Analysis

  • max time kernel
    595s
  • max time network
    559s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    09-05-2024 14:37

General

  • Target

    Expensive2.0 crack.exe

  • Size

    79KB

  • MD5

    863711c10c1844754fca2729ac0f0380

  • SHA1

    2836a5baebb141188c2f845453a2c7700ed6e40f

  • SHA256

    a441decf9cc4b9ac966e45c4127f253818f75328a30f2810acacf6551cd6f2bd

  • SHA512

    6aa41e7112b5edbc9e3a1d7ab5fb5fb5e26c5cde702f60f70715178a7acb59479f59d182afe5c42ba0b5ca6f5107934b47c19ecd6e99c34fbc7386804c2aa7d6

  • SSDEEP

    1536:YA2ixxSE7SX6TkIjnG18PyC+uF8iqUH3pbLYkDlGe4QDDa2OYoFpUrps24u:LgIu8PlxpbLYslNODF1u

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

  • pastebin_url

    https://pastebin.com/raw/cVQrB6DR

Signatures

  • Detect Xworm Payload 2 IoCs
  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Ramnit

    Ramnit is a versatile malware family whose variants include viruses, worms, and Trojans.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • ModiLoader Second Stage 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 10 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 50 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Expensive2.0 crack.exe
    "C:\Users\Admin\AppData\Local\Temp\Expensive2.0 crack.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1088
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsSecurity" /tr "C:\Users\Admin\AppData\Roaming\WindowsSecurity"
      2⤵
      • Creates scheduled task(s)
      PID:1604
    • C:\Users\Admin\AppData\Local\Temp\kpfnbq.exe
      "C:\Users\Admin\AppData\Local\Temp\kpfnbq.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2264
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2960
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /0
          4⤵
          • Checks SCSI registry key(s)
          • Checks processor information in registry
          • Suspicious use of FindShellTrayWindow
          PID:4756
    • C:\Users\Admin\AppData\Local\Temp\imkhbd.exe
      "C:\Users\Admin\AppData\Local\Temp\imkhbd.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:3584
      • C:\Users\Admin\AppData\Local\Temp\imkhbdSrv.exe
        C:\Users\Admin\AppData\Local\Temp\imkhbdSrv.exe
        3⤵
        • Executes dropped EXE
        PID:420
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 420 -s 324
          4⤵
          • Program crash
          PID:908
    • C:\Users\Admin\AppData\Local\Temp\jwkwjc.exe
      "C:\Users\Admin\AppData\Local\Temp\jwkwjc.exe"
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\play.vbs"
        3⤵
        • Enumerates connected drives
        PID:3448
    • C:\Users\Admin\AppData\Local\Temp\fbsxxc.exe
      "C:\Users\Admin\AppData\Local\Temp\fbsxxc.exe"
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1856
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\play.vbs"
        3⤵
        • Enumerates connected drives
        PID:844
    • C:\Users\Admin\AppData\Local\Temp\ensfae.exe
      "C:\Users\Admin\AppData\Local\Temp\ensfae.exe"
      2⤵
      • Executes dropped EXE
      PID:4256
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "WindowsSecurity"
      2⤵
      PID:4736
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE437.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4864
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:4756
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1648
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    1⤵
    PID:4556
  • C:\Users\Admin\AppData\Roaming\WindowsSecurity
    C:\Users\Admin\AppData\Roaming\WindowsSecurity
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2592
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3408
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4108
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1744
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1580
  • C:\Users\Admin\AppData\Roaming\WindowsSecurity
    C:\Users\Admin\AppData\Roaming\WindowsSecurity
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1176
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 420 -ip 420
    1⤵
    PID:648
  • C:\Users\Admin\AppData\Roaming\WindowsSecurity
    C:\Users\Admin\AppData\Roaming\WindowsSecurity
    1⤵
    • Executes dropped EXE
    PID:484
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004D0
    1⤵
    PID:5048
  • C:\Users\Admin\AppData\Roaming\WindowsSecurity
    C:\Users\Admin\AppData\Roaming\WindowsSecurity
    1⤵
    • Executes dropped EXE
    PID:2836
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3408
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4956
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3588
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2436

