Proto
US 209.25.141.181:40489 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mxfixer.ps1

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe

MD5 228a69dc15032fd0fb7100ff8561185e
SHA1 f8dbc89fed8078da7f306cb78b92ce04a0bdeb00
SHA256 920bec9d500f6446b84399ab4c84858d0f0d7d1abb2e0377399ebbc4bafad709
SHA512 373621c4743fa72571b3c8375aa6f7852303a821558b016b002d2af07154787d978f66696db89eeed8fe41f4aed5d66b690d4f87469939f9b1dea2ac2b9101f1

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe

MD5 bd04e16e4fbdb06186adda286e8bbb65
SHA1 60a28907b522f40617041d0b599add511aa2c728
SHA256 7ea67a48403bc9be1b97b18daa56184211024196f46e765424b53b26daefd8ad
SHA512 def9556207bf27a14f8827eef0fee215aa00a04ced6992bf6f15d84d8597eeb9e8006db7ecfa395a41db9fc900978611741a74ff61d622684c86b44e8a639570

C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe

MD5 cf88c6fa9bccd19553b83a66ca5f2028
SHA1 5258369d7e63bbd061a0ab8f1c1f00ac461fd50e
SHA256 50824713da09e918dfb09fc4de93250eb0df3789bfec3563349991b1e7343a8c
SHA512 e99c6bd9cede49ac3da836969dc1e614498f7c4083b342e5e6ddff73fe27289bc32e720465702e08f2a7f2adbd31ddbfaf7321fbd214ec180d9904d8ec56a585

C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe

MD5 f16b48c9bbe6101e156ccb95000d8dab
SHA1 5d66c71bb8889bd6516aeab28a56f9c907b703cd
SHA256 dae3b2e93d885407151e76e323b70f96dff6ce171f6a294bf667ecc0257ac9ec
SHA512 2111202ba8b27ff5c3e007cf41c65a5143d29cef05de11064a1f356b23baa1e10f858217917e5463103dd86b823151553e785cd74e6984c99a757b43ac992486

\Users\Admin\AppData\Local\Temp\mxfix.EXE

MD5 b4ec612c441786aa614ce5f32edae475
SHA1 3a264f8daeec9b156ddb5ed576d490dd8fbd8e7d
SHA256 e18ba6573b9aa2d139ed5c30f18ac2ece3ce8287d1651db4bc632dbc816f53bd
SHA512 c6800371cdc2b571061e6e755a2c95f49dcb233c3999976f180cb7cf95fa2c62d03b52a3c497a2cd7ae46ec72eaf823db25bd291ca676724194c05966f2bce16

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-07 19:20

Reported

2024-01-07 19:23

Platform

win10v2004-20231215-en

Max time kernel

173s

Max time network

188s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12exe.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Orcurs Rat Executable

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WindowsInput.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation C:\ProgramData\Chrome\chromedriver.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\mxfix.EXE N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe N/A
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Chrome\chromedriver.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1680 wrote to memory of 2184 N/A C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
PID 2184 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\mxfix.EXE C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 3888 N/A C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
PID 1680 wrote to memory of 3476 N/A C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
PID 3888 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1528 wrote to memory of 3932 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3888 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 3888 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe C:\ProgramData\Chrome\chromedriver.exe
PID 3216 wrote to memory of 3920 N/A C:\ProgramData\Chrome\chromedriver.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 3920 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12exe.exe

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12exe.exe"

C:\Users\Admin\AppData\Local\Temp\mxfix.EXE

"C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1

C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe

"C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\esu4opsq.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3F4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3E3.tmp"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\ProgramData\Chrome\chromedriver.exe

"C:\ProgramData\Chrome\chromedriver.exe"

C:\ProgramData\Chrome\chromedriver.exe

C:\ProgramData\Chrome\chromedriver.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\ProgramData\Chrome\chromedriver.exe" 3216 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\ProgramData\Chrome\chromedriver.exe" 3216 "/protectFile"

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 21.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 209.25.141.181:40489 tcp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\mxfix.EXE

MD5 b4ec612c441786aa614ce5f32edae475
SHA1 3a264f8daeec9b156ddb5ed576d490dd8fbd8e7d
SHA256 e18ba6573b9aa2d139ed5c30f18ac2ece3ce8287d1651db4bc632dbc816f53bd
SHA512 c6800371cdc2b571061e6e755a2c95f49dcb233c3999976f180cb7cf95fa2c62d03b52a3c497a2cd7ae46ec72eaf823db25bd291ca676724194c05966f2bce16

