Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2025, 06:11

General

  • Target

    56a0fe76690153775e7d0af4698d0ef50c369cf078079269825f53cf2eec5b54.exe

  • Size

    622KB

  • MD5

    a1bc8a1b9cfd1ce7f226de09131c4cfc

  • SHA1

    6834f014436774bb6d720fffdd2656eb91193918

  • SHA256

    56a0fe76690153775e7d0af4698d0ef50c369cf078079269825f53cf2eec5b54

  • SHA512

    2c01b40db9a52dd7aaf316e0011d85f7e1484728a6b65139765b7525af665205a2dd1a3fad162fb6b8dc26d69ad4ff92e86908ef072af5440923c7894f1e5ab4

  • SSDEEP

    12288:pu5MOiV13I+DRKglWfsnoeWPSRNfcU5C8RMtBmEFPpu353e+dqMX2:pu5MOiX3I+DkSWkno/PSNkxOMHmEFPgS

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

elroithegodofnsppd.duckdns.org:43366

elroithegodofnsppd.ddnsfree.com:43366

Mutex

4991469e-2d84-4048-8aed-20a53304961e

Attributes
  • activate_away_mode

    false

  • backup_connection_host

    elroithegodofnsppd.ddnsfree.com

  • backup_dns_server

  • buffer_size

    65538

  • build_time

    2024-12-06T15:16:37.862063536Z

  • bypass_user_account_control

    false

  • bypass_user_account_control_data

    PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+

  • clear_access_control

    false

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    43366

  • default_group

    EROI MY GOD

  • enable_debug_mode

    true

  • gc_threshold

    1.0485772e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.0485772e+07

  • mutex

    4991469e-2d84-4048-8aed-20a53304961e

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    elroithegodofnsppd.duckdns.org

  • primary_dns_server

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    false

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8009

Extracted

Family

xworm

Version

5.0

C2

tunhost.duckdns.org:57891

wintun.freemyip.com:57891

87.249.134.68:57891

Attributes
  • install_file

    琀㴀Ā ☀☀ �䔗渀瘀椀爀漀渀洀攀渀琀�眍椀渀搀椀爀�瀝漀眀攀爀猀栀攀氀氀⸀攀砀攀�醀-C schtasks.exe

aes.plain

Signatures

  • Detect Xworm Payload 3 IoCs
  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Nanocore family
  • UAC bypass 3 TTPs 1 IoCs
  • Xmrig family
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 9 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Creates new service(s) 2 TTPs
  • Stops running service(s) 4 TTPs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 17 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Power Settings 1 TTPs 8 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

