danabot | 2ba0f2e22ed07ca3188c898a0c9256fd30e878916ebe669ed52b25cb18d5ccde

Analysis

max time kernel
139s
max time network
125s
platform
windows7_x64
resource
win7v200430
submitted
28-06-2020 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ab5f0bee96577cb81bd9bc464d0ca85.exe
Size

908KB
MD5

0ab5f0bee96577cb81bd9bc464d0ca85
SHA1

e5e1f336d88b06a25754662f345bdec893c7c6ff
SHA256

2ba0f2e22ed07ca3188c898a0c9256fd30e878916ebe669ed52b25cb18d5ccde
SHA512

b00fb070ff0c178e40a833c8fc5c56873963d9d93e39544629da155d7dec217a2f62f6c14e33384433633f085b046700e2b012cd74e929a3750d4ee2ee1ad194

Score

10^/10

danabot banker botnet discovery evasion spyware stealer trojan vmprotect

Malware Config

Extracted

Family

danabot

92.204.160.126

37.120.145.243

195.133.147.230

185.227.138.52

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 6 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\dfgdfg.dll	family_danabot
\Users\Admin\AppData\Roaming\dfgdfg.dll	family_danabot
\Users\Admin\AppData\Roaming\dfgdfg.dll	family_danabot
\Users\Admin\AppData\Roaming\dfgdfg.dll	family_danabot
\Users\Admin\AppData\Roaming\dfgdfg.dll	family_danabot
\Users\Admin\AppData\Roaming\dfgdfg.dll	family_danabot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Blocklisted process makes network request 10 IoCs

Processes:

rundll32.exe

flow	pid	process
39	672	rundll32.exe
51	672	rundll32.exe
52	672	rundll32.exe
53	672	rundll32.exe
54	672	rundll32.exe
55	672	rundll32.exe
56	672	rundll32.exe
57	672	rundll32.exe
58	672	rundll32.exe
59	672	rundll32.exe

Executes dropped EXE 7 IoCs

Processes:

test.exe2_protected.exe1_protected.exedfgdfg.exetrhgdf.exerthgf.exeSmartClock.exe

pid process

1436 test.exe
1344 2_protected.exe
2008 1_protected.exe
644 dfgdfg.exe
1132 trhgdf.exe
1816 rthgf.exe
1636 SmartClock.exe

pid	process
1436	test.exe
1344	2_protected.exe
2008	1_protected.exe
644	dfgdfg.exe
1132	trhgdf.exe
1816	rthgf.exe
1636	SmartClock.exe

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\rthgf.exe	vmprotect
C:\Users\Admin\AppData\Roaming\rthgf.exe	vmprotect
C:\Users\Admin\AppData\Roaming\rthgf.exe	vmprotect
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe	vmprotect
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe	vmprotect
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe	vmprotect

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1_protected.exetest.exe2_protected.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	test.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	test.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2_protected.exe

Drops startup file 1 IoCs

Processes:

rthgf.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk rthgf.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	rthgf.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

test.exe1_protected.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Wine	test.exe
Key opened	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Wine	1_protected.exe

Loads dropped DLL 16 IoCs

Processes:

0ab5f0bee96577cb81bd9bc464d0ca85.exetest.exeregsvr32.exerundll32.exerthgf.exe

pid	process
1492	0ab5f0bee96577cb81bd9bc464d0ca85.exe
1436	test.exe
1436	test.exe
1436	test.exe
1436	test.exe
1436	test.exe
1436	test.exe
1424	regsvr32.exe
672	rundll32.exe
672	rundll32.exe
672	rundll32.exe
672	rundll32.exe
1436	test.exe
1436	test.exe
1816	rthgf.exe
1816	rthgf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

42 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

test.exe1_protected.exetrhgdf.exe

pid process

1436 test.exe
2008 1_protected.exe
1132 trhgdf.exe
1132 trhgdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
42	ip-api.com

pid	process
1436	test.exe
2008	1_protected.exe
1132	trhgdf.exe
1132	trhgdf.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1_protected.exe2_protected.exe0ab5f0bee96577cb81bd9bc464d0ca85.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	1_protected.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2_protected.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	0ab5f0bee96577cb81bd9bc464d0ca85.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	0ab5f0bee96577cb81bd9bc464d0ca85.exe

Delays execution with timeout.exe 4 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid process

1328 timeout.exe
644 timeout.exe
1544 timeout.exe
1656 timeout.exe

pid	process
1328	timeout.exe
644	timeout.exe
1544	timeout.exe
1656	timeout.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

test.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	test.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	test.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	test.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef4240f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c13040000000100000010000000410352dc0ff7501b16f0028eba6f45c520000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	test.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	test.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	test.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	test.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	test.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c5030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	test.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 15 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

1636 SmartClock.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

test.exe1_protected.exe

pid process

1436 test.exe
2008 1_protected.exe

description	flow	ioc
HTTP User-Agent header	15	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
1636	SmartClock.exe

pid	process
1436	test.exe
2008	1_protected.exe

Suspicious use of FindShellTrayWindow 13 IoCs

Processes:

1_protected.exe2_protected.exe

pid	process
2008	1_protected.exe
1344	2_protected.exe
1344	2_protected.exe
1344	2_protected.exe
1344	2_protected.exe
1344	2_protected.exe
1344	2_protected.exe
1344	2_protected.exe
1344	2_protected.exe
1344	2_protected.exe
1344	2_protected.exe
1344	2_protected.exe
1344	2_protected.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

trhgdf.exe

pid process

1132 trhgdf.exe

pid	process
1132	trhgdf.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0ab5f0bee96577cb81bd9bc464d0ca85.exetest.exe1_protected.execmd.exedfgdfg.exeregsvr32.exetrhgdf.exe2_protected.execmd.exe

description	pid	process	target process
PID 1492 wrote to memory of 1436	1492	0ab5f0bee96577cb81bd9bc464d0ca85.exe	test.exe
PID 1492 wrote to memory of 1436	1492	0ab5f0bee96577cb81bd9bc464d0ca85.exe	test.exe
PID 1492 wrote to memory of 1436	1492	0ab5f0bee96577cb81bd9bc464d0ca85.exe	test.exe
PID 1492 wrote to memory of 1436	1492	0ab5f0bee96577cb81bd9bc464d0ca85.exe	test.exe
PID 1436 wrote to memory of 1344	1436	test.exe	2_protected.exe
PID 1436 wrote to memory of 1344	1436	test.exe	2_protected.exe
PID 1436 wrote to memory of 1344	1436	test.exe	2_protected.exe
PID 1436 wrote to memory of 1344	1436	test.exe	2_protected.exe
PID 1436 wrote to memory of 2008	1436	test.exe	1_protected.exe
PID 1436 wrote to memory of 2008	1436	test.exe	1_protected.exe
PID 1436 wrote to memory of 2008	1436	test.exe	1_protected.exe
PID 1436 wrote to memory of 2008	1436	test.exe	1_protected.exe
PID 2008 wrote to memory of 1796	2008	1_protected.exe	cmd.exe
PID 2008 wrote to memory of 1796	2008	1_protected.exe	cmd.exe
PID 2008 wrote to memory of 1796	2008	1_protected.exe	cmd.exe
PID 2008 wrote to memory of 1796	2008	1_protected.exe	cmd.exe
PID 1796 wrote to memory of 1328	1796	cmd.exe	timeout.exe
PID 1796 wrote to memory of 1328	1796	cmd.exe	timeout.exe
PID 1796 wrote to memory of 1328	1796	cmd.exe	timeout.exe
PID 1796 wrote to memory of 1328	1796	cmd.exe	timeout.exe
PID 1436 wrote to memory of 644	1436	test.exe	dfgdfg.exe
PID 1436 wrote to memory of 644	1436	test.exe	dfgdfg.exe
PID 1436 wrote to memory of 644	1436	test.exe	dfgdfg.exe
PID 1436 wrote to memory of 644	1436	test.exe	dfgdfg.exe
PID 644 wrote to memory of 1424	644	dfgdfg.exe	regsvr32.exe
PID 644 wrote to memory of 1424	644	dfgdfg.exe	regsvr32.exe
PID 644 wrote to memory of 1424	644	dfgdfg.exe	regsvr32.exe
PID 644 wrote to memory of 1424	644	dfgdfg.exe	regsvr32.exe
PID 644 wrote to memory of 1424	644	dfgdfg.exe	regsvr32.exe
PID 644 wrote to memory of 1424	644	dfgdfg.exe	regsvr32.exe
PID 644 wrote to memory of 1424	644	dfgdfg.exe	regsvr32.exe
PID 1424 wrote to memory of 672	1424	regsvr32.exe	rundll32.exe
PID 1424 wrote to memory of 672	1424	regsvr32.exe	rundll32.exe
PID 1424 wrote to memory of 672	1424	regsvr32.exe	rundll32.exe
PID 1424 wrote to memory of 672	1424	regsvr32.exe	rundll32.exe
PID 1424 wrote to memory of 672	1424	regsvr32.exe	rundll32.exe
PID 1424 wrote to memory of 672	1424	regsvr32.exe	rundll32.exe
PID 1424 wrote to memory of 672	1424	regsvr32.exe	rundll32.exe
PID 1436 wrote to memory of 1132	1436	test.exe	trhgdf.exe
PID 1436 wrote to memory of 1132	1436	test.exe	trhgdf.exe
PID 1436 wrote to memory of 1132	1436	test.exe	trhgdf.exe
PID 1436 wrote to memory of 1132	1436	test.exe	trhgdf.exe
PID 1436 wrote to memory of 1132	1436	test.exe	trhgdf.exe
PID 1436 wrote to memory of 1132	1436	test.exe	trhgdf.exe
PID 1436 wrote to memory of 1132	1436	test.exe	trhgdf.exe
PID 1436 wrote to memory of 1816	1436	test.exe	rthgf.exe
PID 1436 wrote to memory of 1816	1436	test.exe	rthgf.exe
PID 1436 wrote to memory of 1816	1436	test.exe	rthgf.exe
PID 1436 wrote to memory of 1816	1436	test.exe	rthgf.exe
PID 1436 wrote to memory of 1816	1436	test.exe	rthgf.exe
PID 1436 wrote to memory of 1816	1436	test.exe	rthgf.exe
PID 1436 wrote to memory of 1816	1436	test.exe	rthgf.exe
PID 1132 wrote to memory of 1272	1132	trhgdf.exe	cmd.exe
PID 1132 wrote to memory of 1272	1132	trhgdf.exe	cmd.exe
PID 1132 wrote to memory of 1272	1132	trhgdf.exe	cmd.exe
PID 1132 wrote to memory of 1272	1132	trhgdf.exe	cmd.exe
PID 1132 wrote to memory of 1272	1132	trhgdf.exe	cmd.exe
PID 1132 wrote to memory of 1272	1132	trhgdf.exe	cmd.exe
PID 1132 wrote to memory of 1272	1132	trhgdf.exe	cmd.exe
PID 1344 wrote to memory of 1244	1344	2_protected.exe	cmd.exe
PID 1344 wrote to memory of 1244	1344	2_protected.exe	cmd.exe
PID 1344 wrote to memory of 1244	1344	2_protected.exe	cmd.exe
PID 1244 wrote to memory of 644	1244	cmd.exe	timeout.exe
PID 1244 wrote to memory of 644	1244	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\0ab5f0bee96577cb81bd9bc464d0ca85.exe
"C:\Users\Admin\AppData\Local\Temp\0ab5f0bee96577cb81bd9bc464d0ca85.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Roaming\indepoped\test.exe
test.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1436