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\Local\IconCache.db

            Filesize

            11KB

            MD5

            a5988f95fb59cbe59054912c195b54f8

            SHA1

            549194befcb747c8ac70ee5bb2f494089ce403b8

            SHA256

            82c750ded774faad83a21ddf40a52665ff4c83c2c75001779068e4fed90ecab2

            SHA512

            412b1c0ad067bfad6ef6018532e1eaf6a153ea3bb764e32c85e685e3b02bc0af89b19fa1812703ac4942c1b61af0e058b9d2a82b5a5560ff218eaeb761e7316d

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WindowsSecurity.log

            Filesize

            654B

            MD5

            2cbbb74b7da1f720b48ed31085cbd5b8

            SHA1

            79caa9a3ea8abe1b9c4326c3633da64a5f724964

            SHA256

            e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

            SHA512

            ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

          • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

            Filesize

            64KB

            MD5

            bc1f6be3a8618717daf4ac98c485d55d

            SHA1

            1a7abc80d9b72f3f5af21082ebfdac989f71c029

            SHA256

            05f7eeedc319c0014a7f2da67900469fdad03e7e0f650039791b624f062d68d8

            SHA512

            5eee3c6f5cf1f325ea3dd99febe74b2bef6ae2b061273e54626811b9dd45f74c90c19226d868e34289d3620760fe4df92a5cc2f0968cbe6d5c7b81295c639670

          • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

            Filesize

            1024KB

            MD5

            4c830900b0d544c42f9e3f36a3ba3655

            SHA1

            947d80a3a5ffb52f197730e4f55da3a2db79718f

            SHA256

            2f8bd878a5abce1b7c11fe42343b78bab776d15e6ba2cda7cc4934bd61a1ab23

            SHA512

            3fe208d784823bcf87fe7438309e783026979474f5948ebd64860786dd2692e90d2d404ba07c16b9a443bada49afb2f9984995fd77947a35d84eab06b61cba12

          • C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

            Filesize

            1022B

            MD5

            4fbf04f9cc217d8614040e6ea12010ef

            SHA1

            89541b730df821143f2df0d9cf8b111f46e9e963

            SHA256

            3d81b68a50be5c80cbfa2338879fe02fa2cfd078dfb78297e0e9160a9a72a6f6

            SHA512

            8fe3e2d09880f7a0dd27c147464088cafab5f56c91d42b8e7f91bf6c31ad4d5395cf035b9cef484979668a00078653a848781ed6f483ceeeae93951f86a7a091

          • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

            Filesize

            9KB

            MD5

            7050d5ae8acfbe560fa11073fef8185d

            SHA1

            5bc38e77ff06785fe0aec5a345c4ccd15752560e

            SHA256

            cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

            SHA512

            a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalState\start.bin

            Filesize

            5KB

            MD5

            e56e82c2b2a3c119b762c9bfd77dea0a

            SHA1

            d8bb04fdd18c6fcbddb7c249d1bfebb3b0158aef

            SHA256

            fc9bf2d285ce9c53c686fe6d0791a683d4e0508e129daa7d81761bb2342a0db8

            SHA512

            284dfa2516153ecae4b10905cd611d452c6a99f2822b00a3b51157df32155cea1f2024960e95108f8e56d4e9cf070a313ed126620abd8e27b754944a1e9b74e0

          • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BZR8QJW7\www.bing[1].xml

            Filesize

            2KB

            MD5

            aeee6f155aaf3dec03de83457dddca7e

            SHA1

            8950acdc9097318c2df8489b0173f1ff0f3adff0

            SHA256

            00c01d3ff8214f5d258d70e9bd9910a6a7821a487b5a182bb6d3600a6b77b2ce

            SHA512

            f3012691cd495f1ab99c7bc4dbfb3f108cb5910e938d05cc3bd2434d1302a699da2bc2c52e34a8a25b45759e7bc5e4622c9102ccabeaee4db2cd5ebd13a46a8e

          • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BZR8QJW7\www.bing[1].xml

            Filesize

            17KB

            MD5

            49303d6b565553b889f34454fcbbf487

            SHA1

            c7631ee9f3aa47d7ddb10fdaacfa730ea964f520

            SHA256

            cfe90cf775977eb5162e2a2813d5ef80178d8664829cd32db2b4428f3136c86f

            SHA512

            daf0dd57893d0f6528f4cc4eabf0a8b53f87e1fc98846536bd63ec52cc6e59219e14e7b16c9329d88eec620b2edb622a5b14e9bbfd0b514cde68cf5488fe12d7

          • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BZR8QJW7\www.bing[1].xml

            Filesize

            17KB

            MD5

            edec80c19d3c04841c53c0566d4a7fc2

            SHA1

            5c8b62e3553f56feb07f79f40358bc0879677a4e

            SHA256

            d52ce9a73c2da1cccd455c6579b827ca4657089fe6d7b3469a130449ecdbd579

            SHA512

            c04bdc4ce8dbfb6c15184f9118ede6c96033685d2bca5af9d15d098fc0062b9f58ac6818c4d879dde711d5f9c398c53e4027370dfac851246baf9e7a781633d6

          • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

            Filesize

            11KB

            MD5

            cd56e155edf53e5728c46b6c9eb9c413

            SHA1

            14b1b0f090803c9ee39797aed4af13dc7849566d

            SHA256

            70a6cf268c013fb4d907bedc12af3e5f802f179f0cc8353c7b8227dde840d31a

            SHA512

            a4ada455d44a89fd2baa505aa9266b70913967b839522ef5da8d7afd31af6662c3ad96ac3e3531d82a72be7d019c9d88f1ce391c5b5fa0e4422a634c51491165

          • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

            Filesize

            11KB

            MD5

            3569ff1aa5310102ef02c312ca4dbe9a

            SHA1

            4124b1e805d5c487bf86182d19ed22bed6cf44ac

            SHA256

            3ce1168408eb889f65cd4d45c12c58842a4291356c835cfb1877d017b6768a9b

            SHA512

            c966ebf69abce51aa4fbec1e53f43485786cbeb5fb6cea18eb3407b7d4c7a212a6843b69965de9f577c483c6139840d0f7fe56d69fc8c97e6b0884b75b7aed8d

          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\lucky1.wav

            Filesize

            2.1MB

            MD5

            0a2821ba1b31a27a3fcb33c38f455c55

            SHA1

            03ba640291b1bd74f5468130407be97ee6b1aaa2

            SHA256

            31036d9a96e64187a451e75629669c54a22f4a62a434953b6295aa48e0f888e5

            SHA512

            e6ea6d01afbf3bef23701bdd620b6e2d09342b59a63e5c0473b5b5b81e7a8bf77f92dd7d1a334049466b047a7695a1441621e6fd83ac3ce83c90cf39d3c74fea

          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\play.vbs

            Filesize

            237B

            MD5

            943fbf2e322c3947a95e5b65f037830a

            SHA1

            6f542e4bce155627aacbd5ffa5d2676bd4ac582c

            SHA256

            80b5238faedc84f7a8fa7151b03c968fd6693c37e7f9e9a116614e5d18edb7bf

            SHA512

            72af92a519740c7238df7a0645f5891fd8a19b1af05d11acd855d096b493e79b0b1da69fbd1cbcf49d71cdc220d6ef44894c65dcbc56e877a71e44f2a2e66777

          • C:\Users\Admin\AppData\Local\Temp\ensfae.exe

            Filesize

            7.4MB

            MD5

            3c3d1168fc2724c551837a505ea4374e

            SHA1

            86c913a12067fd2c1bbc31fb64a5b5d056175841

            SHA256

            f91c14c328544a2d4cc216c7c2115283806fa3201d40bd3c7c5d79dccd025b09

            SHA512

            0f181c9753a3f55e4f4a434ea3e972e00b46fb7319d95a4b7a5c7d09888537df4a8fc4c2c5e0232f96b441727e45a595eed42721ff8c7799302e4d3f13156a8e

          • C:\Users\Admin\AppData\Local\Temp\imkhbd.exe

            Filesize

            76KB

            MD5

            6d7f5d02d25e289cb29cc23b8e90e484

            SHA1

            15a5d3b93a149689df3c396ce2243ba4d027f0b3

            SHA256

            cd5dfdde4767c1f70756f5ffb8bfcca701ed62a96bfa6a007e32e5916b5021e6

            SHA512

            8af7188fa6ae5d03ae60929744c852e14151d411b83c62297185229f6ab3ebff562b09426393995427d05f19bbef3b6cbee1e483255b91e0adb429d421c297fa

