danabot | eb50c5447c789b7cab2a404cfbbd049c55fa70bc58783f2bb27df7d169474d27

Resubmissions

14-09-2021 09:06

210914-k2x6jaadeq 10

14-09-2021 08:57

210914-kw2a1afde8 10

Analysis

max time kernel
579s
max time network
560s
platform
windows10_x64
resource
win10-en
submitted
14-09-2021 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lv.exe
Size

4.2MB
MD5

1919bd531e95d9195dc53ee6af79ffc8
SHA1

65c2dfb3ad6ff0b3f1b33db143ec9a65ea64e2b0
SHA256

eb50c5447c789b7cab2a404cfbbd049c55fa70bc58783f2bb27df7d169474d27
SHA512

b00029cdfeac8266653f2fefe07e40815c14c811dce68fc95b821a408f8cf60489366a461a1def3d423747a2f5559ce6c1acaee16a795d893036d2a8226ae9c6

Score

10^/10

danabot 4 banker discovery evasion spyware stealer themida trojan

Malware Config

Extracted

Family

danabot

Version

2033

Botnet

23.229.29.48:443

5.9.224.204:443

192.255.166.212:443

Attributes

embedded_hash
0E1A7A1479C37094441FA911262B322A

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\OSPYBX~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\OSPYBX~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\OSPYBX~1.DLL	DanabotLoader2021
behavioral2/memory/4584-158-0x0000000004000000-0x0000000004162000-memory.dmp	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\OSPYBX~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\OSPYBX~1.DLL	DanabotLoader2021

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 1056 created 4584 1056 WerFault.exe rundll32.exe
PID 3796 created 2604 3796 WerFault.exe RUNDLL32.EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

description	pid	process	target process
PID 1056 created 4584	1056	WerFault.exe	rundll32.exe
PID 3796 created 2604	3796	WerFault.exe	RUNDLL32.EXE

Blocklisted process makes network request 11 IoCs

Processes:

WScript.exerundll32.exeRUNDLL32.EXE

flow	pid	process
29	4076	WScript.exe
31	4076	WScript.exe
33	4076	WScript.exe
35	4076	WScript.exe
42	4584	rundll32.exe
45	916	RUNDLL32.EXE
47	916	RUNDLL32.EXE
48	916	RUNDLL32.EXE
49	916	RUNDLL32.EXE
50	916	RUNDLL32.EXE
63	916	RUNDLL32.EXE

Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

wakingvp.exefulzie.exeIntelRapid.exeEstremita.exe.comEstremita.exe.comipconfig.exeospybxlremjl.exe

pid process

4572 wakingvp.exe
4596 fulzie.exe
4736 IntelRapid.exe
4828 Estremita.exe.com
4900 Estremita.exe.com
4960 ipconfig.exe
5052 ospybxlremjl.exe

pid	process
4572	wakingvp.exe
4596	fulzie.exe
4736	IntelRapid.exe
4828	Estremita.exe.com
4900	Estremita.exe.com
4960	ipconfig.exe
5052	ospybxlremjl.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fulzie.exeIntelRapid.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fulzie.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fulzie.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IntelRapid.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IntelRapid.exe

Drops startup file 1 IoCs

Processes:

fulzie.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk fulzie.exe
Loads dropped DLL 6 IoCs

Processes:

lv.exewakingvp.exerundll32.exeRUNDLL32.EXERUNDLL32.EXE

pid process

4524 lv.exe
4572 wakingvp.exe
4584 rundll32.exe
4584 rundll32.exe
916 RUNDLL32.EXE
2604 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk	fulzie.exe

pid	process
4524	lv.exe
4572	wakingvp.exe
4584	rundll32.exe
4584	rundll32.exe
916	RUNDLL32.EXE
2604	RUNDLL32.EXE

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\picoid\fulzie.exe	themida
C:\Users\Admin\AppData\Local\Temp\picoid\fulzie.exe	themida
behavioral2/memory/4596-124-0x00007FF6B1AC0000-0x00007FF6B23D4000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
behavioral2/memory/4736-132-0x00007FF636D00000-0x00007FF637614000-memory.dmp	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

fulzie.exeIntelRapid.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fulzie.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IntelRapid.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

fulzie.exeIntelRapid.exe

pid process

4596 fulzie.exe
4736 IntelRapid.exe

flow	ioc
8	ip-api.com

pid	process
4596	fulzie.exe
4736	IntelRapid.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Estremita.exe.comRUNDLL32.EXE

description	pid	process	target process
PID 4900 set thread context of 4960	4900	Estremita.exe.com	ipconfig.exe
PID 2604 set thread context of 4120	2604	RUNDLL32.EXE	rundll32.exe

