djvu | 8050946d45275d1d9a207b61e1e7c69f906193fe120b111497bb15960f9ca379

Analysis

max time kernel
179s
max time network
166s
platform
windows10_x64
resource
win10-en
submitted
10-09-2021 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fri19870e2febf5544.exe
Size

152KB
MD5

29bfd17aa35ed0486dfb5ae655514a66
SHA1

f3d8abf6736e0c79a09e2969b78cd3fcd2dfc96f
SHA256

940fcd65f551869d96be42d253572e657f5493de4454229a6430814abb862e49
SHA512

90f8756378196095ac5405d5055a3041b7e5bba033a83d614a7a3b5fc70872311169cd434b8576137bc7c8edc56b2b0c6b3b7d97bcc527d0dcde91e25a4e85cd

Score

10^/10

djvu raccoon redline smokeloader vidar 517 backdoor discovery evasion infostealer persistence ransomware spyware stealer suricata themida trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

redline

185.215.113.29:8678

Extracted

Family

vidar

Version

40.5

Botnet

517

https://gheorghip.tumblr.com/

Attributes

profile_id
517

Signatures

Detected Djvu ransomware 6 IoCs

Processes:

resource	yara_rule
behavioral16/memory/3496-144-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral16/memory/3496-145-0x0000000000424141-mapping.dmp	family_djvu
behavioral16/memory/3496-150-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral16/memory/1968-149-0x0000000003F30000-0x000000000404B000-memory.dmp	family_djvu
behavioral16/memory/2296-154-0x0000000000424141-mapping.dmp	family_djvu
behavioral16/memory/2296-160-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral16/memory/4052-123-0x0000000003EC0000-0x0000000003EDD000-memory.dmp	family_redline
behavioral16/memory/4052-125-0x00000000040A0000-0x00000000040BC000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral16/memory/520-170-0x0000000000400000-0x00000000004D5000-memory.dmp	family_vidar
behavioral16/memory/520-171-0x000000000049EC7D-mapping.dmp	family_vidar
behavioral16/memory/2272-173-0x0000000002490000-0x0000000002562000-memory.dmp	family_vidar
behavioral16/memory/520-174-0x0000000000400000-0x00000000004D5000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

Processes:

C411.exeEE5E.exeEE5E.exeEE5E.exeEE5E.exebuild2.exe1688.exebuild3.exebuild2.exebuild3.exezQrIY5gSN5.exesihost.exeA26E.exeD7D7.exe

pid	process
4052	C411.exe
1968	EE5E.exe
3496	EE5E.exe
3324	EE5E.exe
2296	EE5E.exe
2272	build2.exe
2124	1688.exe
2604	build3.exe
520	build2.exe
392	build3.exe
1928	zQrIY5gSN5.exe
908	sihost.exe
2612	A26E.exe
2376	D7D7.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

A26E.exeD7D7.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	A26E.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	A26E.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	D7D7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	D7D7.exe

Deletes itself 1 IoCs

Processes:

pid process

2372
Loads dropped DLL 7 IoCs

Processes:

1688.exebuild2.exe

pid process

2124 1688.exe
520 build2.exe
520 build2.exe
2124 1688.exe
2124 1688.exe
2124 1688.exe
2124 1688.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

3400 icacls.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2372

pid	process
2124	1688.exe
520	build2.exe
520	build2.exe
2124	1688.exe
2124	1688.exe
2124	1688.exe
2124	1688.exe

pid	process
3400	icacls.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\A26E.exe	themida
C:\Users\Admin\AppData\Local\Temp\A26E.exe	themida
behavioral16/memory/2612-216-0x0000000000A00000-0x0000000000A01000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\D7D7.exe	themida
C:\Users\Admin\AppData\Local\Temp\D7D7.exe	themida
behavioral16/memory/2376-237-0x0000000000920000-0x0000000000921000-memory.dmp	themida

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

EE5E.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\badde24d-8e35-46fe-81a0-9bc6c1433da3\\EE5E.exe\" --AutoStart"	EE5E.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

A26E.exeD7D7.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	A26E.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	D7D7.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

31 api.2ip.ua
32 api.2ip.ua
41 api.2ip.ua
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

A26E.exeD7D7.exe

pid process

2612 A26E.exe
2376 D7D7.exe

flow	ioc
31	api.2ip.ua
32	api.2ip.ua
41	api.2ip.ua

pid	process
2612	A26E.exe
2376	D7D7.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

EE5E.exeEE5E.exebuild2.exebuild3.exe

description	pid	process	target process
PID 1968 set thread context of 3496	1968	EE5E.exe	EE5E.exe
PID 3324 set thread context of 2296	3324	EE5E.exe	EE5E.exe
PID 2272 set thread context of 520	2272	build2.exe	build2.exe
PID 2604 set thread context of 392	2604	build3.exe	build3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Fri19870e2febf5544.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fri19870e2febf5544.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fri19870e2febf5544.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fri19870e2febf5544.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

build2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

368 schtasks.exe
3796 schtasks.exe
2232 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3740 timeout.exe
2272 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3796 taskkill.exe

pid	process
368	schtasks.exe
3796	schtasks.exe
2232	schtasks.exe

pid	process
3740	timeout.exe
2272	timeout.exe

pid	process
3796	taskkill.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

EE5E.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	EE5E.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	EE5E.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Fri19870e2febf5544.exe

pid	process
2648	Fri19870e2febf5544.exe
2648	Fri19870e2febf5544.exe
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2372
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Fri19870e2febf5544.exe

pid process

2648 Fri19870e2febf5544.exe

pid	process
2372

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

C411.exetaskkill.exeA26E.exeD7D7.exe

description	pid	process
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeDebugPrivilege	4052	C411.exe
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeDebugPrivilege	3796	taskkill.exe
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeDebugPrivilege	2612	A26E.exe
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeDebugPrivilege	2376	D7D7.exe
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

pid process

2372
2372
2372
2372
2372
2372
2372
2372
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

pid process

2372
2372
2372

pid	process
2372
2372
2372
2372
2372
2372
2372
2372

pid	process
2372
2372
2372

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EE5E.exeEE5E.exeEE5E.exeEE5E.exebuild2.exebuild3.exebuild3.exebuild2.exe

description	pid	process	target process
PID 2372 wrote to memory of 4052	2372		C411.exe
PID 2372 wrote to memory of 4052	2372		C411.exe
PID 2372 wrote to memory of 4052	2372		C411.exe
PID 2372 wrote to memory of 1968	2372		EE5E.exe
PID 2372 wrote to memory of 1968	2372		EE5E.exe
PID 2372 wrote to memory of 1968	2372		EE5E.exe
PID 1968 wrote to memory of 3496	1968	EE5E.exe	EE5E.exe
PID 1968 wrote to memory of 3496	1968	EE5E.exe	EE5E.exe
PID 1968 wrote to memory of 3496	1968	EE5E.exe	EE5E.exe
PID 1968 wrote to memory of 3496	1968	EE5E.exe	EE5E.exe
PID 1968 wrote to memory of 3496	1968	EE5E.exe	EE5E.exe
PID 1968 wrote to memory of 3496	1968	EE5E.exe	EE5E.exe
PID 1968 wrote to memory of 3496	1968	EE5E.exe	EE5E.exe
PID 1968 wrote to memory of 3496	1968	EE5E.exe	EE5E.exe
PID 1968 wrote to memory of 3496	1968	EE5E.exe	EE5E.exe
PID 1968 wrote to memory of 3496	1968	EE5E.exe	EE5E.exe
PID 3496 wrote to memory of 3400	3496	EE5E.exe	icacls.exe
PID 3496 wrote to memory of 3400	3496	EE5E.exe	icacls.exe
PID 3496 wrote to memory of 3400	3496	EE5E.exe	icacls.exe
PID 3496 wrote to memory of 3324	3496	EE5E.exe	EE5E.exe
PID 3496 wrote to memory of 3324	3496	EE5E.exe	EE5E.exe
PID 3496 wrote to memory of 3324	3496	EE5E.exe	EE5E.exe
PID 3324 wrote to memory of 2296	3324	EE5E.exe	EE5E.exe
PID 3324 wrote to memory of 2296	3324	EE5E.exe	EE5E.exe
PID 3324 wrote to memory of 2296	3324	EE5E.exe	EE5E.exe
PID 3324 wrote to memory of 2296	3324	EE5E.exe	EE5E.exe
PID 3324 wrote to memory of 2296	3324	EE5E.exe	EE5E.exe
PID 3324 wrote to memory of 2296	3324	EE5E.exe	EE5E.exe
PID 3324 wrote to memory of 2296	3324	EE5E.exe	EE5E.exe
PID 3324 wrote to memory of 2296	3324	EE5E.exe	EE5E.exe
PID 3324 wrote to memory of 2296	3324	EE5E.exe	EE5E.exe
PID 3324 wrote to memory of 2296	3324	EE5E.exe	EE5E.exe
PID 2296 wrote to memory of 2272	2296	EE5E.exe	build2.exe
PID 2296 wrote to memory of 2272	2296	EE5E.exe	build2.exe
PID 2296 wrote to memory of 2272	2296	EE5E.exe	build2.exe
PID 2372 wrote to memory of 2124	2372		1688.exe
PID 2372 wrote to memory of 2124	2372		1688.exe
PID 2372 wrote to memory of 2124	2372		1688.exe
PID 2296 wrote to memory of 2604	2296	EE5E.exe	build3.exe
PID 2296 wrote to memory of 2604	2296	EE5E.exe	build3.exe
PID 2296 wrote to memory of 2604	2296	EE5E.exe	build3.exe
PID 2272 wrote to memory of 520	2272	build2.exe	build2.exe
PID 2272 wrote to memory of 520	2272	build2.exe	build2.exe
PID 2272 wrote to memory of 520	2272	build2.exe	build2.exe
PID 2272 wrote to memory of 520	2272	build2.exe	build2.exe
PID 2272 wrote to memory of 520	2272	build2.exe	build2.exe
PID 2272 wrote to memory of 520	2272	build2.exe	build2.exe
PID 2272 wrote to memory of 520	2272	build2.exe	build2.exe
PID 2272 wrote to memory of 520	2272	build2.exe	build2.exe
PID 2604 wrote to memory of 392	2604	build3.exe	build3.exe
PID 2604 wrote to memory of 392	2604	build3.exe	build3.exe
PID 2604 wrote to memory of 392	2604	build3.exe	build3.exe
PID 2604 wrote to memory of 392	2604	build3.exe	build3.exe
PID 2604 wrote to memory of 392	2604	build3.exe	build3.exe
PID 2604 wrote to memory of 392	2604	build3.exe	build3.exe
PID 2604 wrote to memory of 392	2604	build3.exe	build3.exe
PID 2604 wrote to memory of 392	2604	build3.exe	build3.exe
PID 2604 wrote to memory of 392	2604	build3.exe	build3.exe
PID 392 wrote to memory of 368	392	build3.exe	schtasks.exe
PID 392 wrote to memory of 368	392	build3.exe	schtasks.exe
PID 392 wrote to memory of 368	392	build3.exe	schtasks.exe
PID 520 wrote to memory of 2968	520	build2.exe	cmd.exe
PID 520 wrote to memory of 2968	520	build2.exe	cmd.exe
PID 520 wrote to memory of 2968	520	build2.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Fri19870e2febf5544.exe
"C:\Users\Admin\AppData\Local\Temp\Fri19870e2febf5544.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2648

C:\Users\Admin\AppData\Local\Temp\C411.exe
C:\Users\Admin\AppData\Local\Temp\C411.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Users\Admin\AppData\Local\Temp\EE5E.exe
C:\Users\Admin\AppData\Local\Temp\EE5E.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Local\Temp\EE5E.exe
C:\Users\Admin\AppData\Local\Temp\EE5E.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\badde24d-8e35-46fe-81a0-9bc6c1433da3" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:3400

C:\Users\Admin\AppData\Local\Temp\EE5E.exe
"C:\Users\Admin\AppData\Local\Temp\EE5E.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3324

C:\Users\Admin\AppData\Local\Temp\EE5E.exe
"C:\Users\Admin\AppData\Local\Temp\EE5E.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296

C:\Users\Admin\AppData\Local\31e66087-2e7d-4d44-a1ed-4f6ab697fe35\build2.exe
"C:\Users\Admin\AppData\Local\31e66087-2e7d-4d44-a1ed-4f6ab697fe35\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2272

C:\Users\Admin\AppData\Local\31e66087-2e7d-4d44-a1ed-4f6ab697fe35\build2.exe
"C:\Users\Admin\AppData\Local\31e66087-2e7d-4d44-a1ed-4f6ab697fe35\build2.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\31e66087-2e7d-4d44-a1ed-4f6ab697fe35\build2.exe" & del C:\ProgramData\*.dll & exit
7⤵
PID:2968

C:\Windows\SysWOW64\taskkill.exe
taskkill /im build2.exe /f
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:3740

C:\Users\Admin\AppData\Local\31e66087-2e7d-4d44-a1ed-4f6ab697fe35\build3.exe
"C:\Users\Admin\AppData\Local\31e66087-2e7d-4d44-a1ed-4f6ab697fe35\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2604

C:\Users\Admin\AppData\Local\31e66087-2e7d-4d44-a1ed-4f6ab697fe35\build3.exe
"C:\Users\Admin\AppData\Local\31e66087-2e7d-4d44-a1ed-4f6ab697fe35\build3.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- Creates scheduled task(s)
PID:368

C:\Users\Admin\AppData\Local\Temp\1688.exe
C:\Users\Admin\AppData\Local\Temp\1688.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2124

C:\Users\Admin\AppData\Local\Temp\zQrIY5gSN5.exe
"C:\Users\Admin\AppData\Local\Temp\zQrIY5gSN5.exe"
2⤵
- Executes dropped EXE
PID:1928

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
3⤵
- Creates scheduled task(s)
PID:3796

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\1688.exe"
2⤵
PID:1008

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:2272

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
1⤵
- Executes dropped EXE
PID:908

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
2⤵
- Creates scheduled task(s)
PID:2232

C:\Users\Admin\AppData\Local\Temp\A26E.exe
C:\Users\Admin\AppData\Local\Temp\A26E.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Users\Admin\AppData\Local\Temp\D7D7.exe
C:\Users\Admin\AppData\Local\Temp\D7D7.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2376

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

File Permissions Modification

T1222

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\freebl3.dll
MD5
ef2834ac4ee7d6724f255beaf527e635

SHA1
5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

SHA256
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

SHA512
c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Download Submit
C:\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\softokn3.dll
MD5
a2ee53de9167bf0d6c019303b7ca84e5

SHA1
2a3c737fa1157e8483815e98b666408a18c0db42

SHA256
43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

SHA512
45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

Download Submit
C:\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
dd8bb22fc8495c946c4d1ff088ea977d

SHA1
48e9ce1819f05936b5b714319706bf6afa31864b

SHA256
1669c755ecb1a8708fd0489f15b36886462226bb0bb0e38ed29370447e5eb6f0

SHA512
9fa46564e1fa684ec3920927f5f580ab906b3f0593ba2e24910153d3230624b49b1a85033d258db9c425395124540b0e79dde8733eca773e39e90123b44b0eb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
d12bfa6ae1cbd991414be0296bc36b97

SHA1
c24d7100e92e78a7316dd392afae18d4514434e6

SHA256
be2c99e04ef422106d205cd79068a5bf2a09bca2b8ea7439749862f6b5326ffe

SHA512
80c790410f69b913b880ec838586adab7f995a5561cf08a1b61b3eedb4df0f2955181cbd85724ce1c5202970f821e16e99a1a991193482c78321efad68cdfab3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
1bec982cbc881ad7f0682885466dd19d

SHA1
732266aa4e8df4a1ecb95ddd5c2096d22d4e49bf

SHA256
300eeafae045fd2f88e8ba91361fc137f6397e22fea078ebd13a63fe6ff3b09f

SHA512
890eb9a452421a7999df95ac6fbc3adabc364f65c33d47c391da8715351a2097db64d57c3eb1f141e638056aed0c2ae605b456c9430e1b446b294f19bbb225c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
b38cb9c490f169cd7c70f9caafd1d4ce

SHA1
a3850eaf8c3b96ab935615f1c600f98580af8477

SHA256
48439dceb5ab0d9fcccf7ac9c816eb203454b07ca190e9e89bf737dcdf38a1d1

SHA512
0d9954d0447f706bbcaacdc5aef6e75acf5694d0a68862e8f11a27f38c3e07775b3a1993062d9ef1840bc7c76527d5ce18a00f69629dc8ef275c25d697f9ef71

Download Submit
C:\Users\Admin\AppData\Local\31e66087-2e7d-4d44-a1ed-4f6ab697fe35\build2.exe
MD5
3e73dfe33f7b811b809ea3f09fb5fd4e

SHA1
72dda21fa9e3e8061f87c9f36fcf0371738205cd

SHA256
424471fcdba0fddc7bb6048830c384da72c46f7bb81eedb1212528372c34c08b

SHA512
5a84b6f4d36e25390d1ffa191e8c5bd8999b947683f45c3be9dc9338a636fdd070e69f48e8be702de8c94b76a5d59f59b41ae7778aed4914b1c6a73a537e46f9

Download Submit
C:\Users\Admin\AppData\Local\31e66087-2e7d-4d44-a1ed-4f6ab697fe35\build2.exe
MD5
3e73dfe33f7b811b809ea3f09fb5fd4e

SHA1
72dda21fa9e3e8061f87c9f36fcf0371738205cd

SHA256
424471fcdba0fddc7bb6048830c384da72c46f7bb81eedb1212528372c34c08b

SHA512
5a84b6f4d36e25390d1ffa191e8c5bd8999b947683f45c3be9dc9338a636fdd070e69f48e8be702de8c94b76a5d59f59b41ae7778aed4914b1c6a73a537e46f9

Download Submit
C:\Users\Admin\AppData\Local\31e66087-2e7d-4d44-a1ed-4f6ab697fe35\build2.exe
MD5
3e73dfe33f7b811b809ea3f09fb5fd4e

SHA1
72dda21fa9e3e8061f87c9f36fcf0371738205cd

SHA256
424471fcdba0fddc7bb6048830c384da72c46f7bb81eedb1212528372c34c08b

SHA512
5a84b6f4d36e25390d1ffa191e8c5bd8999b947683f45c3be9dc9338a636fdd070e69f48e8be702de8c94b76a5d59f59b41ae7778aed4914b1c6a73a537e46f9

Download Submit
C:\Users\Admin\AppData\Local\31e66087-2e7d-4d44-a1ed-4f6ab697fe35\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Local\31e66087-2e7d-4d44-a1ed-4f6ab697fe35\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Local\31e66087-2e7d-4d44-a1ed-4f6ab697fe35\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1688.exe
MD5
365e96a5d59a0a48e78d86252fd6cb39

SHA1
f9fdde7ab683fd870cca6c2a8625825cc7aec6a4

SHA256
b8e0f8e4ca4dc284d6f7798b2a5805f7cb77b9870905efa6a6d8afcadecbe285

SHA512
16839263793c88b48c1a2000db79bf1f691ce28f7381ebc96a43eff8734dc0081f33192d1680dedfd0524e7f98933df735db7d2145267c01a8f9ebabc79bbb4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1688.exe
MD5
365e96a5d59a0a48e78d86252fd6cb39

SHA1
f9fdde7ab683fd870cca6c2a8625825cc7aec6a4

SHA256
b8e0f8e4ca4dc284d6f7798b2a5805f7cb77b9870905efa6a6d8afcadecbe285

SHA512
16839263793c88b48c1a2000db79bf1f691ce28f7381ebc96a43eff8734dc0081f33192d1680dedfd0524e7f98933df735db7d2145267c01a8f9ebabc79bbb4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\A26E.exe
MD5
f752040c5645a94432ce9fd6aeb0e04d

SHA1
f07481217cee08253a5ac4999eeec96cf3d6df7a

SHA256
fc40949e683c9024184a97d697f9f18494aaff1d0d524a070c47661a786e4e7e

SHA512
a561443278103a07d8defcb9d0a97299a52df0d90d99d087deea6ec2c575f31c60c960601326fa5d71c245d9542bae284658891191726c32c828a227dade07e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\A26E.exe
MD5
f752040c5645a94432ce9fd6aeb0e04d

SHA1
f07481217cee08253a5ac4999eeec96cf3d6df7a

SHA256
fc40949e683c9024184a97d697f9f18494aaff1d0d524a070c47661a786e4e7e

SHA512
a561443278103a07d8defcb9d0a97299a52df0d90d99d087deea6ec2c575f31c60c960601326fa5d71c245d9542bae284658891191726c32c828a227dade07e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\C411.exe
MD5
faac9487468eb9a3e5256d367ab63a19

SHA1
1e40625b880dc02fec32f8e70aa43c5b2821eec7

SHA256
def9c509f8e80c9f8f15f46efe0dcbd585a47236d14ca29c76f688abd35b9b2e

SHA512
a2d48698e988ec6c3c946a28a283c32cc1c05c357b76fcbd02c75d8e1033ffae28d9672c915a6567a8bff2cff5dd802fe85e37444f3efd5042fb6c5019b00242

Download Submit
C:\Users\Admin\AppData\Local\Temp\C411.exe
MD5
faac9487468eb9a3e5256d367ab63a19

SHA1
1e40625b880dc02fec32f8e70aa43c5b2821eec7

SHA256
def9c509f8e80c9f8f15f46efe0dcbd585a47236d14ca29c76f688abd35b9b2e

SHA512
a2d48698e988ec6c3c946a28a283c32cc1c05c357b76fcbd02c75d8e1033ffae28d9672c915a6567a8bff2cff5dd802fe85e37444f3efd5042fb6c5019b00242

Download Submit
C:\Users\Admin\AppData\Local\Temp\D7D7.exe
MD5
40812e1cb32c3aac85fa09d43a93cae2

SHA1
b13b4a69e76dadc3997b6f5fc7668c24866bc47a

SHA256
8f60d1c43808d45f5390c24d4ed8a29f39bc55589c93b4beba8200ddf92707f7

SHA512
e18174b710e2f2e1ce95524f501c1acf9187ca6988f39327915df2437eff6a9a4f79be92fc603b7dd7fec89c2e494864347b8f86069d2713490ef8aa69de8d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\D7D7.exe
MD5
40812e1cb32c3aac85fa09d43a93cae2

SHA1
b13b4a69e76dadc3997b6f5fc7668c24866bc47a

SHA256
8f60d1c43808d45f5390c24d4ed8a29f39bc55589c93b4beba8200ddf92707f7

SHA512
e18174b710e2f2e1ce95524f501c1acf9187ca6988f39327915df2437eff6a9a4f79be92fc603b7dd7fec89c2e494864347b8f86069d2713490ef8aa69de8d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE5E.exe
MD5
c1bb2b414704bec38049d65d9768cfd2

SHA1
1d7220655159db08b5d0e9b74b0aea88bd6196d1

SHA256
503770bf55e256a7251b41667238c7be6ca36aa0cff5fadfc699c1e3b45518d4

SHA512
410ed6b72bdcd70820867b81e63ef82b0928b06f82553ed0024b151352add7b288910d893270ba8c57532fac7317509976bdc7d2e787986b72a790930fc2046d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE5E.exe
MD5
c1bb2b414704bec38049d65d9768cfd2

SHA1
1d7220655159db08b5d0e9b74b0aea88bd6196d1

SHA256
503770bf55e256a7251b41667238c7be6ca36aa0cff5fadfc699c1e3b45518d4

SHA512
410ed6b72bdcd70820867b81e63ef82b0928b06f82553ed0024b151352add7b288910d893270ba8c57532fac7317509976bdc7d2e787986b72a790930fc2046d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE5E.exe
MD5
c1bb2b414704bec38049d65d9768cfd2

SHA1
1d7220655159db08b5d0e9b74b0aea88bd6196d1

SHA256
503770bf55e256a7251b41667238c7be6ca36aa0cff5fadfc699c1e3b45518d4

SHA512
410ed6b72bdcd70820867b81e63ef82b0928b06f82553ed0024b151352add7b288910d893270ba8c57532fac7317509976bdc7d2e787986b72a790930fc2046d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE5E.exe
MD5
c1bb2b414704bec38049d65d9768cfd2

SHA1
1d7220655159db08b5d0e9b74b0aea88bd6196d1

SHA256
503770bf55e256a7251b41667238c7be6ca36aa0cff5fadfc699c1e3b45518d4

SHA512
410ed6b72bdcd70820867b81e63ef82b0928b06f82553ed0024b151352add7b288910d893270ba8c57532fac7317509976bdc7d2e787986b72a790930fc2046d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE5E.exe
MD5
c1bb2b414704bec38049d65d9768cfd2

SHA1
1d7220655159db08b5d0e9b74b0aea88bd6196d1

SHA256
503770bf55e256a7251b41667238c7be6ca36aa0cff5fadfc699c1e3b45518d4

SHA512
410ed6b72bdcd70820867b81e63ef82b0928b06f82553ed0024b151352add7b288910d893270ba8c57532fac7317509976bdc7d2e787986b72a790930fc2046d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zQrIY5gSN5.exe
MD5
9c827f4701f1658fc5f0021f1b303cee

SHA1
ea29c82f9fde17ce14f3fdf60b151a269df14d04

SHA256
28f9f76830394544f7bbd736f5102dc03349f059233e2373251290578351d7bc

SHA512
97088efa9cf1e8ecd8803b3bb54b55d1e8e94f9fd0fd4b7589547f8a49e5f7af0a7a07e3918c6b1c42d729dc295a48a7897906de65191ae62e57cb079f384c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zQrIY5gSN5.exe
MD5
9c827f4701f1658fc5f0021f1b303cee

SHA1
ea29c82f9fde17ce14f3fdf60b151a269df14d04

SHA256
28f9f76830394544f7bbd736f5102dc03349f059233e2373251290578351d7bc

SHA512
97088efa9cf1e8ecd8803b3bb54b55d1e8e94f9fd0fd4b7589547f8a49e5f7af0a7a07e3918c6b1c42d729dc295a48a7897906de65191ae62e57cb079f384c5a

Download Submit
C:\Users\Admin\AppData\Local\badde24d-8e35-46fe-81a0-9bc6c1433da3\EE5E.exe
MD5
c1bb2b414704bec38049d65d9768cfd2

SHA1
1d7220655159db08b5d0e9b74b0aea88bd6196d1

SHA256
503770bf55e256a7251b41667238c7be6ca36aa0cff5fadfc699c1e3b45518d4

SHA512
410ed6b72bdcd70820867b81e63ef82b0928b06f82553ed0024b151352add7b288910d893270ba8c57532fac7317509976bdc7d2e787986b72a790930fc2046d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
MD5
9c827f4701f1658fc5f0021f1b303cee

SHA1
ea29c82f9fde17ce14f3fdf60b151a269df14d04

SHA256
28f9f76830394544f7bbd736f5102dc03349f059233e2373251290578351d7bc

SHA512
97088efa9cf1e8ecd8803b3bb54b55d1e8e94f9fd0fd4b7589547f8a49e5f7af0a7a07e3918c6b1c42d729dc295a48a7897906de65191ae62e57cb079f384c5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
MD5
9c827f4701f1658fc5f0021f1b303cee

SHA1
ea29c82f9fde17ce14f3fdf60b151a269df14d04

SHA256
28f9f76830394544f7bbd736f5102dc03349f059233e2373251290578351d7bc

SHA512
97088efa9cf1e8ecd8803b3bb54b55d1e8e94f9fd0fd4b7589547f8a49e5f7af0a7a07e3918c6b1c42d729dc295a48a7897906de65191ae62e57cb079f384c5a

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dll
MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\mozglue.dll
MD5
eae9273f8cdcf9321c6c37c244773139

SHA1
8378e2a2f3635574c106eea8419b5eb00b8489b0

SHA256
a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

SHA512
06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

Download Submit
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\nss3.dll
MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\softokn3.dll
MD5
4e8df049f3459fa94ab6ad387f3561ac

SHA1
06ed392bc29ad9d5fc05ee254c2625fd65925114

SHA256
25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

SHA512
3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

Download Submit
memory/368-178-0x0000000000000000-mapping.dmp

Download
memory/392-175-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/392-182-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/392-176-0x0000000000401AFA-mapping.dmp

Download
memory/520-174-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/520-171-0x000000000049EC7D-mapping.dmp

Download
memory/520-170-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/908-211-0x0000000000400000-0x0000000002142000-memory.dmp

Filesize
29.3MB

Download
memory/908-210-0x0000000002230000-0x000000000237A000-memory.dmp

Filesize
1.3MB

Download
memory/1008-194-0x0000000000000000-mapping.dmp

Download
memory/1928-193-0x0000000000000000-mapping.dmp

Download
memory/1928-206-0x0000000000400000-0x0000000002142000-memory.dmp

Filesize
29.3MB

Download
memory/1928-205-0x00000000021A0000-0x00000000021A4000-memory.dmp

Filesize
16KB

Download
memory/1968-135-0x0000000000000000-mapping.dmp

Download
memory/1968-149-0x0000000003F30000-0x000000000404B000-memory.dmp

Filesize
1.1MB

Download
memory/2124-164-0x0000000000000000-mapping.dmp

Download
memory/2124-181-0x0000000000400000-0x000000000218C000-memory.dmp

Filesize
29.5MB

Download
memory/2124-179-0x0000000003E30000-0x0000000003EC0000-memory.dmp

Filesize
576KB

Download
memory/2232-209-0x0000000000000000-mapping.dmp

Download
memory/2272-161-0x0000000000000000-mapping.dmp

Download
memory/2272-173-0x0000000002490000-0x0000000002562000-memory.dmp

Filesize
840KB

Download
memory/2272-197-0x0000000000000000-mapping.dmp

Download
memory/2296-160-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2296-154-0x0000000000424141-mapping.dmp

Download
memory/2372-117-0x0000000000440000-0x0000000000455000-memory.dmp

Filesize
84KB

Download
memory/2376-237-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/2376-244-0x0000000077C30000-0x0000000077DBE000-memory.dmp

Filesize
1.6MB

Download
memory/2376-245-0x00000000051F0000-0x00000000057F6000-memory.dmp

Filesize
6.0MB

Download
memory/2376-232-0x0000000000000000-mapping.dmp

Download
memory/2604-167-0x0000000000000000-mapping.dmp

Download
memory/2604-180-0x00000000001D0000-0x00000000001D4000-memory.dmp

Filesize
16KB

Download
memory/2612-222-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/2612-224-0x0000000005230000-0x0000000005836000-memory.dmp

Filesize
6.0MB

Download
memory/2612-223-0x0000000077C30000-0x0000000077DBE000-memory.dmp

Filesize
1.6MB

Download
memory/2612-216-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/2612-212-0x0000000000000000-mapping.dmp

Download
memory/2612-235-0x0000000008D90000-0x0000000008D91000-memory.dmp

Filesize
4KB

Download
memory/2648-115-0x0000000002230000-0x0000000002239000-memory.dmp

Filesize
36KB

Download
memory/2648-116-0x0000000000400000-0x0000000002145000-memory.dmp

Filesize
29.3MB

Download
memory/2968-190-0x0000000000000000-mapping.dmp

Download
memory/3324-151-0x0000000000000000-mapping.dmp

Download
memory/3400-147-0x0000000000000000-mapping.dmp

Download
memory/3496-144-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3496-150-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3496-145-0x0000000000424141-mapping.dmp

Download
memory/3740-192-0x0000000000000000-mapping.dmp

Download
memory/3796-191-0x0000000000000000-mapping.dmp

Download
memory/3796-204-0x0000000000000000-mapping.dmp

Download
memory/4052-133-0x00000000073A0000-0x00000000073A1000-memory.dmp

Filesize
4KB

Download
memory/4052-131-0x0000000003EE3000-0x0000000003EE4000-memory.dmp

Filesize
4KB

Download
memory/4052-125-0x00000000040A0000-0x00000000040BC000-memory.dmp

Filesize
112KB

Download
memory/4052-124-0x0000000006780000-0x0000000006781000-memory.dmp

Filesize
4KB

Download
memory/4052-132-0x0000000003EE4000-0x0000000003EE6000-memory.dmp

Filesize
8KB

Download
memory/4052-123-0x0000000003EC0000-0x0000000003EDD000-memory.dmp

Filesize
116KB

Download
memory/4052-121-0x00000000021B0000-0x00000000021E0000-memory.dmp

Filesize
192KB

Download
memory/4052-129-0x0000000003EE0000-0x0000000003EE1000-memory.dmp

Filesize
4KB

Download
memory/4052-122-0x0000000000400000-0x000000000215F000-memory.dmp

Filesize
29.4MB

Download
memory/4052-118-0x0000000000000000-mapping.dmp

Download
memory/4052-134-0x0000000007410000-0x0000000007411000-memory.dmp

Filesize
4KB

Download
memory/4052-130-0x0000000003EE2000-0x0000000003EE3000-memory.dmp

Filesize
4KB

Download
memory/4052-126-0x0000000006C80000-0x0000000006C81000-memory.dmp

Filesize
4KB

Download
memory/4052-138-0x0000000008630000-0x0000000008631000-memory.dmp

Filesize
4KB

Download
memory/4052-139-0x0000000008800000-0x0000000008801000-memory.dmp

Filesize
4KB

Download
memory/4052-140-0x0000000008E20000-0x0000000008E21000-memory.dmp

Filesize
4KB

Download
memory/4052-141-0x0000000008F40000-0x0000000008F41000-memory.dmp

Filesize
4KB

Download
memory/4052-142-0x0000000009100000-0x0000000009101000-memory.dmp

Filesize
4KB

Download
memory/4052-143-0x0000000009180000-0x0000000009181000-memory.dmp

Filesize
4KB

Download
memory/4052-127-0x0000000004250000-0x0000000004251000-memory.dmp

Filesize
4KB

Download
memory/4052-128-0x0000000007290000-0x0000000007291000-memory.dmp

Filesize
4KB

Download