blackmoon | 34485abf8296df32bd577d221ac9540e7631e23f64454ad5d37f5e56dcbbb3b5

Analysis

max time kernel
33s
max time network
76s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
17-11-2024 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34485abf8296df32bd577d221ac9540e7631e23f64454ad5d37f5e56dcbbb3b5.exe
Size

4.2MB
MD5

fbdf1a2c578681439220a0b44b216763
SHA1

fe240d313e410a7e34e2400d83b815658ea14040
SHA256

34485abf8296df32bd577d221ac9540e7631e23f64454ad5d37f5e56dcbbb3b5
SHA512

52da392ff02d9af10efccfe9a4aad462e4f0d0df47bf919606664f7c5a56d5ca4a35e160aae23ce8510ba4efa211ca64444a51a88a1aff5e5509e9e8ef921c6f
SSDEEP

49152:ogvUQRjHqNEODi4lyLAiaPK2eVn0a4FKW12k9hnOru+:PvUQRwx249iaMVn0vQWMkbnOS+

Score

10^/10

blackmoon xmrig banker defense_evasion discovery execution miner persistence trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral1/memory/1256-3-0x0000000000400000-0x0000000000691000-memory.dmp	family_blackmoon
behavioral1/files/0x000b0000000195c5-4.dat	family_blackmoon

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2920 created 420	2920	powershell.EXE	5
PID 2836 created 420	2836	powershell.EXE	5

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral1/memory/1484-580-0x000000013F820000-0x000000013FE3F000-memory.dmp	xmrig

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	syocuda.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe	syocuda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regini.exe\Debugger = "svchost.exe"	syocuda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	syocuda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "svchost.exe"	syocuda.exe

Executes dropped EXE 3 IoCs

pid	Process
3012	syocuda.exe
2444	syocuda.exe
2856	wcdfia.exe

Loads dropped DLL 3 IoCs

pid	Process
2580	cmd.exe
2580	cmd.exe
2444	syocuda.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2920	powershell.EXE
2836	powershell.EXE

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

defense_evasion

Clear Persistence

T1070.009

pid	Process
2292	cmd.exe

Power Settings 1 TTPs 7 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2500	powercfg.exe
1280	cmd.exe
2416	cmd.exe
2844	powercfg.exe
2388	cmd.exe
1124	cmd.exe
2244	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	syocuda.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2920 set thread context of 1344	2920	powershell.EXE	41
PID 2836 set thread context of 2608	2836	powershell.EXE	42

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000019d62-558.dat	upx
behavioral1/memory/1484-566-0x000000013F820000-0x000000013FE3F000-memory.dmp	upx
behavioral1/memory/1484-580-0x000000013F820000-0x000000013FE3F000-memory.dmp	upx

Drops file in Windows directory 18 IoCs

description	ioc	Process
File created	\??\c:\windows\fonts\znwufncr\bwfvech.exe	syocuda.exe
File opened for modification	C:\Windows\Tasks\$fzwemebbavawscxc.job	wcdfia.exe
File opened for modification	C:\Windows\Tasks\$fzwemebbavawscxc.job	svchost.exe
File opened for modification	\??\c:\windows\fonts\pdumjve\syocuda.exe	34485abf8296df32bd577d221ac9540e7631e23f64454ad5d37f5e56dcbbb3b5.exe
File created	\??\c:\windows\fonts\rchxsdey\WinRing0x64.sys	syocuda.exe
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe
File created	\??\c:\windows\fonts\pdumjve\BestPower.pow	syocuda.exe
File created	\??\c:\windows\fonts\pdumjve\HighPower.pow	syocuda.exe
File created	\??\c:\windows\fonts\pdumjve\syocuda.exe	34485abf8296df32bd577d221ac9540e7631e23f64454ad5d37f5e56dcbbb3b5.exe
File created	\??\c:\windows\fonts\rchxsdey\xcaqqy.exe	syocuda.exe
File created	C:\Windows\Tasks\$fzwemebbavawscxc.job	wcdfia.exe
File opened for modification	C:\Windows\Tasks\$fzwemebbpzzbfwzr.job	wcdfia.exe
File created	\??\c:\windows\ime\erwazp\izburq.exe	syocuda.exe
File opened for modification	\??\c:\windows\ime\erwazp\izburq.exe	syocuda.exe
File created	\??\c:\windows\fonts\rchxsdey\config.json	syocuda.exe
File opened for modification	\??\c:\windows\fonts\rchxsdey\xcaqqy.exe	syocuda.exe
File created	C:\Windows\Tasks\$fzwemebbpzzbfwzr.job	wcdfia.exe
File opened for modification	C:\Windows\Tasks\$fzwemebbpzzbfwzr.job	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	syocuda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcdfia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	34485abf8296df32bd577d221ac9540e7631e23f64454ad5d37f5e56dcbbb3b5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powercfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2580	cmd.exe
2200	PING.EXE

