xmrig | 4489ff33e7a91c7485a1c1dd8a6102868e385f74fd8b5dbdbf4b505bbe9193b3

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gfgghdh.exe
Size

5.0MB
MD5

b03c2d7df7eabc44f36397cb66ac3e77
SHA1

486f521d16d96878a74ff9212cf2da5b184e0430
SHA256

4489ff33e7a91c7485a1c1dd8a6102868e385f74fd8b5dbdbf4b505bbe9193b3
SHA512

5cffc7a0ba01e5db793a62a3fc1dc2454cbd5b768f66959adac11e1523958bc48ef4c1dd5ff074988c04b6269853671ab480074a117d30184631d9936c154051
SSDEEP

98304:22gWGh4M2YYF05TqTcAJ5ubzxFAvJWJkC0dLM658jmpMJAxmEjmiFDzQbTMo7KlJ:22gWGh4M2nF0pqTcA/gFonCu0SmEDFD5

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 13 IoCs

miner

resource	yara_rule
behavioral2/memory/2308-26-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2308-27-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2308-29-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2308-30-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2308-31-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2308-32-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2308-33-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2308-35-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2308-36-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2308-53-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2308-54-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2308-55-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2308-56-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	fgfdgd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	gfgghdh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	fgfdgd.exe

Executes dropped EXE 6 IoCs

pid	Process
1144	ghghghg.exe
4848	fgfdgd.exe
4388	fgfdgd.exe
624	ghghghg.exe
1708	fgfdgd.exe
64	ghghghg.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2308-21-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2308-22-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2308-23-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2308-24-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2308-25-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2308-26-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2308-27-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2308-29-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2308-30-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2308-31-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2308-32-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2308-33-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2308-35-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2308-36-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2308-53-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2308-54-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2308-55-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2308-56-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1144 set thread context of 2308	1144	ghghghg.exe	118

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3980	schtasks.exe
836	schtasks.exe
3400	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1144	ghghghg.exe
1144	ghghghg.exe
1144	ghghghg.exe
1144	ghghghg.exe
1144	ghghghg.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4020	powercfg.exe
Token: SeCreatePagefilePrivilege	4020	powercfg.exe
Token: SeShutdownPrivilege	2348	powercfg.exe
Token: SeCreatePagefilePrivilege	2348	powercfg.exe
Token: SeShutdownPrivilege	4592	powercfg.exe
Token: SeCreatePagefilePrivilege	4592	powercfg.exe
Token: SeShutdownPrivilege	1188	powercfg.exe
Token: SeCreatePagefilePrivilege	1188	powercfg.exe
Token: SeLockMemoryPrivilege	2308	explorer.exe
Token: SeLockMemoryPrivilege	2308	explorer.exe
Token: SeShutdownPrivilege	2148	powercfg.exe
Token: SeCreatePagefilePrivilege	2148	powercfg.exe
Token: SeShutdownPrivilege	2928	powercfg.exe
Token: SeCreatePagefilePrivilege	2928	powercfg.exe
Token: SeShutdownPrivilege	2708	powercfg.exe
Token: SeCreatePagefilePrivilege	2708	powercfg.exe
Token: SeShutdownPrivilege	2596	powercfg.exe
Token: SeCreatePagefilePrivilege	2596	powercfg.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe
2308	explorer.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 3648 wrote to memory of 1144	3648	gfgghdh.exe	87
PID 3648 wrote to memory of 1144	3648	gfgghdh.exe	87
PID 3648 wrote to memory of 1372	3648	gfgghdh.exe	88
PID 3648 wrote to memory of 1372	3648	gfgghdh.exe	88
PID 3648 wrote to memory of 4296	3648	gfgghdh.exe	89
PID 3648 wrote to memory of 4296	3648	gfgghdh.exe	89
PID 3648 wrote to memory of 2372	3648	gfgghdh.exe	91
PID 3648 wrote to memory of 2372	3648	gfgghdh.exe	91
PID 4296 wrote to memory of 836	4296	cmd.exe	94
PID 4296 wrote to memory of 836	4296	cmd.exe	94
PID 1144 wrote to memory of 2308	1144	ghghghg.exe	118
PID 1144 wrote to memory of 2308	1144	ghghghg.exe	118
PID 1144 wrote to memory of 2308	1144	ghghghg.exe	118
PID 1144 wrote to memory of 2308	1144	ghghghg.exe	118
PID 1144 wrote to memory of 2308	1144	ghghghg.exe	118
PID 4388 wrote to memory of 624	4388	fgfdgd.exe	124
PID 4388 wrote to memory of 624	4388	fgfdgd.exe	124
PID 4388 wrote to memory of 2064	4388	fgfdgd.exe	125
PID 4388 wrote to memory of 2064	4388	fgfdgd.exe	125
PID 4388 wrote to memory of 4656	4388	fgfdgd.exe	126
PID 4388 wrote to memory of 4656	4388	fgfdgd.exe	126
PID 4388 wrote to memory of 3312	4388	fgfdgd.exe	128
PID 4388 wrote to memory of 3312	4388	fgfdgd.exe	128
PID 4656 wrote to memory of 3400	4656	cmd.exe	131
PID 4656 wrote to memory of 3400	4656	cmd.exe	131
PID 1708 wrote to memory of 64	1708	fgfdgd.exe	149
PID 1708 wrote to memory of 64	1708	fgfdgd.exe	149
PID 1708 wrote to memory of 1272	1708	fgfdgd.exe	150
PID 1708 wrote to memory of 1272	1708	fgfdgd.exe	150
PID 1708 wrote to memory of 2796	1708	fgfdgd.exe	151
PID 1708 wrote to memory of 2796	1708	fgfdgd.exe	151
PID 1708 wrote to memory of 3232	1708	fgfdgd.exe	152
PID 1708 wrote to memory of 3232	1708	fgfdgd.exe	152
PID 2796 wrote to memory of 3980	2796	cmd.exe	156
PID 2796 wrote to memory of 3980	2796	cmd.exe	156

