agenttesla | cf1b38106e42989ddffb99e0163787135e7b294c5d5e88e3b47ca1b7cd0d6681

Analysis

max time kernel
151s
max time network
155s
platform
windows10_x64
resource
win10v20201028
submitted
25-11-2020 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x000300000001ac9e-206.exe
Size

311KB
MD5

fdde60834af109d71f4c7d28b865c8a1
SHA1

4f721105161b74e07b5ccd762d32932989bfb03a
SHA256

b0296c0000c40d59a268b223015872d7e57c427358b5e95d1bd6e4ac40dd0f87
SHA512

fecd130a4431fa81a1cf9be8019464b55bfb173dde91ced3a5828516bd51db509fd547c12dd483c00cdf5ade878ab542ffb6371238ccf960622bb464187b5778

Score

10^/10

agenttesla smokeloader backdoor keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2019

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/

rc4.i32

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 416 created 3012 416 WerFault.exe Explorer.EXE

description	pid	process	target process
PID 416 created 3012	416	WerFault.exe	Explorer.EXE

AgentTesla Payload 2 IoCs

keylogger stealer

Processes:

resource	yara_rule
behavioral26/memory/1332-39-0x0000000006620000-0x0000000006644000-memory.dmp	agent_tesla
behavioral26/memory/1332-41-0x0000000008DD0000-0x0000000008DF2000-memory.dmp	agent_tesla

Executes dropped EXE 5 IoCs

Processes:

rhvdjwirhvdjwi1837.tmp.exe1AF7.tmp.exe1E82.tmp.exe

pid process

3440 rhvdjwi
3336 rhvdjwi
2984 1837.tmp.exe
3108 1AF7.tmp.exe
1332 1E82.tmp.exe
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Deletes itself 1 IoCs

Processes:

Explorer.EXE

pid process

3012 Explorer.EXE
Loads dropped DLL 1 IoCs

Processes:

0x000300000001ac9e-206.exe

pid process

2896 0x000300000001ac9e-206.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe

pid	process
3440	rhvdjwi
3336	rhvdjwi
2984	1837.tmp.exe
3108	1AF7.tmp.exe
1332	1E82.tmp.exe

pid	process
2896	0x000300000001ac9e-206.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

0x000300000001ac9e-206.exerhvdjwi

description	pid	process	target process
PID 972 set thread context of 2896	972	0x000300000001ac9e-206.exe	0x000300000001ac9e-206.exe
PID 3440 set thread context of 3336	3440	rhvdjwi	rhvdjwi

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

416 3012 WerFault.exe Explorer.EXE

pid	pid_target	process	target process
416	3012	WerFault.exe	Explorer.EXE

Checks SCSI registry key(s) 3 TTPs 15 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe0x000300000001ac9e-206.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0x000300000001ac9e-206.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0x000300000001ac9e-206.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0x000300000001ac9e-206.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchUI.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Modifies Control Panel 5 IoCs

evasion

Processes:

explorer.exeSearchUI.exeShellExperienceHost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Desktop\LastUpdated = "4294967295"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Colors	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Colors	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Desktop	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Desktop\TranscodedImageCount = "1"	explorer.exe

Modifies registry class 29 IoCs

Processes:

explorer.exeSearchUI.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e4070b004100720067006a006200650078000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c000000000000000000000000cb001c4221c3d60100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e4070b004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c00000000000000000000000054330c4121c3d60100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e4070a004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc760000000000000000000000005aa40d5557add60100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e4070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e4070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "132483827320340134"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe

Suspicious behavior: EnumeratesProcesses 1582 IoCs

Processes:

Explorer.EXE

pid	process
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

0x000300000001ac9e-206.exe

pid process

2896 0x000300000001ac9e-206.exe

pid	process
2896	0x000300000001ac9e-206.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