C:\ProgramData\sde\2_protected.exe
C:\ProgramData\sde\2_protected.exe
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\VXPi5wxqfVJv & timeout 1 & del /f /q "C:\ProgramData\sde\2_protected.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\system32\timeout.exe
timeout 1
5⤵
- Delays execution with timeout.exe
PID:644

C:\ProgramData\sde\1_protected.exe
C:\ProgramData\sde\1_protected.exe
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\kAlHMqh4 & timeout 2 & del /f /q "C:\ProgramData\sde\1_protected.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\SysWOW64\timeout.exe
timeout 2
5⤵
- Delays execution with timeout.exe
PID:1328

C:\Users\Admin\AppData\Roaming\dfgdfg.exe
dfgdfg.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Roaming\dfgdfg.dll f1 C:\Users\Admin\AppData\Roaming\dfgdfg.exe@644
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Roaming\dfgdfg.dll,f0
5⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:672

C:\Users\Admin\AppData\Roaming\trhgdf.exe
trhgdf.exe
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\rgntwwkuijub & timeout 2 & del /f /q "C:\Users\Admin\AppData\Roaming\trhgdf.exe"
4⤵
PID:1272

C:\Windows\SysWOW64\timeout.exe
timeout 2
5⤵
- Delays execution with timeout.exe
PID:1544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\rgntwwkuijub & timeout 2 & del /f /q "C:\Users\Admin\AppData\Roaming\trhgdf.exe"
4⤵
PID:1440

C:\Windows\SysWOW64\timeout.exe
timeout 2
5⤵
- Delays execution with timeout.exe
PID:1656

C:\Users\Admin\AppData\Roaming\rthgf.exe
rthgf.exe
3⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
PID:1816

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:1636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\VXPi5wxqfVJv\1723651.txt
MD5
550cc6486c1ac1d65c8f1b14517a8294

SHA1
6f7b60b1f5b90ac815ab56c78cd7a5de05311fe1

SHA256
176bf49d4a7f854a30e1fb19acc33650ad5531a95bba23a9b7108b0129d15e9b

SHA512
eb29aefebe6d2ce5d06082c9ea8750de5cf5141e51ecc39457362bd4e8c1ec0313801f805b8b7ef6eaaf24d3e6b5d3ed2912216728ed5308165c00b17dc6f726

Download Submit
C:\ProgramData\VXPi5wxqfVJv\435612~1.TXT
MD5
b8e5d6b80acdf20cc06d7382396b077c

SHA1
b4da897d5852d64708f5876fc8c634f816afcdcd

SHA256
4a53fb1eaa27664d8c0b93da6d87ae601e8c0fdc11af8571bc31ae7c31d18662

SHA512
3122641ebbc91e45eaca1fdd9cc2949ab003c24b29169e3b1aeac1a1298019e7565f7242928d5bbf7ca8df15d0cdc5024be518f8cddd03c51edab82cc6d866a6

Download Submit
C:\ProgramData\VXPi5wxqfVJv\Files\COOKIE~1.TXT
MD5
ecaa88f7fa0bf610a5a26cf545dcd3aa

SHA1
57218c316b6921e2cd61027a2387edc31a2d9471

SHA256
f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

SHA512
37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

Download Submit
C:\ProgramData\VXPi5wxqfVJv\Files\Cookies\MOZILL~1.TXT
MD5
ecaa88f7fa0bf610a5a26cf545dcd3aa

SHA1
57218c316b6921e2cd61027a2387edc31a2d9471

SHA256
f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

SHA512
37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

Download Submit
C:\ProgramData\VXPi5wxqfVJv\Files\INFORM~1.TXT
MD5
96324364189d55e816edf8cc330f2bbe