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\gfgghdh.exe
"C:\Users\Admin\AppData\Local\Temp\gfgghdh.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Users\Admin\AppData\Local\Temp\ghghghg.exe
  "C:\Users\Admin\AppData\Local\Temp\ghghghg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4020
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2348
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1188
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4592
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2308
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\fgfdgd"
  2⤵
  PID:1372
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:836
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\gfgghdh.exe" "C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe"
  2⤵
  PID:2372

C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe
C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe
1⤵
- Executes dropped EXE
PID:4848

C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe
C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Users\Admin\AppData\Local\Temp\ghghghg.exe
  "C:\Users\Admin\AppData\Local\Temp\ghghghg.exe"
  2⤵
  - Executes dropped EXE
  PID:624
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2148
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
- C:\Windows\system32\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\fgfdgd"
  2⤵
  PID:2064
- C:\Windows\system32\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:3400
- C:\Windows\system32\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe" "C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe"
  2⤵
  PID:3312

C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe
C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\ghghghg.exe
  "C:\Users\Admin\AppData\Local\Temp\ghghghg.exe"
  2⤵
  - Executes dropped EXE
  PID:64
- C:\Windows\system32\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\fgfdgd"
  2⤵
  PID:1272
- C:\Windows\system32\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:3980
- C:\Windows\system32\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe" "C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe"
  2⤵
  PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fgfdgd.exe.log

Filesize
660B

MD5
1c5e1d0ff3381486370760b0f2eb656b

SHA1
f9df6be8804ef611063f1ff277e323b1215372de

SHA256
f424c891fbc7385e9826beed2dd8755aeac5495744b5de0a1e370891a7beaf7a

SHA512
78f5fc40a185d04c9e4a02a3d1b10b4bd684c579a45a0d1e8f49f8dee9018ed7bc8875cbf21f98632f93ead667214a41904226ce54817b85caeeb4b0de54a743

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghghghg.exe

Filesize
1.0MB

MD5
2a0b68256076519235455d12c8679447

SHA1
9d09d4af47544ab330094760992e5c28b5beec71

SHA256
c297d92e362020b8b875221a9f9f14ea4125d2335fc8ac083d9fcbe30221340c

SHA512
f959e76bcb8a3b23a3c07e837c5f28f69524ed8702bda1561335835926e6a7e154fa681240dd86df87d9ead6e2a1a9303c28c93af2e8eb4229ea4bfb942d86a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghghghg.exe

Filesize
5.0MB

MD5
d3cd8232d7097dc4953b61b86afd7fd2

SHA1
e1733674bc7c3c7aa5b156b66049dbfd3191bd11

SHA256
6fd8206d1f38ac41c23a6c9dead21eb3ff7421200f6185edf63c70da8fbb398c

SHA512
2404a989b0d400d621056e7326d465c6a5646cac175920d0cb9bc2e7c0aa6d5b08996c42db963c2b5e5c7d14814616986d985a15f3ea1d84f4ca23720ff1e95c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghghghg.exe

Filesize
1.4MB

MD5
67d9c954e7486cfc49c724a5b47e64e4

SHA1
b671347f50fef5e116ee154426037356f7610ad9

SHA256
b767db3febec00cf005269f00b01a846dd120cf947609ec98a263861d1d24d5e

SHA512
5379a5a9aaf6170ee0301a36e8f17859658ee1688d54d0e9849364b8bba49cd79c5aa226e9361c51d7e1b2ac73496d162e84c2f56b3643fad993324d1a1865e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghghghg.exe

