Vr.rar

General
Target

0x000300000001ac9e-134.exe

Filesize

311KB

Completed

25-11-2020 10:47

Score
10 /10
MD5

fdde60834af109d71f4c7d28b865c8a1

SHA1

4f721105161b74e07b5ccd762d32932989bfb03a

SHA256

b0296c0000c40d59a268b223015872d7e57c427358b5e95d1bd6e4ac40dd0f87

Malware Config

Extracted

Family smokeloader
Version 2019
C2

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/

http://10022020test61-service1002012510022020.website/

http://10022020test51-service1002012510022020.xyz/

http://10022020test41-service100201pro2510022020.ru/

http://10022020yest31-service100201rus2510022020.ru/

http://10022020rest21-service1002012510022020.eu/

http://10022020test11-service1002012510022020.press/

http://10022020newfolder4561-service1002012510022020.ru/

http://10022020rustest213-service1002012510022020.ru/

http://10022020test281-service1002012510022020.ru/

http://10022020test261-service1002012510022020.space/

http://10022020yomtest251-service1002012510022020.ru/

http://10022020yirtest231-service1002012510022020.ru/
rc4.i32
rc4.i32
Signatures 28

Filter: none

Collection
Credential Access
Defense Evasion
Discovery
Persistence
  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    Tags

  • Raccoon

    Description

    Simple but powerful infostealer which was very active in 2019.

    Tags

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Suspicious use of NtCreateProcessExOtherParentProcess
    WerFault.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 2420 created 27562420WerFault.exeExplorer.EXE
  • AgentTesla Payload

    Tags

    Reported IOCs

    resourceyara_rule
    behavioral24/memory/1700-34-0x00000000066B0000-0x00000000066D4000-memory.dmpagent_tesla
    behavioral24/memory/1700-36-0x0000000008C90000-0x0000000008CB2000-memory.dmpagent_tesla
  • Executes dropped EXE
    fcrcjcffcrcjcfE88C.tmp.exeEB1D.tmp.exeEE7A.tmp.exe

    Reported IOCs

    pidprocess
    3372fcrcjcf
    1540fcrcjcf
    2060E88C.tmp.exe
    4056EB1D.tmp.exe
    1700EE7A.tmp.exe
  • Modifies Installed Components in the registry

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry
  • Deletes itself
    Explorer.EXE

    Reported IOCs

    pidprocess
    2756Explorer.EXE
  • Loads dropped DLL
    0x000300000001ac9e-134.exeEB1D.tmp.exe

    Reported IOCs

    pidprocess
    40440x000300000001ac9e-134.exe
    4056EB1D.tmp.exe
    4056EB1D.tmp.exe
    4056EB1D.tmp.exe
    4056EB1D.tmp.exe
    4056EB1D.tmp.exe
    4056EB1D.tmp.exe
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Enumerates connected drives
    explorer.exe

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query RegistryPeripheral Device DiscoverySystem Information Discovery

    Reported IOCs

    descriptioniocprocess
    File opened (read-only)\??\D:explorer.exe
  • JavaScript code in executable

    Reported IOCs

    resourceyara_rule
    behavioral24/files/0x000100000001ab8a-41.datjs
  • Suspicious use of SetThreadContext
    0x000300000001ac9e-134.exefcrcjcf

    Reported IOCs

    descriptionpidprocesstarget process
    PID 4076 set thread context of 404440760x000300000001ac9e-134.exe0x000300000001ac9e-134.exe
    PID 3372 set thread context of 15403372fcrcjcffcrcjcf
  • Program crash
    WerFault.exe

    Reported IOCs

    pidpid_targetprocesstarget process
    24202756WerFault.exeExplorer.EXE
  • Checks SCSI registry key(s)
    0x000300000001ac9e-134.exeexplorer.exe

    Description

    SCSI information is often read in order to detect sandboxing environments.