  • Suspicious use of SetThreadContext 3 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 2 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Modifies system certificate store 2 TTPs 13 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\56a0fe76690153775e7d0af4698d0ef50c369cf078079269825f53cf2eec5b54.exe
    "C:\Users\Admin\AppData\Local\Temp\56a0fe76690153775e7d0af4698d0ef50c369cf078079269825f53cf2eec5b54.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2072
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\56a0fe76690153775e7d0af4698d0ef50c369cf078079269825f53cf2eec5b54.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2684
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DXxJPGhu.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2740
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DXxJPGhu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFCA7.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2792
    • C:\Users\Admin\AppData\Local\Temp\56a0fe76690153775e7d0af4698d0ef50c369cf078079269825f53cf2eec5b54.exe
      "C:\Users\Admin\AppData\Local\Temp\56a0fe76690153775e7d0af4698d0ef50c369cf078079269825f53cf2eec5b54.exe"
      2⤵
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2908
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn "SCSI Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFDEE.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2664
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn "SCSI Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFE3D.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1840
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe"
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: SetClipboardViewer
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:988
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /delete /f /tn "Microsoft\Windows\Client Server Runtime Process"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2856
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /create /f /tn "Microsoft\Windows\Client Server Runtime Process" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2BE1.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2880
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wanhost.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wanhost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2700
      • C:\Windows\SysWOW64\reg.exe
        "reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2804
      • C:\Users\Admin\AppData\Local\system32.exe
        "C:\Users\Admin\AppData\Local\system32.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1964
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          4⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:1696
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          4⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:1996
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          4⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:496
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          4⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:1924
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe delete "AHMOQNZH"
          4⤵
          • Launches sc.exe
          PID:1648
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe create "AHMOQNZH" binpath= "C:\ProgramData\ipbodjvyupmv\qshtkbttphgg.exe" start= "auto"
          4⤵
          • Launches sc.exe
          PID:2960
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop eventlog
          4⤵
          • Launches sc.exe
          PID:984
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe start "AHMOQNZH"
          4⤵
          • Launches sc.exe
          PID:2580
      • C:\Users\Admin\AppData\Local\system32-checker.exe
        "C:\Users\Admin\AppData\Local\system32-checker.exe"
        3⤵
        • Executes dropped EXE
        PID:2312
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 2312 -s 660
          4⤵
          • Loads dropped DLL
          PID:3040
      • C:\Users\Admin\AppData\Local\system32-checker.exe
        "C:\Users\Admin\AppData\Local\system32-checker.exe"
        3⤵
        • Executes dropped EXE
        PID:2696
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 2696 -s 648
          4⤵
          • Loads dropped DLL
          PID:2884
  • C:\ProgramData\ipbodjvyupmv\qshtkbttphgg.exe
    C:\ProgramData\ipbodjvyupmv\qshtkbttphgg.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2468
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:2548
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:2088
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:1552
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:484
    • C:\Windows\system32\conhost.exe
      C:\Windows\system32\conhost.exe
      2⤵
        PID:1856
      • C:\Windows\explorer.exe
        explorer.exe
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:776

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      71KB

      MD5

      83142242e97b8953c386f988aa694e4a

      SHA1

      833ed12fc15b356136dcdd27c61a50f59c5c7d50

      SHA256

      d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

      SHA512

      bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      ef49d617f6cbf273228f8eac16b78eaa

      SHA1

      de54ddf71f03144aa41cd020f1ccb2a11abd7fa3

      SHA256

      725e10e96334d7c8fc78f0b38b837f9ef1bc512520c3e2df516b25a221743a06

      SHA512

      5c29ffd9c5238f33f6459ab88b9d1538ab01cd0090ca613b065f5730b27e63cbadfb8b870f9f9446464f2b31a0d29d07c53d617708f25c935f21d95a0dd0883c

    • C:\Users\Admin\AppData\Local\Temp\Tar28CE.tmp

      Filesize

      183KB

      MD5

      109cab5505f5e065b63d01361467a83b

      SHA1

      4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

      SHA256

      ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

      SHA512

      753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

    • C:\Users\Admin\AppData\Local\Temp\tmp2BE1.tmp

      Filesize

      1KB

      MD5

      55f737e134714dd479fb8d4417a14df5

      SHA1

      4195b4131fb1215140baaaf5a6d8e26f305572af

      SHA256

      f306ee4e70a9dd3281131c476541b78f8cbe387a8a507f3b98a48ef34ecf2835

      SHA512

      446fa2af1cfb7057fd96fbaa26b4dcec67427399c8859c85ed11d5fb7b64f6abca39581faa2f17ca32c5e57759a448266d4be6af39e730d5e596cc41701fd1bf

    • C:\Users\Admin\AppData\Local\Temp\tmpFCA7.tmp

      Filesize

      1KB

      MD5

      65168ca7ec640f447fe20f0f9b892e23

      SHA1

      a0aee17f8c1f211bf0644b8de753a2a506ceed9c

      SHA256

      280e5211613dcd546618730da1abcd76aba0a3ad103cfb022c066a5efeb6739a

      SHA512

      80d306b535ab62a66cd273e4799e7dcc7bb32891daba0ac451e7a090e7f87807cedf53e17ee3caf70cea597caf0f4f2d94d609b92467ec79c8cf8e8eb8bae981

