agenttesla | cf1b38106e42989ddffb99e0163787135e7b294c5d5e88e3b47ca1b7cd0d6681

Analysis

max time kernel
147s
max time network
150s
platform
windows10_x64
resource
win10v20201028
submitted
25-11-2020 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x000300000001ac9e-134.exe
Size

311KB
MD5

fdde60834af109d71f4c7d28b865c8a1
SHA1

4f721105161b74e07b5ccd762d32932989bfb03a
SHA256

b0296c0000c40d59a268b223015872d7e57c427358b5e95d1bd6e4ac40dd0f87
SHA512

fecd130a4431fa81a1cf9be8019464b55bfb173dde91ced3a5828516bd51db509fd547c12dd483c00cdf5ade878ab542ffb6371238ccf960622bb464187b5778

Score

10^/10

agenttesla raccoon smokeloader backdoor discovery keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2019

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/

rc4.i32

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2420 created 2756 2420 WerFault.exe Explorer.EXE

description	pid	process	target process
PID 2420 created 2756	2420	WerFault.exe	Explorer.EXE

AgentTesla Payload 2 IoCs

keylogger stealer

Processes:

resource	yara_rule
behavioral24/memory/1700-34-0x00000000066B0000-0x00000000066D4000-memory.dmp	agent_tesla
behavioral24/memory/1700-36-0x0000000008C90000-0x0000000008CB2000-memory.dmp	agent_tesla

Executes dropped EXE 5 IoCs

Processes:

fcrcjcffcrcjcfE88C.tmp.exeEB1D.tmp.exeEE7A.tmp.exe

pid process

3372 fcrcjcf
1540 fcrcjcf
2060 E88C.tmp.exe
4056 EB1D.tmp.exe
1700 EE7A.tmp.exe
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Deletes itself 1 IoCs

Processes:

Explorer.EXE

pid process

2756 Explorer.EXE
Loads dropped DLL 7 IoCs

Processes:

0x000300000001ac9e-134.exeEB1D.tmp.exe

pid process

4044 0x000300000001ac9e-134.exe
4056 EB1D.tmp.exe
4056 EB1D.tmp.exe
4056 EB1D.tmp.exe
4056 EB1D.tmp.exe
4056 EB1D.tmp.exe
4056 EB1D.tmp.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe

pid	process
3372	fcrcjcf
1540	fcrcjcf
2060	E88C.tmp.exe
4056	EB1D.tmp.exe
1700	EE7A.tmp.exe

pid	process
4044	0x000300000001ac9e-134.exe
4056	EB1D.tmp.exe
4056	EB1D.tmp.exe
4056	EB1D.tmp.exe
4056	EB1D.tmp.exe
4056	EB1D.tmp.exe
4056	EB1D.tmp.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe

JavaScript code in executable 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll	js

Suspicious use of SetThreadContext 2 IoCs

Processes:

0x000300000001ac9e-134.exefcrcjcf

description	pid	process	target process
PID 4076 set thread context of 4044	4076	0x000300000001ac9e-134.exe	0x000300000001ac9e-134.exe
PID 3372 set thread context of 1540	3372	fcrcjcf	fcrcjcf

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2420 2756 WerFault.exe Explorer.EXE

pid	pid_target	process	target process
2420	2756	WerFault.exe	Explorer.EXE

Checks SCSI registry key(s) 3 TTPs 15 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0x000300000001ac9e-134.exeexplorer.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0x000300000001ac9e-134.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0x000300000001ac9e-134.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	explorer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0x000300000001ac9e-134.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchUI.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Modifies Control Panel 5 IoCs

evasion

Processes:

explorer.exeSearchUI.exeShellExperienceHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Desktop	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Desktop\TranscodedImageCount = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Desktop\LastUpdated = "4294967295"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Colors	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Colors	ShellExperienceHost.exe

Modifies registry class 29 IoCs

Processes:

SearchUI.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "132483821478966568"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e4070b004100720067006a006200650078000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000074ae2078e323294282c1e41cb67d5b9c00000000000000000000000020a281dc18c3d60100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e4070b004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c00000000000000000000000037c13fdb18c3d60100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e4070a004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc76000000000000000000000000a6fbb6b755add60100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e4070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e4070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe

Suspicious behavior: EnumeratesProcesses 1604 IoCs

Processes:

Explorer.EXE

pid	process
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE
2756	Explorer.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

0x000300000001ac9e-134.exe

pid process

4044 0x000300000001ac9e-134.exe

pid	process
4044	0x000300000001ac9e-134.exe

Suspicious use of AdjustPrivilegeToken 66 IoCs

Processes:

Explorer.EXEWerFault.exeexplorer.exeEE7A.tmp.exe

description	pid	process
Token: SeShutdownPrivilege	2756	Explorer.EXE
Token: SeCreatePagefilePrivilege	2756	Explorer.EXE
Token: SeShutdownPrivilege	2756	Explorer.EXE
Token: SeCreatePagefilePrivilege	2756	Explorer.EXE
Token: SeShutdownPrivilege	2756	Explorer.EXE
Token: SeCreatePagefilePrivilege	2756	Explorer.EXE
Token: SeDebugPrivilege	2420	WerFault.exe
Token: SeShutdownPrivilege	2844	explorer.exe
Token: SeCreatePagefilePrivilege	2844	explorer.exe
Token: SeShutdownPrivilege	2844	explorer.exe
Token: SeCreatePagefilePrivilege	2844	explorer.exe
Token: SeShutdownPrivilege	2844	explorer.exe
Token: SeCreatePagefilePrivilege	2844	explorer.exe
Token: SeShutdownPrivilege	2844	explorer.exe
Token: SeCreatePagefilePrivilege	2844	explorer.exe
Token: SeShutdownPrivilege	2844	explorer.exe
Token: SeCreatePagefilePrivilege	2844	explorer.exe
Token: SeShutdownPrivilege	2844	explorer.exe
Token: SeCreatePagefilePrivilege	2844	explorer.exe
Token: SeShutdownPrivilege	2844	explorer.exe
Token: SeCreatePagefilePrivilege	2844	explorer.exe
Token: SeShutdownPrivilege	2844	explorer.exe
Token: SeCreatePagefilePrivilege	2844	explorer.exe
Token: SeShutdownPrivilege	2844	explorer.exe
Token: SeCreatePagefilePrivilege	2844	explorer.exe
Token: SeShutdownPrivilege	2844	explorer.exe
Token: SeCreatePagefilePrivilege	2844	explorer.exe
Token: SeShutdownPrivilege	2844	explorer.exe
Token: SeCreatePagefilePrivilege	2844	explorer.exe
Token: SeShutdownPrivilege	2844	explorer.exe
Token: SeCreatePagefilePrivilege	2844	explorer.exe
Token: SeShutdownPrivilege	2844	explorer.exe
Token: SeCreatePagefilePrivilege	2844	explorer.exe
Token: SeShutdownPrivilege	2844	explorer.exe
Token: SeCreatePagefilePrivilege	2844	explorer.exe
Token: SeShutdownPrivilege	2844	explorer.exe
Token: SeCreatePagefilePrivilege	2844	explorer.exe
Token: SeShutdownPrivilege	2844	explorer.exe
Token: SeCreatePagefilePrivilege	2844	explorer.exe
Token: SeShutdownPrivilege	2844	explorer.exe
Token: SeCreatePagefilePrivilege	2844	explorer.exe
Token: SeShutdownPrivilege	2844	explorer.exe
Token: SeCreatePagefilePrivilege	2844	explorer.exe
Token: SeShutdownPrivilege	2844	explorer.exe
Token: SeCreatePagefilePrivilege	2844	explorer.exe
Token: SeShutdownPrivilege	2844	explorer.exe
Token: SeCreatePagefilePrivilege	2844	explorer.exe
Token: SeShutdownPrivilege	2844	explorer.exe
Token: SeCreatePagefilePrivilege	2844	explorer.exe
Token: SeShutdownPrivilege	2844	explorer.exe
Token: SeCreatePagefilePrivilege	2844	explorer.exe
Token: SeShutdownPrivilege	2844	explorer.exe
Token: SeCreatePagefilePrivilege	2844	explorer.exe
Token: SeShutdownPrivilege	2844	explorer.exe
Token: SeCreatePagefilePrivilege	2844	explorer.exe
Token: SeShutdownPrivilege	2844	explorer.exe
Token: SeCreatePagefilePrivilege	2844	explorer.exe
Token: SeShutdownPrivilege	2844	explorer.exe
Token: SeCreatePagefilePrivilege	2844	explorer.exe
Token: SeShutdownPrivilege	2844	explorer.exe
Token: SeCreatePagefilePrivilege	2844	explorer.exe
Token: SeDebugPrivilege	1700	EE7A.tmp.exe
Token: SeShutdownPrivilege	2844	explorer.exe
Token: SeCreatePagefilePrivilege	2844	explorer.exe

