raccoon | 52693062f8af884f53bc708c947256273d6362ba955b5b16653557f80150925c

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7v20201028
submitted
22-03-2021 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PlayerUI.exe
Size

71KB
MD5

1bce563f5e72b35bc1d2b0c9429c503b
SHA1

0c1d555c2daddb0e6528a2800ff973ea8335f841
SHA256

52693062f8af884f53bc708c947256273d6362ba955b5b16653557f80150925c
SHA512

15b8af66bb7bd768d6333838cfc765c6a98217bfe7a7156d3865407ee8961cf4e3f7bbf4e3f72f5292d1fe46e9493c905dbcf8aa9c7074f81123f0da1e391aea

Score

10^/10

raccoon 2ce901d964b370c5ccda7e4d68354ba040db8218 c46f13f8aadc028907d65c627fd9163161661f6c persistence spyware stealer

Malware Config

Extracted

Family

raccoon

Botnet

c46f13f8aadc028907d65c627fd9163161661f6c

Attributes

url4cnc
https://telete.in/capibar

rc4.plain

Extracted

Family

raccoon

Botnet

2ce901d964b370c5ccda7e4d68354ba040db8218

Attributes

url4cnc
https://telete.in/tomarsjsmith3

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Executes dropped EXE 11 IoCs

Processes:

Cd0CypcOZND0VNCNsKblKVIv.exe64876084600.exe64876084600.exe92445027451.exe64876084600.exe0E41wdcVfdi1dEsX5cAopTwj.exelnAZzWWiJKWeJ7LCVnf2NAw5.exeSVyHMWDQLVWlxdTENniqVGM7.exe9BUUQZypguiLPrNCMeJuKoSM.exe4kd35uOdt6twoc8On5QZqrSP.exeI03dg3fA18pEglBEcxunlLPX.exe

pid	process
2052	Cd0CypcOZND0VNCNsKblKVIv.exe
2252	64876084600.exe
2296	64876084600.exe
2356	92445027451.exe
2488	64876084600.exe
2636	0E41wdcVfdi1dEsX5cAopTwj.exe
2624	lnAZzWWiJKWeJ7LCVnf2NAw5.exe
2684	SVyHMWDQLVWlxdTENniqVGM7.exe
2728	9BUUQZypguiLPrNCMeJuKoSM.exe
2768	4kd35uOdt6twoc8On5QZqrSP.exe
2792	I03dg3fA18pEglBEcxunlLPX.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 20 IoCs

Processes:

PlayerUI.execmd.exe64876084600.execmd.exe64876084600.exeWerFault.exe

pid	process
776	PlayerUI.exe
776	PlayerUI.exe
2216	cmd.exe
2216	cmd.exe
2252	64876084600.exe
2312	cmd.exe
2312	cmd.exe
2296	64876084600.exe
776	PlayerUI.exe
776	PlayerUI.exe
776	PlayerUI.exe
776	PlayerUI.exe
776	PlayerUI.exe
776	PlayerUI.exe
776	PlayerUI.exe
776	PlayerUI.exe
5540	WerFault.exe
5540	WerFault.exe
5540	WerFault.exe
5540	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