Explorer.EXEWerFault.exeexplorer.exe

description	pid	process
Token: SeShutdownPrivilege	3012	Explorer.EXE
Token: SeCreatePagefilePrivilege	3012	Explorer.EXE
Token: SeShutdownPrivilege	3012	Explorer.EXE
Token: SeCreatePagefilePrivilege	3012	Explorer.EXE
Token: SeShutdownPrivilege	3012	Explorer.EXE
Token: SeCreatePagefilePrivilege	3012	Explorer.EXE
Token: SeDebugPrivilege	416	WerFault.exe
Token: SeShutdownPrivilege	3200	explorer.exe
Token: SeCreatePagefilePrivilege	3200	explorer.exe
Token: SeShutdownPrivilege	3200	explorer.exe
Token: SeCreatePagefilePrivilege	3200	explorer.exe
Token: SeShutdownPrivilege	3200	explorer.exe
Token: SeCreatePagefilePrivilege	3200	explorer.exe
Token: SeShutdownPrivilege	3200	explorer.exe
Token: SeCreatePagefilePrivilege	3200	explorer.exe
Token: SeShutdownPrivilege	3200	explorer.exe
Token: SeCreatePagefilePrivilege	3200	explorer.exe
Token: SeShutdownPrivilege	3200	explorer.exe
Token: SeCreatePagefilePrivilege	3200	explorer.exe
Token: SeShutdownPrivilege	3200	explorer.exe
Token: SeCreatePagefilePrivilege	3200	explorer.exe
Token: SeShutdownPrivilege	3200	explorer.exe
Token: SeCreatePagefilePrivilege	3200	explorer.exe
Token: SeShutdownPrivilege	3200	explorer.exe
Token: SeCreatePagefilePrivilege	3200	explorer.exe
Token: SeShutdownPrivilege	3200	explorer.exe
Token: SeCreatePagefilePrivilege	3200	explorer.exe
Token: SeShutdownPrivilege	3200	explorer.exe
Token: SeCreatePagefilePrivilege	3200	explorer.exe
Token: SeShutdownPrivilege	3200	explorer.exe
Token: SeCreatePagefilePrivilege	3200	explorer.exe
Token: SeShutdownPrivilege	3200	explorer.exe
Token: SeCreatePagefilePrivilege	3200	explorer.exe
Token: SeShutdownPrivilege	3200	explorer.exe
Token: SeCreatePagefilePrivilege	3200	explorer.exe
Token: SeShutdownPrivilege	3200	explorer.exe
Token: SeCreatePagefilePrivilege	3200	explorer.exe
Token: SeShutdownPrivilege	3200	explorer.exe
Token: SeCreatePagefilePrivilege	3200	explorer.exe
Token: SeShutdownPrivilege	3200	explorer.exe
Token: SeCreatePagefilePrivilege	3200	explorer.exe
Token: SeShutdownPrivilege	3200	explorer.exe
Token: SeCreatePagefilePrivilege	3200	explorer.exe
Token: SeShutdownPrivilege	3200	explorer.exe
Token: SeCreatePagefilePrivilege	3200	explorer.exe

Suspicious use of FindShellTrayWindow 44 IoCs

Processes:

explorer.exe

pid	process
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe

Suspicious use of SendNotifyMessage 23 IoCs

Processes:

explorer.exe

pid	process
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe
3200	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

1837.tmp.exeSearchUI.exeShellExperienceHost.exe

pid process

2984 1837.tmp.exe
196 SearchUI.exe
1428 ShellExperienceHost.exe
1428 ShellExperienceHost.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3012 Explorer.EXE

pid	process
2984	1837.tmp.exe
196	SearchUI.exe
1428	ShellExperienceHost.exe
1428	ShellExperienceHost.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

0x000300000001ac9e-206.exerhvdjwiExplorer.EXE

description	pid	process	target process
PID 972 wrote to memory of 2896	972	0x000300000001ac9e-206.exe	0x000300000001ac9e-206.exe
PID 972 wrote to memory of 2896	972	0x000300000001ac9e-206.exe	0x000300000001ac9e-206.exe
PID 972 wrote to memory of 2896	972	0x000300000001ac9e-206.exe	0x000300000001ac9e-206.exe
PID 972 wrote to memory of 2896	972	0x000300000001ac9e-206.exe	0x000300000001ac9e-206.exe
PID 972 wrote to memory of 2896	972	0x000300000001ac9e-206.exe	0x000300000001ac9e-206.exe
PID 972 wrote to memory of 2896	972	0x000300000001ac9e-206.exe	0x000300000001ac9e-206.exe
PID 3440 wrote to memory of 3336	3440	rhvdjwi	rhvdjwi
PID 3440 wrote to memory of 3336	3440	rhvdjwi	rhvdjwi
PID 3440 wrote to memory of 3336	3440	rhvdjwi	rhvdjwi
PID 3440 wrote to memory of 3336	3440	rhvdjwi	rhvdjwi
PID 3440 wrote to memory of 3336	3440	rhvdjwi	rhvdjwi
PID 3440 wrote to memory of 3336	3440	rhvdjwi	rhvdjwi
PID 3012 wrote to memory of 2984	3012	Explorer.EXE	1837.tmp.exe
PID 3012 wrote to memory of 2984	3012	Explorer.EXE	1837.tmp.exe
PID 3012 wrote to memory of 2984	3012	Explorer.EXE	1837.tmp.exe
PID 3012 wrote to memory of 3108	3012	Explorer.EXE	1AF7.tmp.exe
PID 3012 wrote to memory of 3108	3012	Explorer.EXE	1AF7.tmp.exe
PID 3012 wrote to memory of 3108	3012	Explorer.EXE	1AF7.tmp.exe
PID 3012 wrote to memory of 1332	3012	Explorer.EXE	1E82.tmp.exe
PID 3012 wrote to memory of 1332	3012	Explorer.EXE	1E82.tmp.exe
PID 3012 wrote to memory of 1332	3012	Explorer.EXE	1E82.tmp.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3012