Suspicious use of FindShellTrayWindow 45 IoCs

Processes:

explorer.exe

pid	process
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

explorer.exe

pid	process
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe
2844	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

E88C.tmp.exeShellExperienceHost.exeSearchUI.exe

pid process

2060 E88C.tmp.exe
2680 ShellExperienceHost.exe
2460 SearchUI.exe
2680 ShellExperienceHost.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2756 Explorer.EXE

pid	process
2060	E88C.tmp.exe
2680	ShellExperienceHost.exe
2460	SearchUI.exe
2680	ShellExperienceHost.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

0x000300000001ac9e-134.exefcrcjcfExplorer.EXE

description	pid	process	target process
PID 4076 wrote to memory of 4044	4076	0x000300000001ac9e-134.exe	0x000300000001ac9e-134.exe
PID 4076 wrote to memory of 4044	4076	0x000300000001ac9e-134.exe	0x000300000001ac9e-134.exe
PID 4076 wrote to memory of 4044	4076	0x000300000001ac9e-134.exe	0x000300000001ac9e-134.exe
PID 4076 wrote to memory of 4044	4076	0x000300000001ac9e-134.exe	0x000300000001ac9e-134.exe
PID 4076 wrote to memory of 4044	4076	0x000300000001ac9e-134.exe	0x000300000001ac9e-134.exe
PID 4076 wrote to memory of 4044	4076	0x000300000001ac9e-134.exe	0x000300000001ac9e-134.exe
PID 3372 wrote to memory of 1540	3372	fcrcjcf	fcrcjcf
PID 3372 wrote to memory of 1540	3372	fcrcjcf	fcrcjcf
PID 3372 wrote to memory of 1540	3372	fcrcjcf	fcrcjcf
PID 3372 wrote to memory of 1540	3372	fcrcjcf	fcrcjcf
PID 3372 wrote to memory of 1540	3372	fcrcjcf	fcrcjcf
PID 3372 wrote to memory of 1540	3372	fcrcjcf	fcrcjcf
PID 2756 wrote to memory of 2060	2756	Explorer.EXE	E88C.tmp.exe
PID 2756 wrote to memory of 2060	2756	Explorer.EXE	E88C.tmp.exe
PID 2756 wrote to memory of 2060	2756	Explorer.EXE	E88C.tmp.exe
PID 2756 wrote to memory of 4056	2756	Explorer.EXE	EB1D.tmp.exe
PID 2756 wrote to memory of 4056	2756	Explorer.EXE	EB1D.tmp.exe
PID 2756 wrote to memory of 4056	2756	Explorer.EXE	EB1D.tmp.exe
PID 2756 wrote to memory of 1700	2756	Explorer.EXE	EE7A.tmp.exe
PID 2756 wrote to memory of 1700	2756	Explorer.EXE	EE7A.tmp.exe
PID 2756 wrote to memory of 1700	2756	Explorer.EXE	EE7A.tmp.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2756

C:\Users\Admin\AppData\Local\Temp\0x000300000001ac9e-134.exe
"C:\Users\Admin\AppData\Local\Temp\0x000300000001ac9e-134.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4076

C:\Users\Admin\AppData\Local\Temp\0x000300000001ac9e-134.exe
"C:\Users\Admin\AppData\Local\Temp\0x000300000001ac9e-134.exe"
3⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4044

C:\Users\Admin\AppData\Local\Temp\E88C.tmp.exe
C:\Users\Admin\AppData\Local\Temp\E88C.tmp.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2060

C:\Users\Admin\AppData\Local\Temp\EB1D.tmp.exe
C:\Users\Admin\AppData\Local\Temp\EB1D.tmp.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4056