Filesize
1.4MB

MD5
d26e122ceb5e3ee4fd759a32c9a85d10

SHA1
ed0d805a20b6f3a9951359015ec34f44b49d658d

SHA256
3034d5c9cac8f144db78279ff68113675e28858e0bbed25ba0da59053a60b10f

SHA512
622f510bfb5e2d7060a487042d614d91c1683a903dc82076191fa4af206f6953322aca63064124c2530edbc3f69e7a5557f6d496e5fd6a46596201ec31c41aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\haaczrnyavrj.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe

Filesize
5.0MB

MD5
b03c2d7df7eabc44f36397cb66ac3e77

SHA1
486f521d16d96878a74ff9212cf2da5b184e0430

SHA256
4489ff33e7a91c7485a1c1dd8a6102868e385f74fd8b5dbdbf4b505bbe9193b3

SHA512
5cffc7a0ba01e5db793a62a3fc1dc2454cbd5b768f66959adac11e1523958bc48ef4c1dd5ff074988c04b6269853671ab480074a117d30184631d9936c154051

Download Submit
C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe

Filesize
647KB

MD5
4911b0057552e07dda9f175987c3bb81

SHA1
4b062057b0b0f84eeb8d3d29d3143f1ce1add4c8

SHA256
e38bc34b426e51dd113f2575a204dc3fa9aa7100439983556c1af11ceff6e36d

SHA512
5bca9a7284b5175f40c840f9c20f938f09606e0acb148192b4770e3ebaa5a2f1d4ccf78b353ee915f304c141582b4040c293d964a7cab93b5577fdb9d1204487

Download Submit
memory/1708-73-0x00007FFBCA690000-0x00007FFBCB151000-memory.dmp

Filesize
10.8MB

Download
memory/1708-64-0x00000000028A0000-0x00000000028B0000-memory.dmp

Filesize
64KB

Download
memory/1708-62-0x00007FFBCA690000-0x00007FFBCB151000-memory.dmp

Filesize
10.8MB

Download
memory/2308-34-0x0000000013530000-0x0000000013550000-memory.dmp

Filesize
128KB

Download
memory/2308-55-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2308-24-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2308-25-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2308-26-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2308-27-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2308-28-0x0000000001660000-0x0000000001680000-memory.dmp

Filesize
128KB

Download
memory/2308-29-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2308-30-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2308-31-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2308-32-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2308-33-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2308-61-0x0000000013EA0000-0x0000000013EC0000-memory.dmp

Filesize
128KB

Download
memory/2308-35-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2308-36-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2308-37-0x0000000013A70000-0x0000000013A90000-memory.dmp

Filesize
128KB

Download
memory/2308-22-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2308-60-0x0000000013A70000-0x0000000013A90000-memory.dmp

Filesize
128KB

Download
memory/2308-58-0x0000000013EA0000-0x0000000013EC0000-memory.dmp

Filesize
128KB

Download
memory/2308-21-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2308-57-0x0000000013A70000-0x0000000013A90000-memory.dmp

Filesize
128KB

Download
memory/2308-50-0x0000000013A70000-0x0000000013A90000-memory.dmp

Filesize
128KB

Download
memory/2308-56-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2308-53-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2308-54-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2308-23-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3648-0-0x0000000000A50000-0x0000000000F50000-memory.dmp

Filesize
5.0MB

Download
memory/3648-14-0x00007FFBCC4E0000-0x00007FFBCCFA1000-memory.dmp

Filesize
10.8MB

Download
memory/3648-3-0x000000001BBA0000-0x000000001BBB0000-memory.dmp

Filesize
64KB

Download
memory/3648-1-0x00007FFBCC4E0000-0x00007FFBCCFA1000-memory.dmp

Filesize
10.8MB

Download
memory/4388-49-0x00007FFBCA450000-0x00007FFBCAF11000-memory.dmp

Filesize
10.8MB

Download
memory/4388-40-0x000000001B540000-0x000000001B550000-memory.dmp

Filesize
64KB

Download
memory/4388-39-0x00007FFBCA450000-0x00007FFBCAF11000-memory.dmp

Filesize
10.8MB

Download
memory/4848-19-0x00007FFBCA450000-0x00007FFBCAF11000-memory.dmp

Filesize
10.8MB

Download
memory/4848-18-0x000000001BCB0000-0x000000001BCC0000-memory.dmp

Filesize
64KB

Download
memory/4848-17-0x00007FFBCA450000-0x00007FFBCAF11000-memory.dmp

Filesize
10.8MB

Download