C:\Users\Admin\AppData\Local\Temp\0x000300000001ac9e-206.exe
"C:\Users\Admin\AppData\Local\Temp\0x000300000001ac9e-206.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:972

C:\Users\Admin\AppData\Local\Temp\0x000300000001ac9e-206.exe
"C:\Users\Admin\AppData\Local\Temp\0x000300000001ac9e-206.exe"
3⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2896

C:\Users\Admin\AppData\Local\Temp\1837.tmp.exe
C:\Users\Admin\AppData\Local\Temp\1837.tmp.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2984

C:\Users\Admin\AppData\Local\Temp\1AF7.tmp.exe
C:\Users\Admin\AppData\Local\Temp\1AF7.tmp.exe
2⤵
- Executes dropped EXE
PID:3108

C:\Users\Admin\AppData\Local\Temp\1E82.tmp.exe
C:\Users\Admin\AppData\Local\Temp\1E82.tmp.exe
2⤵
- Executes dropped EXE
PID:1332

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3012 -s 8136
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:416

C:\Users\Admin\AppData\Roaming\rhvdjwi
C:\Users\Admin\AppData\Roaming\rhvdjwi
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3440

C:\Users\Admin\AppData\Roaming\rhvdjwi
C:\Users\Admin\AppData\Roaming\rhvdjwi
2⤵
- Executes dropped EXE
PID:3336

C:\Windows\explorer.exe
explorer.exe
1⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies Control Panel
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3200

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Enumerates system info in registry
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:196

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
PID:1428

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1837.tmp.exe
MD5
a69e12607d01237460808fa1709e5e86

SHA1
4a12f82aee1c90e70cdf6be863ce1a749c8ae411

SHA256
188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc

SHA512
7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284

Download Submit
C:\Users\Admin\AppData\Local\Temp\1837.tmp.exe
MD5
a69e12607d01237460808fa1709e5e86

SHA1
4a12f82aee1c90e70cdf6be863ce1a749c8ae411

SHA256
188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc

SHA512
7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284

Download Submit
C:\Users\Admin\AppData\Local\Temp\1AF7.tmp.exe
MD5
4d58af2acb8147d09c1d1874860755e6

SHA1
04d466ae9c5bc0a8d6720b21447f056420c92bde

SHA256
e8012f7e8dcb980e8db82ac0158fb8f2be76388052ef74802e1bfae266d9b861

SHA512
e7b77629ad8299353e7698011c1fa04de9623897ad3aa2cd60e9125c68da0adf14911517ecf39f6f5396bf40792fa0ca14feef80ab4c8c722ce97db07e9574ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\1AF7.tmp.exe
MD5
4d58af2acb8147d09c1d1874860755e6

SHA1
04d466ae9c5bc0a8d6720b21447f056420c92bde

SHA256
e8012f7e8dcb980e8db82ac0158fb8f2be76388052ef74802e1bfae266d9b861

SHA512
e7b77629ad8299353e7698011c1fa04de9623897ad3aa2cd60e9125c68da0adf14911517ecf39f6f5396bf40792fa0ca14feef80ab4c8c722ce97db07e9574ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\1E82.tmp.exe
MD5
f2b4b6c26a03a1be0c3b85c0482a8c30

SHA1
b39eabd2d680440847baf150d4c9423515fea7d5

SHA256
501614b9f1d98a5b2ca1b11b251c61e05f1225aa5a344788375df28812a6232f

SHA512
0e5fe73e6c981986df1299cf0dfa88cc3b78532b83d6b93e671487de67c5dea16724a882dd61a6208b78b866250d0dc5f2cad872b1b39942bf9fd15cd8c4a5b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1E82.tmp.exe
MD5
f2b4b6c26a03a1be0c3b85c0482a8c30

SHA1
b39eabd2d680440847baf150d4c9423515fea7d5

SHA256
501614b9f1d98a5b2ca1b11b251c61e05f1225aa5a344788375df28812a6232f

SHA512
0e5fe73e6c981986df1299cf0dfa88cc3b78532b83d6b93e671487de67c5dea16724a882dd61a6208b78b866250d0dc5f2cad872b1b39942bf9fd15cd8c4a5b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\4DD3.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
C:\Users\Admin\AppData\Roaming\rhvdjwi
MD5
fdde60834af109d71f4c7d28b865c8a1

