redline | 26e94627a3abe752072319b8eca4f68029a27090f89de5b92d4f700fc0f4f0b2

Analysis

max time kernel
34s
max time network
165s
platform
windows7_x64
resource
win7v20210410
submitted
09-08-2021 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0337E24C1287C195321A477CB6B71AB3.exe
Size

15KB
MD5

0337e24c1287c195321a477cb6b71ab3
SHA1

145823c8665a1761c41b7b1c699b242badf553d5
SHA256

26e94627a3abe752072319b8eca4f68029a27090f89de5b92d4f700fc0f4f0b2
SHA512

97303432aaec89988991d8489868e92ad6153e7a2a9addac3af275e01671562fc71931d65d805ec17ef3379d72c56e313cea3fbf58b40b71d6a18e14ed3a5459

Score

10^/10

redline socelars upd discovery evasion infostealer persistence spyware stealer suricata trojan vmprotect

Malware Config

Extracted

Family

redline

Botnet

UPD

193.56.146.78:54955

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/620-122-0x0000000002D10000-0x0000000002D2C000-memory.dmp	family_redline
behavioral1/memory/620-129-0x0000000006EF0000-0x0000000006F0A000-memory.dmp	family_redline

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\Documents\3X1CKC5XPWN4QC0H0PKYHH8EQ.exe	family_socelars
C:\Users\Admin\Documents\3X1CKC5XPWN4QC0H0PKYHH8EQ.exe	family_socelars

suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata
Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

B97Q72L7E4W6QOEDR4Q3PIFGE.exe3X1CKC5XPWN4QC0H0PKYHH8EQ.exeYMWCHFQUD990KMWPY9E05K7L2.exe8CNBC91GNYZFT221LCISK2H2W.exeXCYHUQISE08728OM107H4VHA1.exeXCYHUQISE08728OM107H4VHA1.exeOPQSM231MI93G9QIVFH8UOYKE.exe3001438.exe6045146.exe3340900.exe5321089.exeWinHoster.exe

pid	process
1676	B97Q72L7E4W6QOEDR4Q3PIFGE.exe
536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
620	YMWCHFQUD990KMWPY9E05K7L2.exe
1476	8CNBC91GNYZFT221LCISK2H2W.exe
1300	XCYHUQISE08728OM107H4VHA1.exe
1616	XCYHUQISE08728OM107H4VHA1.exe
1720	OPQSM231MI93G9QIVFH8UOYKE.exe
768	3001438.exe
1768	6045146.exe
2040	3340900.exe
2100	5321089.exe
2268	WinHoster.exe

VMProtect packed file 9 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Users\Admin\Documents\OPQSM231MI93G9QIVFH8UOYKE.exe	vmprotect
C:\Users\Admin\Documents\OPQSM231MI93G9QIVFH8UOYKE.exe	vmprotect
\Users\Admin\Documents\OPQSM231MI93G9QIVFH8UOYKE.exe	vmprotect
behavioral1/memory/1720-137-0x0000000000400000-0x000000000060D000-memory.dmp	vmprotect
\Users\Admin\Documents\OPQSM231MI93G9QIVFH8UOYKE.exe	vmprotect
C:\Users\Admin\Documents\OPQSM231MI93G9QIVFH8UOYKE.exe	vmprotect
\Users\Admin\Documents\OPQSM231MI93G9QIVFH8UOYKE.exe	vmprotect
\Users\Admin\Documents\OPQSM231MI93G9QIVFH8UOYKE.exe	vmprotect
\Users\Admin\Documents\OPQSM231MI93G9QIVFH8UOYKE.exe	vmprotect

Loads dropped DLL 18 IoCs

Processes:

0337E24C1287C195321A477CB6B71AB3.exeWerFault.exe6045146.exeWerFault.exe

pid	process
1072	0337E24C1287C195321A477CB6B71AB3.exe
1072	0337E24C1287C195321A477CB6B71AB3.exe
1072	0337E24C1287C195321A477CB6B71AB3.exe
1072	0337E24C1287C195321A477CB6B71AB3.exe
1072	0337E24C1287C195321A477CB6B71AB3.exe
1072	0337E24C1287C195321A477CB6B71AB3.exe
1072	0337E24C1287C195321A477CB6B71AB3.exe
1072	0337E24C1287C195321A477CB6B71AB3.exe
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe
1768	6045146.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

0337E24C1287C195321A477CB6B71AB3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	0337E24C1287C195321A477CB6B71AB3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	0337E24C1287C195321A477CB6B71AB3.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6045146.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	6045146.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1648 1720 WerFault.exe OPQSM231MI93G9QIVFH8UOYKE.exe
2756 768 WerFault.exe 3001438.exe
2820 2100 WerFault.exe 5321089.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2504 taskkill.exe

pid	pid_target	process	target process
1648	1720	WerFault.exe	OPQSM231MI93G9QIVFH8UOYKE.exe
2756	768	WerFault.exe	3001438.exe
2820	2100	WerFault.exe	5321089.exe

pid	process
2504	taskkill.exe

Modifies system certificate store 2 TTPs 13 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

