Overview
Sample             Platforms
anhezkzllnds.exe   windows10-1703-x64, windows10-2004-x64
bghfldfyngmg.exe   windows10-1703-x64, windows10-2004-x64
jldfefkrpayl.exe   windows10-1703-x64, windows10-2004-x64
molbfgsxjpwv.exe   windows10-1703-x64, windows10-2004-x64
msxsbkvjyoho.exe   windows10-1703-x64, windows10-2004-x64
oboekjkdross.exe   windows10-1703-x64, windows10-2004-x64
puugtqapzxao.exe   windows10-1703-x64, windows10-2004-x64
pyaxlaetvdvq.exe   windows10-1703-x64, windows10-2004-x64
qywfpvbxbvih.exe   windows10-1703-x64, windows10-2004-x64
ylyxcgqrxdhu.exe   windows10-1703-x64, windows10-2004-x64
Analysis
max time kernel: 756s
max time network: 762s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-02-2024 15:26
Static task static1
Behavioral task behavioral1: anhezkzllnds.exe on win10-20240214-en
Behavioral task behavioral2: anhezkzllnds.exe on win10v2004-20231215-en
Behavioral task behavioral3: bghfldfyngmg.exe on win10-20240214-en
Behavioral task behavioral4: bghfldfyngmg.exe on win10v2004-20231215-en
Behavioral task behavioral5: jldfefkrpayl.exe on win10-20240214-en
Behavioral task behavioral6: jldfefkrpayl.exe on win10v2004-20231215-en
Behavioral task behavioral7: molbfgsxjpwv.exe on win10-20240214-en
Behavioral task behavioral8: molbfgsxjpwv.exe on win10v2004-20231215-en
Behavioral task behavioral9: msxsbkvjyoho.exe on win10-20240214-en
Behavioral task behavioral10: msxsbkvjyoho.exe on win10v2004-20231215-en
Behavioral task behavioral11: oboekjkdross.exe on win10-20240214-en
Behavioral task behavioral12: oboekjkdross.exe on win10v2004-20231215-en
Behavioral task behavioral13: puugtqapzxao.exe on win10-20240214-en
Behavioral task behavioral14: puugtqapzxao.exe on win10v2004-20231215-en
Behavioral task behavioral15: pyaxlaetvdvq.exe on win10-20240214-en
Behavioral task behavioral16: pyaxlaetvdvq.exe on win10v2004-20231215-en
Behavioral task behavioral17: qywfpvbxbvih.exe on win10-20240214-en
Behavioral task behavioral18: qywfpvbxbvih.exe on win10v2004-20231222-en
Behavioral task behavioral19: ylyxcgqrxdhu.exe on win10-20240214-en
Behavioral task behavioral20: ylyxcgqrxdhu.exe on win10v2004-20231215-en
General
Target: qywfpvbxbvih.exe
Size: 763KB
MD5: 7487d47ee73f83579acea7333014b9eb
SHA1: d5826d492bf720306fbdab1d83047d3c8ee2c7cf
SHA256: 4d33372e2991bc62a668eb682bb840fd6b02b95213ea849195e3fc688208379d
SHA512: 5c45641e9e4c56653212bd6325163202c842c031c9a2d7843fffd7e6283c8b095843469a83a1ddef488df0c8aead269a4e64e7190be9874a884a33728555d08c
SSDEEP: 12288:9yYV6aHOa4biYPVle8G3dNi4wixQQsGeOCxNfM3q9RNIwo:9FDunbil3dNi47QjN03qD
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: Lammer
C2: 8.tcp.ngrok.io:19346
Mutex: bca7344ec33c4f045ea133b6b48694e2
Attributes:
  reg_key: bca7344ec33c4f045ea133b6b48694e2
  splitter: |'|'|
Signatures

Contains code to disable Windows Defender (1 IoC)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  resource | yara_rule
  behavioral18/memory/3472-607-0x00000000016C0000-0x00000000016CA000-memory.dmp | disable_win_def