PlayerUI.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\5RIu7nPPLjFCBFHlXem0iMcR2tsTayDA = "C:\\Users\\Admin\\Documents\\YSeHzh0MuC7Dl3fPxHYpXYyc.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\uzFyEfhG7sf5hmnmbIN9hLARjVk3WXtZ = "C:\\Users\\Admin\\Documents\\U3RadoT5K5zgA3tCVDgga5ii.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\mahsXHJGpE4sD7IerQGPMOGjeGRnpbrT = "C:\\Users\\Admin\\Documents\\ppw1vkHyLRS2Ntt0I9D3gWac.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\XQFDQopsUUM1QJAdlP8spbtocYEgygb7 = "C:\\Users\\Admin\\Documents\\mH6Y2a6wiSA6HytFztyuap0M.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ID3pzJEhQI7x7o0JivPYVY4cwZxFokVC = "C:\\Users\\Admin\\Documents\\jozPe2P14NbKsoGzHFUfxgQj.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\km4Iv2PGOSVsgJbWbGjzgYgP2FnDuScR = "C:\\Users\\Admin\\Documents\\BxKcQzWYEfFsy6bsjiIF0tcQ.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ncM7dEOxdAWcDMo8OKTb1W2L5mT3obWo = "C:\\Users\\Admin\\Documents\\S46riCeosUw2zwN3UXs4Xngs.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\F4UeA2k9O6HZ6hfNO07Gr2nqRNVcunpz = "C:\\Users\\Admin\\Documents\\mckTkKTiTOgBNIE8dOdbzx9D.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\qP2ZBEefP5AdsV1lIeU1U92rggBsWBbJ = "C:\\Users\\Admin\\Documents\\D5Wa4k36AlyqmVLlme1hf4jb.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\RPToESbVerPi1oq29Eea25PdEgCNkIAn = "C:\\Users\\Admin\\Documents\\r12qS6WstJQx6OkxwtxduDXf.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ewXCWTxDhcyubnE0veYhB541DS9WMEq5 = "C:\\Users\\Admin\\Documents\\vXmn2zR3leVxxFmQRbC1p0PU.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\zEATIftE1yCvBynHpYF7TavI9GtNaW6B = "C:\\Users\\Admin\\Documents\\KSMUQawAflkfPTYuChe98IaW.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\LHgrHcFNFX0hyVzrcbkVhZ1xu5338NRi = "C:\\Users\\Admin\\Documents\\JbRhcumHthcGLLLmxyqvWkB2.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\7VFxJ8OU1gc6UWlTBhJYZ3DHqdsSpodM = "C:\\Users\\Admin\\Documents\\Db3brgOnF0SRKXWtoUgY818y.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\wym0WM79ukiaOaOQMGJRyhV29IHcr0Ft = "C:\\Users\\Admin\\Documents\\qbCcVx0pSMko5KabVxWox7j3.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\6tXQG6ojVMdw5GY6h7Pabnx0EGmaXELT = "C:\\Users\\Admin\\Documents\\GmIWSwdIoAUSk50X03AmNwsN.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\9iB1vsRP73nDrtGQZdKqxamJSCz8aGCi = "C:\\Users\\Admin\\Documents\\4tjzQVXn0mH0rsAkRTrmkVuj.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\XyxLVhtR5IHiTUb0tlK57H9dsnQQUtvk = "C:\\Users\\Admin\\Documents\\ul68VEdDlbX6fU4KzkVzeJ7j.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\QbUpo0bwJ8yrdpD3raGYKhrNPz5Thela = "C:\\Users\\Admin\\Documents\\cnXXmSEBUMV8FnsA3gz4QCXA.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\pAkvpXqpxFIG8e82WqxUlsrcyfgPYaUR = "C:\\Users\\Admin\\Documents\\rJzxi8zIR1fANEfoKT8i4afO.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\465cH10BWTt3RmP1BgsjYGHFSL3thD0q = "C:\\Users\\Admin\\Documents\\XuA6sX8H808tN2bcvLHlirdG.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\SQV7RuYMofrKNokl3IUtBjOMLvmtIvw7 = "C:\\Users\\Admin\\Documents\\NHZ6u5eVTNdKN6ITrYAwmPQE.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\MakeEv4VMqtkM9jkNHLipP5qxSQoh7lX = "C:\\Users\\Admin\\Documents\\R7KrlupuQ4bbYp9yY0v2M3MV.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\7e6bFqvjX1WWm9zbSzm2utvQnTtVMjz8 = "C:\\Users\\Admin\\Documents\\gfAPMsEXr5WObI8OVQpeDhww.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ngTQ47A1qj8icCpFyehEIertvYmxwZqH = "C:\\Users\\Admin\\Documents\\d1Dvir137oFUaQzpNhFASVdE.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yi2qX68c5NIQ5EslcmmW4ZP5Gv7bQwJj = "C:\\Users\\Admin\\Documents\\dslnJwOCj8MNBy1Zg6SuR30o.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\as5IJS1pNIKhhRxKn9sGby8L9wdL5GJk = "C:\\Users\\Admin\\Documents\\XZJbmmh9Zs11SdyYyxi9ZwcX.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\LG4IkeLNguda1yrQVIMh0kVkqcvRBZp7 = "C:\\Users\\Admin\\Documents\\hVdyj7rS2X0l0zXfxPySKjqO.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\UGvurYC02IxUUHykYfYL60DUUKcsUB8U = "C:\\Users\\Admin\\Documents\\fmSPUEyGDo5u49QZTxdffLXC.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zac8tIGUTV3iVh09DBQ0NvuBh1GlDmb3 = "C:\\Users\\Admin\\Documents\\0z3ucpDD3u75IgJM8IXog7HB.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\BSwGIBBwWLx0wwdZJIWJpwdfambzHeK3 = "C:\\Users\\Admin\\Documents\\qvuuGhtlgChfS7XgSayXhwdU.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\AouVRusvpMuYML2r4lnCqAtvdgZVabLM = "C:\\Users\\Admin\\Documents\\9sl60Po1Z7WEeO7ulcaHYwwJ.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\y5CPoDFuEojcxnUTIjjRKM7NTggwhJzH = "C:\\Users\\Admin\\Documents\\U83FOPHr6dgi72y5sbozNNCH.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\wSBQl2HDzZ6CuvEUzlOHZO4YdbgpFRLw = "C:\\Users\\Admin\\Documents\\R5u8evESxQGr60Fznv998eLc.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\U7su1WOCaXABWrxuTtj0TxzP7OrEnOEJ = "C:\\Users\\Admin\\Documents\\0PXzBUgQ81SLjhz3PceUOrx7.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\QjBbuWziLGZf1TNQEQQdbqVxVQpQMGpN = "C:\\Users\\Admin\\Documents\\fnVuRfuYXQXzWpVQYw2MnRIK.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\AIizlNHvF4cTbssJfEyuNFRhFlI978xN = "C:\\Users\\Admin\\Documents\\OemZl3j3ZdhNw5zVmjLLAA1z.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\yg9sLiEWUHZAUqm1FuWdaFnkITHeVqv5 = "C:\\Users\\Admin\\Documents\\2vrgTUf73mnleNZ7h8tkf6wi.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\smkRnQLUnHNSI9ZG1abqzaFpic6zUHMs = "C:\\Users\\Admin\\Documents\\QY4ZFpsXoAHjgFXip2yPmhVq.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\tHETc3ilUMAAhXz4F2AkOPVur9625aVs = "C:\\Users\\Admin\\Documents\\NGkdOVZbGNNSQC9s4bvrZfA8.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\MOxCJdCVDo5tPIbUAKplS1PoFGUHgmIR = "C:\\Users\\Admin\\Documents\\82afVVr3BsJhKtH0XwDiXqvw.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\4t2WIXUUz3KctPoM9rK6ksY4HA45H5HZ = "C:\\Users\\Admin\\Documents\\GclHBOeeIRmqxWuWGMfnYr1n.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zfhqcfii18FaYRbp6vDqPsBLbSVxRgdS = "C:\\Users\\Admin\\Documents\\czZ0BHNuql9iK0ijEvpzuJkc.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\u1lEp6PPET5jFuTRYIuLrYMWBP4c5Wgk = "C:\\Users\\Admin\\Documents\\1gSJK1kzMehEiBAIqAB4cQ4t.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\98iEi7e7nHx2wdcV5DKuY9Pqad547KN8 = "C:\\Users\\Admin\\Documents\\l5VObrILN8LIygGeJM0kMmaX.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZlakYbrNwAfTnS9QOOMII0M5NZWewbFg = "C:\\Users\\Admin\\Documents\\qLHkRL7CVmipnuBShGWTpKgU.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\QtYqbrzhdObhjCUbe470z7u7BP8bn86W = "C:\\Users\\Admin\\Documents\\KDK4b6zBsZ82pZFLDbygkx47.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\0t8pmagL8FpPXYOGnZ7nzvVUheiiZ7ei = "C:\\Users\\Admin\\Documents\\CI3IYxbrilGVq16dKTZHAedN.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bbc6lnoJzXdAZ0qgRcFCs1UQ6z7LqtHm = "C:\\Users\\Admin\\Documents\\gArcMq6nFx1IQqv7asIYI3yp.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\XrsC0CqVV03nRwj9PJDKDDz1vIuBEaXF = "C:\\Users\\Admin\\Documents\\9Ve4EcMa6rfgV0oVDt6TR3bw.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\F78bx59hgd6jm7NJGHOW5uSyzqRGqSEX = "C:\\Users\\Admin\\Documents\\XzUI3IyrEMI4qtalKnIFSAU1.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\rkfrv2IM3t8rHZg4I6OSjcXyeXFy2iUD = "C:\\Users\\Admin\\Documents\\eACr9gn5NN29cmr2cRFPMb1Y.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\aJF0A9pHodSjtYbAhDtazzAUYt8ywkiR = "C:\\Users\\Admin\\Documents\\Mf3lELtZ5yPW6YOy7EvjU4ec.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\UtwXBCzCwPq1Tb2Jg7vFikDzvXJ0fhlC = "C:\\Users\\Admin\\Documents\\kxMZ0glpgr2qic9jgU3bahAv.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\tKzcn4JYc8nlV9geZLaT2S6QW3wdDjsB = "C:\\Users\\Admin\\Documents\\YmCGdAlsXplJY6QMdajmJXLl.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\blHgFpqD4GsEB1gM1ITghBX5eUnJkc3d = "C:\\Users\\Admin\\Documents\\sV2r8uJ8NVN3ss7uYtMERO7T.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZS0Hw6Xg8veRhBOdMJDCdW3NwLk4DI5G = "C:\\Users\\Admin\\Documents\\K9JNjDcORX2mIJPvLDMWQEGi.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\hqaWXQOmZZ9lhdyHhmqssln4NTS9Dl0B = "C:\\Users\\Admin\\Documents\\5rURGWlDTq7wt1wHFWgIC3AB.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\xqYluMVUSnaiPMav2DVoT1HARLfcEUAH = "C:\\Users\\Admin\\Documents\\DENTcAeJ85gOC22q9CV2Q6zR.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\isoNo7ZYEfy0AR8B7Ek1XcGKsFkP1W68 = "C:\\Users\\Admin\\Documents\\xlvnHB9RTDhp3hmEp7umTyfA.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\qklF2vHI7KQ5Bfjc4LKeRcqKWmvlhbOV = "C:\\Users\\Admin\\Documents\\b4dQMJU1ciyFzrPEzWuvlGgI.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\nL6jUvDEoC3CSucSQMYTHIjVql5r8A9j = "C:\\Users\\Admin\\Documents\\mbjYaXnYNamS7SHcnGIDICIC.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\7bR8hwSHOiKlOAxN4pIJerWyEc62WfR4 = "C:\\Users\\Admin\\Documents\\m5qqd6E9yPy4zbapaQHu3szA.exe"	PlayerUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\5qaPGXL6ObRhtdCrCOUWSbLSe4ok1LxI = "C:\\Users\\Admin\\Documents\\5oTkUbQCrW2AbGqJikZEqwYT.exe"	PlayerUI.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 2 IoCs

Processes:

64876084600.exe64876084600.exe

description	pid	process	target process
PID 2252 set thread context of 2296	2252	64876084600.exe	64876084600.exe
PID 2296 set thread context of 2488	2296	64876084600.exe	64876084600.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5540 2488 WerFault.exe 64876084600.exe

pid	pid_target	process	target process
5540	2488	WerFault.exe	64876084600.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