Modifies data under HKEY_USERS 26 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	syocuda.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	syocuda.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\66-df-c4-54-10-ec	syocuda.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\66-df-c4-54-10-ec\WpadDecision = "0"	syocuda.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	syocuda.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f008c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	syocuda.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	syocuda.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	syocuda.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	syocuda.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	syocuda.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	syocuda.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	syocuda.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8FBA2267-5B78-41C0-829C-7B4F4A793E39}\WpadDecisionTime = 8051804da538db01	syocuda.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8FBA2267-5B78-41C0-829C-7B4F4A793E39}\WpadNetworkName = "Network 3"	syocuda.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\66-df-c4-54-10-ec\WpadDecisionReason = "1"	syocuda.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 40f0014fa538db01	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	syocuda.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8FBA2267-5B78-41C0-829C-7B4F4A793E39}	syocuda.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8FBA2267-5B78-41C0-829C-7B4F4A793E39}\66-df-c4-54-10-ec	syocuda.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\66-df-c4-54-10-ec\WpadDecisionTime = 8051804da538db01	syocuda.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8FBA2267-5B78-41C0-829C-7B4F4A793E39}\WpadDecision = "0"	syocuda.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	syocuda.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	syocuda.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	syocuda.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8FBA2267-5B78-41C0-829C-7B4F4A793E39}\WpadDecisionReason = "1"	syocuda.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2200	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3060	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1256	34485abf8296df32bd577d221ac9540e7631e23f64454ad5d37f5e56dcbbb3b5.exe
3012	syocuda.exe
2444	syocuda.exe
2444	syocuda.exe
2920	powershell.EXE
2836	powershell.EXE
2920	powershell.EXE
1344	dllhost.exe
1344	dllhost.exe
1344	dllhost.exe
1344	dllhost.exe
1344	dllhost.exe
1344	dllhost.exe
1344	dllhost.exe
1344	dllhost.exe
1344	dllhost.exe
1344	dllhost.exe
1344	dllhost.exe
1344	dllhost.exe
1344	dllhost.exe
1344	dllhost.exe
1344	dllhost.exe
1344	dllhost.exe
1344	dllhost.exe
1344	dllhost.exe
1344	dllhost.exe
1344	dllhost.exe
1344	dllhost.exe
1344	dllhost.exe
1344	dllhost.exe
1344	dllhost.exe
1344	dllhost.exe
1344	dllhost.exe
1344	dllhost.exe
1344	dllhost.exe
1344	dllhost.exe
1344	dllhost.exe
1344	dllhost.exe
1344	dllhost.exe
2836	powershell.EXE
1344	dllhost.exe
1344	dllhost.exe
2608	dllhost.exe
2608	dllhost.exe
2608	dllhost.exe
2608	dllhost.exe
1344	dllhost.exe
1344	dllhost.exe
2608	dllhost.exe
2608	dllhost.exe
1344	dllhost.exe
1344	dllhost.exe
2608	dllhost.exe
2608	dllhost.exe
1344	dllhost.exe
1344	dllhost.exe
2608	dllhost.exe
2608	dllhost.exe
1344	dllhost.exe
1344	dllhost.exe
2608	dllhost.exe
2608	dllhost.exe
1344	dllhost.exe