C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe

MD5 d6574b9fd9dbf745f7ab2c8b5ecfd839
SHA1 c64967edc7d79ff9aea29c073b3318f88813477b
SHA256 1a26f5e7bf18d84cb7da5bce5cc85dac379d1154a61e7fa4fae5c365dfb3c074
SHA512 7b845adbf979d1b9e8effd99b9cf85265bd406d0621af8f4aa793512952e3b891ef6d41bdddf7a4eb54d39eb9654b6d08607273b735cebe2ac91c78796c12bd0

C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe

MD5 53ef08805f8703c67f990711c72ccf64
SHA1 50691dc4270a73f0562ebb33a0d7ed0f3a07592f
SHA256 c8f42747d4e80567b2a55eeb2aab4e6cb818d208389a603a362cd4fc1c60b9ce
SHA512 643d1adb95a92f9180a01d1ec8dcddb8d909f81be416e6da619703b093d82964325d778ce0fc2806b31cda835d2c29075fb0583590298c2f61f461aeacf7495f

C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe

MD5 9a9714e794fb71ce3c95a6e1cb247e10
SHA1 024594c2ff638b3e140e03063448cd3c7f74a492
SHA256 47f11f63a476bfd37067b413055a4a02c44344854dabc385ef534b92f36867da
SHA512 963357aefc67ace4c42126d904ee3b33eb0d2a1074d159b78ffd5a84ebcd5701f500fc3f82316a5378586c196085a323a525d3c17454761198ce019598824445

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe

MD5 c40ba4e403b2a7e161c2dddf65ef74b4
SHA1 9afebab0ed86b0e1876c38f2034b945348aeb45e
SHA256 5fbebccbe9c7bea6170abb2bbbe47e164dd42678fbd65537021561e91f0feafd
SHA512 c3b705b2f0e2d7460b01d6bd5e9cf2479ba7bf7e6309c1fd090625b6071e1230473f34fb5db2312a829e976ffffb45e868ead54dcb1be87e9bb9faeb7255aacb

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mid5udic.gio.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe

MD5 05352082df40d1e288f6a1740e0fe6ac
SHA1 996642f6619336b559105d538aeb5b35a61ddb4f
SHA256 d5aafedbbdb74b7eeb9460bc378fc2ac04697ac7a7b37e7d0cf790f9ca14963d
SHA512 1924302ce6b5769acce4a478901452b54b89c44374ce58f65762442e8ae099bf17acf21f96e121aca7bdfbc5ea2766aeb8270a65a2756af5c2106c08e403a20d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mxfixer.ps1

MD5 5d792fc7c4e2fd3eb595fce4883dcb2d
SHA1 ee2a88f769ad746f119e144bd06832cb55ef1e0f
SHA256 41eccaa8649345b33e57f5d494429276e9f2eb23ca981f018da33a34aabfd8eb
SHA512 4b85fe8205c705914867227c97aa1333421970d8e6f11b2ac6be8e95fef1a0f31f985547eafe52e382f13c2a16afa05462bd614b75bee250464c50734d59a92e

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe

MD5 d38585fe44f3f4264b5e27a27143b423
SHA1 b4ac8673626248487b38b09b4022ca39e8c9c90d
SHA256 d2af0d1de136b609e7c517be6b382a5d0ab7c5ce3487aa8017cd3420f61158ba
SHA512 aff200b5f5a1735e5549142c36e68ab54364d41dd955069762d97000dc14e69dd843e72def33823219ecebbf883869fcf967e1e5b906d49e778de740e7f53e16

C:\Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dll

\??\c:\Users\Admin\AppData\Local\Temp\esu4opsq.cmdline

C:\Users\Admin\AppData\Local\Temp\esu4opsq.dll

C:\Windows\SysWOW64\WindowsInput.exe

C:\Windows\SysWOW64\WindowsInput.exe.config

C:\Users\Admin\AppData\Local\Temp\RES3F4.tmp

\??\c:\Users\Admin\AppData\Local\Temp\CSC3E3.tmp

\??\c:\Users\Admin\AppData\Local\Temp\esu4opsq.0.cs

C:\ProgramData\Chrome\chromedriver.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log