          • C:\Users\Admin\AppData\Local\Temp\imkhbdSrv.exe

            Filesize

            55KB

            MD5

            ff5e1f27193ce51eec318714ef038bef

            SHA1

            b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

            SHA256

            fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

            SHA512

            c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

          • C:\Users\Admin\AppData\Local\Temp\jwkwjc.exe

            Filesize

            2.0MB

            MD5

            1bad0e088a9f975004c2e8c28286e9a3

            SHA1

            890e7201e47a3f0c697bbe51cf2bfcab5de2f72a

            SHA256

            94b7776aaa8809f1799ef1cb5ddeb57bb6af67482f95203c0f385cc42100466c

            SHA512

            93110f321afc1d10b1129232b98b75663916b56fbd68411284da204e12a3c692cd50880abcdbf46077928107b6279ee718ce9724f30504bff152c9b7dc6337a2

          • C:\Users\Admin\AppData\Local\Temp\kpfnbq.exe

            Filesize

            156KB

            MD5

            cebf7851fd4cc566431aaa066c1ede52

            SHA1

            9595c96e8486ba2f0d5c92f68a6968c816318402

            SHA256

            8b3f46100c6d67ed88887f82e089686c1055e323a35c9cf16002286ad5c8c518

            SHA512

            abe0923751d4e95de5caf859a7357f54a38c256c0a47ca9c563be359b6cfb4a0febf48274bca141b1145ec40ad87f546d9320407af983290e4429773a652b5d3

          • C:\Users\Admin\AppData\Local\Temp\tmpE437.tmp.bat

            Filesize

            170B

            MD5

            a3c8c2af83a3dc41f70c6a2a82946ebb

            SHA1

            d31f1b6178de40679fa46988b1dcbe9755932672

            SHA256

            f436872c6df630697be00147c28b7995596706bf7b37bb1bd983e200377fd30b

            SHA512

            da0bf1bcb88553bd566ce5373718c49ae31aaa2bb1bebf018bbd2c99fdb1798db0963cdb5aebc8c409a7425bb032bf9d7b7dbaf3aa1796bb9e4b5e13f4e44dab

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurity.lnk

            Filesize

            789B

            MD5

            ef75ffa97108a6057a94b56010bfbc08

            SHA1

            b0b2b005f2309276c97e02ace06667af3235d15f

            SHA256

            52aa8b2680da551f42c13833f55e63a9d1e5ae266f60b069900508250ebe2e54

            SHA512

            ec4c3e43a313c25947c551d5db08a019f62532e949a7e177de16890e2a7c19e38fd0bc544c711b0988fb7db79cb1281c6a2a51eb48c92004764b8c3ba6c462d2

          • C:\Users\Admin\AppData\Roaming\WindowsSecurity

            Filesize

            79KB

            MD5

            863711c10c1844754fca2729ac0f0380

            SHA1

            2836a5baebb141188c2f845453a2c7700ed6e40f

            SHA256

            a441decf9cc4b9ac966e45c4127f253818f75328a30f2810acacf6551cd6f2bd

            SHA512

            6aa41e7112b5edbc9e3a1d7ab5fb5fb5e26c5cde702f60f70715178a7acb59479f59d182afe5c42ba0b5ca6f5107934b47c19ecd6e99c34fbc7386804c2aa7d6