92445027451.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	92445027451.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	92445027451.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2424 taskkill.exe
3048 taskkill.exe

pid	process
2424	taskkill.exe
3048	taskkill.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

PlayerUI.exeCd0CypcOZND0VNCNsKblKVIv.exe64876084600.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	PlayerUI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	PlayerUI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	PlayerUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Cd0CypcOZND0VNCNsKblKVIv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Cd0CypcOZND0VNCNsKblKVIv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	64876084600.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	64876084600.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

5540 WerFault.exe
5540 WerFault.exe
5540 WerFault.exe
5540 WerFault.exe
5540 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

PlayerUI.exe

pid process

776 PlayerUI.exe

pid	process
5540	WerFault.exe
5540	WerFault.exe
5540	WerFault.exe
5540	WerFault.exe
5540	WerFault.exe

Suspicious behavior: LoadsDriver 6 IoCs

Processes:

4kd35uOdt6twoc8On5QZqrSP.exeSVyHMWDQLVWlxdTENniqVGM7.exe

pid	process
2768	4kd35uOdt6twoc8On5QZqrSP.exe
2768	4kd35uOdt6twoc8On5QZqrSP.exe
2768	4kd35uOdt6twoc8On5QZqrSP.exe
2684	SVyHMWDQLVWlxdTENniqVGM7.exe
2684	SVyHMWDQLVWlxdTENniqVGM7.exe
2684	SVyHMWDQLVWlxdTENniqVGM7.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

PlayerUI.exetaskkill.exe0E41wdcVfdi1dEsX5cAopTwj.exeI03dg3fA18pEglBEcxunlLPX.exe

description	pid	process
Token: SeDebugPrivilege	776	PlayerUI.exe
Token: SeDebugPrivilege	2424	taskkill.exe
Token: SeCreateTokenPrivilege	2636	0E41wdcVfdi1dEsX5cAopTwj.exe
Token: SeAssignPrimaryTokenPrivilege	2636	0E41wdcVfdi1dEsX5cAopTwj.exe
Token: SeLockMemoryPrivilege	2636	0E41wdcVfdi1dEsX5cAopTwj.exe
Token: SeIncreaseQuotaPrivilege	2636	0E41wdcVfdi1dEsX5cAopTwj.exe
Token: SeMachineAccountPrivilege	2636	0E41wdcVfdi1dEsX5cAopTwj.exe
Token: SeTcbPrivilege	2636	0E41wdcVfdi1dEsX5cAopTwj.exe
Token: SeSecurityPrivilege	2636	0E41wdcVfdi1dEsX5cAopTwj.exe
Token: SeTakeOwnershipPrivilege	2636	0E41wdcVfdi1dEsX5cAopTwj.exe
Token: SeLoadDriverPrivilege	2636	0E41wdcVfdi1dEsX5cAopTwj.exe
Token: SeSystemProfilePrivilege	2636	0E41wdcVfdi1dEsX5cAopTwj.exe
Token: SeSystemtimePrivilege	2636	0E41wdcVfdi1dEsX5cAopTwj.exe
Token: SeProfSingleProcessPrivilege	2636	0E41wdcVfdi1dEsX5cAopTwj.exe
Token: SeIncBasePriorityPrivilege	2636	0E41wdcVfdi1dEsX5cAopTwj.exe
Token: SeCreatePagefilePrivilege	2636	0E41wdcVfdi1dEsX5cAopTwj.exe
Token: SeCreatePermanentPrivilege	2636	0E41wdcVfdi1dEsX5cAopTwj.exe
Token: SeBackupPrivilege	2636	0E41wdcVfdi1dEsX5cAopTwj.exe
Token: SeRestorePrivilege	2636	0E41wdcVfdi1dEsX5cAopTwj.exe
Token: SeShutdownPrivilege	2636	0E41wdcVfdi1dEsX5cAopTwj.exe
Token: SeDebugPrivilege	2636	0E41wdcVfdi1dEsX5cAopTwj.exe
Token: SeAuditPrivilege	2636	0E41wdcVfdi1dEsX5cAopTwj.exe
Token: SeSystemEnvironmentPrivilege	2636	0E41wdcVfdi1dEsX5cAopTwj.exe
Token: SeChangeNotifyPrivilege	2636	0E41wdcVfdi1dEsX5cAopTwj.exe
Token: SeRemoteShutdownPrivilege	2636	0E41wdcVfdi1dEsX5cAopTwj.exe
Token: SeUndockPrivilege	2636	0E41wdcVfdi1dEsX5cAopTwj.exe
Token: SeSyncAgentPrivilege	2636	0E41wdcVfdi1dEsX5cAopTwj.exe
Token: SeEnableDelegationPrivilege	2636	0E41wdcVfdi1dEsX5cAopTwj.exe
Token: SeManageVolumePrivilege	2636	0E41wdcVfdi1dEsX5cAopTwj.exe
Token: SeImpersonatePrivilege	2636	0E41wdcVfdi1dEsX5cAopTwj.exe
Token: SeCreateGlobalPrivilege	2636	0E41wdcVfdi1dEsX5cAopTwj.exe
Token: 31	2636	0E41wdcVfdi1dEsX5cAopTwj.exe
Token: 32	2636	0E41wdcVfdi1dEsX5cAopTwj.exe
Token: 33	2636	0E41wdcVfdi1dEsX5cAopTwj.exe
Token: 34	2636	0E41wdcVfdi1dEsX5cAopTwj.exe
Token: 35	2636	0E41wdcVfdi1dEsX5cAopTwj.exe
Token: SeCreateTokenPrivilege	2792	I03dg3fA18pEglBEcxunlLPX.exe
Token: SeAssignPrimaryTokenPrivilege	2792	I03dg3fA18pEglBEcxunlLPX.exe
Token: SeLockMemoryPrivilege	2792	I03dg3fA18pEglBEcxunlLPX.exe
Token: SeIncreaseQuotaPrivilege	2792	I03dg3fA18pEglBEcxunlLPX.exe
Token: SeMachineAccountPrivilege	2792	I03dg3fA18pEglBEcxunlLPX.exe
Token: SeTcbPrivilege	2792	I03dg3fA18pEglBEcxunlLPX.exe
Token: SeSecurityPrivilege	2792	I03dg3fA18pEglBEcxunlLPX.exe
Token: SeTakeOwnershipPrivilege	2792	I03dg3fA18pEglBEcxunlLPX.exe
Token: SeLoadDriverPrivilege	2792	I03dg3fA18pEglBEcxunlLPX.exe
Token: SeSystemProfilePrivilege	2792	I03dg3fA18pEglBEcxunlLPX.exe
Token: SeSystemtimePrivilege	2792	I03dg3fA18pEglBEcxunlLPX.exe
Token: SeProfSingleProcessPrivilege	2792	I03dg3fA18pEglBEcxunlLPX.exe
Token: SeIncBasePriorityPrivilege	2792	I03dg3fA18pEglBEcxunlLPX.exe
Token: SeCreatePagefilePrivilege	2792	I03dg3fA18pEglBEcxunlLPX.exe
Token: SeCreatePermanentPrivilege	2792	I03dg3fA18pEglBEcxunlLPX.exe
Token: SeBackupPrivilege	2792	I03dg3fA18pEglBEcxunlLPX.exe
Token: SeRestorePrivilege	2792	I03dg3fA18pEglBEcxunlLPX.exe
Token: SeShutdownPrivilege	2792	I03dg3fA18pEglBEcxunlLPX.exe
Token: SeDebugPrivilege	2792	I03dg3fA18pEglBEcxunlLPX.exe
Token: SeAuditPrivilege	2792	I03dg3fA18pEglBEcxunlLPX.exe
Token: SeSystemEnvironmentPrivilege	2792	I03dg3fA18pEglBEcxunlLPX.exe
Token: SeChangeNotifyPrivilege	2792	I03dg3fA18pEglBEcxunlLPX.exe
Token: SeRemoteShutdownPrivilege	2792	I03dg3fA18pEglBEcxunlLPX.exe
Token: SeUndockPrivilege	2792	I03dg3fA18pEglBEcxunlLPX.exe
Token: SeSyncAgentPrivilege	2792	I03dg3fA18pEglBEcxunlLPX.exe
Token: SeEnableDelegationPrivilege	2792	I03dg3fA18pEglBEcxunlLPX.exe
Token: SeManageVolumePrivilege	2792	I03dg3fA18pEglBEcxunlLPX.exe
Token: SeImpersonatePrivilege	2792	I03dg3fA18pEglBEcxunlLPX.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