3X1CKC5XPWN4QC0H0PKYHH8EQ.exeB97Q72L7E4W6QOEDR4Q3PIFGE.exe0337E24C1287C195321A477CB6B71AB3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	B97Q72L7E4W6QOEDR4Q3PIFGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	0337E24C1287C195321A477CB6B71AB3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	0337E24C1287C195321A477CB6B71AB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	0337E24C1287C195321A477CB6B71AB3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	0337E24C1287C195321A477CB6B71AB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	0337E24C1287C195321A477CB6B71AB3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	0337E24C1287C195321A477CB6B71AB3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	B97Q72L7E4W6QOEDR4Q3PIFGE.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

powershell.exeWerFault.exeYMWCHFQUD990KMWPY9E05K7L2.exe5321089.exe3001438.exeWerFault.exeWerFault.exe3340900.exe

pid	process
316	powershell.exe
316	powershell.exe
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe
620	YMWCHFQUD990KMWPY9E05K7L2.exe
2100	5321089.exe
768	3001438.exe
2756	WerFault.exe
2756	WerFault.exe
2756	WerFault.exe
2756	WerFault.exe
2756	WerFault.exe
2756	WerFault.exe
2756	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2040	3340900.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

powershell.exe0337E24C1287C195321A477CB6B71AB3.exe3X1CKC5XPWN4QC0H0PKYHH8EQ.exeB97Q72L7E4W6QOEDR4Q3PIFGE.exeYMWCHFQUD990KMWPY9E05K7L2.exeWerFault.exe3001438.exe3340900.exe5321089.exetaskkill.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	1072	0337E24C1287C195321A477CB6B71AB3.exe
Token: SeCreateTokenPrivilege	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Token: SeAssignPrimaryTokenPrivilege	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Token: SeLockMemoryPrivilege	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Token: SeIncreaseQuotaPrivilege	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Token: SeMachineAccountPrivilege	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Token: SeTcbPrivilege	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Token: SeSecurityPrivilege	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Token: SeTakeOwnershipPrivilege	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Token: SeLoadDriverPrivilege	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Token: SeSystemProfilePrivilege	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Token: SeSystemtimePrivilege	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Token: SeProfSingleProcessPrivilege	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Token: SeIncBasePriorityPrivilege	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Token: SeCreatePagefilePrivilege	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Token: SeCreatePermanentPrivilege	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Token: SeBackupPrivilege	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Token: SeRestorePrivilege	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Token: SeShutdownPrivilege	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Token: SeDebugPrivilege	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Token: SeAuditPrivilege	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Token: SeSystemEnvironmentPrivilege	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Token: SeChangeNotifyPrivilege	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Token: SeRemoteShutdownPrivilege	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Token: SeUndockPrivilege	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Token: SeSyncAgentPrivilege	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Token: SeEnableDelegationPrivilege	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Token: SeManageVolumePrivilege	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Token: SeImpersonatePrivilege	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Token: SeCreateGlobalPrivilege	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Token: 31	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Token: 32	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Token: 33	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Token: 34	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Token: 35	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
Token: SeDebugPrivilege	1676	B97Q72L7E4W6QOEDR4Q3PIFGE.exe
Token: SeDebugPrivilege	620	YMWCHFQUD990KMWPY9E05K7L2.exe
Token: SeDebugPrivilege	1648	WerFault.exe
Token: SeDebugPrivilege	768	3001438.exe
Token: SeDebugPrivilege	2040	3340900.exe
Token: SeDebugPrivilege	2100	5321089.exe
Token: SeDebugPrivilege	2504	taskkill.exe
Token: SeDebugPrivilege	2756	WerFault.exe
Token: SeDebugPrivilege	2820	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0337E24C1287C195321A477CB6B71AB3.exeXCYHUQISE08728OM107H4VHA1.exeOPQSM231MI93G9QIVFH8UOYKE.exeB97Q72L7E4W6QOEDR4Q3PIFGE.exe6045146.exe3X1CKC5XPWN4QC0H0PKYHH8EQ.execmd.exe3001438.exe5321089.exe

