Analysis
max time kernel: 151s
max time network: 158s
platform: windows10_x64
resource: win10v20210410
submitted: 25-08-2021 17:25
Static task: static1
Behavioral task: behavioral1
Sample: 95edffa7a9fd43ba6798134ac6f97f113a9cbe05dc586a76f901970f22f76a08.exe
Resource: win10v20210410
General
Target: 95edffa7a9fd43ba6798134ac6f97f113a9cbe05dc586a76f901970f22f76a08.exe
Size: 272KB
MD5: 482028487a6022770a2f43a58ed52bfe
SHA1: 84020c2d4c41d2ccd0df9fca51ed25b5a70735e5
SHA256: 95edffa7a9fd43ba6798134ac6f97f113a9cbe05dc586a76f901970f22f76a08
SHA512: 37a29408d83d5daf39abb9dc06f48ccabccb95439847296e2e12304bd2b32848a838ac6cb37306d2ac6c35803aaeda9d0bb162524fc4c4fc416e78b94f1e68b2
Malware Config
Extracted: buran
Ransom note: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Extracted: smokeloader
Version: 2020
C2 URLs (the same ten labels rotated across the .xyz, .site and .club TLDs):
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
http://readinglistforaugust1.club/
http://readinglistforaugust2.club/
http://readinglistforaugust3.club/
http://readinglistforaugust4.club/
http://readinglistforaugust5.club/
http://readinglistforaugust6.club/
http://readinglistforaugust7.club/
http://readinglistforaugust8.club/
http://readinglistforaugust9.club/
http://readinglistforaugust10.club/
Extracted: redline
C2: 190.2.145.47:80
Extracted: redline
Botnet: @big_tastyyy
C2: 87.251.71.44:80
Signatures
-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 5 IoCs
Yara matches (rule family_redline) in process memory; PID 1952 is ElopingWipes_2021-08-25_06-25.exe and PID 3940 the second EmbryulciaBrogues.exe instance, which accounts for the two RedLine configs extracted above:
behavioral1/memory/1952-252-0x0000000004180000-0x00000000041B8000-memory.dmp
behavioral1/memory/1952-254-0x0000000004330000-0x0000000004366000-memory.dmp
behavioral1/memory/3940-259-0x000000000041A66E-mapping.dmp
behavioral1/memory/3940-258-0x0000000000400000-0x0000000000420000-memory.dmp
behavioral1/memory/3940-272-0x0000000004DD0000-0x00000000053D6000-memory.dmp
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Executes dropped EXE 10 IoCs
Processes (pid, image):
3512 BA8B.exe
740 C03A.exe
1272 C1B2.exe
3872 C3A7.exe
2596 TrustedInstaller.exe
1952 ElopingWipes_2021-08-25_06-25.exe
4028 QIQytlRs.exe
2864 EmbryulciaBrogues.exe
988 TrustedInstaller.exe
3940 EmbryulciaBrogues.exe
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
C03A.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
C03A.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
BA8B.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
BA8B.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Deletes itself 1 IoCs
Processes:
PID 2680 (image name not recorded by the sandbox)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Yara rule themida matched 6 IoCs
The dropped executables BA8B.exe and C03A.exe, on disk and in their mapped memory, carry the Themida packer signature, which explains the anti-debug and anti-VM checks those two processes perform.
Yara matches:
C:\Users\Admin\AppData\Local\Temp\BA8B.exe themida
C:\Users\Admin\AppData\Local\Temp\BA8B.exe themida
C:\Users\Admin\AppData\Local\Temp\C03A.exe themida
behavioral1/memory/3512-125-0x00000000002A0000-0x00000000002A1000-memory.dmp themida
C:\Users\Admin\AppData\Local\Temp\C03A.exe themida
behavioral1/memory/740-144-0x0000000000260000-0x0000000000261000-memory.dmp themida
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
C3A7.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\TrustedInstaller.exe\" -start"
C3A7.exe: Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run
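The Run value above is a textbook persistence indicator: a file named after a Windows system binary (the genuine TrustedInstaller.exe lives under C:\Windows\servicing) is dropped into the user's roaming profile and launched from the per-user Run key. The following Python is an added example and not part of the sandbox report: it takes Sysmon-style registry-value-set records (Event ID 13 shape) and scores every Run/RunOnce write on three grounds: the value points into a user-writable path, its file name collides with a system binary while living outside C:\Windows, and the writing process itself runs from a user-writable path. The records are constructed; the first mirrors the C3A7.exe write recorded above, the other two are benign-looking controls. The field names and the system-binary list are assumptions.

```python
import re

# Constructed Sysmon-style "registry value set" records (Event ID 13 shape).
# The first mirrors the C3A7.exe write recorded in this report; the other two are
# benign-looking controls invented for contrast. Field names are an assumption.
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Users\Admin\AppData\Local\Temp\C3A7.exe",
        "TargetObject": r"HKU\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller.exe",
        "Details": r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -start',
    },
    {
        "Image": r"C:\Program Files\Vendor\Updater\setup.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
        "Details": r'"C:\Program Files\Vendor\Updater\updater.exe" /background',
    },
    {
        "Image": r"C:\Windows\explorer.exe",
        "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Cleanup",
        "Details": r"C:\Users\Admin\AppData\Local\Temp\installer_cleanup.exe",
    },
]

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\|^[A-Z]:\\Users\\Public\\|\\Temp\\", re.I)
# Names that belong under %SystemRoot%. A Run value naming one of them from any other
# location is a masquerade (assumed list; extend it from your own baseline).
SYSTEM_BINARY_NAMES = {"trustedinstaller.exe", "svchost.exe", "explorer.exe", "lsass.exe",
                       "csrss.exe", "winlogon.exe", "services.exe", "spoolsv.exe"}


def first_image(details):
    """Pull the executable path out of a Run value, quoted or bare, ignoring arguments."""
    quoted = re.match(r'\s*"([^"]+)"', details)
    if quoted:
        return quoted.group(1)
    bare = re.match(r"\s*(.+?\.exe)", details, re.I)
    return bare.group(1) if bare else details.strip()


def evaluate(event):
    """Return the reasons a Run/RunOnce write is suspicious; an empty list means no finding."""
    reasons = []
    if not RUN_KEY_RE.search(event["TargetObject"]):
        return reasons
    target = first_image(event["Details"])
    if USER_WRITABLE_RE.search(target):
        reasons.append("run value points into a user-writable path")
    name = target.rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_BINARY_NAMES and not target.lower().startswith("c:\\windows\\"):
        reasons.append(f"{name} is a Windows system binary name but runs from outside C:\\Windows")
    if USER_WRITABLE_RE.search(event["Image"]):
        reasons.append("written by a process running from a user-writable path")
    return reasons


def scan(events):
    """Return (writer image, reasons) for every event that produced at least one reason."""
    findings = []
    for event in events:
        reasons = evaluate(event)
        if reasons:
            findings.append((event["Image"], reasons))
    return findings


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(f"{image}: {len(reasons)} finding(s)")
        for reason in reasons:
            print("   -", reason)
```

The C3A7.exe record trips all three checks; the RunOnce entry in the third record trips only the user-writable check, which is exactly the grade of finding installers produce and the reason the score is a count rather than a yes/no.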
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 2 IoCs
Reads the EnableLUA policy value; a value of 0 means UAC is switched off.
Processes:
BA8B.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
C03A.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
TrustedInstaller.exe: File opened (read-only) on the root of every drive letter except C: and D:, in this order: Q:, P:, H:, G:, B:, R:, W:, T:, O:, K:, J:, F:, E:, Y:, X:, V:, N:, M:, I:, A:, Z:, S:, L:, U: (24 opens, one per \??\<letter>: path)
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flow:
flow 22: geoiptool.com
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes (pid, image):
3512 BA8B.exe
740 C03A.exe
4028 QIQytlRs.exe
Suspicious use of SetThreadContext 2 IoCs
Processes (source PID -> target PID):
1852 95edffa7a9fd43ba6798134ac6f97f113a9cbe05dc586a76f901970f22f76a08.exe set thread context of 2940 95edffa7a9fd43ba6798134ac6f97f113a9cbe05dc586a76f901970f22f76a08.exe (a second instance of itself)
2864 EmbryulciaBrogues.exe set thread context of 3940 EmbryulciaBrogues.exe (a second instance of itself)
Drops file in Program Files directory 64 IoCs
All 64 events are by TrustedInstaller.exe, the Buran payload dropped by C3A7.exe. Entries marked "created" are ransom-note drops; entries marked "modified" whose path ends in .payfast290.420-786-9BC are files that have already been renamed with the appended extension, the rest were opened for writing before renaming.
Processes:
modified: C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ul-oob.xrm-ms.payfast290.420-786-9BC
modified: C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\starttile.dualsim2.wink.scale-200.png
modified: C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_OwlEye.png
modified: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\zm_60x42.png
modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\convertpdf-tool-view.js
modified: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml
modified: C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ppd.xrm-ms.payfast290.420-786-9BC
modified: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker.nl_ja_4.4.0.v20140623020002.jar.payfast290.420-786-9BC
modified: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\BOLDSTRI.ELM
modified: C:\Program Files\VideoLAN\VLC\lua\sd\icecast.luac
modified: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderSmallTile.contrast-white_scale-200.png
modified: C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat
modified: C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PeopleAppList.scale-100.png
modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\ui-strings.js.payfast290.420-786-9BC
modified: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif.payfast290.420-786-9BC
modified: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-masterfs-nio2.jar.payfast290.420-786-9BC
modified: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-24.png
created: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\AppCore\Location\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
modified: C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ppd.xrm-ms.payfast290.420-786-9BC
modified: C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe.payfast290.420-786-9BC
created: C:\Program Files\VideoLAN\VLC\lua\meta\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
modified: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Klondike\Tips_5.jpg
modified: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6416_20x20x32.png
modified: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-core-output2.xml_hidden
modified: C:\Program Files\Microsoft Office\root\Integration\C2RManifest.wordmui.msi.16.en-us.xml
modified: C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ppd.xrm-ms
modified: C:\Program Files\Microsoft Office\root\Office16\1033\STSLIST.CHM
modified: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\mr_16x11.png
modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_reportabuse-default_18.svg.payfast290.420-786-9BC
modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\selector.js.payfast290.420-786-9BC
modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fi-fi\ui-strings.js.payfast290.420-786-9BC
modified: C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe.payfast290.420-786-9BC
modified: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml
modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\Flash.mpp
modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_folder-focus_32.svg.payfast290.420-786-9BC
modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-left-pressed.gif
created: C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
modified: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\PREVIEW.GIF.payfast290.420-786-9BC
modified: C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Microsoft.StickyNotes.Views\Images\Loading.png
modified: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\5311_24x24x32.png
modified: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-60.png
modified: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\LargeTile.scale-200.png
modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pl-pl\ui-strings.js
modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png
modified: C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ppd.xrm-ms.payfast290.420-786-9BC
modified: C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\vlc.mo
created: C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\desktop\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
modified: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7260_32x32x32.png
modified: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Light.scale-250.png
modified: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\WideTile.scale-100.png
modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\faf_field_grabber.png
modified: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-actions.jar.payfast290.420-786-9BC
modified: C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-pl.xrm-ms
modified: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.payfast290.420-786-9BC
modified: C:\Program Files\Microsoft Office\root\rsod\wordmui.msi.16.en-us.tree.dat
created: C:\Program Files\VideoLAN\VLC\locale\tl\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
modified: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionSmallTile.scale-150.png
modified: C:\Program Files\Java\jre1.8.0_66\lib\security\blacklisted.certs.payfast290.420-786-9BC
modified: C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-pl.xrm-ms
modified: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\LAYERS.INF.payfast290.420-786-9BC
modified: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\AppPackageBadgeLogo.scale-200.png
modified: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\WinStore\Resources\Assets\RT_Icons_Splat_42.png
modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ca-es\ui-strings.js
modified: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_zh_CN.jar.payfast290.420-786-9BC
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
95edffa7a9fd43ba6798134ac6f97f113a9cbe05dc586a76f901970f22f76a08.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
95edffa7a9fd43ba6798134ac6f97f113a9cbe05dc586a76f901970f22f76a08.exe: Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
95edffa7a9fd43ba6798134ac6f97f113a9cbe05dc586a76f901970f22f76a08.exe: Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (pid, image):
4304 vssadmin.exe
3948 vssadmin.exe
Modifies system certificate store 2 IoCs
Processes:
C3A7.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
C3A7.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob not reproduced here)
Caveat: writes under AuthRoot\Certificates are routinely produced by Windows' automatic root-certificate update the first time a process makes a TLS connection, and the CryptnetUrlCache downloads listed at the end of this report are consistent with that. On its own this signature is low confidence; it does not show the malware installing its own root of trust.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, image, event count; the table is capped at 64 rows):
2940 95edffa7a9fd43ba6798134ac6f97f113a9cbe05dc586a76f901970f22f76a08.exe (2)
2680 (image name not recorded) (62)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
PID 2680 (image name not recorded by the sandbox)
Suspicious behavior: MapViewOfSection 19 IoCs
Processes (pid, image, event count):
2940 95edffa7a9fd43ba6798134ac6f97f113a9cbe05dc586a76f901970f22f76a08.exe (1)
2680 (image name not recorded) (18)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (duplicate rows collapsed; the table is capped at 64 rows):
2680 (image name not recorded): SeShutdownPrivilege and SeCreatePagefilePrivilege, enabled alternately over and over; these make up the bulk of the 64 rows
3872 C3A7.exe: SeDebugPrivilege (2)
740 C03A.exe: SeDebugPrivilege
3512 BA8B.exe: SeDebugPrivilege
2864 EmbryulciaBrogues.exe: SeDebugPrivilege
4036 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege
The rows that matter are the SeDebugPrivilege requests by the dropped executables, which is what cross-process writing and SetThreadContext on other processes require; the broad set enabled by WMIC.exe is wmic.exe's normal start-up behaviour rather than something the payload did.
Suspicious use of UnmapMainImage 1 IoCs
Processes:
PID 2680 (image name not recorded by the sandbox)
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source PID -> target PID, duplicate rows collapsed; the table is capped at 64 rows):
1852 95edffa7a9fd43ba6798134ac6f97f113a9cbe05dc586a76f901970f22f76a08.exe -> 2940 95edffa7a9fd43ba6798134ac6f97f113a9cbe05dc586a76f901970f22f76a08.exe (a second instance of itself; see SetThreadContext above)
2680 (image name not recorded) -> 3512 BA8B.exe
2680 (image name not recorded) -> 740 C03A.exe
2680 (image name not recorded) -> 1272 C1B2.exe
2680 (image name not recorded) -> 3872 C3A7.exe
2680 (image name not recorded) -> explorer.exe instances 2300, 3612, 2420, 3760, 2200, 800, 3800, 1596 and 3364
3872 C3A7.exe -> 2596 TrustedInstaller.exe
3872 C3A7.exe -> 1944 notepad.exe
1272 C1B2.exe -> 1952 ElopingWipes_2021-08-25_06-25.exe
1272 C1B2.exe -> 4028 QIQytlRs.exe
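Read together, the SetThreadContext and WriteProcessMemory tables separate three different injection shapes: the initial sample and EmbryulciaBrogues.exe each spawn a copy of themselves, write into it and reset its thread context (the process-hollowing pattern), the unnamed PID 2680 writes into nine explorer.exe instances and into every dropped executable, and the droppers write into their own children. The Python below is an added example, not tooling from the sandbox: it parses rows in the report's own "PID X wrote to memory of Y X <images>" layout, groups them by (source, target) pair and assigns each pair one of those verdicts. The rows are copied from the tables above (the long sample name is abbreviated to SAMPLE.exe); the verdict wording is mine.

```python
import re
from collections import defaultdict

# One row of the report's injection tables: "PID <src> <op> <dst> <src> [<src image> <dst image>]".
# Rows for the unnamed writer (PID 2680) carry only the target image.
ROW_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) (\d+)\s*(.*)$")

# Rows copied from the two tables above (a subset). SAMPLE.exe stands in for the
# 95edffa7...f76a08.exe sample name. Not new telemetry.
SAMPLE_ROWS = """
PID 1852 set thread context of 2940 1852 SAMPLE.exe SAMPLE.exe
PID 1852 wrote to memory of 2940 1852 SAMPLE.exe SAMPLE.exe
PID 2864 set thread context of 3940 2864 EmbryulciaBrogues.exe EmbryulciaBrogues.exe
PID 2680 wrote to memory of 3512 2680 BA8B.exe
PID 2680 wrote to memory of 2300 2680 explorer.exe
PID 3872 wrote to memory of 2596 3872 C3A7.exe TrustedInstaller.exe
PID 3872 wrote to memory of 1944 3872 C3A7.exe notepad.exe
PID 1272 wrote to memory of 1952 1272 C1B2.exe ElopingWipes_2021-08-25_06-25.exe
"""


def parse_rows(text):
    """Group rows by (source pid, target pid); collect the operations and image names seen."""
    pairs = defaultdict(lambda: {"ops": set(), "src_image": None, "dst_image": None})
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, op, dst, src_again, rest = m.groups()
        if src != src_again:
            continue  # malformed row: the source pid is repeated in the report's layout
        names = rest.split()
        rec = pairs[(int(src), int(dst))]
        rec["ops"].add("set_thread_context" if op.startswith("set") else "wrote_to_memory")
        if len(names) == 2:
            rec["src_image"], rec["dst_image"] = names
        elif len(names) == 1:
            rec["dst_image"] = names[0]  # writer unnamed, only the target was resolved
    return pairs


def verdict(rec):
    """Classify one (source, target) pair from the operations and images recorded for it."""
    ops, src, dst = rec["ops"], rec["src_image"], rec["dst_image"]
    if {"set_thread_context", "wrote_to_memory"} <= ops and src == dst:
        return "process hollowing: same image written to, then SetThreadContext"
    if "set_thread_context" in ops:
        return "thread context hijack: SetThreadContext on the target (write rows may be lost to the 64-row cap)"
    if dst and dst.lower() == "explorer.exe":
        return "write into explorer.exe (injection into a long-lived host process)"
    if src is None:
        return "write from an unnamed process into a dropped executable"
    return "parent wrote into its own child (dropper staging)"


def analyze(text):
    """Return {(src, dst): record with a 'verdict' key} for every pair in the rows."""
    pairs = parse_rows(text)
    return {key: dict(rec, verdict=verdict(rec)) for key, rec in sorted(pairs.items())}


if __name__ == "__main__":
    for (src, dst), rec in analyze(SAMPLE_ROWS).items():
        print(f"{src:>5} -> {dst:<5} {rec['src_image'] or '?':<24} {rec['dst_image'] or '?':<36} {rec['verdict']}")
```

The hollowing verdict needs both operations on the same pair; a pair that shows only SetThreadContext is still reported, with the reminder that the WriteProcessMemory table above stops at 64 rows and the matching write may simply have been cut.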
Processes
-
C:\Users\Admin\AppData\Local\Temp\95edffa7a9fd43ba6798134ac6f97f113a9cbe05dc586a76f901970f22f76a08.exe"C:\Users\Admin\AppData\Local\Temp\95edffa7a9fd43ba6798134ac6f97f113a9cbe05dc586a76f901970f22f76a08.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\95edffa7a9fd43ba6798134ac6f97f113a9cbe05dc586a76f901970f22f76a08.exe"C:\Users\Admin\AppData\Local\Temp\95edffa7a9fd43ba6798134ac6f97f113a9cbe05dc586a76f901970f22f76a08.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\BA8B.exeC:\Users\Admin\AppData\Local\Temp\BA8B.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\C03A.exeC:\Users\Admin\AppData\Local\Temp\C03A.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\C1B2.exeC:\Users\Admin\AppData\Local\Temp\C1B2.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ElopingWipes_2021-08-25_06-25.exe"C:\Users\Admin\AppData\Local\Temp\ElopingWipes_2021-08-25_06-25.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\QIQytlRs.exe"C:\Users\Admin\AppData\Local\Temp\QIQytlRs.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\EmbryulciaBrogues.exe"C:\Users\Admin\AppData\Local\Temp\EmbryulciaBrogues.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\EmbryulciaBrogues.exeC:\Users\Admin\AppData\Local\Temp\EmbryulciaBrogues.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C3A7.exeC:\Users\Admin\AppData\Local\Temp\C3A7.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe (depth 2)
  command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -start
- Executes dropped EXE
- Enumerates connected drives
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
  command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
-
C:\Windows\SysWOW64\Wbem\WMIC.exe (depth 4)
  command line: wmic shadowcopy delete
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
  command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
  command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
  command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
-
C:\Windows\SysWOW64\vssadmin.exe (depth 4)
  command line: vssadmin delete shadows /all /quiet
- Interacts with shadow copies
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe (depth 3)
  command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -agent 0
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
  command line: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
-
C:\Windows\SysWOW64\Wbem\WMIC.exe (depth 4)
  command line: wmic shadowcopy delete
-
C:\Windows\SysWOW64\vssadmin.exe (depth 4)
  command line: vssadmin delete shadows /all /quiet
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
  command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
-
C:\Windows\SysWOW64\notepad.exe (depth 2)
  command line: notepad.exe
-
C:\Windows\SysWOW64\explorer.exe (depth 1)
  command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\explorer.exe (depth 1)
  command line: C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (depth 1)
  command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\explorer.exe (depth 1)
  command line: C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (depth 1)
  command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\explorer.exe (depth 1)
  command line: C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (depth 1)
  command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\explorer.exe (depth 1)
  command line: C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (depth 1)
  command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\system32\vssvc.exe (depth 1)
  command line: C:\Windows\system32\vssvc.exe
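The process tree above is the classic ransomware pre-encryption sequence: a dropped binary posing as TrustedInstaller.exe (in this report it runs from AppData\Roaming, and the Downloads list below shows it carries the same hashes as C3A7.exe) spawns cmd.exe children that wipe shadow copies (vssadmin, wmic), delete the backup catalog (wbadmin) and disable Windows recovery and boot-failure handling (bcdedit). ATT&CK labels these Inhibit System Recovery (T1490) and Masquerading (T1036). The following detection logic is an added example for this page, not output of the sandbox or code from the Buran/VegaLocker authors: the event dicts are constructed with Sysmon Event ID 1-style fields (pid, ppid, image, cmdline), the PIDs are invented, and the images and command lines mirror the tree above. It goes slightly beyond the report by also scoring the cluster, since one parent issuing several distinct recovery-inhibit commands is far more specific than any single vssadmin call.

```python
"""Flag recovery inhibition (ATT&CK T1490) and system-binary masquerading
(T1036) in process-creation telemetry.

Added example, not part of the sandbox report. Events are constructed with
Sysmon Event ID 1-style fields; PIDs are invented.
"""
import re
from collections import defaultdict

# Constructed sample: a dropped binary posing as TrustedInstaller.exe spawns the
# five recovery-destroying commands seen in the process tree, plus benign noise.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 50,
     "image": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -start'},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete'},
    {"pid": 201, "ppid": 101, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"pid": 102, "ppid": 100, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no'},
    {"pid": 103, "ppid": 100, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet'},
    {"pid": 104, "ppid": 100, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet'},
    {"pid": 202, "ppid": 104, "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 105, "ppid": 100, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures'},
    # Benign: the genuine servicing binary, an admin listing shadows, WOW64 explorer.
    {"pid": 300, "ppid": 4, "image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "cmdline": r"C:\Windows\servicing\TrustedInstaller.exe"},
    {"pid": 301, "ppid": 310, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"pid": 400, "ppid": 50, "image": r"C:\Windows\SysWOW64\explorer.exe",
     "cmdline": r"C:\Windows\SysWOW64\explorer.exe"},
]

# Each rule matches the whole command line, so the cmd.exe /C wrapper and the
# child it launches are both flagged; `.*` tolerates switches in any order.
RECOVERY_INHIBIT_RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin delete catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("bcdedit recoveryenabled no",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("bcdedit bootstatuspolicy ignoreallfailures",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]

# Binary names that should only ever execute from under the Windows directory.
SYSTEM_BINARY_NAMES = {"trustedinstaller.exe", "svchost.exe", "lsass.exe",
                       "csrss.exe", "explorer.exe", "wininit.exe"}
SYSTEM_ROOT = "c:\\windows\\"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def recovery_inhibit_hits(cmdline: str) -> list:
    """Names of the T1490 rules matched by one command line."""
    return [name for name, rx in RECOVERY_INHIBIT_RULES if rx.search(cmdline)]


def is_masquerading(image: str) -> bool:
    """A well-known system binary name running from outside %SystemRoot%."""
    return basename(image) in SYSTEM_BINARY_NAMES and not image.lower().startswith(SYSTEM_ROOT)


def analyze(events: list) -> list:
    """Return per-event findings plus one cluster finding per offending parent."""
    findings = []
    cmds_by_parent = defaultdict(set)
    for ev in events:
        for hit in recovery_inhibit_hits(ev["cmdline"]):
            findings.append({"pid": ev["pid"], "technique": "T1490", "detail": hit})
            cmds_by_parent[ev["ppid"]].add(hit)
        if is_masquerading(ev["image"]):
            findings.append({"pid": ev["pid"], "technique": "T1036",
                             "detail": f"{basename(ev['image'])} running from {ev['image']}"})
    # One parent issuing two or more distinct recovery-inhibit commands is the
    # ransomware pre-encryption pattern; a lone vssadmin call may be an admin.
    for ppid, cmds in cmds_by_parent.items():
        if len(cmds) >= 2:
            findings.append({"pid": ppid, "technique": "T1490-cluster",
                             "detail": f"{len(cmds)} distinct recovery-inhibit commands: {sorted(cmds)}"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"pid={f['pid']:<5} {f['technique']:<14} {f['detail']}")
```

On the constructed sample this yields seven T1490 hits (the five cmd.exe wrappers plus the WMIC and vssadmin children), one T1036 hit for the AppData copy of TrustedInstaller.exe, and a single cluster finding on the parent that issued all five commands; the genuine C:\Windows\servicing\TrustedInstaller.exe, the SysWOW64 explorer.exe and the read-only `vssadmin list shadows` produce nothing. The path check is deliberately a prefix test on %SystemRoot% rather than a list of exact directories, so WOW64 copies under SysWOW64 are not false positives.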
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5 a54d2ad67b52a694e7fc3158dca2b185
SHA1 79f87e1feb4d6b1ddb850862a8a3abb2861195df
SHA256 88bacb41d6c732ef48eb221567dbef84958f7e716a5522195d20c8eddb8622b6
SHA512 7ec88b1b696bf8be7d1ff2600c8ad734dd9f653eb30a62f44316bf94d8ef82841ccd3f6cb8f3b56ac300a2e033d480165d376c5ab4a6b2e3450716eb3d6dac1b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5 5ee99536c83aebc66fc2a2b54373ea37
SHA1 949eeed463cde7329ecc755b1c3f1430647e5845
SHA256 15a854d29d800333c46b6f1d9f696dd2b231ece90bed6f5e5f100fd0adbda006
SHA512 ff90853bd79e8cb6354574fe7b18ac1b980caa232e04e7ddc5bf42e68b55c6c02da5899bd919f01be7082d5b02b3b80025cf3a2825482f940930c55996a9bd20
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5 c666571cee2bfa75d13073f6a38718bd
SHA1 f78e3cd32b11d662c241518b3e608499ea8b0784
SHA256 dc46ca8ba3fafcf14ad91b267401a7f85188329423d564c9e0348379b533b2aa
SHA512 388263b6917d478ce2bed8b45aa2974fa9aa51776eee6ad5ec08b38b70442874b153c86797723e59bb8871ab574ed7120e097ce9000b7e12cc3802d53ea6f5f2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5 7cce94f423beeb496eea23926f0e0183
SHA1 0272711f82243c7516edf8470cf3848e299c9c8b
SHA256 c86e24eed0a7ee8e6087e6b6193eec1696de29f6e0a30ab0a225fb85fbdc8394
SHA512 874cc05ea5b6a45eb6236f102fcbf9145e68c866ed8cd836affaf0e883302e237fcb248024ff2b7d1f40547624218b34e3c347e3baaf12bcdf2767f1a57d1cee
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5 427d3c97ffa0e45f766bc06ac6f738f6
SHA1 e63b74028436648151e291ae639f48c45ce1b882
SHA256 cc5c53e4d812ae7045e60ae06f98f6da000440a0fb9339e2538e3fdb9e99f603
SHA512 50dd1700a2dcaf6db2cb86cd3b4b82940899b17821022d57ecfcbbede5fdc5ebd1cf8bab6e730a3e1ffde99ee6bbf3b4bd66aaa37aa199e0ecc67dd22169f09c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5 9748d28f2649e5ebf41530bfccdb6c00
SHA1 c594a9dfa1c49791f129be08966c7a32f25d2d17
SHA256 fea0e7cb3bec2aa20a0e3b9a759919f6c8a1fc9c8bf39e583f38dad9b3264b43
SHA512 2e00db3a274320247072b5db772e7e9517d2b22d3134015e295e7e4bd10a12dd145f6c810aef4166d36a6239f0d11422e51cc3278d945e0cdb95fbc7c028b411
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EmbryulciaBrogues.exe.log
MD5 7438b57da35c10c478469635b79e33e1
SHA1 5ffcbdfbfd800f67d6d9d6ee46de2eb13fcbb9a5
SHA256 b253c066d4a6604aaa5204b09c1edde92c410b0af351f3760891f5e56c867f70
SHA512 5887796f8ceb1c5ae790caff0020084df49ea8d613b78656a47dc9a569c5c86a9b16ec2ebe0d6f34c5e3001026385bb1282434cc3ffc7bda99427c154c04b45a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U0EJMF7X\VM19N5QA.htm
MD5 b1cd7c031debba3a5c77b39b6791c1a7
SHA1 e5d91e14e9c685b06f00e550d9e189deb2075f76
SHA256 57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa
SHA512 d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72
-
C:\Users\Admin\AppData\Local\Temp\BA8B.exe
MD5 47205c3698b9f436a800c2520210f700
SHA1 2134d6663b6177b4432abc1f114ea5bbfd848052
SHA256 c44b8d4e7c026d1485ba2058936835b6ef9b458d590b05c0d113e58978921ffc
SHA512 cc310b6347b2d4d8c66d57af9a76e3e715a86d39a355f7cb738d6d30ebd91cdbe87ea6d39e1b19fddc8a536b9860d19becbca85e82aaade558ee99f1f30248ef
-
C:\Users\Admin\AppData\Local\Temp\C03A.exe
MD5 fead6bbf07f24cc42e5bf9a9dd026f74
SHA1 0e81378b656a66c75826edfe962d22a0fae6670d
SHA256 b60bb1e1c45030e45581c11e31b1e308afe02252d90cddc935abf0d851323c66
SHA512 6190d264257166d006531d74cb7b503d12637af61657f15aa217b7c719c94ffbd61883156470dc9305aed6ec17a1d442ff17d18834f3045ba3a2a915be0e9363
-
C:\Users\Admin\AppData\Local\Temp\C1B2.exe
MD5 79c2644b6900df6336a9feddde98eae4
SHA1 3717e912455e85d0262356aebccc937f0a4790d2
SHA256 bed4c9f14696cc59c90575c491b4b60208c9cb602da5b29a63cdabbf448135fe
SHA512 9e3f644519c36d7001c6a89f6f5191d4b8d2de5371f9336671eb5639313fb711e66dca89fd72bea94962c69ce30085833006ee3e21d47a787ab8f03eaf885d11
-
C:\Users\Admin\AppData\Local\Temp\C3A7.exe
MD5 bdfde890a781bf135e6eb4339ff9424f
SHA1 a5bfca4601242d3ff52962432efb15ab9202217f
SHA256 b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5
SHA512 7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b
-
C:\Users\Admin\AppData\Local\Temp\ElopingWipes_2021-08-25_06-25.exe
MD5 318c869e2886127dddb2a220988cf599
SHA1 c46432e774f29bae1ceff19811a6677bdbc6c1b6
SHA256 711d639857ca6c94d659089a21d9abc021b7ca5280d93b0f0c9d8c19eb9c8764
SHA512 460ac5fa165e7a139e2794a85f57ddd664b69671a6673950214158748ac18688c3f0807ecf3d2612a47078b89223e76e25438670f5834978ba075c64454f89a4
-
C:\Users\Admin\AppData\Local\Temp\EmbryulciaBrogues.exe
MD5 7f47e20941352fca134e8deeac04272e
SHA1 a9208a7c524e2b89552031a120b4a08ecf42ef52
SHA256 be00573c3c61abe2e6adc4e9a547d3d85b0d763e2ac528ab2865592a89d1f5ba
SHA512 f23b610735966b4e651cdc7233f23aaf1b1bb791f934b5d639123bb76dda6242feb2b45b4f9b6556c47ac9d3dd798b801b09e84b6d03ce2c216236096aab2f63
-
C:\Users\Admin\AppData\Local\Temp\QIQytlRs.exe
MD5 2761c51aea2b127686a8b27770dc4170
SHA1 5719cf591f3883a0b6f4b74263256c1930b073b6
SHA256 f0dcac79c7f0978978beaab834c504bf2e97d0aef5c200f7ac91cd43f9b9503f
SHA512 edc33a2682613237c8214a908837cd8aee154cdab34fcdd182069db0d143a0aee5f1dc5e972a3613f8861e5de8922bf32c7bb31e3a43ed10d4772d2e93ed3bec
-
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5 ef572e2c7b1bbd57654b36e8dcfdc37a
SHA1 b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
SHA256 e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
SHA512 b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe (identical content to C:\Users\Admin\AppData\Local\Temp\C3A7.exe above; the dropped ransomware copy is renamed to a Windows servicing binary name outside the Windows directory)
MD5 bdfde890a781bf135e6eb4339ff9424f
SHA1 a5bfca4601242d3ff52962432efb15ab9202217f
SHA256 b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5
SHA512 7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b
- memory/420-232-0x0000000000000000-mapping.dmp
- memory/740-155-0x00000000013E0000-0x00000000013E1000-memory.dmp (4KB)
- memory/740-192-0x0000000007070000-0x0000000007071000-memory.dmp (4KB)
- memory/740-122-0x0000000000000000-mapping.dmp
- memory/740-195-0x0000000007FD0000-0x0000000007FD1000-memory.dmp (4KB)
- memory/740-142-0x00000000777D0000-0x000000007795E000-memory.dmp (1.6MB)
- memory/740-144-0x0000000000260000-0x0000000000261000-memory.dmp (4KB)
- memory/800-181-0x0000000000750000-0x000000000075C000-memory.dmp (48KB)
- memory/800-180-0x0000000000760000-0x0000000000766000-memory.dmp (24KB)
- memory/800-179-0x0000000000000000-mapping.dmp
- memory/988-241-0x0000000000000000-mapping.dmp
- memory/1272-128-0x0000000000000000-mapping.dmp
- memory/1272-131-0x0000000000810000-0x0000000000811000-memory.dmp (4KB)
- memory/1596-185-0x0000000000000000-mapping.dmp
- memory/1596-186-0x0000000000730000-0x0000000000735000-memory.dmp (20KB)
- memory/1596-187-0x0000000000720000-0x0000000000729000-memory.dmp (36KB)
- memory/1852-116-0x00000000023B0000-0x00000000024FA000-memory.dmp (1.3MB)
- memory/1944-165-0x0000000000000000-mapping.dmp
- memory/1944-176-0x0000000000930000-0x0000000000931000-memory.dmp (4KB)
- memory/1952-249-0x00000000023D0000-0x000000000251A000-memory.dmp (1.3MB)
- memory/1952-269-0x0000000000400000-0x00000000023C8000-memory.dmp (31.8MB)
- memory/1952-275-0x0000000006B43000-0x0000000006B44000-memory.dmp (4KB)
- memory/1952-252-0x0000000004180000-0x00000000041B8000-memory.dmp (224KB)
- memory/1952-276-0x0000000006B44000-0x0000000006B46000-memory.dmp (8KB)
- memory/1952-206-0x0000000000000000-mapping.dmp
- memory/1952-270-0x0000000006B40000-0x0000000006B41000-memory.dmp (4KB)
- memory/1952-254-0x0000000004330000-0x0000000004366000-memory.dmp (216KB)
- memory/1952-274-0x0000000006B42000-0x0000000006B43000-memory.dmp (4KB)
- memory/2064-237-0x0000000000000000-mapping.dmp
- memory/2200-178-0x0000000002C20000-0x0000000002C29000-memory.dmp (36KB)
- memory/2200-177-0x0000000002C30000-0x0000000002C35000-memory.dmp (20KB)
- memory/2200-175-0x0000000000000000-mapping.dmp
- memory/2268-233-0x0000000000000000-mapping.dmp
- memory/2300-153-0x0000000002E80000-0x0000000002EF4000-memory.dmp (464KB)
- memory/2300-154-0x0000000002E10000-0x0000000002E7B000-memory.dmp (428KB)
- memory/2300-139-0x0000000000000000-mapping.dmp
- memory/2420-160-0x0000000003290000-0x000000000329B000-memory.dmp (44KB)
- memory/2420-159-0x00000000032A0000-0x00000000032A7000-memory.dmp (28KB)
- memory/2420-158-0x0000000000000000-mapping.dmp
- memory/2524-239-0x0000000000000000-mapping.dmp
- memory/2544-235-0x0000000000000000-mapping.dmp
- memory/2596-162-0x0000000000000000-mapping.dmp
- memory/2612-240-0x0000000000000000-mapping.dmp
- memory/2680-117-0x00000000013D0000-0x00000000013E6000-memory.dmp (88KB)
- memory/2864-238-0x0000000005080000-0x0000000005081000-memory.dmp (4KB)
- memory/2864-225-0x00000000006B0000-0x00000000006B1000-memory.dmp (4KB)
- memory/2864-211-0x0000000000000000-mapping.dmp
- memory/2940-114-0x0000000000400000-0x0000000000409000-memory.dmp (36KB)
- memory/2940-115-0x0000000000402FAB-mapping.dmp
- memory/3364-194-0x0000000000000000-mapping.dmp
- memory/3364-199-0x00000000029F0000-0x00000000029F5000-memory.dmp (20KB)
- memory/3364-200-0x00000000029E0000-0x00000000029E9000-memory.dmp (36KB)
- memory/3512-140-0x0000000003640000-0x0000000003641000-memory.dmp (4KB)
- memory/3512-198-0x0000000007850000-0x0000000007851000-memory.dmp (4KB)
- memory/3512-188-0x00000000073B0000-0x00000000073B1000-memory.dmp (4KB)
- memory/3512-141-0x00000000059C0000-0x00000000059C1000-memory.dmp (4KB)
- memory/3512-147-0x0000000005A00000-0x0000000005A01000-memory.dmp (4KB)
- memory/3512-135-0x0000000005A90000-0x0000000005A91000-memory.dmp (4KB)
- memory/3512-118-0x0000000000000000-mapping.dmp
- memory/3512-190-0x0000000007AB0000-0x0000000007AB1000-memory.dmp (4KB)
- memory/3512-124-0x00000000777D0000-0x000000007795E000-memory.dmp (1.6MB)
- memory/3512-125-0x00000000002A0000-0x00000000002A1000-memory.dmp (4KB)
- memory/3512-205-0x00000000079F0000-0x00000000079F1000-memory.dmp (4KB)
- memory/3512-134-0x0000000005960000-0x0000000005961000-memory.dmp (4KB)
- memory/3512-196-0x0000000007730000-0x0000000007731000-memory.dmp (4KB)
- memory/3512-132-0x0000000005F50000-0x0000000005F51000-memory.dmp (4KB)
- memory/3512-203-0x0000000007950000-0x0000000007951000-memory.dmp (4KB)
- memory/3612-152-0x0000000000000000-mapping.dmp
- memory/3612-156-0x0000000000740000-0x0000000000747000-memory.dmp (28KB)
- memory/3612-157-0x0000000000730000-0x000000000073C000-memory.dmp (48KB)
- memory/3760-166-0x0000000000C80000-0x0000000000C89000-memory.dmp (36KB)
- memory/3760-161-0x0000000000000000-mapping.dmp
- memory/3760-167-0x00000000009F0000-0x00000000009FF000-memory.dmp (60KB)
- memory/3800-184-0x0000000000190000-0x0000000000199000-memory.dmp (36KB)
- memory/3800-183-0x00000000001A0000-0x00000000001A4000-memory.dmp (16KB)
- memory/3800-182-0x0000000000000000-mapping.dmp
- memory/3872-136-0x0000000000000000-mapping.dmp
- memory/3940-272-0x0000000004DD0000-0x00000000053D6000-memory.dmp (6.0MB)
- memory/3940-259-0x000000000041A66E-mapping.dmp
- memory/3940-258-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/3948-248-0x0000000000000000-mapping.dmp
- memory/4028-217-0x00000000023E0000-0x0000000002426000-memory.dmp (280KB)
- memory/4028-208-0x0000000000000000-mapping.dmp
- memory/4028-245-0x0000000004CB0000-0x0000000004CB1000-memory.dmp (4KB)
- memory/4028-251-0x000000007E820000-0x000000007E821000-memory.dmp (4KB)
- memory/4028-243-0x0000000004C60000-0x0000000004C61000-memory.dmp (4KB)
- memory/4028-244-0x0000000072060000-0x00000000720AB000-memory.dmp (300KB)
- memory/4028-234-0x0000000075410000-0x0000000076758000-memory.dmp (19.3MB)
- memory/4028-236-0x0000000004BE0000-0x00000000051E6000-memory.dmp (6.0MB)
- memory/4028-231-0x0000000074E80000-0x0000000075404000-memory.dmp (5.5MB)
- memory/4028-214-0x0000000000050000-0x0000000000051000-memory.dmp (4KB)
- memory/4028-218-0x0000000000D70000-0x0000000000D71000-memory.dmp (4KB)
- memory/4028-221-0x0000000072470000-0x00000000724F0000-memory.dmp (512KB)
- memory/4028-219-0x00000000008B0000-0x00000000008B1000-memory.dmp (4KB)
- memory/4028-216-0x0000000076790000-0x0000000076881000-memory.dmp (964KB)
- memory/4028-215-0x0000000074C50000-0x0000000074E12000-memory.dmp (1.8MB)
- memory/4036-247-0x0000000000000000-mapping.dmp
- memory/4256-277-0x0000000000000000-mapping.dmp
- memory/4304-278-0x0000000000000000-mapping.dmp