Drops file in Program Files directory 4 IoCs

Processes:

lv.exerundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	lv.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	lv.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	lv.exe
File created	C:\PROGRA~3\Gskyj.tmp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1056 4584 WerFault.exe rundll32.exe
3796 2604 WerFault.exe RUNDLL32.EXE

pid	pid_target	process	target process
1056	4584	WerFault.exe	rundll32.exe
3796	2604	WerFault.exe	RUNDLL32.EXE

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\picoid\wakingvp.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\picoid\wakingvp.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\picoid\wakingvp.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\picoid\wakingvp.exe	nsis_installer_2

Checks processor information in registry 2 TTPs 43 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXERUNDLL32.EXEipconfig.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ipconfig.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ipconfig.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

4960 ipconfig.exe
Modifies registry class 1 IoCs

Processes:

ipconfig.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings ipconfig.exe

pid	process
4960	ipconfig.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings	ipconfig.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exeRUNDLL32.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\691CA36A8E2B15F071FE2C968C4D0154C8D3E7B1	RUNDLL32.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\691CA36A8E2B15F071FE2C968C4D0154C8D3E7B1\Blob = 030000000100000014000000691ca36a8e2b15f071fe2c968c4d0154c8d3e7b120000000010000003f0200003082023b308201a4a003020102020841fdb2ce59c3d6a3300d06092a864886f70d01010b050030433121301f06035504030c184d6963726f736f667420526f6f6c20417574686f72697479311e301c060355040b0c154d6963726f736f667420436f72706f726174696f6e301e170d3139303931353039303933395a170d3233303931343039303933395a30433121301f06035504030c184d6963726f736f667420526f6f6c20417574686f72697479311e301c060355040b0c154d6963726f736f667420436f72706f726174696f6e30819f300d06092a864886f70d010101050003818d0030818902818100cc5c0993d92ebe6260abbe990a1af30b3e6cb0fe22c92a55116bc50d39387381feadc7b4a5920fe58fc973b7a6fcaa49c00e857d6859c8ee2276242405e74cd497e829961a950dba1a0cefce7f41420d2534e538e1f6d91f5d85a611515538609ee8a237433b1e5ec4602322d7fc48035090ed6d7a540d1f642491430dc657af0203010001a3383036300f0603551d130101ff040530030101ff30230603551d11041c301a82184d6963726f736f667420526f6f6c20417574686f72697479300d06092a864886f70d01010b0500038181001dc106fccbcb05d8b7153360841e69bff0b4fb12323edfc53605cf686f4ba7fbba2a2ff4178dcba983fdbe42ca05200ac5bdc33ac771760f2383bb0d93d380170f647af6a99695bb0689e981c8e37539800dbab9d21c448a2c86e3c16b47a1c80d8d29b9713c5f99227f6b1bac5edb575911ce076db4a89f81b210dc7d357c48	RUNDLL32.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4856 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

IntelRapid.exe

pid process

4736 IntelRapid.exe

pid	process
4856	PING.EXE

pid	process
4736	IntelRapid.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

WerFault.exeRUNDLL32.EXEpowershell.exeRUNDLL32.EXEWerFault.exepowershell.exepowershell.exe

pid	process
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
916	RUNDLL32.EXE
916	RUNDLL32.EXE
916	RUNDLL32.EXE
916	RUNDLL32.EXE
916	RUNDLL32.EXE
916	RUNDLL32.EXE
2056	powershell.exe
2056	powershell.exe
2604	RUNDLL32.EXE
2604	RUNDLL32.EXE
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
3796	WerFault.exe
2056	powershell.exe
2628	powershell.exe
2628	powershell.exe
2628	powershell.exe
916	RUNDLL32.EXE
916	RUNDLL32.EXE
300	powershell.exe
300	powershell.exe
300	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Estremita.exe.com

pid process

4900 Estremita.exe.com

pid	process
4900	Estremita.exe.com

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

WerFault.exepowershell.exeWerFault.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	1056	WerFault.exe
Token: SeBackupPrivilege	1056	WerFault.exe
Token: SeDebugPrivilege	1056	WerFault.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	3796	WerFault.exe
Token: SeDebugPrivilege	916	RUNDLL32.EXE
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	300	powershell.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