    • C:\Users\Admin\AppData\Local\Temp\tmpFDEE.tmp

      Filesize

      1KB

      MD5

      c0d5a98f8925527303b275c45309b9e9

      SHA1

      186323b4717647925f59f698569922035094b95b

      SHA256

      209e9f3a3fc7030c5f246abc5a644e4308959773e8a8751fb6a4aa4004bf6ba2

      SHA512

      050b95bc1e510ffa3831f1c936887f383072e816b82ad99042fbaaa122b11ab6a1c7bee75a829888e35697dc34cee49481b7294507769b566b4ee59b19172706

    • C:\Users\Admin\AppData\Local\Temp\tmpFE3D.tmp

      Filesize

      1KB

      MD5

      9a559f229be0944bc3dc813cde333f50

      SHA1

      0e97c97eea032b499ff060e799581e32beeceb09

      SHA256

      a63d853679aa655cced3b62a10855c56f9efd9b50770738b408d728008f73330

      SHA512

      4cbb2f77283500e86ecf79fd2cbd31d10c3af2fcf6c9a557ee0b1edead229dc07d63a5030b60df57458d52ef8c2a42ec199d2d4cdca387400d047df25b593c68

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

      Filesize

      7KB

      MD5

      70d707929bb5803052f08dcf82c970e9

      SHA1

      861c2008f45b71946e42191969198733ed96d7c2

      SHA256

      454be13978028f0fdd38c3e16af74197e9ed0694bc425f881fb722a73e17faa7

      SHA512

      471b3ec909abefd32f2daef5f1c24af054e670199730a19d2bacb7433f1ef2396a63ab3ddf696170d8a3c26bdd49ddde6ad65927dbd104b7c235675888d9b226

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wanhost.exe

      Filesize

      32KB

      MD5

      bb88af07d7f92e77086eb2a090b508fd

      SHA1

      2fcf43147b61ed5c8e1d7d46398eb3749e649e78

      SHA256

      77ce6f10d6034a1d7ab7768278cf8322b719729f612e6afe8cff72cb637cd6ec

      SHA512

      7a41def72de640dbf057c41971b02213e75202a1863b41491e36644da17bcbfb16c41ae6c6af121b5b2f7fee4f0608f867a404f1bbbf8db5dc9444978868f7c3

    • \Users\Admin\AppData\Local\system32-checker.exe

      Filesize

      6KB

      MD5

      7c1867586dfd01366878ae08415c612c

      SHA1

      4526353fbb9b8be77f3c0f46778a740f84882f83

      SHA256

      521f29dd7236b22daba7ea9537ef6be31057a08eec9526805b4685d7970e1372

      SHA512

      ef4ff7128de21fcdec5019322247ae958b46c2ff20b36d65f32fd6921e2f7c7bd018168fb3a7c0c728f071160057c790b3d5b691aad24cd5ebd975e7abc409ba

    • \Users\Admin\AppData\Local\system32.exe

      Filesize

      2.5MB

      MD5

      a5c4e57922031e587bf09fb90453d73e

      SHA1

      4bc3a265800ef4f7df8402292d8218553b2860b6

      SHA256

      3720ffed8da2ba9d4cabbe64331f939f36e750e7dd3d5b9ff4d937325b35543b

      SHA512

      0fd81c9ca1ea8587fa33f2da3f45896b9d22e9f8a014513316274674a4256a4f04654462ed4ed87021e999964c895734aa2814e5a37f23a2010c594ad113a491

    • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe

      Filesize

      191KB

      MD5

      ed3b00caa7c83ab730df4a14aeb5d6bf

      SHA1

      453eeebd3cd4a0faf5e7eca63ea6cdb0ed96971a

      SHA256

      456b4cf130884ff7283aa415425ff6e3f6c610211bc7504e41bba9346dacd827

      SHA512

      fb64f0d53215cfcbd18f9de977e2f41323192b9329e67f7c26f53692970a2688f0a6a80f836c073945404e84364620f49790b22499bbf65c904341b90ccba954