1344	dllhost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1256	34485abf8296df32bd577d221ac9540e7631e23f64454ad5d37f5e56dcbbb3b5.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1256	34485abf8296df32bd577d221ac9540e7631e23f64454ad5d37f5e56dcbbb3b5.exe
Token: SeDebugPrivilege	3012	syocuda.exe
Token: SeDebugPrivilege	2444	syocuda.exe
Token: SeDebugPrivilege	2444	syocuda.exe
Token: SeDebugPrivilege	2920	powershell.EXE
Token: SeDebugPrivilege	2836	powershell.EXE
Token: SeDebugPrivilege	2920	powershell.EXE
Token: SeDebugPrivilege	1344	dllhost.exe
Token: SeDebugPrivilege	2836	powershell.EXE
Token: SeDebugPrivilege	2608	dllhost.exe
Token: SeShutdownPrivilege	2500	powercfg.exe
Token: SeAssignPrimaryTokenPrivilege	2304	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2304	WMIC.exe
Token: SeSecurityPrivilege	2304	WMIC.exe
Token: SeTakeOwnershipPrivilege	2304	WMIC.exe
Token: SeLoadDriverPrivilege	2304	WMIC.exe
Token: SeSystemtimePrivilege	2304	WMIC.exe
Token: SeBackupPrivilege	2304	WMIC.exe
Token: SeRestorePrivilege	2304	WMIC.exe
Token: SeShutdownPrivilege	2304	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2304	WMIC.exe
Token: SeUndockPrivilege	2304	WMIC.exe
Token: SeManageVolumePrivilege	2304	WMIC.exe
Token: SeRestorePrivilege	592	svchost.exe
Token: SeBackupPrivilege	592	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2304	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2304	WMIC.exe
Token: SeSecurityPrivilege	2304	WMIC.exe
Token: SeTakeOwnershipPrivilege	2304	WMIC.exe
Token: SeLoadDriverPrivilege	2304	WMIC.exe
Token: SeSystemtimePrivilege	2304	WMIC.exe
Token: SeBackupPrivilege	2304	WMIC.exe
Token: SeRestorePrivilege	2304	WMIC.exe
Token: SeShutdownPrivilege	2304	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2304	WMIC.exe
Token: SeUndockPrivilege	2304	WMIC.exe
Token: SeManageVolumePrivilege	2304	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2964	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2964	WMIC.exe
Token: SeSecurityPrivilege	2964	WMIC.exe
Token: SeTakeOwnershipPrivilege	2964	WMIC.exe
Token: SeLoadDriverPrivilege	2964	WMIC.exe
Token: SeSystemtimePrivilege	2964	WMIC.exe
Token: SeBackupPrivilege	2964	WMIC.exe
Token: SeRestorePrivilege	2964	WMIC.exe
Token: SeShutdownPrivilege	2964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2964	WMIC.exe
Token: SeUndockPrivilege	2964	WMIC.exe
Token: SeManageVolumePrivilege	2964	WMIC.exe
Token: SeShutdownPrivilege	2844	powercfg.exe
Token: SeAssignPrimaryTokenPrivilege	2756	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2756	WMIC.exe
Token: SeSecurityPrivilege	2756	WMIC.exe
Token: SeTakeOwnershipPrivilege	2756	WMIC.exe
Token: SeLoadDriverPrivilege	2756	WMIC.exe
Token: SeSystemtimePrivilege	2756	WMIC.exe
Token: SeBackupPrivilege	2756	WMIC.exe
Token: SeRestorePrivilege	2756	WMIC.exe
Token: SeShutdownPrivilege	2756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2756	WMIC.exe
Token: SeUndockPrivilege	2756	WMIC.exe
Token: SeManageVolumePrivilege	2756	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2964	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2964	WMIC.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1256	34485abf8296df32bd577d221ac9540e7631e23f64454ad5d37f5e56dcbbb3b5.exe
3012	syocuda.exe
2444	syocuda.exe
756	conhost.exe
2884	conhost.exe
2644	conhost.exe
2752	conhost.exe
2856	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 2580	1256	34485abf8296df32bd577d221ac9540e7631e23f64454ad5d37f5e56dcbbb3b5.exe	30