Estremita.exe.comEstremita.exe.comrundll32.exeRUNDLL32.EXE

pid	process
4828	Estremita.exe.com
4828	Estremita.exe.com
4828	Estremita.exe.com
4900	Estremita.exe.com
4900	Estremita.exe.com
4900	Estremita.exe.com
4120	rundll32.exe
916	RUNDLL32.EXE

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Estremita.exe.comEstremita.exe.com

pid process

4828 Estremita.exe.com
4828 Estremita.exe.com
4828 Estremita.exe.com
4900 Estremita.exe.com
4900 Estremita.exe.com
4900 Estremita.exe.com

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

lv.exewakingvp.execmd.exefulzie.execmd.exeEstremita.exe.comEstremita.exe.comipconfig.exeospybxlremjl.exerundll32.exeRUNDLL32.EXERUNDLL32.EXErundll32.exepowershell.exe

description	pid	process	target process
PID 4524 wrote to memory of 4572	4524	lv.exe	wakingvp.exe
PID 4524 wrote to memory of 4572	4524	lv.exe	wakingvp.exe
PID 4524 wrote to memory of 4572	4524	lv.exe	wakingvp.exe
PID 4524 wrote to memory of 4596	4524	lv.exe	fulzie.exe
PID 4524 wrote to memory of 4596	4524	lv.exe	fulzie.exe
PID 4572 wrote to memory of 4640	4572	wakingvp.exe	cmd.exe
PID 4572 wrote to memory of 4640	4572	wakingvp.exe	cmd.exe
PID 4572 wrote to memory of 4640	4572	wakingvp.exe	cmd.exe
PID 4640 wrote to memory of 4696	4640	cmd.exe	cmd.exe
PID 4640 wrote to memory of 4696	4640	cmd.exe	cmd.exe
PID 4640 wrote to memory of 4696	4640	cmd.exe	cmd.exe
PID 4596 wrote to memory of 4736	4596	fulzie.exe	IntelRapid.exe
PID 4596 wrote to memory of 4736	4596	fulzie.exe	IntelRapid.exe
PID 4696 wrote to memory of 4784	4696	cmd.exe	findstr.exe
PID 4696 wrote to memory of 4784	4696	cmd.exe	findstr.exe
PID 4696 wrote to memory of 4784	4696	cmd.exe	findstr.exe
PID 4696 wrote to memory of 4828	4696	cmd.exe	Estremita.exe.com
PID 4696 wrote to memory of 4828	4696	cmd.exe	Estremita.exe.com
PID 4696 wrote to memory of 4828	4696	cmd.exe	Estremita.exe.com
PID 4696 wrote to memory of 4856	4696	cmd.exe	PING.EXE
PID 4696 wrote to memory of 4856	4696	cmd.exe	PING.EXE
PID 4696 wrote to memory of 4856	4696	cmd.exe	PING.EXE
PID 4828 wrote to memory of 4900	4828	Estremita.exe.com	Estremita.exe.com
PID 4828 wrote to memory of 4900	4828	Estremita.exe.com	Estremita.exe.com
PID 4828 wrote to memory of 4900	4828	Estremita.exe.com	Estremita.exe.com
PID 4900 wrote to memory of 4960	4900	Estremita.exe.com	ipconfig.exe
PID 4900 wrote to memory of 4960	4900	Estremita.exe.com	ipconfig.exe
PID 4900 wrote to memory of 4960	4900	Estremita.exe.com	ipconfig.exe
PID 4900 wrote to memory of 4960	4900	Estremita.exe.com	ipconfig.exe
PID 4960 wrote to memory of 5052	4960	ipconfig.exe	ospybxlremjl.exe
PID 4960 wrote to memory of 5052	4960	ipconfig.exe	ospybxlremjl.exe
PID 4960 wrote to memory of 5052	4960	ipconfig.exe	ospybxlremjl.exe
PID 4960 wrote to memory of 5084	4960	ipconfig.exe	WScript.exe
PID 4960 wrote to memory of 5084	4960	ipconfig.exe	WScript.exe
PID 4960 wrote to memory of 5084	4960	ipconfig.exe	WScript.exe
PID 4960 wrote to memory of 4076	4960	ipconfig.exe	WScript.exe
PID 4960 wrote to memory of 4076	4960	ipconfig.exe	WScript.exe
PID 4960 wrote to memory of 4076	4960	ipconfig.exe	WScript.exe
PID 5052 wrote to memory of 4584	5052	ospybxlremjl.exe	rundll32.exe
PID 5052 wrote to memory of 4584	5052	ospybxlremjl.exe	rundll32.exe
PID 5052 wrote to memory of 4584	5052	ospybxlremjl.exe	rundll32.exe
PID 4584 wrote to memory of 916	4584	rundll32.exe	RUNDLL32.EXE
PID 4584 wrote to memory of 916	4584	rundll32.exe	RUNDLL32.EXE
PID 4584 wrote to memory of 916	4584	rundll32.exe	RUNDLL32.EXE
PID 916 wrote to memory of 2056	916	RUNDLL32.EXE	powershell.exe
PID 916 wrote to memory of 2056	916	RUNDLL32.EXE	powershell.exe
PID 916 wrote to memory of 2056	916	RUNDLL32.EXE	powershell.exe
PID 916 wrote to memory of 2604	916	RUNDLL32.EXE	RUNDLL32.EXE
PID 916 wrote to memory of 2604	916	RUNDLL32.EXE	RUNDLL32.EXE
PID 916 wrote to memory of 2604	916	RUNDLL32.EXE	RUNDLL32.EXE
PID 2604 wrote to memory of 4120	2604	RUNDLL32.EXE	rundll32.exe
PID 2604 wrote to memory of 4120	2604	RUNDLL32.EXE	rundll32.exe
PID 2604 wrote to memory of 4120	2604	RUNDLL32.EXE	rundll32.exe
PID 4120 wrote to memory of 4868	4120	rundll32.exe	ctfmon.exe
PID 4120 wrote to memory of 4868	4120	rundll32.exe	ctfmon.exe
PID 916 wrote to memory of 2628	916	RUNDLL32.EXE	powershell.exe
PID 916 wrote to memory of 2628	916	RUNDLL32.EXE	powershell.exe
PID 916 wrote to memory of 2628	916	RUNDLL32.EXE	powershell.exe
PID 916 wrote to memory of 300	916	RUNDLL32.EXE	powershell.exe
PID 916 wrote to memory of 300	916	RUNDLL32.EXE	powershell.exe
PID 916 wrote to memory of 300	916	RUNDLL32.EXE	powershell.exe
PID 300 wrote to memory of 4836	300	powershell.exe	nslookup.exe
PID 300 wrote to memory of 4836	300	powershell.exe	nslookup.exe
PID 300 wrote to memory of 4836	300	powershell.exe	nslookup.exe