description	pid	process	target process
PID 1072 wrote to memory of 316	1072	0337E24C1287C195321A477CB6B71AB3.exe	powershell.exe
PID 1072 wrote to memory of 316	1072	0337E24C1287C195321A477CB6B71AB3.exe	powershell.exe
PID 1072 wrote to memory of 316	1072	0337E24C1287C195321A477CB6B71AB3.exe	powershell.exe
PID 1072 wrote to memory of 316	1072	0337E24C1287C195321A477CB6B71AB3.exe	powershell.exe
PID 1072 wrote to memory of 1676	1072	0337E24C1287C195321A477CB6B71AB3.exe	B97Q72L7E4W6QOEDR4Q3PIFGE.exe
PID 1072 wrote to memory of 1676	1072	0337E24C1287C195321A477CB6B71AB3.exe	B97Q72L7E4W6QOEDR4Q3PIFGE.exe
PID 1072 wrote to memory of 1676	1072	0337E24C1287C195321A477CB6B71AB3.exe	B97Q72L7E4W6QOEDR4Q3PIFGE.exe
PID 1072 wrote to memory of 1676	1072	0337E24C1287C195321A477CB6B71AB3.exe	B97Q72L7E4W6QOEDR4Q3PIFGE.exe
PID 1072 wrote to memory of 536	1072	0337E24C1287C195321A477CB6B71AB3.exe	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
PID 1072 wrote to memory of 536	1072	0337E24C1287C195321A477CB6B71AB3.exe	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
PID 1072 wrote to memory of 536	1072	0337E24C1287C195321A477CB6B71AB3.exe	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
PID 1072 wrote to memory of 536	1072	0337E24C1287C195321A477CB6B71AB3.exe	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
PID 1072 wrote to memory of 620	1072	0337E24C1287C195321A477CB6B71AB3.exe	YMWCHFQUD990KMWPY9E05K7L2.exe
PID 1072 wrote to memory of 620	1072	0337E24C1287C195321A477CB6B71AB3.exe	YMWCHFQUD990KMWPY9E05K7L2.exe
PID 1072 wrote to memory of 620	1072	0337E24C1287C195321A477CB6B71AB3.exe	YMWCHFQUD990KMWPY9E05K7L2.exe
PID 1072 wrote to memory of 620	1072	0337E24C1287C195321A477CB6B71AB3.exe	YMWCHFQUD990KMWPY9E05K7L2.exe
PID 1072 wrote to memory of 1300	1072	0337E24C1287C195321A477CB6B71AB3.exe	XCYHUQISE08728OM107H4VHA1.exe
PID 1072 wrote to memory of 1300	1072	0337E24C1287C195321A477CB6B71AB3.exe	XCYHUQISE08728OM107H4VHA1.exe
PID 1072 wrote to memory of 1300	1072	0337E24C1287C195321A477CB6B71AB3.exe	XCYHUQISE08728OM107H4VHA1.exe
PID 1072 wrote to memory of 1300	1072	0337E24C1287C195321A477CB6B71AB3.exe	XCYHUQISE08728OM107H4VHA1.exe
PID 1300 wrote to memory of 1616	1300	XCYHUQISE08728OM107H4VHA1.exe	XCYHUQISE08728OM107H4VHA1.exe
PID 1300 wrote to memory of 1616	1300	XCYHUQISE08728OM107H4VHA1.exe	XCYHUQISE08728OM107H4VHA1.exe
PID 1300 wrote to memory of 1616	1300	XCYHUQISE08728OM107H4VHA1.exe	XCYHUQISE08728OM107H4VHA1.exe
PID 1300 wrote to memory of 1616	1300	XCYHUQISE08728OM107H4VHA1.exe	XCYHUQISE08728OM107H4VHA1.exe
PID 1072 wrote to memory of 1720	1072	0337E24C1287C195321A477CB6B71AB3.exe	OPQSM231MI93G9QIVFH8UOYKE.exe
PID 1072 wrote to memory of 1720	1072	0337E24C1287C195321A477CB6B71AB3.exe	OPQSM231MI93G9QIVFH8UOYKE.exe
PID 1072 wrote to memory of 1720	1072	0337E24C1287C195321A477CB6B71AB3.exe	OPQSM231MI93G9QIVFH8UOYKE.exe
PID 1072 wrote to memory of 1720	1072	0337E24C1287C195321A477CB6B71AB3.exe	OPQSM231MI93G9QIVFH8UOYKE.exe
PID 1720 wrote to memory of 1648	1720	OPQSM231MI93G9QIVFH8UOYKE.exe	WerFault.exe
PID 1720 wrote to memory of 1648	1720	OPQSM231MI93G9QIVFH8UOYKE.exe	WerFault.exe
PID 1720 wrote to memory of 1648	1720	OPQSM231MI93G9QIVFH8UOYKE.exe	WerFault.exe
PID 1720 wrote to memory of 1648	1720	OPQSM231MI93G9QIVFH8UOYKE.exe	WerFault.exe
PID 1676 wrote to memory of 768	1676	B97Q72L7E4W6QOEDR4Q3PIFGE.exe	3001438.exe
PID 1676 wrote to memory of 768	1676	B97Q72L7E4W6QOEDR4Q3PIFGE.exe	3001438.exe
PID 1676 wrote to memory of 768	1676	B97Q72L7E4W6QOEDR4Q3PIFGE.exe	3001438.exe
PID 1676 wrote to memory of 1768	1676	B97Q72L7E4W6QOEDR4Q3PIFGE.exe	6045146.exe
PID 1676 wrote to memory of 1768	1676	B97Q72L7E4W6QOEDR4Q3PIFGE.exe	6045146.exe
PID 1676 wrote to memory of 1768	1676	B97Q72L7E4W6QOEDR4Q3PIFGE.exe	6045146.exe
PID 1676 wrote to memory of 1768	1676	B97Q72L7E4W6QOEDR4Q3PIFGE.exe	6045146.exe
PID 1676 wrote to memory of 2040	1676	B97Q72L7E4W6QOEDR4Q3PIFGE.exe	3340900.exe
PID 1676 wrote to memory of 2040	1676	B97Q72L7E4W6QOEDR4Q3PIFGE.exe	3340900.exe
PID 1676 wrote to memory of 2040	1676	B97Q72L7E4W6QOEDR4Q3PIFGE.exe	3340900.exe
PID 1676 wrote to memory of 2040	1676	B97Q72L7E4W6QOEDR4Q3PIFGE.exe	3340900.exe
PID 1676 wrote to memory of 2100	1676	B97Q72L7E4W6QOEDR4Q3PIFGE.exe	5321089.exe
PID 1676 wrote to memory of 2100	1676	B97Q72L7E4W6QOEDR4Q3PIFGE.exe	5321089.exe
PID 1676 wrote to memory of 2100	1676	B97Q72L7E4W6QOEDR4Q3PIFGE.exe	5321089.exe
PID 1676 wrote to memory of 2100	1676	B97Q72L7E4W6QOEDR4Q3PIFGE.exe	5321089.exe
PID 1768 wrote to memory of 2268	1768	6045146.exe	WinHoster.exe
PID 1768 wrote to memory of 2268	1768	6045146.exe	WinHoster.exe
PID 1768 wrote to memory of 2268	1768	6045146.exe	WinHoster.exe
PID 1768 wrote to memory of 2268	1768	6045146.exe	WinHoster.exe
PID 536 wrote to memory of 2476	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe	cmd.exe
PID 536 wrote to memory of 2476	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe	cmd.exe
PID 536 wrote to memory of 2476	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe	cmd.exe
PID 536 wrote to memory of 2476	536	3X1CKC5XPWN4QC0H0PKYHH8EQ.exe	cmd.exe
PID 2476 wrote to memory of 2504	2476	cmd.exe	taskkill.exe
PID 2476 wrote to memory of 2504	2476	cmd.exe	taskkill.exe
PID 2476 wrote to memory of 2504	2476	cmd.exe	taskkill.exe
PID 2476 wrote to memory of 2504	2476	cmd.exe	taskkill.exe
PID 768 wrote to memory of 2756	768	3001438.exe	WerFault.exe
PID 768 wrote to memory of 2756	768	3001438.exe	WerFault.exe
PID 768 wrote to memory of 2756	768	3001438.exe	WerFault.exe
PID 2100 wrote to memory of 2820	2100	5321089.exe	WerFault.exe
PID 2100 wrote to memory of 2820	2100	5321089.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\0337E24C1287C195321A477CB6B71AB3.exe
"C:\Users\Admin\AppData\Local\Temp\0337E24C1287C195321A477CB6B71AB3.exe"
1⤵
- Loads dropped DLL
- Windows security modification
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Users\Admin\Documents\B97Q72L7E4W6QOEDR4Q3PIFGE.exe
"C:\Users\Admin\Documents\B97Q72L7E4W6QOEDR4Q3PIFGE.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\AppData\Roaming\3001438.exe
"C:\Users\Admin\AppData\Roaming\3001438.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 768 -s 1844
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Users\Admin\AppData\Roaming\6045146.exe
"C:\Users\Admin\AppData\Roaming\6045146.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
4⤵
- Executes dropped EXE
PID:2268