C:\Users\Admin\AppData\Local\Temp\EE7A.tmp.exe
C:\Users\Admin\AppData\Local\Temp\EE7A.tmp.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2756 -s 2484
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Users\Admin\AppData\Roaming\fcrcjcf
C:\Users\Admin\AppData\Roaming\fcrcjcf
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3372

C:\Users\Admin\AppData\Roaming\fcrcjcf
C:\Users\Admin\AppData\Roaming\fcrcjcf
2⤵
- Executes dropped EXE
PID:1540

C:\Windows\explorer.exe
explorer.exe
1⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies Control Panel
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2844

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
PID:2680

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Enumerates system info in registry
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2460

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4DD3.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\E88C.tmp.exe
MD5
a69e12607d01237460808fa1709e5e86

SHA1
4a12f82aee1c90e70cdf6be863ce1a749c8ae411

SHA256
188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc

SHA512
7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284

Download Submit
C:\Users\Admin\AppData\Local\Temp\E88C.tmp.exe
MD5
a69e12607d01237460808fa1709e5e86

SHA1
4a12f82aee1c90e70cdf6be863ce1a749c8ae411

SHA256
188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc

SHA512
7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB1D.tmp.exe
MD5
4d58af2acb8147d09c1d1874860755e6

SHA1
04d466ae9c5bc0a8d6720b21447f056420c92bde

SHA256
e8012f7e8dcb980e8db82ac0158fb8f2be76388052ef74802e1bfae266d9b861

SHA512
e7b77629ad8299353e7698011c1fa04de9623897ad3aa2cd60e9125c68da0adf14911517ecf39f6f5396bf40792fa0ca14feef80ab4c8c722ce97db07e9574ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB1D.tmp.exe
MD5
4d58af2acb8147d09c1d1874860755e6

SHA1
04d466ae9c5bc0a8d6720b21447f056420c92bde

SHA256
e8012f7e8dcb980e8db82ac0158fb8f2be76388052ef74802e1bfae266d9b861

SHA512
e7b77629ad8299353e7698011c1fa04de9623897ad3aa2cd60e9125c68da0adf14911517ecf39f6f5396bf40792fa0ca14feef80ab4c8c722ce97db07e9574ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE7A.tmp.exe
MD5
f2b4b6c26a03a1be0c3b85c0482a8c30

SHA1
b39eabd2d680440847baf150d4c9423515fea7d5

SHA256
501614b9f1d98a5b2ca1b11b251c61e05f1225aa5a344788375df28812a6232f

SHA512
0e5fe73e6c981986df1299cf0dfa88cc3b78532b83d6b93e671487de67c5dea16724a882dd61a6208b78b866250d0dc5f2cad872b1b39942bf9fd15cd8c4a5b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE7A.tmp.exe
MD5
f2b4b6c26a03a1be0c3b85c0482a8c30

SHA1
b39eabd2d680440847baf150d4c9423515fea7d5

SHA256
501614b9f1d98a5b2ca1b11b251c61e05f1225aa5a344788375df28812a6232f

SHA512
0e5fe73e6c981986df1299cf0dfa88cc3b78532b83d6b93e671487de67c5dea16724a882dd61a6208b78b866250d0dc5f2cad872b1b39942bf9fd15cd8c4a5b4

Download Submit
C:\Users\Admin\AppData\Roaming\fcrcjcf
MD5
fdde60834af109d71f4c7d28b865c8a1

SHA1
4f721105161b74e07b5ccd762d32932989bfb03a

SHA256
b0296c0000c40d59a268b223015872d7e57c427358b5e95d1bd6e4ac40dd0f87

SHA512
fecd130a4431fa81a1cf9be8019464b55bfb173dde91ced3a5828516bd51db509fd547c12dd483c00cdf5ade878ab542ffb6371238ccf960622bb464187b5778

Download Submit
C:\Users\Admin\AppData\Roaming\fcrcjcf
MD5
fdde60834af109d71f4c7d28b865c8a1

SHA1
4f721105161b74e07b5ccd762d32932989bfb03a

SHA256
b0296c0000c40d59a268b223015872d7e57c427358b5e95d1bd6e4ac40dd0f87

SHA512
fecd130a4431fa81a1cf9be8019464b55bfb173dde91ced3a5828516bd51db509fd547c12dd483c00cdf5ade878ab542ffb6371238ccf960622bb464187b5778