SHA1
2fa9d188e7de5af2373dddf09dd66cd674c776f0

SHA256
27cbf0f207c6c81e597db4c76bccb2a5cd29b26a5f5429e446100f73303b162e

SHA512
07a41f9b0dec87837566c142632231f53816652c0bf480d5c4d331c7b054da8b9bf4443312a449c624833ce32635bfdf58b42cf7cd1053727231f2efb7fd754e

Download Submit
C:\ProgramData\VXPi5wxqfVJv\Files\SCREEN~1.JPG
MD5
aa4d0915b31d8ae39fe516477699c73f

SHA1
da726ff5e9fc22c827112510d8f5c51e156348a5

SHA256
f4c8d86f16a20a6ae57d9aa7309a6eb40f877a5eedf5f84ad50494a64a8d68d5

SHA512
030b804f2eda0fe6dc585ec04b1f10fd84701c442e662cce473c36dfb2b9ecba8d7e1492151a0f48e65b3ac160e358371df5585dccb7ba1baf130eb89de92311

Download Submit
C:\ProgramData\VXPi5wxqfVJv\MOZ_CO~1.DB
MD5
89d4b62651fa5c864b12f3ea6b1521cb

SHA1
570d48367b6b66ade9900a9f22d67d67a8fb2081

SHA256
22f1159db346d2cc8f4fa544796cc9d243a5737110a17d8e3755a2448404ce70

SHA512
e6d3109c5e2aef98a63f42eebe3b10feedb1a8c81d7823380553f84d2d6585f328c18f02e72c3e5c98ace7ffedfb6214a4ea6c87e85cefceada8e630f8df61ff

Download Submit
C:\ProgramData\VXPi5wxqfVJv\NL___2~1.ZIP
MD5
3f3092b345d93c90fc15733b0aa2fde2

SHA1
b082c8702f7a5f9c0b544aea60cb23ef832d0669

SHA256
1f443f52f307813c62ca9e977f7182eabb0e26aa71b142f9b8be22cbb0a9f9b0

SHA512
86aacd158b4f4c73f9b3c69b394afdb6561a33f65af887b4cefab8a9f859ac454c6e3927f475d950ca1412d1add4ecd790c3ece76b6ef2c6b5a60bbf247dffa6

Download Submit
C:\ProgramData\kAlHMqh4\TFRYAH~1.ZIP
MD5
f92d28dc66f50f6da1d4b10035453684

SHA1
fa7cdff024cb0484d8e77c0a6170b8e7d1f95304

SHA256
a778d7907f01d8fc786d3c04d9c3d5f994f5573cae7e61af1f258521d102a2fb

SHA512
9af2dcfc99679e216a7f6329cf4880854dcb98264dd1de86dcac2c791d09a84faaaf94705c6c6de8bc4f8267abe5a7f75bdc9c24e074e0338db93b6ed31d0fae

Download Submit
C:\ProgramData\kAlHMqh4\_Files\_INFOR~1.TXT
MD5
797d51c91f22be0d224aa906b2623a17

SHA1
d934fc74b46cda76d5b0ca5c4675d2e3bf7a6dcc

SHA256
9a633aafa558a0f5040179daeb9e35a9d201992ac918f8a06ee259cd6876af68

SHA512
688db811bdbee5667023394fb04158ebee4a447ff5d58461102adbcb50af9fee001caac01df811110776468f12355039f4508051e7051e914944886eadfc832c

Download Submit
C:\ProgramData\kAlHMqh4\_Files\_SCREE~1.JPE
MD5
af96502087469077263ad0b6e78861a8

SHA1
ade328c5b311fc4912b27eaa8dec4ca703115e9e

SHA256
fe0f7f86395d83371b3d5161ba257a291b0e79752cc923706f28e2bf475ee19f

SHA512
1f7cedbe7f6d9dd7ff9aba9d7ab57ecb5cb3200015d252da3c995e48e29e30458e3210f152ba80134fcf04b873afd4d3c28de2f7759d090743438b569438e8d5

Download Submit
C:\ProgramData\rgntwwkuijub\46173476.txt
MD5
005f70f7040289d50a14db2128d7cdf3

SHA1
7cbc75bcb838f507021a480b556afa430f4987df

SHA256
3c5dd6c05fa0009d238cee780a9dbb1bfe86ec46e663f281bffa537a583c2596

SHA512
0b0c69897eca61a2b3e06c07cba26cdd873284e4422e2f8fe9557a720275ba97e84388d7b01679a8163d09fdfd3623c2bd5e291261cab7b64a5af7ca8e897cc9

Download Submit
C:\ProgramData\rgntwwkuijub\8372422.txt
MD5
550cc6486c1ac1d65c8f1b14517a8294

SHA1
6f7b60b1f5b90ac815ab56c78cd7a5de05311fe1

SHA256
176bf49d4a7f854a30e1fb19acc33650ad5531a95bba23a9b7108b0129d15e9b

SHA512
eb29aefebe6d2ce5d06082c9ea8750de5cf5141e51ecc39457362bd4e8c1ec0313801f805b8b7ef6eaaf24d3e6b5d3ed2912216728ed5308165c00b17dc6f726