PlayerUI.exeCd0CypcOZND0VNCNsKblKVIv.execmd.exe64876084600.execmd.execmd.exe64876084600.exe

description	pid	process	target process
PID 776 wrote to memory of 2052	776	PlayerUI.exe	Cd0CypcOZND0VNCNsKblKVIv.exe
PID 776 wrote to memory of 2052	776	PlayerUI.exe	Cd0CypcOZND0VNCNsKblKVIv.exe
PID 776 wrote to memory of 2052	776	PlayerUI.exe	Cd0CypcOZND0VNCNsKblKVIv.exe
PID 776 wrote to memory of 2052	776	PlayerUI.exe	Cd0CypcOZND0VNCNsKblKVIv.exe
PID 2052 wrote to memory of 2216	2052	Cd0CypcOZND0VNCNsKblKVIv.exe	cmd.exe
PID 2052 wrote to memory of 2216	2052	Cd0CypcOZND0VNCNsKblKVIv.exe	cmd.exe
PID 2052 wrote to memory of 2216	2052	Cd0CypcOZND0VNCNsKblKVIv.exe	cmd.exe
PID 2052 wrote to memory of 2216	2052	Cd0CypcOZND0VNCNsKblKVIv.exe	cmd.exe
PID 2216 wrote to memory of 2252	2216	cmd.exe	64876084600.exe
PID 2216 wrote to memory of 2252	2216	cmd.exe	64876084600.exe
PID 2216 wrote to memory of 2252	2216	cmd.exe	64876084600.exe
PID 2216 wrote to memory of 2252	2216	cmd.exe	64876084600.exe
PID 2252 wrote to memory of 2296	2252	64876084600.exe	64876084600.exe
PID 2252 wrote to memory of 2296	2252	64876084600.exe	64876084600.exe
PID 2252 wrote to memory of 2296	2252	64876084600.exe	64876084600.exe
PID 2252 wrote to memory of 2296	2252	64876084600.exe	64876084600.exe
PID 2252 wrote to memory of 2296	2252	64876084600.exe	64876084600.exe
PID 2252 wrote to memory of 2296	2252	64876084600.exe	64876084600.exe
PID 2252 wrote to memory of 2296	2252	64876084600.exe	64876084600.exe
PID 2252 wrote to memory of 2296	2252	64876084600.exe	64876084600.exe
PID 2252 wrote to memory of 2296	2252	64876084600.exe	64876084600.exe
PID 2252 wrote to memory of 2296	2252	64876084600.exe	64876084600.exe
PID 2052 wrote to memory of 2312	2052	Cd0CypcOZND0VNCNsKblKVIv.exe	cmd.exe
PID 2052 wrote to memory of 2312	2052	Cd0CypcOZND0VNCNsKblKVIv.exe	cmd.exe
PID 2052 wrote to memory of 2312	2052	Cd0CypcOZND0VNCNsKblKVIv.exe	cmd.exe
PID 2052 wrote to memory of 2312	2052	Cd0CypcOZND0VNCNsKblKVIv.exe	cmd.exe
PID 2312 wrote to memory of 2356	2312	cmd.exe	92445027451.exe
PID 2312 wrote to memory of 2356	2312	cmd.exe	92445027451.exe
PID 2312 wrote to memory of 2356	2312	cmd.exe	92445027451.exe
PID 2312 wrote to memory of 2356	2312	cmd.exe	92445027451.exe
PID 2052 wrote to memory of 2384	2052	Cd0CypcOZND0VNCNsKblKVIv.exe	cmd.exe
PID 2052 wrote to memory of 2384	2052	Cd0CypcOZND0VNCNsKblKVIv.exe	cmd.exe
PID 2052 wrote to memory of 2384	2052	Cd0CypcOZND0VNCNsKblKVIv.exe	cmd.exe
PID 2052 wrote to memory of 2384	2052	Cd0CypcOZND0VNCNsKblKVIv.exe	cmd.exe
PID 2384 wrote to memory of 2424	2384	cmd.exe	taskkill.exe
PID 2384 wrote to memory of 2424	2384	cmd.exe	taskkill.exe
PID 2384 wrote to memory of 2424	2384	cmd.exe	taskkill.exe
PID 2384 wrote to memory of 2424	2384	cmd.exe	taskkill.exe
PID 2296 wrote to memory of 2488	2296	64876084600.exe	64876084600.exe
PID 2296 wrote to memory of 2488	2296	64876084600.exe	64876084600.exe
PID 2296 wrote to memory of 2488	2296	64876084600.exe	64876084600.exe
PID 2296 wrote to memory of 2488	2296	64876084600.exe	64876084600.exe
PID 2296 wrote to memory of 2488	2296	64876084600.exe	64876084600.exe
PID 2296 wrote to memory of 2488	2296	64876084600.exe	64876084600.exe
PID 2296 wrote to memory of 2488	2296	64876084600.exe	64876084600.exe
PID 2296 wrote to memory of 2488	2296	64876084600.exe	64876084600.exe
PID 2296 wrote to memory of 2488	2296	64876084600.exe	64876084600.exe
PID 2296 wrote to memory of 2488	2296	64876084600.exe	64876084600.exe
PID 776 wrote to memory of 2624	776	PlayerUI.exe	lnAZzWWiJKWeJ7LCVnf2NAw5.exe
PID 776 wrote to memory of 2624	776	PlayerUI.exe	lnAZzWWiJKWeJ7LCVnf2NAw5.exe
PID 776 wrote to memory of 2624	776	PlayerUI.exe	lnAZzWWiJKWeJ7LCVnf2NAw5.exe
PID 776 wrote to memory of 2624	776	PlayerUI.exe	lnAZzWWiJKWeJ7LCVnf2NAw5.exe
PID 776 wrote to memory of 2636	776	PlayerUI.exe	0E41wdcVfdi1dEsX5cAopTwj.exe
PID 776 wrote to memory of 2636	776	PlayerUI.exe	0E41wdcVfdi1dEsX5cAopTwj.exe
PID 776 wrote to memory of 2636	776	PlayerUI.exe	0E41wdcVfdi1dEsX5cAopTwj.exe
PID 776 wrote to memory of 2636	776	PlayerUI.exe	0E41wdcVfdi1dEsX5cAopTwj.exe
PID 776 wrote to memory of 2684	776	PlayerUI.exe	SVyHMWDQLVWlxdTENniqVGM7.exe
PID 776 wrote to memory of 2684	776	PlayerUI.exe	SVyHMWDQLVWlxdTENniqVGM7.exe
PID 776 wrote to memory of 2684	776	PlayerUI.exe	SVyHMWDQLVWlxdTENniqVGM7.exe
PID 776 wrote to memory of 2684	776	PlayerUI.exe	SVyHMWDQLVWlxdTENniqVGM7.exe
PID 776 wrote to memory of 2728	776	PlayerUI.exe	9BUUQZypguiLPrNCMeJuKoSM.exe
PID 776 wrote to memory of 2728	776	PlayerUI.exe	9BUUQZypguiLPrNCMeJuKoSM.exe
PID 776 wrote to memory of 2728	776	PlayerUI.exe	9BUUQZypguiLPrNCMeJuKoSM.exe
PID 776 wrote to memory of 2728	776	PlayerUI.exe	9BUUQZypguiLPrNCMeJuKoSM.exe