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\Documents\\Sub\\xdwdClient.exe" | qywfpvbxbvih.exe
Modifies Windows Defender Real-time Protection settings
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | qywfpvbxbvih.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | qywfpvbxbvih.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | qywfpvbxbvih.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | qywfpvbxbvih.exe

UAC bypass
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0" | qywfpvbxbvih.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" | qywfpvbxbvih.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0" | qywfpvbxbvih.exe
Modifies AppInit DLL entries (2 TTPs)

Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid | process
  952 | netsh.exe

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | 0q3bbokd.5i5.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | Trojan.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | RegAsm.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | qywfpvbxbvih.exe

Drops startup file (2 IoCs)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bca7344ec33c4f045ea133b6b48694e2.exe | Trojan.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bca7344ec33c4f045ea133b6b48694e2.exe | Trojan.exe

Executes dropped EXE (3 IoCs)
  pid | process
  3076 | Trojan.exe
  2396 | 0q3bbokd.5i5.exe
  3664 | Trojan.exe

Loads dropped DLL (21 IoCs)
  pid | process (blank where the report records no process name)
  4180 |
  4684 |
  664 |
  3572 | WmiApSrv.exe
  2208 |
  4864 |
  3564 | powershell.exe
  1664 |
  1720 |
  640 |
  3500 | powershell.exe
  2288 |
  3668 |
  2320 |
  3548 | msedge.exe
  2580 | msedge.exe
  1288 | msedge.exe
  2812 |
  4656 | CompPkgSrv.exe
  4088 | CompPkgSrv.exe
  3408 | msedge.exe
Windows security modification
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | qywfpvbxbvih.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SDLKFJHDLKHDkh = "C:\\Users\\Admin\\Documents\\Sub\\xdwdWatchDog.exe" | qywfpvbxbvih.exe
Checks whether UAC is enabled
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua | qywfpvbxbvih.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" | qywfpvbxbvih.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 6 IoCs)
  flow | ioc
  65 | 8.tcp.ngrok.io
  145 | 8.tcp.ngrok.io
  153 | 0.tcp.eu.ngrok.io
  20 | 0.tcp.eu.ngrok.io
  47 | 0.tcp.eu.ngrok.io
  61 | 0.tcp.eu.ngrok.io

Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 3472 set thread context of 5060 | 3472 | qywfpvbxbvih.exe | RegAsm.exe

Drops file in Windows directory (1 IoC)
  description | ioc | process
  File created | C:\Windows\xdwd.dll | qywfpvbxbvih.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Suspicious behavior: EnumeratesProcesses (57 IoCs)
  pid | process (distinct entries; the report lists each process once per event)
  3472 | qywfpvbxbvih.exe
  3572 | WmiApSrv.exe
  3564 | powershell.exe
  3500 | powershell.exe
  3548 | msedge.exe
  2580 | msedge.exe
  1288 | msedge.exe
  4656 | CompPkgSrv.exe
  4088 | CompPkgSrv.exe
  4056 | identity_helper.exe
  3408 | msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
  pid | process
  2580 | msedge.exe (all 8 entries)

Suspicious use of AdjustPrivilegeToken (62 IoCs)
  description | pid | process (distinct entries)
  Token: SeDebugPrivilege | 3472 | qywfpvbxbvih.exe
  Token: SeDebugPrivilege | 3564 | powershell.exe
  Token: SeDebugPrivilege | 3500 | powershell.exe
  Token: SeDebugPrivilege | 3664 | Trojan.exe
  Token: 33 | 3664 | Trojan.exe (repeated, alternating with the next entry)
  Token: SeIncBasePriorityPrivilege | 3664 | Trojan.exe (repeated, alternating with the previous entry)