    • memory/776-287-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

    • memory/776-286-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

    • memory/776-290-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

    • memory/776-291-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

    • memory/776-277-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

    • memory/776-279-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

    • memory/776-289-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

    • memory/776-280-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

    • memory/776-282-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

    • memory/776-283-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

    • memory/776-285-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

    • memory/776-278-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

    • memory/776-288-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

    • memory/776-284-0x00000000000B0000-0x00000000000D0000-memory.dmp

      Filesize

      128KB

    • memory/776-281-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

    • memory/1856-268-0x0000000140000000-0x000000014000D000-memory.dmp

      Filesize

      52KB

    • memory/1856-275-0x0000000140000000-0x000000014000D000-memory.dmp

      Filesize

      52KB

    • memory/1856-269-0x0000000140000000-0x000000014000D000-memory.dmp

      Filesize

      52KB

    • memory/1856-270-0x0000000140000000-0x000000014000D000-memory.dmp

      Filesize

      52KB

    • memory/1856-271-0x0000000140000000-0x000000014000D000-memory.dmp

      Filesize

      52KB

    • memory/1856-272-0x0000000140000000-0x000000014000D000-memory.dmp

      Filesize

      52KB

    • memory/2072-2-0x00000000743C0000-0x0000000074AAE000-memory.dmp

      Filesize

      6.9MB

    • memory/2072-0-0x00000000743CE000-0x00000000743CF000-memory.dmp

      Filesize

      4KB

    • memory/2072-4-0x00000000743CE000-0x00000000743CF000-memory.dmp

      Filesize

      4KB

    • memory/2072-5-0x00000000743C0000-0x0000000074AAE000-memory.dmp

      Filesize

      6.9MB

    • memory/2072-6-0x0000000005E90000-0x0000000005F0E000-memory.dmp

      Filesize

      504KB

    • memory/2072-1-0x00000000008B0000-0x0000000000950000-memory.dmp

      Filesize

      640KB

    • memory/2072-32-0x00000000743C0000-0x0000000074AAE000-memory.dmp

      Filesize

      6.9MB

    • memory/2072-3-0x00000000003D0000-0x00000000003E0000-memory.dmp

      Filesize

      64KB

    • memory/2312-296-0x000000013F320000-0x000000013F326000-memory.dmp

      Filesize

      24KB

    • memory/2696-303-0x000000013F5B0000-0x000000013F5B6000-memory.dmp

      Filesize

      24KB

    • memory/2700-191-0x0000000000D80000-0x0000000000D8E000-memory.dmp

      Filesize

      56KB

    • memory/2908-46-0x0000000000880000-0x000000000089A000-memory.dmp

      Filesize

      104KB

    • memory/2908-23-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

    • memory/2908-48-0x0000000002160000-0x000000000216E000-memory.dmp

      Filesize

      56KB

    • memory/2908-45-0x0000000000830000-0x0000000000842000-memory.dmp

      Filesize

      72KB

    • memory/2908-42-0x0000000000520000-0x000000000052A000-memory.dmp

      Filesize

      40KB

    • memory/2908-41-0x0000000000500000-0x000000000051E000-memory.dmp

      Filesize

      120KB

    • memory/2908-40-0x00000000004B0000-0x00000000004BA000-memory.dmp

      Filesize

      40KB

    • memory/2908-47-0x0000000000A30000-0x0000000000A42000-memory.dmp

      Filesize

      72KB

    • memory/2908-28-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

    • memory/2908-49-0x0000000004C50000-0x0000000004C94000-memory.dmp

      Filesize

      272KB

    • memory/2908-29-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

    • memory/2908-25-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

    • memory/2908-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2908-21-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

    • memory/2908-20-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

    • memory/2908-31-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB