Analysis

  • max time kernel
    66s
  • max time network
    68s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    26/04/2024, 09:54

General

  • Target

    DFIR.exe

  • Size

    2.8MB

  • MD5

    e372d1ba2d3a1936e3e8cdd3febf2038

  • SHA1

    06ed6e0be895945bc78adac9aa0283e50fc93349

  • SHA256

    137197636e52f813606d4d979a270447888336d3403d3c94fe39310a903a59f9

  • SHA512

    058da6b05b73ba3d0a72d9565d9e663cec8857da03f3361fd6b6557f181c000d7c9c9668fa46b609f1568bc77e4485e494aae825b5b33efed2c1bb3c93d87e70

  • SSDEEP

    49152:f5UX4uCXsw6rBbn0zdkfnDV/4TE6/lIKiebQ+LTq4ujYv9XiwuPNhO8NX:f5UX4JF6rBYzyfGTJ/lIVebQ+L2ZsVSR

Malware Config

Signatures

  • xmrig

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • Contacts a large (29506) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • XMRig Miner payload 8 IoCs
  • Creates new service(s) 1 TTPs
  • Stops running service(s) 3 TTPs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Launches sc.exe 4 IoCs

    sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Gathers network information 2 TTPs 1 IoCs

    Uses a command-line utility to view network configuration.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 42 IoCs
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DFIR.exe
    "C:\Users\Admin\AppData\Local\Temp\DFIR.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1452
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "sc stop npf"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4340
      • C:\Windows\system32\sc.exe
        sc stop npf
        3⤵
        • Launches sc.exe
        PID:3120
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "sc delete npf"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4788
      • C:\Windows\system32\sc.exe
        sc delete npf
        3⤵
        • Launches sc.exe
        PID:596
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "sc create npf type= kernel start= auto binpath= C:\Users\Admin\AppData\Local\Temp\npf.sys"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4836
      • C:\Windows\system32\sc.exe
        sc create npf type= kernel start= auto binpath= C:\Users\Admin\AppData\Local\Temp\npf.sys
        3⤵
        • Launches sc.exe
        PID:3240
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "sc start npf"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3572
      • C:\Windows\system32\sc.exe
        sc start npf
        3⤵
        • Launches sc.exe
        PID:3584
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "netstat -ano | findstr TCP"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3568
      • C:\Windows\system32\NETSTAT.EXE
        netstat -ano
        3⤵
        • Gathers network information
        • Suspicious use of AdjustPrivilegeToken
        PID:4776
      • C:\Windows\system32\findstr.exe
        findstr TCP
        3⤵
          PID:4212
      • C:\Windows\system32\cmd.exe
        cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\qll3kl\kthreaddk
        2⤵
        • Modifies registry class
        PID:68
      • C:\Windows\system32\cmd.exe
        cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\qll3kl\kthreaddk
        2⤵
        • Modifies registry class
        PID:3232
      • C:\Windows\system32\cmd.exe
        cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\qll3kl\kthreaddk
        2⤵
        • Modifies registry class
        PID:2036
      • C:\Windows\system32\cmd.exe
        cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\qll3kl\kthreaddk
        2⤵
        • Modifies registry class
        PID:2252
      • C:\Windows\system32\cmd.exe
        cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\qll3kl\kthreaddk
        2⤵
        • Modifies registry class
        PID:4356
      • C:\Windows\system32\cmd.exe
        cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\qll3kl\kthreaddk
        2⤵
        • Modifies registry class
        PID:4368
      • C:\Windows\system32\cmd.exe
        cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\qll3kl\kthreaddk
        2⤵
        • Modifies registry class
        PID:3028
      • C:\Windows\system32\cmd.exe
        cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\qll3kl\kthreaddk
        2⤵
        • Modifies registry class
        PID:3852
      • C:\Windows\system32\cmd.exe
        cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\qll3kl\kthreaddk
        2⤵
        • Modifies registry class
        PID:2168
      • C:\Windows\system32\cmd.exe
        cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\qll3kl\kthreaddk
        2⤵
        • Modifies registry class
        PID:2008
      • C:\Windows\system32\cmd.exe
        cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\qll3kl\kthreaddk
        2⤵
        • Modifies registry class
        PID:4152
      • C:\Windows\system32\cmd.exe
        cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\qll3kl\kthreaddk
        2⤵
        • Modifies registry class
        PID:4836
      • C:\Windows\system32\cmd.exe
        cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\qll3kl\kthreaddk
        2⤵
        • Modifies registry class
        PID:4028
      • C:\Windows\system32\cmd.exe
        cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\qll3kl\kthreaddk
        2⤵
        • Modifies registry class
        PID:2636
      • C:\Windows\system32\cmd.exe
        cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\qll3kl\kthreaddk
        2⤵
        • Modifies registry class
        PID:4348
      • C:\Windows\system32\cmd.exe
        cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\qll3kl\kthreaddk
        2⤵
        • Modifies registry class
        PID:2488
      • C:\Windows\system32\cmd.exe
        cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\qll3kl\kthreaddk
        2⤵
        • Modifies registry class
        PID:5096
      • C:\Windows\system32\cmd.exe
        cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\qll3kl\kthreaddk
        2⤵
        • Modifies registry class
        PID:4424
      • C:\Windows\system32\cmd.exe
        cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\qll3kl\kthreaddk
        2⤵
        • Modifies registry class
        PID:3896
      • C:\Windows\system32\cmd.exe
        cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\qll3kl\kthreaddk
        2⤵
        • Modifies registry class
        PID:3044
      • C:\Windows\system32\cmd.exe
        cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\qll3kl\kthreaddk
        2⤵
        • Modifies registry class
        PID:2940
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1472
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:520
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:976
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4908
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:392
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2300
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4664
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3132
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4800
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4164
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3296
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1880
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2444
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4600
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1872
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4328
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4752
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3364
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3028
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4080
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:2148
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\qll3kl\kthreaddk"
        2⤵
        • Checks processor information in registry
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        PID:4792
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
          3⤵
            PID:4156
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B2CCF1CE02C684FE7F31364BB051AA7C --mojo-platform-channel-handle=1608 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
              4⤵
                PID:596
              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0A863E995D1A8F20F382A44E1C1B2133 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0A863E995D1A8F20F382A44E1C1B2133 --renderer-client-id=2 
--mojo-platform-channel-handle=1636 --allow-no-sandbox-job /prefetch:1
                4⤵
                  PID:312
                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B7485B9FCDA4E8F02BBABA8AF66DACF4 --mojo-platform-channel-handle=1864 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                  4⤵
                    PID:2328
                  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D469FAC08201D89244DA5B014D935B3C --mojo-platform-channel-handle=1604 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                    4⤵
                      PID:1892
                    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C87C9322748F09A8427611EC45735FA5 --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                      4⤵
                        PID:3848

Network

MITRE ATT&CK Enterprise v15

Downloads

                • C:\Users\Admin\AppData\Local\Temp\qll3kl\WinRing0x64.sys

                  Filesize

                  14KB

                  MD5

                  0c0195c48b6b8582fa6f6373032118da

                  SHA1

                  d25340ae8e92a6d29f599fef426a2bc1b5217299

                  SHA256

                  11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

                  SHA512

                  ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

                • C:\Users\Admin\AppData\Local\Temp\qll3kl\config.json

                  Filesize

                  1KB

                  MD5

                  8afbb1177ab70f9d24dacd22a6793ee4

                  SHA1

                  b7ba0a4bd964868922143bedb93470202c0bfef4

                  SHA256

                  54f0d371f9918c81e3ce7a557d6da1ac4639995c5a6e409822f0e496d3a1d290

                  SHA512

                  2d05fb6e7e39b499b27aed4a7adf77fce1dcedc335d969be157dec91a78ed7b839ba50887d5a6de1b6f3635ae7d35dc6cd1ec064590ef76fe3ae8443fdaa5624

                • C:\Users\Admin\AppData\Local\Temp\qll3kl\kthreaddk

                  Filesize

                  2.0MB

                  MD5

                  a7013a2c7fd3a6168a7c0d9eed825c32

                  SHA1

                  a3b6cf6090a425466606125aa881fdf56c1c2a67

                  SHA256

                  a2f3ecd329d2713855257bf922b8a092cbb1193327ba197351804275286df7dd

                  SHA512

                  e2e6e447806adb5d27c77f8dc32772fc49ba5532e255e1a38e92a404efccbc8f3d820d4d674a51968e5c3c1079cb834253232bf13e6ff9d437c7d0e2551ba49d

                • \Users\Admin\AppData\Local\Temp\Packet.dll

                  Filesize

                  105KB

                  MD5

                  899a5bf1669610cdb78d322ac8d9358b

                  SHA1

                  80a2e420b99ffe294a523c6c6d87ed09dfc8d82b

                  SHA256

                  ab3cce674f5216895fd26a073771f82b05d4c8b214a89f0f288a59774a06b14b

                  SHA512

                  41f2459793ac04e433d8471780e770417afac499dc3c5413877d4a4499656c9669c069d24e638d0aaf43af178a763acb656ffd34d710eb5e3c94682db1559056

                • \Users\Admin\AppData\Local\Temp\wpcap.dll

                  Filesize

                  361KB

                  MD5

                  a672f1cf00fa5ac3f4f59577f77d8c86

                  SHA1

                  b68e64401d91c75cafa810086a35cd0838c61a4b

                  SHA256

                  35aab6caaaf1720a4d888ae0de9e2a8e19604f3ea0e4dd882c3eeae4f39af117

                  SHA512

                  a566e7571437be765279c915dd6e13f72203eff0dc3838a154fc137ed828e05644d650fd8432d1fb4c1e1d84ee00ef9bde90225c68c3ca8a5da349065e7ebfd6

                • memory/1452-10-0x00000000017B0000-0x00000000017CF000-memory.dmp

                  Filesize

                  124KB

                • memory/1452-0-0x0000000000400000-0x000000000152F000-memory.dmp

                  Filesize

                  17.2MB

                • memory/1452-57-0x0000000000400000-0x000000000152F000-memory.dmp

                  Filesize

                  17.2MB

                • memory/1452-104-0x0000000000400000-0x000000000152F000-memory.dmp

                  Filesize

                  17.2MB

                • memory/1452-105-0x0000000000400000-0x000000000152F000-memory.dmp

                  Filesize

                  17.2MB

                • memory/1452-138-0x0000000000400000-0x000000000152F000-memory.dmp

                  Filesize

                  17.2MB

                • memory/1452-139-0x0000000000400000-0x000000000152F000-memory.dmp

                  Filesize

                  17.2MB

                • memory/1452-140-0x0000000000400000-0x000000000152F000-memory.dmp

                  Filesize

                  17.2MB

                • memory/1452-180-0x0000000000400000-0x000000000152F000-memory.dmp

                  Filesize

                  17.2MB