C:\Users\Admin\AppData\Local\Temp\lv.exe
"C:\Users\Admin\AppData\Local\Temp\lv.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Users\Admin\AppData\Local\Temp\picoid\wakingvp.exe
  "C:\Users\Admin\AppData\Local\Temp\picoid\wakingvp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c cmd < Giu.vst
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4640
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4696
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^xUlNXJkiuCtOHCFKpjDKUUxBRFKQlgBZHHJmaqfsJHlshynlliqvvnNmAJWsYcXSwtiqTyaoWjqjKehMumFehtDoUpZItXagJafpYnsyOSmlnAPbcpkmPVEXBYyJy$" Ape.vst
        5⤵
        
        PID:4784
    - - C:\Users\Admin\AppData\Roaming\Estremita.exe.com
        
        Estremita.exe.com o
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4828
      - C:\Users\Admin\AppData\Roaming\Estremita.exe.com
        
        C:\Users\Admin\AppData\Roaming\Estremita.exe.com o
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Users\Admin\AppData\Roaming\ipconfig.exe
        
        C:\Users\Admin\AppData\Roaming\ipconfig.exe
        7⤵
        Executes dropped EXE
        Checks processor information in registry
        Gathers network information
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\ospybxlremjl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ospybxlremjl.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\OSPYBX~1.DLL,s C:\Users\Admin\AppData\Local\Temp\OSPYBX~1.EXE
        9⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\RUNDLL32.EXE
        
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\OSPYBX~1.DLL,nj5g
        10⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Checks processor information in registry
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\OSPYBX~1.DLL
        11⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\SysWOW64\RUNDLL32.EXE
        
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\OSPYBX~1.DLL,RxYwNGtZ
        11⤵
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\system32\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 17554
        12⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        13⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 824
        12⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3796
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp2B6.tmp.ps1"
        11⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp193E.tmp.ps1"
        11⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:300
        
        C:\Windows\SysWOW64\nslookup.exe
        
        "C:\Windows\system32\nslookup.exe" -type=any localhost
        12⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
        11⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
        11⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 784
        10⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcmrydfiyx.vbs"
        8⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\pmgktqonv.vbs"
        8⤵
        Blocklisted process makes network request
        Modifies system certificate store
        
        PID:4076
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping GSNTPAWQ
        5⤵
        Runs ping.exe
        
        PID:4856
- C:\Users\Admin\AppData\Local\Temp\picoid\fulzie.exe
  "C:\Users\Admin\AppData\Local\Temp\picoid\fulzie.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Drops startup file
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
    "C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: AddClipboardFormatListener
    PID:4736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Gskyj.tmp

MD5
04b3ec934f36b3d75c04834c2deaab45

SHA1
8f9c79e1280dc320155ed47a4506d976ddd4b8b5

SHA256
0910ce82f2dae0fc9cf075cca8c8f26ac009ac60c3535960615d86ff9d60417f

SHA512
29fa3f875afb417e196c0b46d3295a768828d6a481cce7f7f14347f667b751b964e2c3bcf05bd6952e9c4b75889b14b9fd38821dbbff841004cd083a001a8a80

Download Submit
C:\PROGRA~3\Gskyj.tmp

MD5
902f240dda75ab83a523a524f02a219b

SHA1
63343130dcf3607356151aca3f5cf87908f54222

SHA256
f9eb0d40d50b4725e628221df5d0474089672525476f6a2af87a5d81115a8516

SHA512
7e9198ec7acbf61dcfefce175fb5e79224b49084e529423197fa836164e192c63ba32751aee1ac4347697b9afcea1daea8e7589ca32a7224140c5590c90a6204

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
f7a808b5711f58fb4f85476c1bb24ac3

SHA1
fbdf9670d622e8fc3446ad4f53fbbd83016f03d1

SHA256
de4aadfe00c4cf41434a12450cdc69d37cb2d9cec951b074c3b5e7bfce9e94ec

SHA512
866848d13e999e6a1a79d77c33adb642d78d0a11adee293fca411b4ed5f7bf85324f90b3031148a66ac10dccc577d3c2a7c1ab6ed4237360de9911c27516a5af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
82f20bdb962448b206b1100ec96e06c4

SHA1
d93b063435b34862b00381c73e56252d61a52338

SHA256
094b2d52238cacb1164941c22ae4b382f18daec2fef374ac75fe15e326174eb5

SHA512
e162228098413c085984d77df1ae846be3692ed268b4264add12fbaf1889eaf8d00f508db3d299b34146f940994ecae7b907da9fb7c2beb3fa4a847ecf46508e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
56a3fd16b9c3a0a035a887752b235876

SHA1
30bdb38c5264bba9f2f43b1efc1fa9236560873f

SHA256
467a7e36438c843b4c590c238770341d02c819ab9e20052d6e80ce70029d13df

SHA512
678672b8ce4dab19bb8c0fb5f14907a94c06a153e2903a62b100a1795f89edaa48cfa9d3ed22443ac58cbdaf4e4f24f0da8046d2e9c338611f237878b94bd5f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OSPYBX~1.DLL

MD5
090ef284158ee26fc0980ce24fe4d23b

SHA1
7dea7ee9b6c6a5faf1bf7c4671e11f8f8ead295a

SHA256
036e0667c4b3c9be9ce5816a435969dc808a25457880b8b60c4547bf02dd7dfc

SHA512
55b2e9cfb77f278e6da5b0d8c326675eca78167996e72b06bcfd4c2c8a0074b79a24d3a8d1c287817f91a480d1bc1a4fb38753b68313c27e623945450a1348e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcmrydfiyx.vbs

MD5
b32f455939ad400ec1584b86ba7c21cb

SHA1
95e10ce44f9994a7ee244571b29cfdc541ccb302

SHA256
a9668763875f9429109072f0e197d12098fe246c1b70ec9ae67d4c2321a5fdd6

SHA512
07af44c01c123a226689016cc2df5406aca8eb2ac798cbeadec081ca2562ab9017c02d90bb92384831819add2345ff7dc9a6f27d531bb9bcb45b6b85c7828b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\ospybxlremjl.exe