PID 1256 wrote to memory of 2580	1256	34485abf8296df32bd577d221ac9540e7631e23f64454ad5d37f5e56dcbbb3b5.exe	30
PID 1256 wrote to memory of 2580	1256	34485abf8296df32bd577d221ac9540e7631e23f64454ad5d37f5e56dcbbb3b5.exe	30
PID 1256 wrote to memory of 2580	1256	34485abf8296df32bd577d221ac9540e7631e23f64454ad5d37f5e56dcbbb3b5.exe	30
PID 2580 wrote to memory of 2200	2580	cmd.exe	32
PID 2580 wrote to memory of 2200	2580	cmd.exe	32
PID 2580 wrote to memory of 2200	2580	cmd.exe	32
PID 2580 wrote to memory of 2200	2580	cmd.exe	32
PID 2580 wrote to memory of 3012	2580	cmd.exe	33
PID 2580 wrote to memory of 3012	2580	cmd.exe	33
PID 2580 wrote to memory of 3012	2580	cmd.exe	33
PID 2580 wrote to memory of 3012	2580	cmd.exe	33
PID 2444 wrote to memory of 2856	2444	syocuda.exe	35
PID 2444 wrote to memory of 2856	2444	syocuda.exe	35
PID 2444 wrote to memory of 2856	2444	syocuda.exe	35
PID 2444 wrote to memory of 2856	2444	syocuda.exe	35
PID 2908 wrote to memory of 2920	2908	taskeng.exe	37
PID 2908 wrote to memory of 2920	2908	taskeng.exe	37
PID 2908 wrote to memory of 2920	2908	taskeng.exe	37
PID 2908 wrote to memory of 2836	2908	taskeng.exe	39
PID 2908 wrote to memory of 2836	2908	taskeng.exe	39
PID 2908 wrote to memory of 2836	2908	taskeng.exe	39
PID 2908 wrote to memory of 2836	2908	taskeng.exe	39
PID 2920 wrote to memory of 1344	2920	powershell.EXE	41
PID 2920 wrote to memory of 1344	2920	powershell.EXE	41
PID 2920 wrote to memory of 1344	2920	powershell.EXE	41
PID 2920 wrote to memory of 1344	2920	powershell.EXE	41
PID 2920 wrote to memory of 1344	2920	powershell.EXE	41
PID 2920 wrote to memory of 1344	2920	powershell.EXE	41
PID 2920 wrote to memory of 1344	2920	powershell.EXE	41
PID 2920 wrote to memory of 1344	2920	powershell.EXE	41
PID 2920 wrote to memory of 1344	2920	powershell.EXE	41
PID 2920 wrote to memory of 1344	2920	powershell.EXE	41
PID 2920 wrote to memory of 1344	2920	powershell.EXE	41
PID 2920 wrote to memory of 1344	2920	powershell.EXE	41
PID 1344 wrote to memory of 420	1344	dllhost.exe	5
PID 1344 wrote to memory of 464	1344	dllhost.exe	6
PID 1344 wrote to memory of 476	1344	dllhost.exe	7
PID 1344 wrote to memory of 484	1344	dllhost.exe	8
PID 1344 wrote to memory of 592	1344	dllhost.exe	9
PID 1344 wrote to memory of 672	1344	dllhost.exe	10
PID 1344 wrote to memory of 748	1344	dllhost.exe	11
PID 1344 wrote to memory of 820	1344	dllhost.exe	12
PID 1344 wrote to memory of 860	1344	dllhost.exe	13
PID 1344 wrote to memory of 996	1344	dllhost.exe	15
PID 1344 wrote to memory of 300	1344	dllhost.exe	16
PID 1344 wrote to memory of 656	1344	dllhost.exe	17
PID 1344 wrote to memory of 1080	1344	dllhost.exe	18
PID 1344 wrote to memory of 1100	1344	dllhost.exe	19
PID 1344 wrote to memory of 1168	1344	dllhost.exe	20
PID 1344 wrote to memory of 1196	1344	dllhost.exe	21
PID 1344 wrote to memory of 1192	1344	dllhost.exe	23
PID 1344 wrote to memory of 1376	1344	dllhost.exe	24
PID 1344 wrote to memory of 1580	1344	dllhost.exe	25
PID 1344 wrote to memory of 2008	1344	dllhost.exe	26
PID 1344 wrote to memory of 844	1344	dllhost.exe	27
PID 1344 wrote to memory of 2908	1344	dllhost.exe	36
PID 1344 wrote to memory of 2724	1344	dllhost.exe	40
PID 2836 wrote to memory of 2608	2836	powershell.EXE	42
PID 2836 wrote to memory of 2608	2836	powershell.EXE	42
PID 2836 wrote to memory of 2608	2836	powershell.EXE	42
PID 2836 wrote to memory of 2608	2836	powershell.EXE	42
PID 2836 wrote to memory of 2608	2836	powershell.EXE	42
PID 2836 wrote to memory of 2608	2836	powershell.EXE	42