    TTPs

    Query RegistryPeripheral Device DiscoverySystem Information Discovery

    Reported IOCs

    descriptioniocprocess
    Key queried\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI0x000300000001ac9e-134.exe
    Key value queried\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareIDexplorer.exe
    Key value queried\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareIDexplorer.exe
    Key value queried\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlagsexplorer.exe
    Key opened\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003explorer.exe
    Key opened\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064explorer.exe
    Key value queried\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilitiesexplorer.exe
    Key value queried\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlagsexplorer.exe
    Key opened\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003explorer.exe
    Key opened\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI0x000300000001ac9e-134.exe
    Key value queried\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilitiesexplorer.exe
    Key enumerated\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI0x000300000001ac9e-134.exe
    Key opened\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000explorer.exe
    Key opened\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000explorer.exe
    Key opened\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064explorer.exe
  • Enumerates system info in registry
    SearchUI.exe

    TTPs

    Query RegistrySystem Information Discovery

    Reported IOCs

    descriptioniocprocess
    Key opened\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOSSearchUI.exe
    Key value queried\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKUSearchUI.exe
  • Modifies Control Panel
    explorer.exeSearchUI.exeShellExperienceHost.exe

    Tags

    Reported IOCs

    descriptioniocprocess
    Key created\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Desktopexplorer.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Desktop\TranscodedImageCount = "1"explorer.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Desktop\LastUpdated = "4294967295"explorer.exe
    Key created\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\ColorsSearchUI.exe
    Key created\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\ColorsShellExperienceHost.exe
  • Modifies registry class
    SearchUI.exeexplorer.exe

    Reported IOCs

    descriptioniocprocess
    Set value (int)\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"SearchUI.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"SearchUI.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"SearchUI.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefixSearchUI.exe
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instanceexplorer.exe
    Key created\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorageSearchUI.exe
    Key created\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\TotalSearchUI.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"SearchUI.exe
    Key created\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageStateSearchUI.exe
    Key created\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortanaSearchUI.exe
    Key created\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shellexplorer.exe
    Key created\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRUexplorer.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"SearchUI.exe
    Key created\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotifyexplorer.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"SearchUI.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "132483821478966568"explorer.exe
    Set value (data)\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffffexplorer.exe
    Key created\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instanceexplorer.exe
    Key created\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortanaSearchUI.exe
    Key created\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\TotalSearchUI.exe
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instanceexplorer.exe
    Key created\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortanaSearchUI.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"SearchUI.exe
    Set value (data)\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e4070b004100720067006a006200650078000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000074ae2078e323294282c1e41cb67d5b9c00000000000000000000000020a281dc18c3d60100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e4070b004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c00000000000000000000000037c13fdb18c3d60100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e4070a004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc76000000000000000000000000a6fbb6b755add60100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e4070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e4070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000explorer.exe
    Key created\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settingsexplorer.exe
    Set value (data)\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02explorer.exe
    Key created\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortanaSearchUI.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"SearchUI.exe
    Key created\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorageSearchUI.exe
  • Suspicious behavior: EnumeratesProcesses
    Explorer.EXE

    Reported IOCs

    pidprocess
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
    2756Explorer.EXE
  • Suspicious behavior: MapViewOfSection
    0x000300000001ac9e-134.exe