Suspicious use of FindShellTrayWindow (25 IoCs)
  pid | process
  2580 | msedge.exe (all 25 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
  pid | process
  2580 | msedge.exe (all 24 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | process | target process (distinct entries; each appears several times in the report)
  PID 3472 wrote to memory of 3564 | 3472 | qywfpvbxbvih.exe | powershell.exe
  PID 3472 wrote to memory of 5060 | 3472 | qywfpvbxbvih.exe | RegAsm.exe
  PID 5060 wrote to memory of 3076 | 5060 | RegAsm.exe | Trojan.exe
  PID 3472 wrote to memory of 4736 | 3472 | qywfpvbxbvih.exe | cmd.exe
  PID 4736 wrote to memory of 3500 | 4736 | cmd.exe | powershell.exe
  PID 3500 wrote to memory of 2396 | 3500 | powershell.exe | 0q3bbokd.5i5.exe
  PID 2396 wrote to memory of 3664 | 2396 | 0q3bbokd.5i5.exe | Trojan.exe
  PID 3664 wrote to memory of 952 | 3664 | Trojan.exe | netsh.exe
  PID 3664 wrote to memory of 668 | 3664 | Trojan.exe | cmd.exe
  PID 668 wrote to memory of 2580 | 668 | cmd.exe | msedge.exe
  PID 2580 wrote to memory of 3548 | 2580 | msedge.exe | msedge.exe
  PID 2580 wrote to memory of 1948 | 2580 | msedge.exe | msedge.exe

System policy modification (1 TTP, 3 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0" | qywfpvbxbvih.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" | qywfpvbxbvih.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0" | qywfpvbxbvih.exe
Processes (process tree; the level is the depth in the tree)

C:\Users\Admin\AppData\Local\Temp\qywfpvbxbvih.exe (level 1)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\qywfpvbxbvih.exe"
  - Modifies WinLogon for persistence
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Checks computer location settings
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
    cmdline: "powershell" Get-MpPreference -verbose
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (level 2)
    cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Trojan.exe (level 3)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
      - Executes dropped EXE

  C:\Windows\System32\cmd.exe (level 2)
    cmdline: "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\0q3bbokd.5i5.exe"' & exit
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 3)
      cmdline: powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\0q3bbokd.5i5.exe"'
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\0q3bbokd.5i5.exe (level 4)
        cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\0q3bbokd.5i5.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\Trojan.exe (level 5)
          cmdline: "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
          - Checks computer location settings
          - Drops startup file
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\netsh.exe (level 6)
            cmdline: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
            - Modifies Windows Firewall

          C:\Windows\SysWOW64\cmd.exe (level 6)
            cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC405.tmp.bat" "
            - Suspicious use of WriteProcessMemory

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 7)
              cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.redtube.com/
              - Loads dropped DLL
              - Enumerates system info in registry
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of WriteProcessMemory

              C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 8)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,7896315559704307141,10735194922672906513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
                - Loads dropped DLL
                - Suspicious behavior: EnumeratesProcesses

              C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 8)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,7896315559704307141,10735194922672906513,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8

              C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 8)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,7896315559704307141,10735194922672906513,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2

              C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 8)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7896315559704307141,10735194922672906513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

              C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 8)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7896315559704307141,10735194922672906513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1

              C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 8)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7896315559704307141,10735194922672906513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1

              C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 8)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7896315559704307141,10735194922672906513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1

              C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (level 8)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,7896315559704307141,10735194922672906513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
                - Suspicious behavior: EnumeratesProcesses

              C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (level 8)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,7896315559704307141,10735194922672906513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8

              C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 8)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7896315559704307141,10735194922672906513,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1

              C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 8)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7896315559704307141,10735194922672906513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1

              C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 8)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7896315559704307141,10735194922672906513,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1

              C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 8)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7896315559704307141,10735194922672906513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1

              C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 8)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,7896315559704307141,10735194922672906513,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1292 /prefetch:2
                - Loads dropped DLL
                - Suspicious behavior: EnumeratesProcesses

              C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 8)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7896315559704307141,10735194922672906513,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1

              C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 8)
                cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7896315559704307141,10735194922672906513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1

  C:\Windows\System32\cmd.exe (level 2)
    cmdline: "C:\Windows\System32\cmd.exe" /c Shutdown /s /f /t 00