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{01184dd5-9a55-4be8-8b3b-061fd4c5a294}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1344
- C:\Windows\SysWOW64\dllhost.exe
  C:\Windows\SysWOW64\dllhost.exe /Processid:{a86811f5-cdce-4760-a9fd-8449a181fd73}
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2608

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:592
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    3⤵
    PID:1376
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1580
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    PID:324
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    PID:1740
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:672
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:748
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:820
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1168
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in Windows directory
  PID:860
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {30A066CD-FD3D-4595-908D-68FCCC798951} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$fzwemebbstager')).EntryPoint.Invoke($Null,$Null)"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2920
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$fzwemebbstager')).EntryPoint.Invoke($Null,$Null)"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2836
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:996
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:300
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:656
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1080
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1100
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:1192
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2008
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:844
- \??\c:\windows\fonts\pdumjve\syocuda.exe
  c:\windows\fonts\pdumjve\syocuda.exe
  2⤵
  - Drops file in Drivers directory
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\TEMP\dupdueqm\wcdfia.exe
    C:\Windows\TEMP\dupdueqm\wcdfia.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="ffdunjiu" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="fubuudag" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='ffdunjiu'" DELETE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:924
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="ffdunjiu" DELETE
      4⤵
      PID:2372
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="fubuudag" DELETE
      4⤵
      PID:1372
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='ffdunjiu'" DELETE
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2964
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="ffdunjiu", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'" & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="fubuudag",CommandLineTemplate="c:\windows\ime\erwazp\izburq.exe" & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="ffdunjiu"", Consumer="CommandLineEventConsumer.Name="fubuudag""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1892
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="ffdunjiu", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2304
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="fubuudag",CommandLineTemplate="c:\windows\ime\erwazp\izburq.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2756
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="ffdunjiu"", Consumer="CommandLineEventConsumer.Name="fubuudag""
      4⤵
      System Location Discovery: System Language Discovery
      PID:3000
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks /DELETE /TN wyupunba /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:2292
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /TN wyupunba /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo Y|schtasks /create /sc minute /mo 30 /tn "wyupunba" /ru system /tr "c:\windows\ime\erwazp\izburq.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1880
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 30 /tn "wyupunba" /ru system /tr "c:\windows\ime\erwazp\izburq.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c cmd /c powercfg -import c:\windows\fonts\pdumjve\BestPower.pow
    3⤵
    - Power Settings
    - System Location Discovery: System Language Discovery
    PID:1124
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c powercfg -import c:\windows\fonts\pdumjve\BestPower.pow
      4⤵
      Power Settings
      System Location Discovery: System Language Discovery
      PID:2244
    - - C:\Windows\SysWOW64\powercfg.exe
        