    Reported IOCs

    pidprocess
    40440x000300000001ac9e-134.exe
  • Suspicious use of AdjustPrivilegeToken
    Explorer.EXEWerFault.exeexplorer.exeEE7A.tmp.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeShutdownPrivilege2756Explorer.EXE
    Token: SeCreatePagefilePrivilege2756Explorer.EXE
    Token: SeShutdownPrivilege2756Explorer.EXE
    Token: SeCreatePagefilePrivilege2756Explorer.EXE
    Token: SeShutdownPrivilege2756Explorer.EXE
    Token: SeCreatePagefilePrivilege2756Explorer.EXE
    Token: SeDebugPrivilege2420WerFault.exe
    Token: SeShutdownPrivilege2844explorer.exe
    Token: SeCreatePagefilePrivilege2844explorer.exe
    Token: SeShutdownPrivilege2844explorer.exe
    Token: SeCreatePagefilePrivilege2844explorer.exe
    Token: SeShutdownPrivilege2844explorer.exe
    Token: SeCreatePagefilePrivilege2844explorer.exe
    Token: SeShutdownPrivilege2844explorer.exe
    Token: SeCreatePagefilePrivilege2844explorer.exe
    Token: SeShutdownPrivilege2844explorer.exe
    Token: SeCreatePagefilePrivilege2844explorer.exe
    Token: SeShutdownPrivilege2844explorer.exe
    Token: SeCreatePagefilePrivilege2844explorer.exe
    Token: SeShutdownPrivilege2844explorer.exe
    Token: SeCreatePagefilePrivilege2844explorer.exe
    Token: SeShutdownPrivilege2844explorer.exe
    Token: SeCreatePagefilePrivilege2844explorer.exe
    Token: SeShutdownPrivilege2844explorer.exe
    Token: SeCreatePagefilePrivilege2844explorer.exe
    Token: SeShutdownPrivilege2844explorer.exe
    Token: SeCreatePagefilePrivilege2844explorer.exe
    Token: SeShutdownPrivilege2844explorer.exe
    Token: SeCreatePagefilePrivilege2844explorer.exe
    Token: SeShutdownPrivilege2844explorer.exe
    Token: SeCreatePagefilePrivilege2844explorer.exe
    Token: SeShutdownPrivilege2844explorer.exe
    Token: SeCreatePagefilePrivilege2844explorer.exe
    Token: SeShutdownPrivilege2844explorer.exe
    Token: SeCreatePagefilePrivilege2844explorer.exe
    Token: SeShutdownPrivilege2844explorer.exe
    Token: SeCreatePagefilePrivilege2844explorer.exe
    Token: SeShutdownPrivilege2844explorer.exe
    Token: SeCreatePagefilePrivilege2844explorer.exe
    Token: SeShutdownPrivilege2844explorer.exe
    Token: SeCreatePagefilePrivilege2844explorer.exe
    Token: SeShutdownPrivilege2844explorer.exe
    Token: SeCreatePagefilePrivilege2844explorer.exe
    Token: SeShutdownPrivilege2844explorer.exe
    Token: SeCreatePagefilePrivilege2844explorer.exe
    Token: SeShutdownPrivilege2844explorer.exe
    Token: SeCreatePagefilePrivilege2844explorer.exe
    Token: SeShutdownPrivilege2844explorer.exe
    Token: SeCreatePagefilePrivilege2844explorer.exe
    Token: SeShutdownPrivilege2844explorer.exe
    Token: SeCreatePagefilePrivilege2844explorer.exe
    Token: SeShutdownPrivilege2844explorer.exe
    Token: SeCreatePagefilePrivilege2844explorer.exe
    Token: SeShutdownPrivilege2844explorer.exe
    Token: SeCreatePagefilePrivilege2844explorer.exe
    Token: SeShutdownPrivilege2844explorer.exe
    Token: SeCreatePagefilePrivilege2844explorer.exe
    Token: SeShutdownPrivilege2844explorer.exe
    Token: SeCreatePagefilePrivilege2844explorer.exe
    Token: SeShutdownPrivilege2844explorer.exe
    Token: SeCreatePagefilePrivilege2844explorer.exe
    Token: SeDebugPrivilege1700EE7A.tmp.exe
    Token: SeShutdownPrivilege2844explorer.exe
    Token: SeCreatePagefilePrivilege2844explorer.exe
  • Suspicious use of FindShellTrayWindow
    explorer.exe

    Reported IOCs

    pidprocess
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
  • Suspicious use of SendNotifyMessage
    explorer.exe

    Reported IOCs

    pidprocess
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
    2844explorer.exe
  • Suspicious use of SetWindowsHookEx
    E88C.tmp.exeShellExperienceHost.exeSearchUI.exe

    Reported IOCs

    pidprocess
    2060E88C.tmp.exe
    2680ShellExperienceHost.exe
    2460SearchUI.exe
    2680ShellExperienceHost.exe
  • Suspicious use of UnmapMainImage
    Explorer.EXE

    Reported IOCs

    pidprocess
    2756Explorer.EXE
  • Suspicious use of WriteProcessMemory
    0x000300000001ac9e-134.exefcrcjcfExplorer.EXE