C:\Users\Admin\AppData\Local\Temp\PlayerUI.exe
"C:\Users\Admin\AppData\Local\Temp\PlayerUI.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:776

C:\Users\Admin\Documents\Cd0CypcOZND0VNCNsKblKVIv.exe
"C:\Users\Admin\Documents\Cd0CypcOZND0VNCNsKblKVIv.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{xTQT-wwYP2-c5GZ-fWDbN}\64876084600.exe"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216

C:\Users\Admin\AppData\Local\Temp\{xTQT-wwYP2-c5GZ-fWDbN}\64876084600.exe
"C:\Users\Admin\AppData\Local\Temp\{xTQT-wwYP2-c5GZ-fWDbN}\64876084600.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2252

C:\Users\Admin\AppData\Local\Temp\{xTQT-wwYP2-c5GZ-fWDbN}\64876084600.exe
"C:\Users\Admin\AppData\Local\Temp\{xTQT-wwYP2-c5GZ-fWDbN}\64876084600.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2296

C:\Users\Admin\AppData\Local\Temp\{xTQT-wwYP2-c5GZ-fWDbN}\64876084600.exe
"C:\Users\Admin\AppData\Local\Temp\{xTQT-wwYP2-c5GZ-fWDbN}\64876084600.exe"
6⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 916
7⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:5540

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{xTQT-wwYP2-c5GZ-fWDbN}\92445027451.exe" /mix
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2312

C:\Users\Admin\AppData\Local\Temp\{xTQT-wwYP2-c5GZ-fWDbN}\92445027451.exe
"C:\Users\Admin\AppData\Local\Temp\{xTQT-wwYP2-c5GZ-fWDbN}\92445027451.exe" /mix
4⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "Cd0CypcOZND0VNCNsKblKVIv.exe" /f & erase "C:\Users\Admin\Documents\Cd0CypcOZND0VNCNsKblKVIv.exe" & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2384

C:\Users\Admin\Documents\0E41wdcVfdi1dEsX5cAopTwj.exe
"C:\Users\Admin\Documents\0E41wdcVfdi1dEsX5cAopTwj.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
PID:3004

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
PID:3048

C:\Users\Admin\Documents\lnAZzWWiJKWeJ7LCVnf2NAw5.exe
"C:\Users\Admin\Documents\lnAZzWWiJKWeJ7LCVnf2NAw5.exe"
2⤵
- Executes dropped EXE
PID:2624

C:\Users\Admin\Documents\SVyHMWDQLVWlxdTENniqVGM7.exe
"C:\Users\Admin\Documents\SVyHMWDQLVWlxdTENniqVGM7.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
PID:2684

C:\Users\Admin\Documents\9BUUQZypguiLPrNCMeJuKoSM.exe
"C:\Users\Admin\Documents\9BUUQZypguiLPrNCMeJuKoSM.exe"
2⤵
- Executes dropped EXE
PID:2728

C:\Users\Admin\Documents\4kd35uOdt6twoc8On5QZqrSP.exe
"C:\Users\Admin\Documents\4kd35uOdt6twoc8On5QZqrSP.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
PID:2768

C:\Users\Admin\Documents\I03dg3fA18pEglBEcxunlLPX.exe
"C:\Users\Admin\Documents\I03dg3fA18pEglBEcxunlLPX.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "Cd0CypcOZND0VNCNsKblKVIv.exe" /f
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
61a03d15cf62612f50b74867090dbe79

SHA1
15228f34067b4b107e917bebaf17cc7c3c1280a8

SHA256
f9e23dc21553daa34c6eb778cd262831e466ce794f4bea48150e8d70d3e6af6d

SHA512
5fece89ccbbf994e4f1e3ef89a502f25a72f359d445c034682758d26f01d9f3aa20a43010b9a87f2687da7ba201476922aa46d4906d442d56eb59b2b881259d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
d0723ec4a9d0b015e7a48c14543285ee

SHA1
0ed56442c486ecc9551c52e723b2c1bc9c0227d9

SHA256
d4b4f57df962cb1b2e572066206a3b69136a8f874670d9450e0ce04b25efbda5

SHA512
0ee781dc79377ffaa8b9ef9f2285b9aa803a0dfe8b41d189798a4090d388e0e9c180b4985fcaa45dff224a2ba02ad6e7068c09ce927111649d012be6a197d44c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{xTQT-wwYP2-c5GZ-fWDbN}\64876084600.exe
MD5
1204fd2475463856ee1e4b7e8bbc8a97

SHA1
9808fdb378aefed2bd85edf544dda0dd1c3ca90e

SHA256
8c2b2f56415981557ec7e2f321decb4cc3e7514d7e1007370e082ada9fae702c

SHA512
dad6ba60d8463d27754a61061826c14c107953ae8ac4727dfab59c2702bdd2c9806cf910bb10853b563924a3c40d51976292595e6d359b297c383e0cb1e45c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{xTQT-wwYP2-c5GZ-fWDbN}\64876084600.exe
MD5
1204fd2475463856ee1e4b7e8bbc8a97

SHA1
9808fdb378aefed2bd85edf544dda0dd1c3ca90e

SHA256
8c2b2f56415981557ec7e2f321decb4cc3e7514d7e1007370e082ada9fae702c

SHA512
dad6ba60d8463d27754a61061826c14c107953ae8ac4727dfab59c2702bdd2c9806cf910bb10853b563924a3c40d51976292595e6d359b297c383e0cb1e45c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{xTQT-wwYP2-c5GZ-fWDbN}\64876084600.exe
MD5
1204fd2475463856ee1e4b7e8bbc8a97

SHA1
9808fdb378aefed2bd85edf544dda0dd1c3ca90e

SHA256
8c2b2f56415981557ec7e2f321decb4cc3e7514d7e1007370e082ada9fae702c

SHA512
dad6ba60d8463d27754a61061826c14c107953ae8ac4727dfab59c2702bdd2c9806cf910bb10853b563924a3c40d51976292595e6d359b297c383e0cb1e45c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{xTQT-wwYP2-c5GZ-fWDbN}\64876084600.exe
MD5
1204fd2475463856ee1e4b7e8bbc8a97

SHA1
9808fdb378aefed2bd85edf544dda0dd1c3ca90e

SHA256
8c2b2f56415981557ec7e2f321decb4cc3e7514d7e1007370e082ada9fae702c

SHA512
dad6ba60d8463d27754a61061826c14c107953ae8ac4727dfab59c2702bdd2c9806cf910bb10853b563924a3c40d51976292595e6d359b297c383e0cb1e45c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{xTQT-wwYP2-c5GZ-fWDbN}\92445027451.exe
MD5
6f5b1279d943e548259d62f00650044a

SHA1
367d5ff6ee971fcac30cf8b453eea8f47a936264

SHA256
118f24dab3dce4a5ae6e3ab078551cbc628b475abeeafa07a5972622aaa38812

SHA512
75e655e6df832bccafca641f0af62165da644a92ce3055d30b12b2dd0d241df4b43ea4de4429e3719b9e7f198882c5a0b3f44ab45900797d41787fdaf60988fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\{xTQT-wwYP2-c5GZ-fWDbN}\92445027451.exe
MD5
6f5b1279d943e548259d62f00650044a