        powercfg -import c:\windows\fonts\pdumjve\BestPower.pow
        5⤵
        Power Settings
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c cmd /c powercfg -setactive 15136104-c4af-4210-8450-6c966b64be87
    3⤵
    - Power Settings
    - System Location Discovery: System Language Discovery
    PID:1280
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c powercfg -setactive 15136104-c4af-4210-8450-6c966b64be87
      4⤵
      Power Settings
      System Location Discovery: System Language Discovery
      PID:2416
    - - C:\Windows\SysWOW64\powercfg.exe
        
        powercfg -setactive 15136104-c4af-4210-8450-6c966b64be87
        5⤵
        Power Settings
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powercfg -h off
    3⤵
    - Power Settings
    PID:2388
- - \??\c:\windows\fonts\rchxsdey\xcaqqy.exe
    c:\windows\fonts\rchxsdey\xcaqqy.exe
    3⤵
    PID:1484
- C:\Windows\system32\wbem\WmiApSrv.exe
  C:\Windows\system32\wbem\WmiApSrv.exe
  2⤵
  PID:1488
- C:\Windows\system32\wbem\WmiApSrv.exe
  C:\Windows\system32\wbem\WmiApSrv.exe
  2⤵
  PID:2764

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:484

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\34485abf8296df32bd577d221ac9540e7631e23f64454ad5d37f5e56dcbbb3b5.exe
  "C:\Users\Admin\AppData\Local\Temp\34485abf8296df32bd577d221ac9540e7631e23f64454ad5d37f5e56dcbbb3b5.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\pdumjve\syocuda.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 5
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2200
  - - \??\c:\windows\fonts\pdumjve\syocuda.exe
      c:\windows\fonts\pdumjve\syocuda.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-295235150-2027033974-13271971911742789653885345871593642711-17350048172005199969"
1⤵
PID:2724

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19045950821050180961-1438513816384240715510995166037603-1371661696-1694241361"
1⤵
- Suspicious use of SetWindowsHookEx
PID:756

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "718282649-985901862-649529604-5855666792044616403168189989-97643233492761947"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-302153666-1068215699469247074842153069-5826411401464206066608405737-1092615725"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2752

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-318953943245057449-685519964684977519-7716935714912817832788608661012702096"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2644

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "568498147-130693874-653589686-1605285463276962639397665471-14199049882089352801"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2856

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1505133344-2030372539-3460965691218674927641077796263059521415052458990040022"
1⤵
PID:472

\??\c:\windows\ime\erwazp\izburq.exe
c:\windows\ime\erwazp\izburq.exe
1⤵
PID:2284

\??\c:\windows\ime\erwazp\izburq.exe
c:\windows\ime\erwazp\izburq.exe
1⤵
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

Clear Persistence

T1070.009

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Tasks\$fzwemebbavawscxc.job

Filesize
572B

MD5
ba474f3fde5a0deaa767fe751734e204

SHA1
2d2d47ed284bb58ef795bb7706da633dbdd8fe0c

SHA256
d51f40f9bf70469210e8d6f6af1f9df2071fa06b2cc9e1eb7abbf6fd8d8c1d41

SHA512
94e37568264b206b7f688bf5ec47d852731ca9bd9ef63cae26f4c9e786f86285bcadd90d52f3518c56bd2b3c130987547c840d00b104309d9681bd049f85b292