C:\Users\Admin\AppData\Roaming\3340900.exe
"C:\Users\Admin\AppData\Roaming\3340900.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Users\Admin\AppData\Roaming\5321089.exe
"C:\Users\Admin\AppData\Roaming\5321089.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1724
4⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Users\Admin\Documents\3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
"C:\Users\Admin\Documents\3X1CKC5XPWN4QC0H0PKYHH8EQ.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Users\Admin\Documents\YMWCHFQUD990KMWPY9E05K7L2.exe
"C:\Users\Admin\Documents\YMWCHFQUD990KMWPY9E05K7L2.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Users\Admin\Documents\8CNBC91GNYZFT221LCISK2H2W.exe
"C:\Users\Admin\Documents\8CNBC91GNYZFT221LCISK2H2W.exe"
2⤵
- Executes dropped EXE
PID:1476

C:\Users\Admin\Documents\XCYHUQISE08728OM107H4VHA1.exe
"C:\Users\Admin\Documents\XCYHUQISE08728OM107H4VHA1.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300

C:\Users\Admin\Documents\XCYHUQISE08728OM107H4VHA1.exe
"C:\Users\Admin\Documents\XCYHUQISE08728OM107H4VHA1.exe" -q
3⤵
- Executes dropped EXE
PID:1616

C:\Users\Admin\Documents\OPQSM231MI93G9QIVFH8UOYKE.exe
"C:\Users\Admin\Documents\OPQSM231MI93G9QIVFH8UOYKE.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 176
3⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
2902de11e30dcc620b184e3bb0f0c1cb

SHA1
5d11d14a2558801a2688dc2d6dfad39ac294f222

SHA256
e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544

SHA512
efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
0a33931b047aa299a69268602d9b57a7

SHA1
ad4bf89010e05f34b11edea80d732515a017d1fb

SHA256
8e09ca96a545f51af8f4275be7c6594e69ed8640095a50616d9ee1dacaa5d1aa

SHA512
8eec3bb2300dba79df5efaf53eb877c89b070124991a3af35bf2e094ea18a10281265807b5898bc876457cc63c6ffe9f1f3f6f98c88f7956f945376ba9d1ee28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
0a33931b047aa299a69268602d9b57a7

SHA1
ad4bf89010e05f34b11edea80d732515a017d1fb

SHA256
8e09ca96a545f51af8f4275be7c6594e69ed8640095a50616d9ee1dacaa5d1aa

SHA512
8eec3bb2300dba79df5efaf53eb877c89b070124991a3af35bf2e094ea18a10281265807b5898bc876457cc63c6ffe9f1f3f6f98c88f7956f945376ba9d1ee28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
5d7c1776edb5da69d415a53fbc5967d4

SHA1
4a3ef9cf9a16410bcef5aef11674f84db0d0ff1a

SHA256
746bb2755ab77974dfc32e4e126a9ca7d2be1d9490f47d5a446f4b7fd3fef5e6

SHA512
bbac9d2cd66168ee83a2bc1586ebfba06cd9d6a5bda2b68aa902114a5c24065a519c21dde17a3c396a1fd1194cfed61457a1af005f840cf69adaeb6788b20c29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
0166b600585430725ff8d3a55f624e84

SHA1
a7fea86097d0bfbac96cdbc4c12f33da91390285

SHA256
bad8ca85a197cb6e12b4b4c7ac85b90cb0f850a9266ffb66393ed54f5914b298

SHA512
1d2059e1b93df042350cfa68bb9bbd4e8d6fe43987019462e37bca8853eefe522cc60f8a1994efc9eed9dfecdf0ad80c93689d4f610ef26aa21d96821b01cc77

Download Submit
C:\Users\Admin\AppData\Roaming\3001438.exe
MD5
2d727bc338847fe133de57a38ab9f68f

SHA1
1d8b89846d2a6e11311f672a0550e73cac495eed

SHA256
9792cbe88daccd67ec3f24015b8b7a5693a85d6c0a91811bd384f566d06c15bd

SHA512
f11772f3c08a043573202193baa96790f7f8879650d1e152097011853341ff4a197f2f614bbe38c34b194380fe349bcbce149af1d18cf5db7da3ea5232505f93

Download Submit
C:\Users\Admin\AppData\Roaming\3001438.exe
MD5
2d727bc338847fe133de57a38ab9f68f

SHA1
1d8b89846d2a6e11311f672a0550e73cac495eed

SHA256
9792cbe88daccd67ec3f24015b8b7a5693a85d6c0a91811bd384f566d06c15bd

SHA512
f11772f3c08a043573202193baa96790f7f8879650d1e152097011853341ff4a197f2f614bbe38c34b194380fe349bcbce149af1d18cf5db7da3ea5232505f93

Download Submit
C:\Users\Admin\AppData\Roaming\3340900.exe
MD5
237a01f4ef3fd3cb900f6d90d151e358

SHA1
71c120fcc89de9353335ad739f4be3bd4adacda3

SHA256
fb88585498d6248539afed1619c9c004dc979c5daf98093602fe9b0ea28efd27

SHA512
2c5fa2f7bacf927cd04740ac8206bf886af329dfa64b0a5fd543ef235aa240483f6016d933a0c9aee14928383894452ee61decf802f672fe4815b74c42906e45

Download Submit
C:\Users\Admin\AppData\Roaming\3340900.exe
MD5
237a01f4ef3fd3cb900f6d90d151e358

SHA1
71c120fcc89de9353335ad739f4be3bd4adacda3

SHA256
fb88585498d6248539afed1619c9c004dc979c5daf98093602fe9b0ea28efd27

SHA512
2c5fa2f7bacf927cd04740ac8206bf886af329dfa64b0a5fd543ef235aa240483f6016d933a0c9aee14928383894452ee61decf802f672fe4815b74c42906e45

Download Submit
C:\Users\Admin\AppData\Roaming\5321089.exe
MD5
65c7a654420fa25cac71c6ff3e135ed6

SHA1
9df0f0146cb1f6a8217289f68b81d520c2fc07cf

SHA256
076c2bfb41f22b6c035970397345b4e7df19a366064d7f1d6b506fb6352b9ed6

SHA512
69ce21d549a51720d01b80ad0913b7a828164e304ce8a75615cfe769f9acf3a211ce669bb57c8ce72e07ad190185d728bfc3662220db43acbae29e4296eebbfb

Download Submit
C:\Users\Admin\AppData\Roaming\5321089.exe
MD5
65c7a654420fa25cac71c6ff3e135ed6

SHA1
9df0f0146cb1f6a8217289f68b81d520c2fc07cf

SHA256
076c2bfb41f22b6c035970397345b4e7df19a366064d7f1d6b506fb6352b9ed6

SHA512
69ce21d549a51720d01b80ad0913b7a828164e304ce8a75615cfe769f9acf3a211ce669bb57c8ce72e07ad190185d728bfc3662220db43acbae29e4296eebbfb

Download Submit
C:\Users\Admin\AppData\Roaming\6045146.exe
MD5
1d095bc417db73c6bc6e4c4e7b43106f

SHA1
db7e49df1fb5a0a665976f98ff7128aeba40c5f3

SHA256
b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee

SHA512
3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097

Download Submit
C:\Users\Admin\AppData\Roaming\6045146.exe
MD5
1d095bc417db73c6bc6e4c4e7b43106f

SHA1
db7e49df1fb5a0a665976f98ff7128aeba40c5f3

SHA256
b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee

SHA512
3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
MD5
1d095bc417db73c6bc6e4c4e7b43106f

SHA1
db7e49df1fb5a0a665976f98ff7128aeba40c5f3

SHA256
b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee

SHA512
3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
MD5
1d095bc417db73c6bc6e4c4e7b43106f

SHA1
db7e49df1fb5a0a665976f98ff7128aeba40c5f3

SHA256
b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee

SHA512
3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097

Download Submit
C:\Users\Admin\Documents\3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
MD5
09bbb3e275b933030e970564ac22fe77

SHA1
a26b0b1fa8085aba01f4215af7c3347ae5ebd53c

SHA256
e5f67dca4decc6164f5fa50bb6343ee98ae743e6d04bfdb42d790feef2e4e565

SHA512
9d2300c8aebab886310e97916bfb07e1858151eb88910c7d892b7c5519aaec6a2027ee6b8f46e76b121254ac95591d98bc5b0995b99d28d2a622fcb860d19be7

Download Submit
C:\Users\Admin\Documents\8CNBC91GNYZFT221LCISK2H2W.exe
MD5
f3ff94b8971f889bb8555e94b56f58ab

SHA1
22a606a18a767474a6e69c799d06b1d53ad15c5e

SHA256
ca23812eecb2698b18ec9e22417776f425a94ef5df1cdb644d3a3c5dfcec1c4d

SHA512
0201e6e9ccc8fb04beee5b51d3b28160d20720aba2bc671f629af35a46da7c2ef8bf6a96a72d2b306c98949c16423ae7083fd7b4112a142992aaf0c044f77046

Download Submit
C:\Users\Admin\Documents\B97Q72L7E4W6QOEDR4Q3PIFGE.exe
MD5
bbf20f907ca5473e50b1727701a84686

SHA1
79a7f093dd5edfbf2920774f83beb2d9b97bb77c

SHA256
97a11f799b8aae5ff085e6c21ca81e21c2e5756ff85b33482d57c9afd0d31e99

SHA512
0d3de2e1f06b4f44c68d4be18e2e3855c6ab4348cb5fe2e6c097a44e145824380b511a016a85e64e0fd723d3af7ed7250f51e1e5f117698d4cbd02c5b1b46ffd

Download Submit
C:\Users\Admin\Documents\B97Q72L7E4W6QOEDR4Q3PIFGE.exe
MD5
bbf20f907ca5473e50b1727701a84686

SHA1
79a7f093dd5edfbf2920774f83beb2d9b97bb77c

SHA256
97a11f799b8aae5ff085e6c21ca81e21c2e5756ff85b33482d57c9afd0d31e99

SHA512
0d3de2e1f06b4f44c68d4be18e2e3855c6ab4348cb5fe2e6c097a44e145824380b511a016a85e64e0fd723d3af7ed7250f51e1e5f117698d4cbd02c5b1b46ffd

Download Submit
C:\Users\Admin\Documents\OPQSM231MI93G9QIVFH8UOYKE.exe
MD5
8e33397689414f30209a555b0ae1fe5c

SHA1
b915a1cb575c181c01b11a0f6b8a5e00e946e9c3

SHA256
45b8610362cb8b8948f0a3a193daaeca16a13798921573cd708450f478079976

SHA512
f8bfab698890515c7df76d6147e423faacd0e6d58b9e5ba9b891b56c5b62e0d1798165d510fa22b9a453e80a7e9eb511418c00158126b89aacbd7c7a43873b84

Download Submit
C:\Users\Admin\Documents\OPQSM231MI93G9QIVFH8UOYKE.exe
MD5
8e33397689414f30209a555b0ae1fe5c

SHA1
b915a1cb575c181c01b11a0f6b8a5e00e946e9c3

SHA256
45b8610362cb8b8948f0a3a193daaeca16a13798921573cd708450f478079976

SHA512
f8bfab698890515c7df76d6147e423faacd0e6d58b9e5ba9b891b56c5b62e0d1798165d510fa22b9a453e80a7e9eb511418c00158126b89aacbd7c7a43873b84

Download Submit
C:\Users\Admin\Documents\XCYHUQISE08728OM107H4VHA1.exe
MD5
4412eaa3c2dbe82ac9cf982b1229548d

SHA1
5a129bbd71b1d07234a47e376b1d3afc7cfca8dc

SHA256
fdcfcab9289bcfc6ae67590a2995a8a5fedb19338d9eeac1ddf61acefbd36e56

SHA512
c5b60affc5564747785452776ec7b6ecdd3ebbbb6f4285dd5fb39a4abafdb78a4e554796395fc2a4ba1334d7b950bc5f91ec0a44b57d78397c6cc2e696505bbd

Download Submit
C:\Users\Admin\Documents\XCYHUQISE08728OM107H4VHA1.exe
MD5
4412eaa3c2dbe82ac9cf982b1229548d

SHA1
5a129bbd71b1d07234a47e376b1d3afc7cfca8dc

SHA256
fdcfcab9289bcfc6ae67590a2995a8a5fedb19338d9eeac1ddf61acefbd36e56

SHA512
c5b60affc5564747785452776ec7b6ecdd3ebbbb6f4285dd5fb39a4abafdb78a4e554796395fc2a4ba1334d7b950bc5f91ec0a44b57d78397c6cc2e696505bbd

Download Submit
C:\Users\Admin\Documents\XCYHUQISE08728OM107H4VHA1.exe
MD5
4412eaa3c2dbe82ac9cf982b1229548d

SHA1
5a129bbd71b1d07234a47e376b1d3afc7cfca8dc

SHA256
fdcfcab9289bcfc6ae67590a2995a8a5fedb19338d9eeac1ddf61acefbd36e56

SHA512
c5b60affc5564747785452776ec7b6ecdd3ebbbb6f4285dd5fb39a4abafdb78a4e554796395fc2a4ba1334d7b950bc5f91ec0a44b57d78397c6cc2e696505bbd

Download Submit
C:\Users\Admin\Documents\YMWCHFQUD990KMWPY9E05K7L2.exe
MD5
f947d6a85933040df750747cb102ca4b

SHA1
91e1dcb82c7174a8ffc912623efd7721714161ff

SHA256
65968ced8e381ae06e600dd18e46826c342bc57e4eb28cc97784e0976ce057b7

SHA512
ba2f72c82ef49d1dda200b84c865776d563b314df5523cb2fd628533e6e93d1a92af3c4f2b85be716f0d3a3e4c728920bba4521a52d283cd4f1388e1149a010f

Download Submit
\Users\Admin\AppData\Roaming\5321089.exe
MD5
65c7a654420fa25cac71c6ff3e135ed6

SHA1
9df0f0146cb1f6a8217289f68b81d520c2fc07cf

SHA256
076c2bfb41f22b6c035970397345b4e7df19a366064d7f1d6b506fb6352b9ed6

SHA512
69ce21d549a51720d01b80ad0913b7a828164e304ce8a75615cfe769f9acf3a211ce669bb57c8ce72e07ad190185d728bfc3662220db43acbae29e4296eebbfb

Download Submit
\Users\Admin\AppData\Roaming\5321089.exe
MD5
65c7a654420fa25cac71c6ff3e135ed6

SHA1
9df0f0146cb1f6a8217289f68b81d520c2fc07cf

SHA256
076c2bfb41f22b6c035970397345b4e7df19a366064d7f1d6b506fb6352b9ed6

SHA512
69ce21d549a51720d01b80ad0913b7a828164e304ce8a75615cfe769f9acf3a211ce669bb57c8ce72e07ad190185d728bfc3662220db43acbae29e4296eebbfb

Download Submit
\Users\Admin\AppData\Roaming\5321089.exe
MD5
65c7a654420fa25cac71c6ff3e135ed6

SHA1
9df0f0146cb1f6a8217289f68b81d520c2fc07cf

SHA256
076c2bfb41f22b6c035970397345b4e7df19a366064d7f1d6b506fb6352b9ed6

SHA512
69ce21d549a51720d01b80ad0913b7a828164e304ce8a75615cfe769f9acf3a211ce669bb57c8ce72e07ad190185d728bfc3662220db43acbae29e4296eebbfb

Download Submit
\Users\Admin\AppData\Roaming\5321089.exe
MD5
65c7a654420fa25cac71c6ff3e135ed6

SHA1
9df0f0146cb1f6a8217289f68b81d520c2fc07cf

SHA256
076c2bfb41f22b6c035970397345b4e7df19a366064d7f1d6b506fb6352b9ed6

SHA512
69ce21d549a51720d01b80ad0913b7a828164e304ce8a75615cfe769f9acf3a211ce669bb57c8ce72e07ad190185d728bfc3662220db43acbae29e4296eebbfb

Download Submit
\Users\Admin\AppData\Roaming\5321089.exe
MD5
65c7a654420fa25cac71c6ff3e135ed6

SHA1
9df0f0146cb1f6a8217289f68b81d520c2fc07cf

SHA256
076c2bfb41f22b6c035970397345b4e7df19a366064d7f1d6b506fb6352b9ed6

SHA512
69ce21d549a51720d01b80ad0913b7a828164e304ce8a75615cfe769f9acf3a211ce669bb57c8ce72e07ad190185d728bfc3662220db43acbae29e4296eebbfb

Download Submit
\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
MD5
1d095bc417db73c6bc6e4c4e7b43106f

SHA1
db7e49df1fb5a0a665976f98ff7128aeba40c5f3

SHA256
b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee

SHA512
3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097

Download Submit
\Users\Admin\Documents\3X1CKC5XPWN4QC0H0PKYHH8EQ.exe
MD5
09bbb3e275b933030e970564ac22fe77

SHA1
a26b0b1fa8085aba01f4215af7c3347ae5ebd53c

SHA256
e5f67dca4decc6164f5fa50bb6343ee98ae743e6d04bfdb42d790feef2e4e565

SHA512
9d2300c8aebab886310e97916bfb07e1858151eb88910c7d892b7c5519aaec6a2027ee6b8f46e76b121254ac95591d98bc5b0995b99d28d2a622fcb860d19be7

Download Submit
\Users\Admin\Documents\B97Q72L7E4W6QOEDR4Q3PIFGE.exe
MD5
bbf20f907ca5473e50b1727701a84686

SHA1
79a7f093dd5edfbf2920774f83beb2d9b97bb77c

SHA256
97a11f799b8aae5ff085e6c21ca81e21c2e5756ff85b33482d57c9afd0d31e99

SHA512
0d3de2e1f06b4f44c68d4be18e2e3855c6ab4348cb5fe2e6c097a44e145824380b511a016a85e64e0fd723d3af7ed7250f51e1e5f117698d4cbd02c5b1b46ffd

Download Submit
\Users\Admin\Documents\OPQSM231MI93G9QIVFH8UOYKE.exe
MD5
8e33397689414f30209a555b0ae1fe5c

SHA1
b915a1cb575c181c01b11a0f6b8a5e00e946e9c3

SHA256
45b8610362cb8b8948f0a3a193daaeca16a13798921573cd708450f478079976

SHA512
f8bfab698890515c7df76d6147e423faacd0e6d58b9e5ba9b891b56c5b62e0d1798165d510fa22b9a453e80a7e9eb511418c00158126b89aacbd7c7a43873b84

Download Submit
\Users\Admin\Documents\OPQSM231MI93G9QIVFH8UOYKE.exe
MD5
8e33397689414f30209a555b0ae1fe5c

SHA1
b915a1cb575c181c01b11a0f6b8a5e00e946e9c3

SHA256
45b8610362cb8b8948f0a3a193daaeca16a13798921573cd708450f478079976

SHA512
f8bfab698890515c7df76d6147e423faacd0e6d58b9e5ba9b891b56c5b62e0d1798165d510fa22b9a453e80a7e9eb511418c00158126b89aacbd7c7a43873b84

Download Submit
\Users\Admin\Documents\OPQSM231MI93G9QIVFH8UOYKE.exe
MD5
8e33397689414f30209a555b0ae1fe5c

SHA1
b915a1cb575c181c01b11a0f6b8a5e00e946e9c3

SHA256
45b8610362cb8b8948f0a3a193daaeca16a13798921573cd708450f478079976

SHA512
f8bfab698890515c7df76d6147e423faacd0e6d58b9e5ba9b891b56c5b62e0d1798165d510fa22b9a453e80a7e9eb511418c00158126b89aacbd7c7a43873b84

Download Submit
\Users\Admin\Documents\OPQSM231MI93G9QIVFH8UOYKE.exe
MD5
8e33397689414f30209a555b0ae1fe5c

SHA1
b915a1cb575c181c01b11a0f6b8a5e00e946e9c3

SHA256
45b8610362cb8b8948f0a3a193daaeca16a13798921573cd708450f478079976

SHA512
f8bfab698890515c7df76d6147e423faacd0e6d58b9e5ba9b891b56c5b62e0d1798165d510fa22b9a453e80a7e9eb511418c00158126b89aacbd7c7a43873b84

Download Submit
\Users\Admin\Documents\OPQSM231MI93G9QIVFH8UOYKE.exe
MD5
8e33397689414f30209a555b0ae1fe5c

SHA1
b915a1cb575c181c01b11a0f6b8a5e00e946e9c3

SHA256
45b8610362cb8b8948f0a3a193daaeca16a13798921573cd708450f478079976

SHA512
f8bfab698890515c7df76d6147e423faacd0e6d58b9e5ba9b891b56c5b62e0d1798165d510fa22b9a453e80a7e9eb511418c00158126b89aacbd7c7a43873b84

Download Submit
\Users\Admin\Documents\OPQSM231MI93G9QIVFH8UOYKE.exe
MD5
8e33397689414f30209a555b0ae1fe5c

SHA1
b915a1cb575c181c01b11a0f6b8a5e00e946e9c3

SHA256
45b8610362cb8b8948f0a3a193daaeca16a13798921573cd708450f478079976

SHA512
f8bfab698890515c7df76d6147e423faacd0e6d58b9e5ba9b891b56c5b62e0d1798165d510fa22b9a453e80a7e9eb511418c00158126b89aacbd7c7a43873b84

Download Submit
\Users\Admin\Documents\XCYHUQISE08728OM107H4VHA1.exe
MD5
4412eaa3c2dbe82ac9cf982b1229548d

