Analysis Overview
SHA256
a5c263a5bf6522fcaaab2cf772e5d257644734d78a7149ae511fe338da350325
Threat Level: Known bad
The file 68288c29d8546aadc301eda4436def32 was found to be: Known bad.
Malicious Activity Summary
Ardamax
Modifies WinLogon for persistence
Darkcomet
Ardamax main executable
Sets file to hidden
Drops file in Drivers directory
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Checks installed software on the system
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Checks processor information in registry
Modifies registry class
Views/modifies file attributes
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-19 16:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-19 16:58
Reported
2024-01-19 17:01
Platform
win7-20231215-en
Max time kernel
125s
Max time network
120s
Command Line
Signatures
Ardamax
Ardamax main executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Darkcomet
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\JHPMIJ\FQO.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FQO Start = "C:\\Windows\\SysWOW64\\JHPMIJ\\FQO.exe" | C:\Windows\SysWOW64\JHPMIJ\FQO.exe | N/A |
Checks installed software on the system
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe | N/A |
| File created | C:\Windows\SysWOW64\JHPMIJ\FQO.004 | C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE | N/A |
| File created | C:\Windows\SysWOW64\JHPMIJ\FQO.001 | C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE | N/A |
| File created | C:\Windows\SysWOW64\JHPMIJ\FQO.exe | C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\ | C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe | N/A |
| File created | C:\Windows\SysWOW64\JHPMIJ\FQO.002 | C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE | N/A |
| File created | C:\Windows\SysWOW64\JHPMIJ\AKV.exe | C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\JHPMIJ\ | C:\Windows\SysWOW64\JHPMIJ\FQO.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2840 set thread context of 2800 | N/A | C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe | C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe | C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727 | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727 | C:\Windows\SysWOW64\attrib.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\JHPMIJ\FQO.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\JHPMIJ\FQO.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\JHPMIJ\FQO.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\JHPMIJ\FQO.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\68288c29d8546aadc301eda4436def32.exe
"C:\Users\Admin\AppData\Local\Temp\68288c29d8546aadc301eda4436def32.exe"
C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe
"C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe"
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Transaction_mangement.pdf"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE
"C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
C:\Windows\SysWOW64\JHPMIJ\FQO.exe
"C:\Windows\system32\JHPMIJ\FQO.exe"
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\Transaction mangement.exe
| MD5 | 9a540f97fb137ff20426f30e8db62dc8 |
| SHA1 | 1cd77f98dc2797cceb083e6b949261e2ea49fe4e |
| SHA256 | d19447e7601934db1ce2038f15ad1a57835df5330d1f8780941b127fbde7cc59 |
| SHA512 | 467bdac8408f6e1b66b7075f5b9ff09ba141782209d90ff6570187e41f52e38bfb0c1dfd08b8b5366f9a25257090cd28f187506b6d2e823afcde74539fe6ba0d |
memory/2840-14-0x0000000073F30000-0x00000000744DB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Transaction_mangement.pdf
| MD5 | 8764991d86c925a5f8bbe847cd0f3cb3 |
| SHA1 | 19e3f30d0baabc7c457fd61fecee8d1e8ab28d0e |
| SHA256 | 5e75cc26bca0932a6685e42e07d32b9e55c3eb3a4b4af5e2b80f0a48a4116f79 |
| SHA512 | f3f6f31f21935be78af1a792f45c481563a9653e624194588ff99e378cf7b0633fce7042e0b6dc01f04c14b4fa285964915e1b7ede8f29ae094b97cc15d11bdc |
\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe
| MD5 | 34aa912defa18c2c129f1e09d75c1d7e |