Download Submit
C:\Windows\Tasks\$fzwemebbpzzbfwzr.job

Filesize
486B

MD5
77a587ae46920e60b033f1a16ac923d1

SHA1
cd147a76cb2f355bc41ae4b07c891214aaa368e7

SHA256
b0d55fa23cb030a10c5053494cd7de4a08b75e3a8c0d1ad3a64a65339fb2be39

SHA512
ab2ff402b2e480a34ddfc166df491334cf665f895ced22602864d543cf57371ba595db1b8852b39fcea20d5736c879357904cbdc5b15894892c2f58c99dd1f55

Download Submit
\??\c:\windows\fonts\pdumjve\BestPower.pow

Filesize
8KB

MD5
183887e994658a630e7810755723ec20

SHA1
a094da22e2363dbbb5880666b44c077aae0ef62e

SHA256
5920e1aa24762daa5e49a924e90f42a4b1ae4588ab38514cc74d4499396ded44

SHA512
72b3ee12b2cb14aaf1d7453226c6e8bdda69915fb1c65f9bc22aa5960dad2f3a7c355a0512f806d75801196e23897a0f2bebcb038e6fcab917f0fa4a3f170953

Download Submit
\??\c:\windows\fonts\rchxsdey\config.json

Filesize
355B

MD5
34edaaa8430ae81f6f5ad438c4022148

SHA1
f3188a1e9784bb033220ca052fa925db8de52ae1

SHA256
3a57224d9dd364d682123cb5bd5b0f68135b519ec988a37204643478be89a324

SHA512
f8d2c9794622759cd314ed299d84b5f74541ad8b0802faf5bcb0ec331e8930eff0bc774d93a804de6f0ff50d581ac33d2ef0b38f0f4c1e45324c98cf4f103159

Download Submit
\Windows\Fonts\pdumjve\syocuda.exe

Filesize
4.2MB

MD5
bdd5d3d1f3d671d0b877a0f5f32f59bc

SHA1
eb52a5e49cce4506b844caa35e0d8d6b2c50f721

SHA256
0e03053d9cc419258325d0ae57b42350a7af9164acfc42768198d1a9d0469c29

SHA512
c8fb438a08e2fe40b1a7702666d46d6540ba2554524aaa3c40b7d9446f3062af0c774eaeb4d916ede9173f30d81613bfd8ff9880a28a195138a3dbb22b5751f9

Download Submit
\Windows\Fonts\rchxsdey\xcaqqy.exe

Filesize
1.4MB

MD5
cc986ed368f13b76c21c580615944b0a

SHA1
fa6c9181dda91a495cd0e141dba5b4f68f112ea4

SHA256
59b1cff79bafa968b3f7ae01db171f81d72ec20fd2e420f6ba187eaf9571ae00

SHA512
045c4e00e466a672a3d9d2d0c12832a2e9fb8fd5dcd7e04c92d2a128a17dc572e225715e5646832f7cee803a5d09ed00c28284fc524f321dc981f42dfb17659b

Download Submit
\Windows\Temp\dupdueqm\wcdfia.exe

Filesize
539KB

MD5
94da70b09bf2f7e281a624dbba769479

SHA1
8f2beae87cbe8249b676f38a146f25317a1a31ee

SHA256
5ca416d019f6c1c94f886266564bd099864deac7819936ff6779091842f8da6d

SHA512
4bfc2c41fa990cb0c93a1891894fc232eb94c54431fc97a179f0a0ab82ed5711f9288e798475573e7cc523bd1f08c66afc67b8030009a45850b508bd1a95c7f4