    C:\Windows\system32\shutdown.exe (level 3)
      cmdline: Shutdown /s /f /t 00

C:\Windows\system32\wbem\WmiApSrv.exe (level 1)
  cmdline: C:\Windows\system32\wbem\WmiApSrv.exe
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 1)
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0x11c,0x12c,0x7ff8393546f8,0x7ff839354708,0x7ff839354718
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe (level 1)
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe (level 1)
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\LogonUI.exe (level 1)
  cmdline: "LogonUI.exe" /flags:0x4 /state0:0xa396c855 /state1:0x41c64e6d
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Create or Modify System Process (2)
    Windows Service (2)

Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 3e71d66ce903fcba6050e4b99b624fa7
  SHA1: 139d274762405b422eab698da8cc85f405922de5
  SHA256: 53b34e24e3fbb6a7f473192fc4dec2ae668974494f5636f0359b6ca27d7c65e3
  SHA512: 17e2f1400000dd6c54c8dc067b31bcb0a3111e44a9d2c5c779f484a51ada92d88f5b6e6847270faae8ff881117b7ceaaf8dfe9df427cbb8d9449ceacd0480388

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 1KB
  MD5: 77d662d25e06e3b6b1bd50d6ac973144
  SHA1: 6b26e8a4b2d0d07349e0d15aca676503bfebcc4e
  SHA256: c4a0c70cd153183e7e0a33e043e30d3cc24cc5b862c5aaef5ae3dbb1e5484917
  SHA512: 22a27940ad4cc59e3b6c52f3ad5cc7b1fbb9ec7474e32c81f7298a3790782b53355689a7182a6a515a7b8ab0c8efcd2660ed7c0223774feb007f88169ab79da9

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: fe243e85c24ae3ba6d2ecb12d8160107
  SHA1: f1173e4dc7678a64dc7b1510ae9009e6c54774e5
  SHA256: 3f0654cd7143e8d9bad3a75f2845b8382de07210c957c96cc640d3c59c4c38e7
  SHA512: a9f0083644d869fd4c7071f00e130f1a7de7b359cbb90a1ada6fe1b2de7839712e9db458da1b52f00b97441247e4dd9aeedbbe390951a14ea7054983293479cb

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: 5883cd5e092248dcf24195f766d2cfd2
  SHA1: bc2fecb311b18c6350b38c3bf13ed9dea019ca67
  SHA256: 7b33b839c24c50930039d670d991397203121c84137d9faa947357fecbe127a5
  SHA512: ef372da63e35d98d41a740680e211e87c46c27e2ff02d5e05e1b096bfeabfc7cd413dc75128d50d91da8d80980184eadb95f4b522a4e184b8e9e6c2f885b6363

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
  Filesize: 24KB
  MD5: 1b1b142e24215f033793d1311e24f6e6
  SHA1: 74e23cffbf03f3f0c430e6f4481e740c55a48587
  SHA256: 3dca3ec65d1f4109c6b66a1a47b2477afaf8d15306a523f297283da0eccbe8b1
  SHA512: a569385710e3a0dc0d6366476c457927a847a2b2298c839e423c485f7dcce2468a58d20133f6dc81913056fb579957e67f63cf1e20b910d61816210447cd1f1f

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
  Filesize: 168B
  MD5: 7bddda99db80f482c60e22406c758476
  SHA1: d2adfcc49af6316f5812b89c5235ce7ebc96bfa4
  SHA256: 3d43b0ba9a1de896e03df63f9b6d9aab9c0a7f1c7c663d22cd2b730683009937
  SHA512: fd9cc647cc404101426461a0bbbd719f025041c1842de05aa22079b25f262404b29066a6e42f398a1d43e44df82eaeb09644432802c3da44b4d219f7b3c90839

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe6027c0.TMP
  Filesize: 48B
  MD5: f314d44f4d66b1b8ffbf81f2a82c8e4f
  SHA1: ebc43cb7a0ce3a161bada72f43ce36f5b7a541d9
  SHA256: 0195e0abe9b533d7c14c6531b97110196782736136fe92e5fd956376b8a19a81
  SHA512: 288bdd0ee39867a4fb2c536ddb602d48181a36e7bf1293b6ad72e65538fb9bf94ec591e563e5ef3981ccf72b7ecb2b5e15dcea038d25e8ebb1f6d36828d2484f

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 1KB
  MD5: 4bd9232bd8d2da78f0c43fe57a720d4b
  SHA1: 66e4f661c5171965d86af7f4541d14f5471f86e2
  SHA256: bd76a8fb5337bf3e9b2ff641e88bd53577c9b8710ea198dd7371ac4bc682ac6b
  SHA512: 61904c1e94f63a7f7ffbfef4175324ce02c09629698861f77605a7349f6a435fe23a2dc6f15e12767057b00d74b8582a84d3ad6befbbca4482b49ecc29d13256

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 6d42b6da621e8df5674e26b799c8e2aa
  SHA1: ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
  SHA256: 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
  SHA512: 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

- C:\Users\Admin\AppData\Local\Temp\Trojan.exe
  Filesize: 63KB
  MD5: 0d5df43af2916f47d00c1573797c1a13
  SHA1: 230ab5559e806574d26b4c20847c368ed55483b0
  SHA256: c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
  SHA512: f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tr1umiba.fyu.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- C:\Users\Admin\AppData\Local\Temp\tmpC405.tmp.bat
  Filesize: 37B
  MD5: f5726d253fe5d4ecc9568bd9999883ca
  SHA1: 8fec12574c36283782076dd020fe67bbd6c49b8b
  SHA256: 1ede0c20a3dc0fd37285a36f19be95d0770f162e199e3514713301ecc8d05687
  SHA512: 2bc5d23a1eac45030c181f585c1a44b74386779d1e6e9448e190210d4eae4f98273923b7e055985d06c17e629429098fa78fa11a365d40fc93406cf6a13c9ee6

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\0q3bbokd.5i5.exe
  Filesize: 23KB
  MD5: 2c16e91ad2c6bdd99a1c2d419fbb0ec3
  SHA1: f9b7ff51da9f9010fe3c9ab9cdcbc0febdb137da
  SHA256: 5b7d0d117902bffd1821b5d5cf7b0ace5061c0913f546e7bebd3e6a62c65e6ed
  SHA512: ecd2ff0e6fa203daac5e51e814fa8c46b049857c15f90edfa6e9da8903bed72d9cdd4e98bc471e104cd2ee6b79dc780f361bf85aa7a8e2351a1e5099c73974cc

- C:\Users\Admin\Documents\Sub\xdwdClient.exe
  Filesize: 763KB
  MD5: 7487d47ee73f83579acea7333014b9eb
  SHA1: d5826d492bf720306fbdab1d83047d3c8ee2c7cf
  SHA256: 4d33372e2991bc62a668eb682bb840fd6b02b95213ea849195e3fc688208379d
  SHA512: 5c45641e9e4c56653212bd6325163202c842c031c9a2d7843fffd7e6283c8b095843469a83a1ddef488df0c8aead269a4e64e7190be9874a884a33728555d08c

- C:\Windows\xdwd.dll
  Filesize: 136KB
  MD5: 16e5a492c9c6ae34c59683be9c51fa31
  SHA1: 97031b41f5c56f371c28ae0d62a2df7d585adaba
  SHA256: 35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66
  SHA512: 20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

- C:\Windows\xdwd.dll
  Filesize: 108KB
  MD5: e2834e76bdd3e3a4072a6a36fcd32694
  SHA1: 7dfcba13be2278a48df1bff8c1dce5862a5c1d1d
  SHA256: 186ee797450d2162b0a9b54cfb377b65e8f53c533b558852b28707b42e9f318a
  SHA512: 0fe664e3d4da9544a8df547c0f8d869cc4c26e40155c0585012ae783ac340467c56496bc200681a929d97b605f86f969cb28a5751b2160c9f064f24a94f93b08

- C:\Windows\xdwd.dll
  Filesize: 133KB
  MD5: 0ce0e2b4b89d92e4f7041002bedbd42d
  SHA1: 21842cca58d4052933bf6762a041642b87f05cb5
  SHA256: 460499c94176001c29c1378fb12fa54d1e223cb3a765501b8342d34032d6f4db
  SHA512: 8b1b94e121d690b3d4ac4119aa685663fe2eedc6c0e6552bf9e0fa7e481c1d49658c2b1346a43c949b47a31d6dcea4835b91465d159c97c784822337530b7518

- C:\Windows\xdwd.dll
  Filesize: 116KB
  MD5: 8cdd0cbc0cad03b4a1ceecdf6b3e14f0
  SHA1: ca5081b53b46ea7a3d7ae22b219a662feaeb4d4f
  SHA256: 18c2df450a2f5fda6e1e5df9be12d013e69417d7d7a3407985e1310b5a2cfcd0
  SHA512: 2a6a7ec649e1a86844b5163b6cfed4850440c8c712faa08dc39bd43fbe3313499897b91f0f44cd6bccbdcdfebf8b0100d626b2dfab93820e20cc1d99d7bf39f9

- \??\pipe\LOCAL\crashpad_2580_FRJJIWZCOBFZSMOM
  Filesize: not recorded (the digests below are those of empty content)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/2396-4207-0x00000000755A0000-0x0000000075B51000-memory.dmp (Filesize: 5.7MB)
- memory/2396-4205-0x00000000755A0000-0x0000000075B51000-memory.dmp (Filesize: 5.7MB)
- memory/2396-4273-0x00000000755A0000-0x0000000075B51000-memory.dmp (Filesize: 5.7MB)
- memory/2396-4206-0x0000000001650000-0x0000000001660000-memory.dmp (Filesize: 64KB)
- memory/3076-3758-0x0000000075450000-0x0000000075C00000-memory.dmp (Filesize: 7.7MB)
- memory/3076-3757-0x0000000000560000-0x0000000000572000-memory.dmp (Filesize: 72KB)
- memory/3076-3760-0x0000000075450000-0x0000000075C00000-memory.dmp (Filesize: 7.7MB)
- memory/3472-6570-0x00007FF82D2C0000-0x00007FF82DD81000-memory.dmp (Filesize: 10.8MB)
- memory/3472-67-0x00007FF82D2C0000-0x00007FF82DD81000-memory.dmp (Filesize: 10.8MB)
- memory/3472-608-0x000000001C120000-0x000000001C13E000-memory.dmp (Filesize: 120KB)
- memory/3472-33-0x000000001C140000-0x000000001C150000-memory.dmp (Filesize: 64KB)
- memory/3472-3682-0x00000000015B0000-0x00000000015BC000-memory.dmp (Filesize: 48KB)
- memory/3472-6535-0x0000000001690000-0x0000000001698000-memory.dmp (Filesize: 32KB)
- memory/3472-212-0x000000001C140000-0x000000001C150000-memory.dmp (Filesize: 64KB)
- memory/3472-1-0x00007FF82D2C0000-0x00007FF82DD81000-memory.dmp (Filesize: 10.8MB)
- memory/3472-0-0x0000000000D30000-0x0000000000DF6000-memory.dmp (Filesize: 792KB)
- memory/3472-606-0x000000001D850000-0x000000001D8C6000-memory.dmp (Filesize: 472KB)
- memory/3472-607-0x00000000016C0000-0x00000000016CA000-memory.dmp (Filesize: 40KB)
- memory/3500-4189-0x00000177EE5F0000-0x00000177EE600000-memory.dmp (Filesize: 64KB)
- memory/3500-4186-0x00007FF84B7F0000-0x00007FF84B9E5000-memory.dmp (Filesize: 2.0MB)
- memory/3500-4188-0x00007FF82D2C0000-0x00007FF82DD81000-memory.dmp (Filesize: 10.8MB)
- memory/3500-4187-0x00007FF84B7F0000-0x00007FF84B9E5000-memory.dmp (Filesize: 2.0MB)
- memory/3500-4204-0x00007FF82D2C0000-0x00007FF82DD81000-memory.dmp (Filesize: 10.8MB)
- memory/3500-4203-0x00007FF84B7F0000-0x00007FF84B9E5000-memory.dmp (Filesize: 2.0MB)
- memory/3564-680-0x0000019F34A60000-0x0000019F34A70000-memory.dmp (Filesize: 64KB)
- memory/3564-667-0x00007FF84B7F0000-0x00007FF84B9E5000-memory.dmp (Filesize: 2.0MB)
- memory/3564-668-0x00007FF84B7F0000-0x00007FF84B9E5000-memory.dmp (Filesize: 2.0MB)
- memory/3564-681-0x0000019F34A60000-0x0000019F34A70000-memory.dmp (Filesize: 64KB)
- memory/3564-684-0x00007FF84B7F0000-0x00007FF84B9E5000-memory.dmp (Filesize: 2.0MB)
- memory/3564-679-0x00007FF82D2C0000-0x00007FF82DD81000-memory.dmp (Filesize: 10.8MB)
- memory/3564-685-0x00007FF82D2C0000-0x00007FF82DD81000-memory.dmp (Filesize: 10.8MB)
- memory/3564-678-0x0000019F4D0A0000-0x0000019F4D0C2000-memory.dmp (Filesize: 136KB)
- memory/3572-70-0x00007FF84B7E0000-0x00007FF84B7E1000-memory.dmp (Filesize: 4KB)
- memory/3572-71-0x00007FF84B7F0000-0x00007FF84B9E5000-memory.dmp (Filesize: 2.0MB)
- memory/3572-69-0x00007FF84B7F0000-0x00007FF84B9E5000-memory.dmp (Filesize: 2.0MB)
- memory/3664-4559-0x0000000000DC0000-0x0000000000DD0000-memory.dmp (Filesize: 64KB)
- memory/3664-4446-0x00000000755A0000-0x0000000075B51000-memory.dmp (Filesize: 5.7MB)
- memory/3664-6569-0x00000000755A0000-0x0000000075B51000-memory.dmp (Filesize: 5.7MB)
- memory/3664-4274-0x00000000755A0000-0x0000000075B51000-memory.dmp (Filesize: 5.7MB)
- memory/3664-4361-0x0000000000DC0000-0x0000000000DD0000-memory.dmp (Filesize: 64KB)
- memory/4088-4663-0x00007FF84B7F0000-0x00007FF84B9E5000-memory.dmp (Filesize: 2.0MB)
- memory/4088-4662-0x00007FF84B7F0000-0x00007FF84B9E5000-memory.dmp (Filesize: 2.0MB)
- memory/4088-4664-0x00007FF84B7F0000-0x00007FF84B9E5000-memory.dmp (Filesize: 2.0MB)
- memory/4280-6539-0x00007FF84B7F0000-0x00007FF84B9E5000-memory.dmp (Filesize: 2.0MB)
- memory/4656-4645-0x00007FF84B7F0000-0x00007FF84B9E5000-memory.dmp (Filesize: 2.0MB)
- memory/4656-4644-0x00007FF84B7F0000-0x00007FF84B9E5000-memory.dmp (Filesize: 2.0MB)
- memory/4656-4661-0x00007FF84B7F0000-0x00007FF84B9E5000-memory.dmp (Filesize: 2.0MB)
- memory/4816-6541-0x00007FF84B7F0000-0x00007FF84B9E5000-memory.dmp (Filesize: 2.0MB)
- memory/4816-6540-0x00007FF84B7F0000-0x00007FF84B9E5000-memory.dmp (Filesize: 2.0MB)
- memory/5060-3686-0x00000000058D0000-0x0000000005E74000-memory.dmp (Filesize: 5.6MB)
- memory/5060-3755-0x0000000075070000-0x0000000075820000-memory.dmp (Filesize: 7.7MB)
- memory/5060-3684-0x0000000005280000-0x000000000531C000-memory.dmp (Filesize: 624KB)
- memory/5060-3685-0x0000000075070000-0x0000000075820000-memory.dmp (Filesize: 7.7MB)
- memory/5060-3683-0x0000000000400000-0x000000000040C000-memory.dmp (Filesize: 48KB)