| SHA1 | 9c3046324657505a30ecd9b1fdb46c05bde7d470 |
| SHA256 | 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386 |
| SHA512 | d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98 |
memory/2800-20-0x0000000000400000-0x000000000062F000-memory.dmp
memory/2800-23-0x0000000000400000-0x000000000062F000-memory.dmp
memory/2800-22-0x0000000000400000-0x000000000062F000-memory.dmp
memory/2800-24-0x0000000000400000-0x000000000062F000-memory.dmp
memory/2800-25-0x0000000000400000-0x000000000062F000-memory.dmp
memory/2800-26-0x0000000000400000-0x000000000062F000-memory.dmp
memory/2800-27-0x0000000000400000-0x000000000062F000-memory.dmp
memory/2800-28-0x0000000000400000-0x000000000062F000-memory.dmp
memory/2800-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2800-31-0x0000000000400000-0x000000000062F000-memory.dmp
memory/2800-33-0x0000000000400000-0x000000000062F000-memory.dmp
memory/2800-34-0x0000000000400000-0x000000000062F000-memory.dmp
memory/2800-39-0x0000000000400000-0x000000000062F000-memory.dmp
memory/2840-40-0x0000000073F30000-0x00000000744DB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
| MD5 | fce1348da4bb9cf3e1d986ef6497fe8c |
| SHA1 | 7f6b3383bd7e34ab31e82e1423a63a7776f147cf |
| SHA256 | e6ab6964d84756b18c24e05d442ca43805260d167757edd856c3203e735c0733 |
| SHA512 | 984cca90975f2b29dc2400532006700d765d0216b6e9c515a369548aa8835e476d963f4d95cbb3e04401c9a9ac94657bf1de3cf99dc455f67c0c2c4ec4c659be |
\Users\Admin\AppData\Local\Temp\INSTALL.EXE
| MD5 | 4766452f3b2d1952a671143d9b813585 |
| SHA1 | 169ba313c0ccc234e2a227a97c05976f968ad3e6 |
| SHA256 | 064a538b07c4722cdcec11bc6d04b8fecc44061c8d6472d9bb39d1a1848a0160 |
| SHA512 | 0a1e5d3841e3cadaefae31653069b8add53d096bb938b83c6a4fc9c50815ac65fcefe5e2218ee6297440ca09f52d72394a2956fe5990387408d39ca3dbfbc2c8 |
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
| MD5 | c6abd7a109bb37ab773b9e79b91b7741 |
| SHA1 | 7933b8795914b27483d2afed35b3830e8bf5bdb6 |
| SHA256 | 8bc84b3ddfd9c295f555926bf1c311be423732423c585ca90796cdee7a245629 |
| SHA512 | 35d14c9b7366a4737e3685223d55d85c583c7fbe73274577424dc8d9960cc78c79a80a8b42a62f6d9d9962ddd60cf2a332411d4ac18196258dc9d5b0b575e3dc |
\Windows\SysWOW64\JHPMIJ\FQO.exe
| MD5 | 3cd29c0df98a7aeb69a9692843ca3edb |
| SHA1 | 7c86aea093f1979d18901bd1b89a2b02a60ac3e2 |
| SHA256 | 5a37cd66508fa3fc85ae547de3498e709bd45167cb57f5e9b271dc3a1cb71a32 |
| SHA512 | e78f3206b1878e8db1766d4038a375bbebcbcdb8d1b0a0cb9b0dc72c54881392b9c27e2864ad9118702da58f203f13e0ad5d230980ad1ef2370391a2c4acffc9 |
C:\Windows\SysWOW64\JHPMIJ\FQO.004
| MD5 | c419eadafd70c55f88b6235ccf3d14a0 |
| SHA1 | e04856391e275bfe54fdc6dfabdfe798f80d2afb |
| SHA256 | 76f3de81ac5a57b368786feffd51e82c49527298bd6ed554ae2cdac118043968 |
| SHA512 | 4b3e1e8d94f7e8bd9a32758fab27b2fed6299882a092fea578e1107655e9d5a7d9480eca2c205b3a85e897a1ae3ffd92587b7c4b9ccd3722bb84bfb45a30f683 |
C:\Windows\SysWOW64\JHPMIJ\FQO.002
| MD5 | 93df156c4bd9d7341f4c4a4847616a69 |
| SHA1 | c7663b32c3c8e247bc16b51aff87b45484652dc1 |
| SHA256 | e55b6eabf0f99b90bd4cf3777c25813bded7b6fc5c9955188c8aa5224d299c3e |
| SHA512 | ed2e98c5fd1f0d49e5bac8baa515d489c89f8d42772ae05e4b7a32da8f06d511adad27867034ca0865beae9f78223e95c7d0f826154fc663f2fab9bd61e36e35 |
C:\Windows\SysWOW64\JHPMIJ\FQO.001
| MD5 | 383d5f5d4240d590e7dec3f7312a4ac7 |
| SHA1 | f6bcade8d37afb80cf52a89b3e84683f4643fbce |
| SHA256 | 7e87f6817b17a75106d34ce9884c40ddfb381bf8f2013930916498d1df0a6422 |
| SHA512 | e652c41ec95d653940b869426bc2cbd8e5b3159110ffaab7d623e23eebe1f34ca65be6a9a9cdcd5f41aec7567469d6b4d6362d24ae92267cddb8940e1265806a |
C:\Windows\SysWOW64\JHPMIJ\AKV.exe
| MD5 | 51507d91d43683b9c4b8fafeb4d888f8 |
| SHA1 | ead2f68338da7af4720378cd46133589fc9405ba |
| SHA256 | 71b3aecefd36e4855a369019ac5871c544d39f8889d23cd455466a24cdecce6b |
| SHA512 | a5a7ff3f8ffb72719b7e2c9dc2719c99ea32bd68994918ea027c0d7d54cfe0c80bfd34486dd8d3cdd390376bc4c8d1f7d97de4b98b7d39a3e10c3e2682c07d1c |
memory/2800-98-0x0000000000400000-0x000000000062F000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | a0963651a0491a4605091d5c8ac1510e |
| SHA1 | aebf0848edfc4e84e5c3e100f01aadd875051a13 |
| SHA256 | 14b06cbc6623e94da6c2f8a8079b3a0771b8787d8bf527fdf6cc7998e3d245de |
| SHA512 | 3d467d25e31eccdfc9760b0b95e99539c39cdb5e32352e1bbe2013ac44178cccbb48131146d1deeb69268f988aeb1eb2ff73c39c59209fc214186c8275ad55bd |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-19 16:58
Reported
2024-01-19 17:01
Platform
win10v2004-20231215-en
Max time kernel
141s
Max time network
136s
Command Line
Signatures
Ardamax
Ardamax main executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Darkcomet
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\68288c29d8546aadc301eda4436def32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\JHPMIJ\FQO.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\JHPMIJ\FQO.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FQO Start = "C:\\Windows\\SysWOW64\\JHPMIJ\\FQO.exe" | C:\Windows\SysWOW64\JHPMIJ\FQO.exe | N/A |
Checks installed software on the system
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe | N/A |
| File created | C:\Windows\SysWOW64\JHPMIJ\AKV.exe | C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE | N/A |
| File created | C:\Windows\SysWOW64\JHPMIJ\FQO.exe | C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\JHPMIJ\ | C:\Windows\SysWOW64\JHPMIJ\FQO.exe | N/A |
| File created | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\ | C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe | N/A |
| File created | C:\Windows\SysWOW64\JHPMIJ\FQO.004 | C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE | N/A |
| File created | C:\Windows\SysWOW64\JHPMIJ\FQO.001 | C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE | N/A |
| File created | C:\Windows\SysWOW64\JHPMIJ\FQO.002 | C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3272 set thread context of 3940 | N/A | C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727 | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe | C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe | C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727 | C:\Windows\SysWOW64\attrib.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\68288c29d8546aadc301eda4436def32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\JHPMIJ\FQO.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\JHPMIJ\FQO.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\JHPMIJ\FQO.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\JHPMIJ\FQO.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\68288c29d8546aadc301eda4436def32.exe
"C:\Users\Admin\AppData\Local\Temp\68288c29d8546aadc301eda4436def32.exe"
C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe
"C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe"
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Transaction_mangement.pdf"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE
"C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE"
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
C:\Windows\SysWOW64\JHPMIJ\FQO.exe
"C:\Windows\system32\JHPMIJ\FQO.exe"
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=85340AD4C11A02DA1B6D36C623A90319 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=85340AD4C11A02DA1B6D36C623A90319 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5C7622C5E1F07C5F48786BF0BBF11347 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2772703EBFB8628EA6113825C968FF58 --mojo-platform-channel-handle=2296 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A6FF96F05B876190CCC176DA1436CB03 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=93D4C9705B246535359ECD58320FFC6E --mojo-platform-channel-handle=2408 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A4ADE1607807ED08AC9C227EC6C44B62 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A4ADE1607807ED08AC9C227EC6C44B62 --renderer-client-id=7 --mojo-platform-channel-handle=2532 --allow-no-sandbox-job /prefetch:1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.4.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files