Download Submit
C:\Users\Admin\AppData\Roaming\fcrcjcf
MD5
fdde60834af109d71f4c7d28b865c8a1

SHA1
4f721105161b74e07b5ccd762d32932989bfb03a

SHA256
b0296c0000c40d59a268b223015872d7e57c427358b5e95d1bd6e4ac40dd0f87

SHA512
fecd130a4431fa81a1cf9be8019464b55bfb173dde91ced3a5828516bd51db509fd547c12dd483c00cdf5ade878ab542ffb6371238ccf960622bb464187b5778

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\freebl3.dll
MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\mozglue.dll
MD5
eae9273f8cdcf9321c6c37c244773139

SHA1
8378e2a2f3635574c106eea8419b5eb00b8489b0

SHA256
a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

SHA512
06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\nss3.dll
MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\nb98wqnehe8bw89hb\softokn3.dll
MD5
4e8df049f3459fa94ab6ad387f3561ac

SHA1
06ed392bc29ad9d5fc05ee254c2625fd65925114

SHA256
25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

SHA512
3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
\Users\Admin\AppData\Local\Temp\4DD3.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
memory/1540-10-0x0000000000402A38-mapping.dmp

Download
memory/1700-39-0x0000000008D80000-0x0000000008D81000-memory.dmp

Filesize
4KB

Download
memory/1700-46-0x0000000009A70000-0x0000000009A71000-memory.dmp

Filesize
4KB

Download
memory/1700-40-0x0000000009900000-0x0000000009901000-memory.dmp

Filesize
4KB

Download
memory/1700-21-0x0000000000000000-mapping.dmp

Download
memory/1700-38-0x0000000008D40000-0x0000000008D41000-memory.dmp

Filesize
4KB

Download
memory/1700-37-0x00000000092F0000-0x00000000092F1000-memory.dmp

Filesize
4KB

Download
memory/1700-36-0x0000000008C90000-0x0000000008CB2000-memory.dmp

Filesize
136KB

Download
memory/1700-30-0x0000000006480000-0x0000000006481000-memory.dmp

Filesize
4KB

Download
memory/1700-31-0x00000000065F0000-0x00000000065F1000-memory.dmp

Filesize
4KB

Download
memory/1700-32-0x00000000732E0000-0x00000000739CE000-memory.dmp

Filesize
6.9MB

Download
memory/1700-35-0x0000000008DF0000-0x0000000008DF1000-memory.dmp

Filesize
4KB

Download
memory/1700-34-0x00000000066B0000-0x00000000066D4000-memory.dmp

Filesize
144KB

Download
memory/2060-13-0x0000000000000000-mapping.dmp

Download
memory/2420-47-0x0000022F80000000-0x0000022F80001000-memory.dmp

Filesize
4KB

Download
memory/2420-28-0x0000022FFF5C0000-0x0000022FFF5C1000-memory.dmp

Filesize
4KB

Download
memory/2420-27-0x0000022FFF5C0000-0x0000022FFF5C1000-memory.dmp

Filesize
4KB

Download
memory/2420-24-0x0000022FFE850000-0x0000022FFE851000-memory.dmp

Filesize
4KB

Download
memory/2420-25-0x0000022FFE850000-0x0000022FFE851000-memory.dmp

Filesize
4KB

Download
memory/2420-49-0x0000022F80000000-0x0000022F80001000-memory.dmp

Filesize
4KB

Download
memory/2420-48-0x0000022F866F0000-0x0000022F866F1000-memory.dmp

Filesize
4KB

Download
memory/2756-4-0x0000000000CE0000-0x0000000000CF7000-memory.dmp

Filesize
92KB

Download
memory/3372-7-0x00000000063F0000-0x00000000063F1000-memory.dmp

Filesize
4KB

Download
memory/4044-2-0x0000000000402A38-mapping.dmp

Download
memory/4044-1-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4056-29-0x0000000006480000-0x0000000006481000-memory.dmp

Filesize
4KB

Download
memory/4056-18-0x0000000000000000-mapping.dmp

Download
memory/4076-0-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download