    Reported IOCs

    descriptionpidprocesstarget process
    PID 4076 wrote to memory of 404440760x000300000001ac9e-134.exe0x000300000001ac9e-134.exe
    PID 4076 wrote to memory of 404440760x000300000001ac9e-134.exe0x000300000001ac9e-134.exe
    PID 4076 wrote to memory of 404440760x000300000001ac9e-134.exe0x000300000001ac9e-134.exe
    PID 4076 wrote to memory of 404440760x000300000001ac9e-134.exe0x000300000001ac9e-134.exe
    PID 4076 wrote to memory of 404440760x000300000001ac9e-134.exe0x000300000001ac9e-134.exe
    PID 4076 wrote to memory of 404440760x000300000001ac9e-134.exe0x000300000001ac9e-134.exe
    PID 3372 wrote to memory of 15403372fcrcjcffcrcjcf
    PID 3372 wrote to memory of 15403372fcrcjcffcrcjcf
    PID 3372 wrote to memory of 15403372fcrcjcffcrcjcf
    PID 3372 wrote to memory of 15403372fcrcjcffcrcjcf
    PID 3372 wrote to memory of 15403372fcrcjcffcrcjcf
    PID 3372 wrote to memory of 15403372fcrcjcffcrcjcf
    PID 2756 wrote to memory of 20602756Explorer.EXEE88C.tmp.exe
    PID 2756 wrote to memory of 20602756Explorer.EXEE88C.tmp.exe
    PID 2756 wrote to memory of 20602756Explorer.EXEE88C.tmp.exe
    PID 2756 wrote to memory of 40562756Explorer.EXEEB1D.tmp.exe
    PID 2756 wrote to memory of 40562756Explorer.EXEEB1D.tmp.exe
    PID 2756 wrote to memory of 40562756Explorer.EXEEB1D.tmp.exe
    PID 2756 wrote to memory of 17002756Explorer.EXEEE7A.tmp.exe
    PID 2756 wrote to memory of 17002756Explorer.EXEEE7A.tmp.exe
    PID 2756 wrote to memory of 17002756Explorer.EXEEE7A.tmp.exe
Processes 12
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    Deletes itself
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of UnmapMainImage
    Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Users\Admin\AppData\Local\Temp\0x000300000001ac9e-134.exe
      "C:\Users\Admin\AppData\Local\Temp\0x000300000001ac9e-134.exe"
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4076
      • C:\Users\Admin\AppData\Local\Temp\0x000300000001ac9e-134.exe
        "C:\Users\Admin\AppData\Local\Temp\0x000300000001ac9e-134.exe"
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        PID:4044
    • C:\Users\Admin\AppData\Local\Temp\E88C.tmp.exe
      C:\Users\Admin\AppData\Local\Temp\E88C.tmp.exe
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2060
    • C:\Users\Admin\AppData\Local\Temp\EB1D.tmp.exe
      C:\Users\Admin\AppData\Local\Temp\EB1D.tmp.exe
      Executes dropped EXE
      Loads dropped DLL
      PID:4056
    • C:\Users\Admin\AppData\Local\Temp\EE7A.tmp.exe
      C:\Users\Admin\AppData\Local\Temp\EE7A.tmp.exe
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1700
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2756 -s 2484
      Suspicious use of NtCreateProcessExOtherParentProcess
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:2420
  • C:\Users\Admin\AppData\Roaming\fcrcjcf
    C:\Users\Admin\AppData\Roaming\fcrcjcf
    Executes dropped EXE
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:3372
    • C:\Users\Admin\AppData\Roaming\fcrcjcf
      C:\Users\Admin\AppData\Roaming\fcrcjcf
      Executes dropped EXE
      PID:1540
  • C:\Windows\explorer.exe
    explorer.exe
    Enumerates connected drives
    Checks SCSI registry key(s)
    Modifies Control Panel
    Modifies registry class
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    PID:2844
  • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
    "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
    Modifies Control Panel
    Suspicious use of SetWindowsHookEx
    PID:2680
  • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    Enumerates system info in registry
    Modifies Control Panel
    Modifies registry class
    Suspicious use of SetWindowsHookEx
    PID:2460
Network
MITRE ATT&CK Matrix
Collection
Command and Control
    Credential Access
    Defense Evasion
    Discovery
    Execution
      Exfiltration
        Impact
          Initial Access
            Lateral Movement
              Persistence
              Privilege Escalation
                Replay Monitor
                00:00 00:00
                Downloads

                • C:\Users\Admin\AppData\Local\Temp\4DD3.tmp

                  MD5

                  50741b3f2d7debf5d2bed63d88404029

                  SHA1

                  56210388a627b926162b36967045be06ffb1aad3

                  SHA256

                  f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

                  SHA512

                  fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\E88C.tmp.exe

                  MD5

                  a69e12607d01237460808fa1709e5e86

                  SHA1

                  4a12f82aee1c90e70cdf6be863ce1a749c8ae411

                  SHA256

                  188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc

                  SHA512

                  7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\E88C.tmp.exe

                  MD5

                  a69e12607d01237460808fa1709e5e86

                  SHA1

                  4a12f82aee1c90e70cdf6be863ce1a749c8ae411

                  SHA256

                  188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc

                  SHA512

                  7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\EB1D.tmp.exe

                  MD5

                  4d58af2acb8147d09c1d1874860755e6

                  SHA1

                  04d466ae9c5bc0a8d6720b21447f056420c92bde

                  SHA256

                  e8012f7e8dcb980e8db82ac0158fb8f2be76388052ef74802e1bfae266d9b861

                  SHA512

                  e7b77629ad8299353e7698011c1fa04de9623897ad3aa2cd60e9125c68da0adf14911517ecf39f6f5396bf40792fa0ca14feef80ab4c8c722ce97db07e9574ad