          • memory/420-341-0x0000000000400000-0x000000000042E000-memory.dmp

            Filesize

            184KB

          • memory/420-342-0x0000000000400000-0x000000000042E000-memory.dmp

            Filesize

            184KB

          • memory/844-414-0x0000000003F00000-0x0000000003F10000-memory.dmp

            Filesize

            64KB

          • memory/844-417-0x0000000003F00000-0x0000000003F10000-memory.dmp

            Filesize

            64KB

          • memory/844-416-0x0000000003F00000-0x0000000003F10000-memory.dmp

            Filesize

            64KB

          • memory/844-415-0x0000000003F00000-0x0000000003F10000-memory.dmp

            Filesize

            64KB

          • memory/844-419-0x0000000003F00000-0x0000000003F10000-memory.dmp

            Filesize

            64KB

          • memory/844-418-0x0000000003F00000-0x0000000003F10000-memory.dmp

            Filesize

            64KB

          • memory/844-446-0x0000000003F00000-0x0000000003F10000-memory.dmp

            Filesize

            64KB

          • memory/1088-44-0x00000000008C0000-0x00000000008CC000-memory.dmp

            Filesize

            48KB

          • memory/1088-0-0x00007FF949803000-0x00007FF949805000-memory.dmp

            Filesize

            8KB

          • memory/1088-1-0x00000000000E0000-0x00000000000FA000-memory.dmp

            Filesize

            104KB

          • memory/1088-469-0x00007FF949800000-0x00007FF94A2C2000-memory.dmp

            Filesize

            10.8MB

          • memory/1088-8-0x00007FF949800000-0x00007FF94A2C2000-memory.dmp

            Filesize

            10.8MB

          • memory/1088-37-0x00007FF949800000-0x00007FF94A2C2000-memory.dmp

            Filesize

            10.8MB

          • memory/2264-53-0x0000000000400000-0x000000000046F000-memory.dmp

            Filesize

            444KB

          • memory/2264-59-0x0000000000400000-0x000000000046F000-memory.dmp

            Filesize

            444KB

          • memory/3448-396-0x0000000005660000-0x0000000005670000-memory.dmp

            Filesize

            64KB

          • memory/3448-433-0x0000000005660000-0x0000000005670000-memory.dmp

            Filesize

            64KB

          • memory/3448-392-0x0000000005660000-0x0000000005670000-memory.dmp

            Filesize

            64KB

          • memory/3448-394-0x0000000005660000-0x0000000005670000-memory.dmp

            Filesize

            64KB

          • memory/3448-393-0x0000000005660000-0x0000000005670000-memory.dmp

            Filesize

            64KB

          • memory/3448-391-0x0000000005660000-0x0000000005670000-memory.dmp

            Filesize

            64KB

          • memory/3448-395-0x0000000005660000-0x0000000005670000-memory.dmp

            Filesize

            64KB

          • memory/3584-343-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

          • memory/3584-337-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

          • memory/3584-344-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

          • memory/3584-345-0x0000000000400000-0x0000000000421000-memory.dmp

            Filesize

            132KB

          • memory/4108-134-0x0000023D25A40000-0x0000023D25A60000-memory.dmp

            Filesize

            128KB

          • memory/4108-114-0x0000023D25B60000-0x0000023D25C60000-memory.dmp

            Filesize

            1024KB

          • memory/4108-69-0x0000023D03690000-0x0000023D03790000-memory.dmp

            Filesize

            1024KB

          • memory/4108-70-0x0000023D02F00000-0x0000023D03000000-memory.dmp

            Filesize

            1024KB

          • memory/4108-87-0x0000023D24D70000-0x0000023D24E70000-memory.dmp

            Filesize

            1024KB

          • memory/4108-89-0x0000023D24EF0000-0x0000023D24F10000-memory.dmp

            Filesize

            128KB

          • memory/4108-124-0x0000023D24F30000-0x0000023D24F50000-memory.dmp

            Filesize

            128KB

          • memory/4108-133-0x0000023D25980000-0x0000023D259A0000-memory.dmp

            Filesize

            128KB

          • memory/4256-460-0x0000000000FE0000-0x0000000001740000-memory.dmp

            Filesize

            7.4MB

          • memory/4256-463-0x00000000061E0000-0x00000000061EA000-memory.dmp

            Filesize

            40KB

          • memory/4256-462-0x0000000006270000-0x0000000006302000-memory.dmp

            Filesize

            584KB

          • memory/4256-461-0x0000000006820000-0x0000000006DC6000-memory.dmp

            Filesize

            5.6MB

          • memory/4756-353-0x000001886ABB0000-0x000001886ABB1000-memory.dmp

            Filesize

            4KB

          • memory/4756-347-0x000001886ABB0000-0x000001886ABB1000-memory.dmp

            Filesize

            4KB

          • memory/4756-346-0x000001886ABB0000-0x000001886ABB1000-memory.dmp

            Filesize

            4KB

          • memory/4756-348-0x000001886ABB0000-0x000001886ABB1000-memory.dmp

            Filesize

            4KB

          • memory/4756-352-0x000001886ABB0000-0x000001886ABB1000-memory.dmp

            Filesize

            4KB

          • memory/4756-358-0x000001886ABB0000-0x000001886ABB1000-memory.dmp

            Filesize

            4KB

          • memory/4756-357-0x000001886ABB0000-0x000001886ABB1000-memory.dmp

            Filesize

            4KB

          • memory/4756-356-0x000001886ABB0000-0x000001886ABB1000-memory.dmp

            Filesize

            4KB

          • memory/4756-355-0x000001886ABB0000-0x000001886ABB1000-memory.dmp

            Filesize

            4KB

          • memory/4756-354-0x000001886ABB0000-0x000001886ABB1000-memory.dmp

            Filesize

            4KB