SHA1
367d5ff6ee971fcac30cf8b453eea8f47a936264

SHA256
118f24dab3dce4a5ae6e3ab078551cbc628b475abeeafa07a5972622aaa38812

SHA512
75e655e6df832bccafca641f0af62165da644a92ce3055d30b12b2dd0d241df4b43ea4de4429e3719b9e7f198882c5a0b3f44ab45900797d41787fdaf60988fe

Download Submit
C:\Users\Admin\Documents\0E41wdcVfdi1dEsX5cAopTwj.exe
MD5
06035c751a095a6cbcd82229c8df63f9

SHA1
0c751f6b5ad619d4ac85ad70045b2e806913c6dc

SHA256
d345f33223ebaab130427ade2f259a25978fd96218b6cb81f7cb87e0d3597835

SHA512
eeb0c21f2f43ddcee7f8e9245161ca3cbb13bd11bbc77decabe6862eeda79e3214df465d36b515598e2dbdc23c426131ac2a0dc185120b4b73f57019cd31435d

Download Submit
C:\Users\Admin\Documents\4kd35uOdt6twoc8On5QZqrSP.exe
MD5
f0bc65a05ad0a598375cfcd88cebf2f7

SHA1
a293f92d4f7377b31e06ee0377d4f8069d923938

SHA256
cfce285cacd32aaa2b142c7cb7c23643a8d57825daaa51ea69df4d61ff3a819f

SHA512
b24ded01b55a90781a7a14e39b8ab9e44816e5fae8fd8a212ef89c42cf5f53876586af5653fb992579fe5d7ecfaae3b83e3f5a153d2f2cabf2b5a011bd9ae873

Download Submit
C:\Users\Admin\Documents\9BUUQZypguiLPrNCMeJuKoSM.exe
MD5
2c81352d9b21d98d34f6db0f95c6f8ba

SHA1
11eef38c83e76696eaf746ff3b82e1b9a3b7d417

SHA256
3e86a5bd67c6f546deedd91f4d737d22007a950c841195e2195124df585884ea

SHA512
7fad429d3d16094658d90ac1d4e3fa556fb430d1dacb28620899f9d33a7cd0593b2f49cb206d1b0c0ee16076f2d24d36f38efd083e01ce39f36b7e98d0ddc739

Download Submit
C:\Users\Admin\Documents\Cd0CypcOZND0VNCNsKblKVIv.exe
MD5
b22f601e1c1e2400a0fcd0e9835f03ed

SHA1
d23a32d7a9ac91a8bcc701b147e334ae47cc802a

SHA256
c23d42a1c5b99920c37bb46a6b64ef68b686255a915a0e8cf1942f3f65335268

SHA512
f2e9266248f9812bececa281f5218962ed37ea3ac4405d11e2220ec51a9e52ffab84d87c5cfa6b7f3ce7249e009cc0ed2a742b1e93d1b908c9e2dfd9f4b5295c

Download Submit
C:\Users\Admin\Documents\Cd0CypcOZND0VNCNsKblKVIv.exe
MD5
b22f601e1c1e2400a0fcd0e9835f03ed

SHA1
d23a32d7a9ac91a8bcc701b147e334ae47cc802a

SHA256
c23d42a1c5b99920c37bb46a6b64ef68b686255a915a0e8cf1942f3f65335268

SHA512
f2e9266248f9812bececa281f5218962ed37ea3ac4405d11e2220ec51a9e52ffab84d87c5cfa6b7f3ce7249e009cc0ed2a742b1e93d1b908c9e2dfd9f4b5295c

Download Submit
C:\Users\Admin\Documents\I03dg3fA18pEglBEcxunlLPX.exe
MD5
06035c751a095a6cbcd82229c8df63f9

SHA1
0c751f6b5ad619d4ac85ad70045b2e806913c6dc

SHA256
d345f33223ebaab130427ade2f259a25978fd96218b6cb81f7cb87e0d3597835

SHA512
eeb0c21f2f43ddcee7f8e9245161ca3cbb13bd11bbc77decabe6862eeda79e3214df465d36b515598e2dbdc23c426131ac2a0dc185120b4b73f57019cd31435d

Download Submit
C:\Users\Admin\Documents\SVyHMWDQLVWlxdTENniqVGM7.exe
MD5
f0bc65a05ad0a598375cfcd88cebf2f7

SHA1
a293f92d4f7377b31e06ee0377d4f8069d923938

SHA256
cfce285cacd32aaa2b142c7cb7c23643a8d57825daaa51ea69df4d61ff3a819f

SHA512
b24ded01b55a90781a7a14e39b8ab9e44816e5fae8fd8a212ef89c42cf5f53876586af5653fb992579fe5d7ecfaae3b83e3f5a153d2f2cabf2b5a011bd9ae873

Download Submit
C:\Users\Admin\Documents\lnAZzWWiJKWeJ7LCVnf2NAw5.exe
MD5
2c81352d9b21d98d34f6db0f95c6f8ba

SHA1
11eef38c83e76696eaf746ff3b82e1b9a3b7d417

SHA256
3e86a5bd67c6f546deedd91f4d737d22007a950c841195e2195124df585884ea

SHA512
7fad429d3d16094658d90ac1d4e3fa556fb430d1dacb28620899f9d33a7cd0593b2f49cb206d1b0c0ee16076f2d24d36f38efd083e01ce39f36b7e98d0ddc739

Download Submit
\Users\Admin\AppData\Local\Temp\{xTQT-wwYP2-c5GZ-fWDbN}\64876084600.exe
MD5
1204fd2475463856ee1e4b7e8bbc8a97

SHA1
9808fdb378aefed2bd85edf544dda0dd1c3ca90e

SHA256
8c2b2f56415981557ec7e2f321decb4cc3e7514d7e1007370e082ada9fae702c

SHA512
dad6ba60d8463d27754a61061826c14c107953ae8ac4727dfab59c2702bdd2c9806cf910bb10853b563924a3c40d51976292595e6d359b297c383e0cb1e45c3f

Download Submit
\Users\Admin\AppData\Local\Temp\{xTQT-wwYP2-c5GZ-fWDbN}\64876084600.exe
MD5
1204fd2475463856ee1e4b7e8bbc8a97

SHA1
9808fdb378aefed2bd85edf544dda0dd1c3ca90e

SHA256
8c2b2f56415981557ec7e2f321decb4cc3e7514d7e1007370e082ada9fae702c

SHA512
dad6ba60d8463d27754a61061826c14c107953ae8ac4727dfab59c2702bdd2c9806cf910bb10853b563924a3c40d51976292595e6d359b297c383e0cb1e45c3f

Download Submit
\Users\Admin\AppData\Local\Temp\{xTQT-wwYP2-c5GZ-fWDbN}\64876084600.exe
MD5
1204fd2475463856ee1e4b7e8bbc8a97

SHA1
9808fdb378aefed2bd85edf544dda0dd1c3ca90e

SHA256
8c2b2f56415981557ec7e2f321decb4cc3e7514d7e1007370e082ada9fae702c

SHA512
dad6ba60d8463d27754a61061826c14c107953ae8ac4727dfab59c2702bdd2c9806cf910bb10853b563924a3c40d51976292595e6d359b297c383e0cb1e45c3f

Download Submit
\Users\Admin\AppData\Local\Temp\{xTQT-wwYP2-c5GZ-fWDbN}\64876084600.exe
MD5
1204fd2475463856ee1e4b7e8bbc8a97

SHA1
9808fdb378aefed2bd85edf544dda0dd1c3ca90e

SHA256
8c2b2f56415981557ec7e2f321decb4cc3e7514d7e1007370e082ada9fae702c

SHA512
dad6ba60d8463d27754a61061826c14c107953ae8ac4727dfab59c2702bdd2c9806cf910bb10853b563924a3c40d51976292595e6d359b297c383e0cb1e45c3f

Download Submit
\Users\Admin\AppData\Local\Temp\{xTQT-wwYP2-c5GZ-fWDbN}\64876084600.exe
MD5
1204fd2475463856ee1e4b7e8bbc8a97

SHA1
9808fdb378aefed2bd85edf544dda0dd1c3ca90e

SHA256
8c2b2f56415981557ec7e2f321decb4cc3e7514d7e1007370e082ada9fae702c

SHA512
dad6ba60d8463d27754a61061826c14c107953ae8ac4727dfab59c2702bdd2c9806cf910bb10853b563924a3c40d51976292595e6d359b297c383e0cb1e45c3f

Download Submit
\Users\Admin\AppData\Local\Temp\{xTQT-wwYP2-c5GZ-fWDbN}\64876084600.exe
MD5
1204fd2475463856ee1e4b7e8bbc8a97

SHA1
9808fdb378aefed2bd85edf544dda0dd1c3ca90e

SHA256
8c2b2f56415981557ec7e2f321decb4cc3e7514d7e1007370e082ada9fae702c

SHA512
dad6ba60d8463d27754a61061826c14c107953ae8ac4727dfab59c2702bdd2c9806cf910bb10853b563924a3c40d51976292595e6d359b297c383e0cb1e45c3f

Download Submit
\Users\Admin\AppData\Local\Temp\{xTQT-wwYP2-c5GZ-fWDbN}\64876084600.exe
MD5
1204fd2475463856ee1e4b7e8bbc8a97

SHA1
9808fdb378aefed2bd85edf544dda0dd1c3ca90e

SHA256
8c2b2f56415981557ec7e2f321decb4cc3e7514d7e1007370e082ada9fae702c

SHA512
dad6ba60d8463d27754a61061826c14c107953ae8ac4727dfab59c2702bdd2c9806cf910bb10853b563924a3c40d51976292595e6d359b297c383e0cb1e45c3f

Download Submit
\Users\Admin\AppData\Local\Temp\{xTQT-wwYP2-c5GZ-fWDbN}\64876084600.exe
MD5
1204fd2475463856ee1e4b7e8bbc8a97

SHA1
9808fdb378aefed2bd85edf544dda0dd1c3ca90e

SHA256
8c2b2f56415981557ec7e2f321decb4cc3e7514d7e1007370e082ada9fae702c

SHA512
dad6ba60d8463d27754a61061826c14c107953ae8ac4727dfab59c2702bdd2c9806cf910bb10853b563924a3c40d51976292595e6d359b297c383e0cb1e45c3f

Download Submit
\Users\Admin\AppData\Local\Temp\{xTQT-wwYP2-c5GZ-fWDbN}\92445027451.exe
MD5
6f5b1279d943e548259d62f00650044a

SHA1
367d5ff6ee971fcac30cf8b453eea8f47a936264

SHA256
118f24dab3dce4a5ae6e3ab078551cbc628b475abeeafa07a5972622aaa38812

SHA512
75e655e6df832bccafca641f0af62165da644a92ce3055d30b12b2dd0d241df4b43ea4de4429e3719b9e7f198882c5a0b3f44ab45900797d41787fdaf60988fe

Download Submit
\Users\Admin\AppData\Local\Temp\{xTQT-wwYP2-c5GZ-fWDbN}\92445027451.exe
MD5
6f5b1279d943e548259d62f00650044a

SHA1
367d5ff6ee971fcac30cf8b453eea8f47a936264

SHA256
118f24dab3dce4a5ae6e3ab078551cbc628b475abeeafa07a5972622aaa38812

SHA512
75e655e6df832bccafca641f0af62165da644a92ce3055d30b12b2dd0d241df4b43ea4de4429e3719b9e7f198882c5a0b3f44ab45900797d41787fdaf60988fe

Download Submit
\Users\Admin\Documents\0E41wdcVfdi1dEsX5cAopTwj.exe
MD5
06035c751a095a6cbcd82229c8df63f9

SHA1
0c751f6b5ad619d4ac85ad70045b2e806913c6dc

SHA256
d345f33223ebaab130427ade2f259a25978fd96218b6cb81f7cb87e0d3597835

SHA512
eeb0c21f2f43ddcee7f8e9245161ca3cbb13bd11bbc77decabe6862eeda79e3214df465d36b515598e2dbdc23c426131ac2a0dc185120b4b73f57019cd31435d

Download Submit
\Users\Admin\Documents\4kd35uOdt6twoc8On5QZqrSP.exe
MD5
f0bc65a05ad0a598375cfcd88cebf2f7

SHA1
a293f92d4f7377b31e06ee0377d4f8069d923938

SHA256
cfce285cacd32aaa2b142c7cb7c23643a8d57825daaa51ea69df4d61ff3a819f

SHA512
b24ded01b55a90781a7a14e39b8ab9e44816e5fae8fd8a212ef89c42cf5f53876586af5653fb992579fe5d7ecfaae3b83e3f5a153d2f2cabf2b5a011bd9ae873

Download Submit
\Users\Admin\Documents\9BUUQZypguiLPrNCMeJuKoSM.exe
MD5
2c81352d9b21d98d34f6db0f95c6f8ba

SHA1
11eef38c83e76696eaf746ff3b82e1b9a3b7d417

SHA256
3e86a5bd67c6f546deedd91f4d737d22007a950c841195e2195124df585884ea

SHA512
7fad429d3d16094658d90ac1d4e3fa556fb430d1dacb28620899f9d33a7cd0593b2f49cb206d1b0c0ee16076f2d24d36f38efd083e01ce39f36b7e98d0ddc739

Download Submit
\Users\Admin\Documents\9BUUQZypguiLPrNCMeJuKoSM.exe
MD5
2c81352d9b21d98d34f6db0f95c6f8ba

SHA1
11eef38c83e76696eaf746ff3b82e1b9a3b7d417

SHA256
3e86a5bd67c6f546deedd91f4d737d22007a950c841195e2195124df585884ea

SHA512
7fad429d3d16094658d90ac1d4e3fa556fb430d1dacb28620899f9d33a7cd0593b2f49cb206d1b0c0ee16076f2d24d36f38efd083e01ce39f36b7e98d0ddc739

Download Submit
\Users\Admin\Documents\Cd0CypcOZND0VNCNsKblKVIv.exe
MD5
b22f601e1c1e2400a0fcd0e9835f03ed

SHA1
d23a32d7a9ac91a8bcc701b147e334ae47cc802a

SHA256
c23d42a1c5b99920c37bb46a6b64ef68b686255a915a0e8cf1942f3f65335268

SHA512
f2e9266248f9812bececa281f5218962ed37ea3ac4405d11e2220ec51a9e52ffab84d87c5cfa6b7f3ce7249e009cc0ed2a742b1e93d1b908c9e2dfd9f4b5295c

Download Submit
\Users\Admin\Documents\Cd0CypcOZND0VNCNsKblKVIv.exe
MD5
b22f601e1c1e2400a0fcd0e9835f03ed

SHA1
d23a32d7a9ac91a8bcc701b147e334ae47cc802a

SHA256
c23d42a1c5b99920c37bb46a6b64ef68b686255a915a0e8cf1942f3f65335268

SHA512
f2e9266248f9812bececa281f5218962ed37ea3ac4405d11e2220ec51a9e52ffab84d87c5cfa6b7f3ce7249e009cc0ed2a742b1e93d1b908c9e2dfd9f4b5295c

Download Submit
\Users\Admin\Documents\I03dg3fA18pEglBEcxunlLPX.exe
MD5
06035c751a095a6cbcd82229c8df63f9

SHA1
0c751f6b5ad619d4ac85ad70045b2e806913c6dc

SHA256
d345f33223ebaab130427ade2f259a25978fd96218b6cb81f7cb87e0d3597835

SHA512
eeb0c21f2f43ddcee7f8e9245161ca3cbb13bd11bbc77decabe6862eeda79e3214df465d36b515598e2dbdc23c426131ac2a0dc185120b4b73f57019cd31435d