SHA1
4f721105161b74e07b5ccd762d32932989bfb03a

SHA256
b0296c0000c40d59a268b223015872d7e57c427358b5e95d1bd6e4ac40dd0f87

SHA512
fecd130a4431fa81a1cf9be8019464b55bfb173dde91ced3a5828516bd51db509fd547c12dd483c00cdf5ade878ab542ffb6371238ccf960622bb464187b5778

Download Submit
C:\Users\Admin\AppData\Roaming\rhvdjwi
MD5
fdde60834af109d71f4c7d28b865c8a1

SHA1
4f721105161b74e07b5ccd762d32932989bfb03a

SHA256
b0296c0000c40d59a268b223015872d7e57c427358b5e95d1bd6e4ac40dd0f87

SHA512
fecd130a4431fa81a1cf9be8019464b55bfb173dde91ced3a5828516bd51db509fd547c12dd483c00cdf5ade878ab542ffb6371238ccf960622bb464187b5778

Download Submit
C:\Users\Admin\AppData\Roaming\rhvdjwi
MD5
fdde60834af109d71f4c7d28b865c8a1

SHA1
4f721105161b74e07b5ccd762d32932989bfb03a

SHA256
b0296c0000c40d59a268b223015872d7e57c427358b5e95d1bd6e4ac40dd0f87

SHA512
fecd130a4431fa81a1cf9be8019464b55bfb173dde91ced3a5828516bd51db509fd547c12dd483c00cdf5ade878ab542ffb6371238ccf960622bb464187b5778

Download Submit
\Users\Admin\AppData\Local\Temp\4DD3.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
memory/416-24-0x000002A26B840000-0x000002A26B841000-memory.dmp

Filesize
4KB

Download
memory/416-29-0x000002A26C6B0000-0x000002A26C6B1000-memory.dmp

Filesize
4KB

Download
memory/416-28-0x000002A26C6B0000-0x000002A26C6B1000-memory.dmp

Filesize
4KB

Download
memory/416-27-0x000002A26C6B0000-0x000002A26C6B1000-memory.dmp

Filesize
4KB

Download
memory/416-25-0x000002A26B840000-0x000002A26B841000-memory.dmp

Filesize
4KB

Download
memory/972-0-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/1332-38-0x0000000073370000-0x0000000073A5E000-memory.dmp

Filesize
6.9MB

Download
memory/1332-42-0x0000000009470000-0x0000000009471000-memory.dmp

Filesize
4KB

Download
memory/1332-46-0x0000000009BB0000-0x0000000009BB1000-memory.dmp

Filesize
4KB

Download
memory/1332-21-0x0000000000000000-mapping.dmp

Download
memory/1332-45-0x0000000008F10000-0x0000000008F11000-memory.dmp

Filesize
4KB

Download
memory/1332-44-0x0000000008EC0000-0x0000000008EC1000-memory.dmp

Filesize
4KB

Download
memory/1332-43-0x0000000008E80000-0x0000000008E81000-memory.dmp

Filesize
4KB

Download
memory/1332-41-0x0000000008DD0000-0x0000000008DF2000-memory.dmp

Filesize
136KB

Download
memory/1332-40-0x0000000008F70000-0x0000000008F71000-memory.dmp

Filesize
4KB

Download
memory/1332-35-0x0000000006390000-0x0000000006391000-memory.dmp

Filesize
4KB

Download
memory/1332-36-0x0000000006390000-0x00000000063C1000-memory.dmp

Filesize
196KB

Download
memory/1332-37-0x0000000006690000-0x0000000006691000-memory.dmp

Filesize
4KB

Download
memory/1332-39-0x0000000006620000-0x0000000006644000-memory.dmp

Filesize
144KB

Download
memory/2896-2-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2896-3-0x0000000000402A38-mapping.dmp

Download
memory/2984-13-0x0000000000000000-mapping.dmp

Download
memory/3012-5-0x0000000000E80000-0x0000000000E97000-memory.dmp

Filesize
92KB

Download
memory/3108-33-0x0000000006430000-0x0000000006431000-memory.dmp

Filesize
4KB

Download
memory/3108-18-0x0000000000000000-mapping.dmp

Download
memory/3200-47-0x0000000009C40000-0x0000000009C41000-memory.dmp

Filesize
4KB

Download
memory/3336-10-0x0000000000402A38-mapping.dmp

Download
memory/3440-8-0x00000000063C0000-0x00000000063C1000-memory.dmp

Filesize
4KB

Download