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\EB1D.tmp.exe

                  MD5

                  4d58af2acb8147d09c1d1874860755e6

                  SHA1

                  04d466ae9c5bc0a8d6720b21447f056420c92bde

                  SHA256

                  e8012f7e8dcb980e8db82ac0158fb8f2be76388052ef74802e1bfae266d9b861

                  SHA512

                  e7b77629ad8299353e7698011c1fa04de9623897ad3aa2cd60e9125c68da0adf14911517ecf39f6f5396bf40792fa0ca14feef80ab4c8c722ce97db07e9574ad

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\EE7A.tmp.exe

                  MD5

                  f2b4b6c26a03a1be0c3b85c0482a8c30

                  SHA1

                  b39eabd2d680440847baf150d4c9423515fea7d5

                  SHA256

                  501614b9f1d98a5b2ca1b11b251c61e05f1225aa5a344788375df28812a6232f

                  SHA512

                  0e5fe73e6c981986df1299cf0dfa88cc3b78532b83d6b93e671487de67c5dea16724a882dd61a6208b78b866250d0dc5f2cad872b1b39942bf9fd15cd8c4a5b4

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\EE7A.tmp.exe

                  MD5

                  f2b4b6c26a03a1be0c3b85c0482a8c30

                  SHA1

                  b39eabd2d680440847baf150d4c9423515fea7d5

                  SHA256

                  501614b9f1d98a5b2ca1b11b251c61e05f1225aa5a344788375df28812a6232f

                  SHA512

                  0e5fe73e6c981986df1299cf0dfa88cc3b78532b83d6b93e671487de67c5dea16724a882dd61a6208b78b866250d0dc5f2cad872b1b39942bf9fd15cd8c4a5b4

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\fcrcjcf

                  MD5

                  fdde60834af109d71f4c7d28b865c8a1

                  SHA1

                  4f721105161b74e07b5ccd762d32932989bfb03a

                  SHA256

                  b0296c0000c40d59a268b223015872d7e57c427358b5e95d1bd6e4ac40dd0f87

                  SHA512

                  fecd130a4431fa81a1cf9be8019464b55bfb173dde91ced3a5828516bd51db509fd547c12dd483c00cdf5ade878ab542ffb6371238ccf960622bb464187b5778

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\fcrcjcf

                  MD5

                  fdde60834af109d71f4c7d28b865c8a1

                  SHA1

                  4f721105161b74e07b5ccd762d32932989bfb03a

                  SHA256

                  b0296c0000c40d59a268b223015872d7e57c427358b5e95d1bd6e4ac40dd0f87

                  SHA512

                  fecd130a4431fa81a1cf9be8019464b55bfb173dde91ced3a5828516bd51db509fd547c12dd483c00cdf5ade878ab542ffb6371238ccf960622bb464187b5778

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\fcrcjcf

                  MD5

                  fdde60834af109d71f4c7d28b865c8a1

                  SHA1

                  4f721105161b74e07b5ccd762d32932989bfb03a

                  SHA256

                  b0296c0000c40d59a268b223015872d7e57c427358b5e95d1bd6e4ac40dd0f87

                  SHA512

                  fecd130a4431fa81a1cf9be8019464b55bfb173dde91ced3a5828516bd51db509fd547c12dd483c00cdf5ade878ab542ffb6371238ccf960622bb464187b5778