Download Submit
C:\ProgramData\rgntwwkuijub\Files\_INFOR~1.TXT
MD5
fffc98b9ca7f694c12310a92ca008a43

SHA1
645d30dda18fba634f7422b388dba1b73a6bff91

SHA256
bedf12d70311aedafbb0ff6eca874592f23a4fec3bdc60c67d50068aad114e25

SHA512
d79760fc6f8af5cfdbcd24b6f7e2f408efd65baa1b8c2385c2f5de83bcf835581193ed2bc4337628ce23963ba104ceb4427cb1b2e8770d99c1afc4867b3d1cd5

Download Submit
C:\ProgramData\rgntwwkuijub\NL_202~1.ZIP
MD5
eb2e2366eccf9e1153fe93594b0abbab

SHA1
c786fda00b296dc3cd076617e4bbbe0caf0f85f7

SHA256
d1868d5ce46449c99575386f8161f47e8181412ac572dc0a767b50d9605d9862

SHA512
7929d2d15373447f0e7da7ca0189e8f04fd2c93e14d17700c92a9cbe121c7f8589dffe075adeeb23264cb4970cd75415138f2a502b5a6bf4fb48ccdcd62dd014

Download Submit
C:\ProgramData\sde\1_protected.exe
MD5
3752f4636ff709f8c54fe404e206b296

SHA1
da3f986927d3e6b2851848516f7e9074117e6186

SHA256
24efd97ca09841327e297a04da88301a5c99b89f07a79c92b75c7eafdde2f72b

SHA512
7e67308b721c4359f10b11507cb528a0309f48d04265ab430e86c6a428602901d1c49c9b96beb9dcaf7293ffb36b1cd6a63078c10f661c2b704c1cdfb10cf7ab

Download Submit
C:\ProgramData\sde\1_protected.exe
MD5
3752f4636ff709f8c54fe404e206b296

SHA1
da3f986927d3e6b2851848516f7e9074117e6186

SHA256
24efd97ca09841327e297a04da88301a5c99b89f07a79c92b75c7eafdde2f72b

SHA512
7e67308b721c4359f10b11507cb528a0309f48d04265ab430e86c6a428602901d1c49c9b96beb9dcaf7293ffb36b1cd6a63078c10f661c2b704c1cdfb10cf7ab

Download Submit
C:\ProgramData\sde\2_protected.exe
MD5
faf5882cc5f51c2c9d17a7b6bfdb2214

SHA1
d020ed9432211a772f9216677807568bf72757ce

SHA256
db3abc3b678697579ce46af4041abb675c03bd16e78806f02e9e76e3ab9a224f

SHA512
8d049aaa4608a5703b88cc87e3b064ea662649e1a3a1f8c9752027d39cb49c6b558a50732b9f778edfa7bd229757f4ad36fe9612425ff403d9433285ccde9af1

Download Submit
C:\ProgramData\sde\2_protected.exe
MD5
faf5882cc5f51c2c9d17a7b6bfdb2214

SHA1
d020ed9432211a772f9216677807568bf72757ce

SHA256
db3abc3b678697579ce46af4041abb675c03bd16e78806f02e9e76e3ab9a224f

SHA512
8d049aaa4608a5703b88cc87e3b064ea662649e1a3a1f8c9752027d39cb49c6b558a50732b9f778edfa7bd229757f4ad36fe9612425ff403d9433285ccde9af1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
a6ae1529822f87a98b1c36a59381c88b

SHA1
f5275f395bf562cc2724b88138601f3ca727b198

SHA256
d12dd18018f984aaa88f7611d4f93314a5625e4a9fc0f78bc207bdd53bb8a799

SHA512
6b9c5aa26d04e8d5cfabfd02eff6d6d69f70dd800a0d209e0c14785cc5b16a86266ab1e3c49053d43231d16c524da63443cb019cf88c882ebbf82338af70b579

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
06815d0cc90aced287b11c8f486eefe4

SHA1
32eed814f44b927b1ce94a31ff5243a5738fa915

SHA256
5f584a216f73448fdc6a131e27f0200898a1726eacdfbc5eea2d25c0289086ea

SHA512
f61a2e06a6a50ae7e9faa43683e644e6501c598a41a74c6b15f8df83902b2a828792e9202baa1ed62d3bb7acac3be3fd008b536010ae99ce6acc12213663561c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G6PZ2T8A\line[1].txt
MD5
550cc6486c1ac1d65c8f1b14517a8294

SHA1
6f7b60b1f5b90ac815ab56c78cd7a5de05311fe1

SHA256
176bf49d4a7f854a30e1fb19acc33650ad5531a95bba23a9b7108b0129d15e9b

SHA512
eb29aefebe6d2ce5d06082c9ea8750de5cf5141e51ecc39457362bd4e8c1ec0313801f805b8b7ef6eaaf24d3e6b5d3ed2912216728ed5308165c00b17dc6f726

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
6a243284c22977437ee1937367fabce8

SHA1
e1d2dcfcc243ab3b6c998990ef0d2859a05dac2c

SHA256
4b3ceae68f6d8a8ec7ecf95684491bb867cc3fc23cde3d7225da1d94bbcf7342

SHA512
24d5100607aa211b86056e61e528fa24c76a839746b2b1698bcb1dcae1c2c185ed6b807461c5ecaf49a3a8200fe8450722a250fe26cb5352de8e0c78fbb8b3f1