SHA1
5a129bbd71b1d07234a47e376b1d3afc7cfca8dc

SHA256
fdcfcab9289bcfc6ae67590a2995a8a5fedb19338d9eeac1ddf61acefbd36e56

SHA512
c5b60affc5564747785452776ec7b6ecdd3ebbbb6f4285dd5fb39a4abafdb78a4e554796395fc2a4ba1334d7b950bc5f91ec0a44b57d78397c6cc2e696505bbd

Download Submit
\Users\Admin\Documents\XCYHUQISE08728OM107H4VHA1.exe
MD5
4412eaa3c2dbe82ac9cf982b1229548d

SHA1
5a129bbd71b1d07234a47e376b1d3afc7cfca8dc

SHA256
fdcfcab9289bcfc6ae67590a2995a8a5fedb19338d9eeac1ddf61acefbd36e56

SHA512
c5b60affc5564747785452776ec7b6ecdd3ebbbb6f4285dd5fb39a4abafdb78a4e554796395fc2a4ba1334d7b950bc5f91ec0a44b57d78397c6cc2e696505bbd

Download Submit
\Users\Admin\Documents\YMWCHFQUD990KMWPY9E05K7L2.exe
MD5
f947d6a85933040df750747cb102ca4b

SHA1
91e1dcb82c7174a8ffc912623efd7721714161ff

SHA256
65968ced8e381ae06e600dd18e46826c342bc57e4eb28cc97784e0976ce057b7

SHA512
ba2f72c82ef49d1dda200b84c865776d563b314df5523cb2fd628533e6e93d1a92af3c4f2b85be716f0d3a3e4c728920bba4521a52d283cd4f1388e1149a010f

Download Submit
\Users\Admin\Documents\YMWCHFQUD990KMWPY9E05K7L2.exe
MD5
f947d6a85933040df750747cb102ca4b

SHA1
91e1dcb82c7174a8ffc912623efd7721714161ff

SHA256
65968ced8e381ae06e600dd18e46826c342bc57e4eb28cc97784e0976ce057b7

SHA512
ba2f72c82ef49d1dda200b84c865776d563b314df5523cb2fd628533e6e93d1a92af3c4f2b85be716f0d3a3e4c728920bba4521a52d283cd4f1388e1149a010f

Download Submit
memory/316-84-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/316-99-0x0000000006320000-0x0000000006321000-memory.dmp

Filesize
4KB

Download
memory/316-83-0x00000000062A0000-0x00000000062A1000-memory.dmp

Filesize
4KB

Download
memory/316-75-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/316-88-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/316-70-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/316-67-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/316-76-0x00000000061E0000-0x00000000061E1000-memory.dmp

Filesize
4KB

Download
memory/316-66-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/316-65-0x0000000001F10000-0x0000000002B5A000-memory.dmp

Filesize
12.3MB

Download
memory/316-64-0x00000000046F0000-0x00000000046F1000-memory.dmp

Filesize
4KB

Download
memory/316-63-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/316-62-0x00000000752F1000-0x00000000752F3000-memory.dmp

Filesize
8KB

Download
memory/316-61-0x0000000000000000-mapping.dmp

Download
memory/316-100-0x0000000006330000-0x0000000006331000-memory.dmp

Filesize
4KB

Download
memory/536-107-0x0000000000000000-mapping.dmp

Download
memory/620-143-0x0000000000400000-0x0000000002C87000-memory.dmp

Filesize
40.5MB

Download
memory/620-147-0x0000000006F44000-0x0000000006F46000-memory.dmp

Filesize
8KB

Download
memory/620-129-0x0000000006EF0000-0x0000000006F0A000-memory.dmp

Filesize
104KB

Download
memory/620-145-0x0000000006F42000-0x0000000006F43000-memory.dmp

Filesize
4KB

Download
memory/620-122-0x0000000002D10000-0x0000000002D2C000-memory.dmp

Filesize
112KB

Download
memory/620-121-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/620-144-0x0000000006F41000-0x0000000006F42000-memory.dmp

Filesize
4KB

Download
memory/620-114-0x0000000000000000-mapping.dmp

Download
memory/620-146-0x0000000006F43000-0x0000000006F44000-memory.dmp

Filesize
4KB

Download
memory/768-156-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/768-158-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/768-157-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/768-173-0x000000001B030000-0x000000001B032000-memory.dmp

Filesize
8KB

Download
memory/768-153-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/768-150-0x0000000000000000-mapping.dmp

Download
memory/1072-59-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/1072-101-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/1300-125-0x0000000000000000-mapping.dmp

Download
memory/1616-130-0x0000000000000000-mapping.dmp

Download
memory/1648-138-0x0000000000000000-mapping.dmp

Download
memory/1648-155-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/1676-117-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/1676-120-0x000000001ACD0000-0x000000001ACD2000-memory.dmp

Filesize
8KB

Download
memory/1676-103-0x0000000000000000-mapping.dmp

Download
memory/1676-110-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/1676-115-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1676-118-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1720-134-0x0000000000000000-mapping.dmp

Download
memory/1720-137-0x0000000000400000-0x000000000060D000-memory.dmp

Filesize
2.1MB

Download
memory/1768-178-0x00000000003B0000-0x00000000003B7000-memory.dmp

Filesize
28KB

Download
memory/1768-164-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/1768-159-0x0000000000000000-mapping.dmp

Download
memory/2040-162-0x0000000000000000-mapping.dmp

Download
memory/2040-174-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/2040-189-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/2100-190-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/2100-177-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2100-172-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2100-168-0x0000000000000000-mapping.dmp

Download
memory/2268-194-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/2268-183-0x0000000000000000-mapping.dmp

Download
memory/2476-195-0x0000000000000000-mapping.dmp

Download
memory/2504-196-0x0000000000000000-mapping.dmp

Download
memory/2756-197-0x0000000000000000-mapping.dmp

Download
memory/2756-205-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2820-199-0x0000000000000000-mapping.dmp

Download
memory/2820-206-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download