                  Download Submit

                • \Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll

                  MD5

                  60acd24430204ad2dc7f148b8cfe9bdc

                  SHA1

                  989f377b9117d7cb21cbe92a4117f88f9c7693d9

                  SHA256

                  9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

                  SHA512

                  626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

                  Download Submit

                • \Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll

                  MD5

                  60acd24430204ad2dc7f148b8cfe9bdc

                  SHA1

                  989f377b9117d7cb21cbe92a4117f88f9c7693d9

                  SHA256

                  9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

                  SHA512

                  626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

                  Download Submit

                • \Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll

                  MD5

                  eae9273f8cdcf9321c6c37c244773139

                  SHA1

                  8378e2a2f3635574c106eea8419b5eb00b8489b0

                  SHA256

                  a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

                  SHA512

                  06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

                  Download Submit

                • \Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll

                  MD5

                  02cc7b8ee30056d5912de54f1bdfc219

                  SHA1

                  a6923da95705fb81e368ae48f93d28522ef552fb

                  SHA256

                  1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

                  SHA512

                  0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

                  Download Submit

                • \Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll

                  MD5

                  4e8df049f3459fa94ab6ad387f3561ac

                  SHA1

                  06ed392bc29ad9d5fc05ee254c2625fd65925114

                  SHA256

                  25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

                  SHA512

                  3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

                  Download Submit

                • \Users\Admin\AppData\LocalLow\sqlite3.dll

                  MD5

                  f964811b68f9f1487c2b41e1aef576ce

                  SHA1

                  b423959793f14b1416bc3b7051bed58a1034025f

                  SHA256

                  83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

                  SHA512

                  565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

                  Download Submit

                • \Users\Admin\AppData\Local\Temp\4DD3.tmp

                  MD5

                  50741b3f2d7debf5d2bed63d88404029

                  SHA1

                  56210388a627b926162b36967045be06ffb1aad3

                  SHA256

                  f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

                  SHA512

                  fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

                  Download Submit

                • memory/1540-10-0x0000000000402A38-mapping.dmp

                  Download

                • memory/1700-40-0x0000000009900000-0x0000000009901000-memory.dmp

                  Download

                • memory/1700-21-0x0000000000000000-mapping.dmp

                  Download

                • memory/1700-38-0x0000000008D40000-0x0000000008D41000-memory.dmp

                  Download

                • memory/1700-37-0x00000000092F0000-0x00000000092F1000-memory.dmp

                  Download

                • memory/1700-46-0x0000000009A70000-0x0000000009A71000-memory.dmp

                  Download

                • memory/1700-36-0x0000000008C90000-0x0000000008CB2000-memory.dmp

                  Download

                • memory/1700-35-0x0000000008DF0000-0x0000000008DF1000-memory.dmp

                  Download

                • memory/1700-30-0x0000000006480000-0x0000000006481000-memory.dmp

                  Download

                • memory/1700-31-0x00000000065F0000-0x00000000065F1000-memory.dmp

                  Download

                • memory/1700-34-0x00000000066B0000-0x00000000066D4000-memory.dmp

                  Download

                • memory/1700-32-0x00000000732E0000-0x00000000739CE000-memory.dmp

                  Download

                • memory/1700-39-0x0000000008D80000-0x0000000008D81000-memory.dmp

                  Download

                • memory/2060-13-0x0000000000000000-mapping.dmp

                  Download

                • memory/2420-28-0x0000022FFF5C0000-0x0000022FFF5C1000-memory.dmp

                  Download

                • memory/2420-24-0x0000022FFE850000-0x0000022FFE851000-memory.dmp

                  Download

                • memory/2420-25-0x0000022FFE850000-0x0000022FFE851000-memory.dmp

                  Download

                • memory/2420-49-0x0000022F80000000-0x0000022F80001000-memory.dmp

                  Download

                • memory/2420-47-0x0000022F80000000-0x0000022F80001000-memory.dmp

                  Download

                • memory/2420-48-0x0000022F866F0000-0x0000022F866F1000-memory.dmp

                  Download

                • memory/2420-27-0x0000022FFF5C0000-0x0000022FFF5C1000-memory.dmp

                  Download

                • memory/2756-4-0x0000000000CE0000-0x0000000000CF7000-memory.dmp

                  Download

                • memory/3372-7-0x00000000063F0000-0x00000000063F1000-memory.dmp

                  Download

                • memory/4044-2-0x0000000000402A38-mapping.dmp

                  Download

                • memory/4044-1-0x0000000000400000-0x000000000040C000-memory.dmp

                  Download

                • memory/4056-18-0x0000000000000000-mapping.dmp

                  Download

                • memory/4056-29-0x0000000006480000-0x0000000006481000-memory.dmp

                  Download

                • memory/4076-0-0x0000000006310000-0x0000000006311000-memory.dmp

                  Download