Download Submit
C:\Users\Admin\AppData\Roaming\dfgdfg.dll
MD5
659d88b593d74a9349d410046689d8e5

SHA1
0467f5ba5f21ac6ac618a7ac3a24e14cc99eef2e

SHA256
fa23608138a370733034d40cdf40f994834a78ccd4bd8e69341d40963e2a270f

SHA512
e09168b9ca47a60748c026f015b66464a53bcf09e43153c50ad6ea7b687964c01cb52b01d47b0864ac35af662dda721dd98ed925e1817f75a88f2012241531cc

Download Submit
C:\Users\Admin\AppData\Roaming\dfgdfg.exe
MD5
e68f382d32ecf93ddb5b76179fd9d42f

SHA1
4a6f15366f6c35e530d3e71136ddcb3efab838aa

SHA256
cd38d232ca87e0f0cda669f8840e06163a4786119edd28f0164a85fd77b16498

SHA512
6007220d7fda5d88862197d2dbb4ec45598756933bff782f821c6a5e0757452a323be3df7d68eb0fbfee2aaf2f1b1c808b2bb7cc482e2a6aec14f0f31b2196d9

Download Submit
C:\Users\Admin\AppData\Roaming\indepoped\test.exe
MD5
0edb4d751ca93495901b5367a0546ae7

SHA1
147b2a2f9e3d6b82dfdb56554e6032d11e141e1b

SHA256
b4a6db1ed343e961dd9a012fcf724bc0b6e7774c3d107907b538a4beb20f6753

SHA512
2ee862023f9cd8d0820db63e0720b3debf1cad4ba99756c4c0f774768efb8901e537ef9d6e19df497cc1cf4f18063f652f9f0a514f0232d778d31ebee846862a

Download Submit
C:\Users\Admin\AppData\Roaming\rthgf.exe
MD5
6a243284c22977437ee1937367fabce8

SHA1
e1d2dcfcc243ab3b6c998990ef0d2859a05dac2c

SHA256
4b3ceae68f6d8a8ec7ecf95684491bb867cc3fc23cde3d7225da1d94bbcf7342

SHA512
24d5100607aa211b86056e61e528fa24c76a839746b2b1698bcb1dcae1c2c185ed6b807461c5ecaf49a3a8200fe8450722a250fe26cb5352de8e0c78fbb8b3f1

Download Submit
C:\Users\Admin\AppData\Roaming\rthgf.exe
MD5
6a243284c22977437ee1937367fabce8

SHA1
e1d2dcfcc243ab3b6c998990ef0d2859a05dac2c

SHA256
4b3ceae68f6d8a8ec7ecf95684491bb867cc3fc23cde3d7225da1d94bbcf7342

SHA512
24d5100607aa211b86056e61e528fa24c76a839746b2b1698bcb1dcae1c2c185ed6b807461c5ecaf49a3a8200fe8450722a250fe26cb5352de8e0c78fbb8b3f1

Download Submit
C:\Users\Admin\AppData\Roaming\trhgdf.exe
MD5
5962593fc72416f6482a40902f5a0364

SHA1
95cbfd8528c48815fe940ca6d34a6b9caf9d947c

SHA256
d9847357c2a4b36382ca602a855d6f75e5b5784d25a72511bdfbf9682900ef60

SHA512
5afedd73b5cef29214e8eb69970c76e847565a98733fcab0ed7d7fdf6c3483074a65f04f319b60dbe732bf164ef937d082c3776cf47158d7abe20efc9fc2f5e0

Download Submit
\??\c:\users\admin\appdata\roaming\trhgdf.exe
MD5
5962593fc72416f6482a40902f5a0364

SHA1
95cbfd8528c48815fe940ca6d34a6b9caf9d947c

SHA256
d9847357c2a4b36382ca602a855d6f75e5b5784d25a72511bdfbf9682900ef60

SHA512
5afedd73b5cef29214e8eb69970c76e847565a98733fcab0ed7d7fdf6c3483074a65f04f319b60dbe732bf164ef937d082c3776cf47158d7abe20efc9fc2f5e0

Download Submit
\ProgramData\sde\1_protected.exe
MD5
3752f4636ff709f8c54fe404e206b296

SHA1
da3f986927d3e6b2851848516f7e9074117e6186

SHA256
24efd97ca09841327e297a04da88301a5c99b89f07a79c92b75c7eafdde2f72b

SHA512
7e67308b721c4359f10b11507cb528a0309f48d04265ab430e86c6a428602901d1c49c9b96beb9dcaf7293ffb36b1cd6a63078c10f661c2b704c1cdfb10cf7ab

Download Submit
\ProgramData\sde\1_protected.exe
MD5
3752f4636ff709f8c54fe404e206b296

SHA1
da3f986927d3e6b2851848516f7e9074117e6186

SHA256
24efd97ca09841327e297a04da88301a5c99b89f07a79c92b75c7eafdde2f72b

SHA512
7e67308b721c4359f10b11507cb528a0309f48d04265ab430e86c6a428602901d1c49c9b96beb9dcaf7293ffb36b1cd6a63078c10f661c2b704c1cdfb10cf7ab

Download Submit
\ProgramData\sde\2_protected.exe
MD5
faf5882cc5f51c2c9d17a7b6bfdb2214

SHA1
d020ed9432211a772f9216677807568bf72757ce

SHA256
db3abc3b678697579ce46af4041abb675c03bd16e78806f02e9e76e3ab9a224f

SHA512
8d049aaa4608a5703b88cc87e3b064ea662649e1a3a1f8c9752027d39cb49c6b558a50732b9f778edfa7bd229757f4ad36fe9612425ff403d9433285ccde9af1

Download Submit
\ProgramData\sde\2_protected.exe
MD5
faf5882cc5f51c2c9d17a7b6bfdb2214

SHA1
d020ed9432211a772f9216677807568bf72757ce

SHA256
db3abc3b678697579ce46af4041abb675c03bd16e78806f02e9e76e3ab9a224f

SHA512
8d049aaa4608a5703b88cc87e3b064ea662649e1a3a1f8c9752027d39cb49c6b558a50732b9f778edfa7bd229757f4ad36fe9612425ff403d9433285ccde9af1

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
6a243284c22977437ee1937367fabce8

SHA1
e1d2dcfcc243ab3b6c998990ef0d2859a05dac2c

SHA256
4b3ceae68f6d8a8ec7ecf95684491bb867cc3fc23cde3d7225da1d94bbcf7342

SHA512
24d5100607aa211b86056e61e528fa24c76a839746b2b1698bcb1dcae1c2c185ed6b807461c5ecaf49a3a8200fe8450722a250fe26cb5352de8e0c78fbb8b3f1

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
6a243284c22977437ee1937367fabce8

SHA1
e1d2dcfcc243ab3b6c998990ef0d2859a05dac2c

SHA256
4b3ceae68f6d8a8ec7ecf95684491bb867cc3fc23cde3d7225da1d94bbcf7342

SHA512
24d5100607aa211b86056e61e528fa24c76a839746b2b1698bcb1dcae1c2c185ed6b807461c5ecaf49a3a8200fe8450722a250fe26cb5352de8e0c78fbb8b3f1

Download Submit
\Users\Admin\AppData\Roaming\dfgdfg.dll
MD5
659d88b593d74a9349d410046689d8e5

SHA1
0467f5ba5f21ac6ac618a7ac3a24e14cc99eef2e

SHA256
fa23608138a370733034d40cdf40f994834a78ccd4bd8e69341d40963e2a270f

SHA512
e09168b9ca47a60748c026f015b66464a53bcf09e43153c50ad6ea7b687964c01cb52b01d47b0864ac35af662dda721dd98ed925e1817f75a88f2012241531cc

Download Submit
\Users\Admin\AppData\Roaming\dfgdfg.dll
MD5
659d88b593d74a9349d410046689d8e5

SHA1
0467f5ba5f21ac6ac618a7ac3a24e14cc99eef2e

SHA256
fa23608138a370733034d40cdf40f994834a78ccd4bd8e69341d40963e2a270f

SHA512
e09168b9ca47a60748c026f015b66464a53bcf09e43153c50ad6ea7b687964c01cb52b01d47b0864ac35af662dda721dd98ed925e1817f75a88f2012241531cc

Download Submit
\Users\Admin\AppData\Roaming\dfgdfg.dll
MD5
659d88b593d74a9349d410046689d8e5

SHA1
0467f5ba5f21ac6ac618a7ac3a24e14cc99eef2e

SHA256
fa23608138a370733034d40cdf40f994834a78ccd4bd8e69341d40963e2a270f

SHA512
e09168b9ca47a60748c026f015b66464a53bcf09e43153c50ad6ea7b687964c01cb52b01d47b0864ac35af662dda721dd98ed925e1817f75a88f2012241531cc

Download Submit
\Users\Admin\AppData\Roaming\dfgdfg.dll
MD5
659d88b593d74a9349d410046689d8e5

SHA1
0467f5ba5f21ac6ac618a7ac3a24e14cc99eef2e

SHA256
fa23608138a370733034d40cdf40f994834a78ccd4bd8e69341d40963e2a270f

SHA512
e09168b9ca47a60748c026f015b66464a53bcf09e43153c50ad6ea7b687964c01cb52b01d47b0864ac35af662dda721dd98ed925e1817f75a88f2012241531cc

Download Submit
\Users\Admin\AppData\Roaming\dfgdfg.dll
MD5
659d88b593d74a9349d410046689d8e5

SHA1
0467f5ba5f21ac6ac618a7ac3a24e14cc99eef2e

SHA256
fa23608138a370733034d40cdf40f994834a78ccd4bd8e69341d40963e2a270f

SHA512
e09168b9ca47a60748c026f015b66464a53bcf09e43153c50ad6ea7b687964c01cb52b01d47b0864ac35af662dda721dd98ed925e1817f75a88f2012241531cc

Download Submit
\Users\Admin\AppData\Roaming\dfgdfg.exe
MD5
e68f382d32ecf93ddb5b76179fd9d42f

SHA1
4a6f15366f6c35e530d3e71136ddcb3efab838aa

SHA256
cd38d232ca87e0f0cda669f8840e06163a4786119edd28f0164a85fd77b16498

SHA512
6007220d7fda5d88862197d2dbb4ec45598756933bff782f821c6a5e0757452a323be3df7d68eb0fbfee2aaf2f1b1c808b2bb7cc482e2a6aec14f0f31b2196d9

Download Submit
\Users\Admin\AppData\Roaming\dfgdfg.exe
MD5
e68f382d32ecf93ddb5b76179fd9d42f

SHA1
4a6f15366f6c35e530d3e71136ddcb3efab838aa

SHA256
cd38d232ca87e0f0cda669f8840e06163a4786119edd28f0164a85fd77b16498

SHA512
6007220d7fda5d88862197d2dbb4ec45598756933bff782f821c6a5e0757452a323be3df7d68eb0fbfee2aaf2f1b1c808b2bb7cc482e2a6aec14f0f31b2196d9

Download Submit
\Users\Admin\AppData\Roaming\indepoped\test.exe
MD5
0edb4d751ca93495901b5367a0546ae7

SHA1
147b2a2f9e3d6b82dfdb56554e6032d11e141e1b

SHA256
b4a6db1ed343e961dd9a012fcf724bc0b6e7774c3d107907b538a4beb20f6753

SHA512
2ee862023f9cd8d0820db63e0720b3debf1cad4ba99756c4c0f774768efb8901e537ef9d6e19df497cc1cf4f18063f652f9f0a514f0232d778d31ebee846862a

Download Submit
\Users\Admin\AppData\Roaming\rthgf.exe
MD5
6a243284c22977437ee1937367fabce8

SHA1
e1d2dcfcc243ab3b6c998990ef0d2859a05dac2c

SHA256
4b3ceae68f6d8a8ec7ecf95684491bb867cc3fc23cde3d7225da1d94bbcf7342

SHA512
24d5100607aa211b86056e61e528fa24c76a839746b2b1698bcb1dcae1c2c185ed6b807461c5ecaf49a3a8200fe8450722a250fe26cb5352de8e0c78fbb8b3f1

Download Submit
\Users\Admin\AppData\Roaming\trhgdf.exe
MD5
5962593fc72416f6482a40902f5a0364

SHA1
95cbfd8528c48815fe940ca6d34a6b9caf9d947c

SHA256
d9847357c2a4b36382ca602a855d6f75e5b5784d25a72511bdfbf9682900ef60

SHA512
5afedd73b5cef29214e8eb69970c76e847565a98733fcab0ed7d7fdf6c3483074a65f04f319b60dbe732bf164ef937d082c3776cf47158d7abe20efc9fc2f5e0

Download Submit
memory/644-25-0x0000000000000000-mapping.dmp

Download
memory/644-60-0x0000000000000000-mapping.dmp

Download
memory/644-27-0x0000000002090000-0x0000000002307000-memory.dmp

Filesize
2.5MB

Download
memory/644-28-0x0000000002310000-0x0000000002321000-memory.dmp

Filesize
68KB

Download
memory/672-32-0x0000000000000000-mapping.dmp

Download
memory/1132-42-0x0000000003D60000-0x0000000003D71000-memory.dmp

Filesize
68KB

Download
memory/1132-41-0x00000000039F0000-0x0000000003A01000-memory.dmp

Filesize
68KB

Download
memory/1132-38-0x0000000000000000-mapping.dmp

Download
memory/1244-50-0x0000000000000000-mapping.dmp

Download
memory/1272-48-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1272-51-0x0000000000000000-mapping.dmp

Download
memory/1272-49-0x0000000000000000-mapping.dmp

Download
memory/1328-19-0x0000000000000000-mapping.dmp

Download
memory/1344-7-0x0000000000000000-mapping.dmp

Download
memory/1424-29-0x0000000000000000-mapping.dmp

Download
memory/1436-1-0x0000000000000000-mapping.dmp

Download
memory/1436-4-0x00000000091C0000-0x00000000091D1000-memory.dmp

Filesize
68KB

Download
memory/1436-3-0x0000000008DB0000-0x0000000008DC1000-memory.dmp

Filesize
68KB

Download
memory/1440-74-0x0000000000000000-mapping.dmp

Download
memory/1440-69-0x0000000000000000-mapping.dmp

Download
memory/1544-70-0x0000000000000000-mapping.dmp

Download
memory/1544-68-0x0000000000000000-mapping.dmp

Download
memory/1636-73-0x0000000000000000-mapping.dmp

Download
memory/1656-77-0x0000000000000000-mapping.dmp

Download
memory/1656-78-0x0000000000000000-mapping.dmp

Download
memory/1796-15-0x0000000000000000-mapping.dmp

Download
memory/1816-45-0x0000000000000000-mapping.dmp

Download
memory/2008-11-0x0000000000000000-mapping.dmp

Download
memory/2008-14-0x0000000004CB0000-0x0000000004CC1000-memory.dmp

Filesize
68KB

Download
memory/2008-13-0x00000000048A0000-0x00000000048B1000-memory.dmp

Filesize
68KB

Download