Download Submit
\Users\Admin\Documents\SVyHMWDQLVWlxdTENniqVGM7.exe
MD5
f0bc65a05ad0a598375cfcd88cebf2f7

SHA1
a293f92d4f7377b31e06ee0377d4f8069d923938

SHA256
cfce285cacd32aaa2b142c7cb7c23643a8d57825daaa51ea69df4d61ff3a819f

SHA512
b24ded01b55a90781a7a14e39b8ab9e44816e5fae8fd8a212ef89c42cf5f53876586af5653fb992579fe5d7ecfaae3b83e3f5a153d2f2cabf2b5a011bd9ae873

Download Submit
\Users\Admin\Documents\lnAZzWWiJKWeJ7LCVnf2NAw5.exe
MD5
2c81352d9b21d98d34f6db0f95c6f8ba

SHA1
11eef38c83e76696eaf746ff3b82e1b9a3b7d417

SHA256
3e86a5bd67c6f546deedd91f4d737d22007a950c841195e2195124df585884ea

SHA512
7fad429d3d16094658d90ac1d4e3fa556fb430d1dacb28620899f9d33a7cd0593b2f49cb206d1b0c0ee16076f2d24d36f38efd083e01ce39f36b7e98d0ddc739

Download Submit
\Users\Admin\Documents\lnAZzWWiJKWeJ7LCVnf2NAw5.exe
MD5
2c81352d9b21d98d34f6db0f95c6f8ba

SHA1
11eef38c83e76696eaf746ff3b82e1b9a3b7d417

SHA256
3e86a5bd67c6f546deedd91f4d737d22007a950c841195e2195124df585884ea

SHA512
7fad429d3d16094658d90ac1d4e3fa556fb430d1dacb28620899f9d33a7cd0593b2f49cb206d1b0c0ee16076f2d24d36f38efd083e01ce39f36b7e98d0ddc739

Download Submit
memory/776-7-0x0000000004BC6000-0x0000000004BC7000-memory.dmp

Filesize
4KB

Download
memory/776-8-0x0000000001E80000-0x0000000001E83000-memory.dmp

Filesize
12KB

Download
memory/776-6-0x0000000004BB5000-0x0000000004BC6000-memory.dmp

Filesize
68KB

Download
memory/776-2-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/776-5-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/776-3-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2052-14-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/2052-13-0x0000000000D80000-0x0000000000D91000-memory.dmp

Filesize
68KB

Download
memory/2052-11-0x0000000000000000-mapping.dmp

Download
memory/2052-15-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download
memory/2052-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2168-17-0x000007FEF6200000-0x000007FEF647A000-memory.dmp

Filesize
2.5MB

Download
memory/2216-18-0x0000000000000000-mapping.dmp

Download
memory/2252-27-0x0000000000D50000-0x0000000000D61000-memory.dmp

Filesize
68KB

Download
memory/2252-22-0x0000000000000000-mapping.dmp

Download
memory/2252-24-0x0000000000B30000-0x0000000000B41000-memory.dmp

Filesize
68KB

Download
memory/2252-25-0x0000000000B30000-0x0000000000C09000-memory.dmp

Filesize
868KB

Download
memory/2252-26-0x0000000000400000-0x00000000008D0000-memory.dmp

Filesize
4.8MB

Download
memory/2252-33-0x0000000000D50000-0x0000000000E24000-memory.dmp

Filesize
848KB

Download
memory/2296-55-0x0000000002EB0000-0x0000000002F5C000-memory.dmp

Filesize
688KB

Download
memory/2296-45-0x0000000002D70000-0x0000000002E1C000-memory.dmp

Filesize
688KB

Download
memory/2296-49-0x0000000002FA0000-0x0000000002FB1000-memory.dmp

Filesize
68KB

Download
memory/2296-29-0x0000000000400000-0x0000000002B75000-memory.dmp

Filesize
39.5MB

Download
memory/2296-31-0x0000000000401F10-mapping.dmp

Download
memory/2296-46-0x0000000000400000-0x00000000008A2000-memory.dmp

Filesize
4.6MB

Download
memory/2296-38-0x0000000000400000-0x0000000002B75000-memory.dmp

Filesize
39.5MB

Download
memory/2296-42-0x0000000002D70000-0x0000000002D81000-memory.dmp

Filesize
68KB

Download
memory/2312-30-0x0000000000000000-mapping.dmp

Download
memory/2356-43-0x0000000000A20000-0x0000000000A31000-memory.dmp

Filesize
68KB

Download
memory/2356-37-0x0000000000000000-mapping.dmp

Download
memory/2356-48-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2356-47-0x0000000000A20000-0x0000000000AFF000-memory.dmp

Filesize
892KB

Download
memory/2384-39-0x0000000000000000-mapping.dmp

Download
memory/2424-41-0x0000000000000000-mapping.dmp

Download
memory/2488-62-0x0000000002B50000-0x0000000002BE1000-memory.dmp

Filesize
580KB

Download
memory/2488-63-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/2488-57-0x0000000002DA0000-0x0000000002DB1000-memory.dmp

Filesize
68KB

Download
memory/2488-60-0x0000000000220000-0x00000000002AD000-memory.dmp

Filesize
564KB

Download
memory/2488-51-0x0000000000400000-0x0000000002B44000-memory.dmp

Filesize
39.3MB

Download
memory/2488-56-0x0000000000400000-0x0000000002B44000-memory.dmp

Filesize
39.3MB

Download
memory/2488-53-0x0000000000403B90-mapping.dmp

Download
memory/2488-61-0x0000000000400000-0x0000000002B2D000-memory.dmp

Filesize
39.2MB

Download
memory/2624-89-0x0000000000A80000-0x0000000000A91000-memory.dmp

Filesize
68KB

Download
memory/2624-94-0x0000000000880000-0x0000000000911000-memory.dmp

Filesize
580KB

Download
memory/2624-95-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/2624-67-0x0000000000000000-mapping.dmp

Download
memory/2636-68-0x0000000000000000-mapping.dmp

Download
memory/2684-90-0x0000000002C50000-0x000000000355F000-memory.dmp

Filesize
9.1MB

Download
memory/2684-88-0x0000000002350000-0x00000000027C6000-memory.dmp

Filesize
4.5MB

Download
memory/2684-98-0x0000000002C50000-0x000000000355F000-memory.dmp

Filesize
9.1MB

Download
memory/2684-73-0x0000000000000000-mapping.dmp

Download
memory/2728-96-0x0000000000AB0000-0x0000000000AC1000-memory.dmp

Filesize
68KB

Download
memory/2728-78-0x0000000000000000-mapping.dmp

Download
memory/2768-92-0x0000000002330000-0x00000000027A6000-memory.dmp

Filesize
4.5MB

Download
memory/2768-99-0x0000000002C30000-0x000000000353F000-memory.dmp

Filesize
9.1MB

Download
memory/2768-93-0x0000000002C30000-0x000000000353F000-memory.dmp

Filesize
9.1MB

Download
memory/2768-81-0x0000000000000000-mapping.dmp

Download
memory/2792-83-0x0000000000000000-mapping.dmp

Download
memory/3004-104-0x0000000000000000-mapping.dmp

Download
memory/3048-105-0x0000000000000000-mapping.dmp

Download
memory/5540-106-0x0000000000000000-mapping.dmp

Download
memory/5540-107-0x0000000001F40000-0x0000000001F51000-memory.dmp

Filesize
68KB

Download
memory/5540-109-0x0000000001F40000-0x0000000001F51000-memory.dmp

Filesize
68KB

Download
memory/5540-115-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download