Download Submit
memory/420-55-0x000007FEBE990000-0x000007FEBE9A0000-memory.dmp

Filesize
64KB

Download
memory/420-42-0x00000000007A0000-0x00000000007C4000-memory.dmp

Filesize
144KB

Download
memory/420-53-0x00000000007D0000-0x00000000007FC000-memory.dmp

Filesize
176KB

Download
memory/420-44-0x00000000007A0000-0x00000000007C4000-memory.dmp

Filesize
144KB

Download
memory/420-57-0x00000000371F0000-0x0000000037200000-memory.dmp

Filesize
64KB

Download
memory/464-66-0x00000000371F0000-0x0000000037200000-memory.dmp

Filesize
64KB

Download
memory/464-65-0x000007FEBE990000-0x000007FEBE9A0000-memory.dmp

Filesize
64KB

Download
memory/464-64-0x0000000000AD0000-0x0000000000AFC000-memory.dmp

Filesize
176KB

Download
memory/476-68-0x00000000001A0000-0x00000000001CC000-memory.dmp

Filesize
176KB

Download
memory/476-69-0x000007FEBE990000-0x000007FEBE9A0000-memory.dmp

Filesize
64KB

Download
memory/476-70-0x00000000371F0000-0x0000000037200000-memory.dmp

Filesize
64KB

Download
memory/484-74-0x00000000371F0000-0x0000000037200000-memory.dmp

Filesize
64KB

Download
memory/484-72-0x0000000000320000-0x000000000034C000-memory.dmp

Filesize
176KB

Download
memory/484-73-0x000007FEBE990000-0x000007FEBE9A0000-memory.dmp

Filesize
64KB

Download
memory/672-76-0x00000000002F0000-0x000000000031C000-memory.dmp

Filesize
176KB

Download
memory/672-77-0x000007FEBE990000-0x000007FEBE9A0000-memory.dmp

Filesize
64KB

Download
memory/672-78-0x00000000371F0000-0x0000000037200000-memory.dmp

Filesize
64KB

Download
memory/748-84-0x000007FEBE990000-0x000007FEBE9A0000-memory.dmp

Filesize
64KB

Download
memory/748-85-0x00000000371F0000-0x0000000037200000-memory.dmp

Filesize
64KB

Download
memory/748-83-0x00000000008F0000-0x000000000091C000-memory.dmp

Filesize
176KB

Download
memory/1256-3-0x0000000000400000-0x0000000000691000-memory.dmp

Filesize
2.6MB

Download
memory/1344-39-0x0000000077090000-0x00000000771AF000-memory.dmp

Filesize
1.1MB

Download
memory/1344-40-0x0000000140000000-0x0000000140043000-memory.dmp

Filesize
268KB

Download
memory/1344-36-0x0000000140000000-0x0000000140043000-memory.dmp

Filesize
268KB

Download
memory/1344-37-0x0000000140000000-0x0000000140043000-memory.dmp

Filesize
268KB

Download
memory/1344-38-0x00000000771B0000-0x0000000077359000-memory.dmp

Filesize
1.7MB

Download
memory/1484-566-0x000000013F820000-0x000000013FE3F000-memory.dmp

Filesize
6.1MB

Download
memory/1484-580-0x000000013F820000-0x000000013FE3F000-memory.dmp

Filesize
6.1MB

Download
memory/2444-562-0x0000000002000000-0x000000000261F000-memory.dmp

Filesize
6.1MB

Download
memory/2444-578-0x0000000002000000-0x000000000261F000-memory.dmp

Filesize
6.1MB

Download
memory/2920-34-0x00000000771B0000-0x0000000077359000-memory.dmp

Filesize
1.7MB

Download
memory/2920-33-0x0000000019B20000-0x0000000019B98000-memory.dmp

Filesize
480KB

Download
memory/2920-32-0x0000000000D90000-0x0000000000D98000-memory.dmp

Filesize
32KB

Download
memory/2920-35-0x0000000077090000-0x00000000771AF000-memory.dmp

Filesize
1.1MB

Download
memory/2920-31-0x0000000019C60000-0x0000000019F42000-memory.dmp

Filesize
2.9MB

Download