MD5
b7a35ebacfed2c27abbb217cca8dca06

SHA1
e4d9ec5209e7bf6037de2f199e2f215c64751a92

SHA256
61bb57d4ddc1f9de56ffe1f1104af48a1a9dfdf72d084b8338730632fcfb54fc

SHA512
d39213c25d0cecb800fdad7212f1ad7f74429ae82986e5856e58012e949edb67c844ac7686cadc2a59bacc7325d499121eb98f1bc4e8e36b722cea5b9a9b7ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ospybxlremjl.exe

MD5
b7a35ebacfed2c27abbb217cca8dca06

SHA1
e4d9ec5209e7bf6037de2f199e2f215c64751a92

SHA256
61bb57d4ddc1f9de56ffe1f1104af48a1a9dfdf72d084b8338730632fcfb54fc

SHA512
d39213c25d0cecb800fdad7212f1ad7f74429ae82986e5856e58012e949edb67c844ac7686cadc2a59bacc7325d499121eb98f1bc4e8e36b722cea5b9a9b7ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\picoid\fulzie.exe

MD5
03a2391c69f3fb0c90500a7713b83b0c

SHA1
72d5a9b0547a061ed86a060c699bfb89fe045e55

SHA256
9080c0afa31a3a559dcfc88d2377fe46a36e82d53f35d98fa44041a2ae081c37

SHA512
de94437b46f1163e4e06817b6c2f17944703c3e88a2ae57563d304d854f69fa4f61793b75f292e371e5d47ebed63055f27fad0df85e57c6f9b2707054495088d

Download Submit
C:\Users\Admin\AppData\Local\Temp\picoid\fulzie.exe

MD5
03a2391c69f3fb0c90500a7713b83b0c

SHA1
72d5a9b0547a061ed86a060c699bfb89fe045e55

SHA256
9080c0afa31a3a559dcfc88d2377fe46a36e82d53f35d98fa44041a2ae081c37

SHA512
de94437b46f1163e4e06817b6c2f17944703c3e88a2ae57563d304d854f69fa4f61793b75f292e371e5d47ebed63055f27fad0df85e57c6f9b2707054495088d

Download Submit
C:\Users\Admin\AppData\Local\Temp\picoid\wakingvp.exe

MD5
a528555dff61a67168646ec8c542cb98

SHA1
74db3485a17d22befa1a7ba4d090434e47007fb1

SHA256
0513f7eee6e496728165e72393dc910e3319efce1a624e231ab47a6b57009570

SHA512
561aac7278d0411a163dbfc63149ba42f645d058545003168b95939fecdfe6b2e6a520fcedf80648f63481b3d9c1690c49d3919d7675e9463f3fee1d2535f77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\picoid\wakingvp.exe

MD5
a528555dff61a67168646ec8c542cb98

SHA1
74db3485a17d22befa1a7ba4d090434e47007fb1

SHA256
0513f7eee6e496728165e72393dc910e3319efce1a624e231ab47a6b57009570

SHA512
561aac7278d0411a163dbfc63149ba42f645d058545003168b95939fecdfe6b2e6a520fcedf80648f63481b3d9c1690c49d3919d7675e9463f3fee1d2535f77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pmgktqonv.vbs

MD5
5536897b254fb318e8c6f9b33a482f06

SHA1
adf03cceafe7a5ba22f9245c653df67d1dcfbc4d

SHA256
699605eadc4ef5ec046673ed11db949b0ebbedc4fc50b7b11f06a721d4991ac6

SHA512
a246cb0839942f4e331ab768a6ed1231e2f228554d2afe74a980c117c1a3e4cdd3a3cbc456fe8bba801e2fb11245d54797ea8686e5f72ccd3d4613fba0a7540c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp193E.tmp.ps1

MD5
5ca729077e79ce630ba68a7fca010bb4

SHA1
b3c78257923f160e510cd57489ebf6aa7d90d897

SHA256
b0d5086dc2f5f1bf149e81f3f335c63537b3b06e267c3dc143502bdda16231d9

SHA512
cd8a79ab6f21610599b1e881f730321754f05ede5781ec0529700afbd4654e1ff1bd2fb78003e306f33c1cb5446f40c95cbf4ac46da6f20527000eccbbec5d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp193F.tmp

MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2B6.tmp.ps1

MD5
3cd89e79086ea719ce7ecb9eeeb1024a

SHA1
505793b404fb92144f89cfa4f735d9dfd7138e23

SHA256
ef25d55433a024f33662f9c8839c4225f906c1759bfbd235b66cd2392de92024

SHA512
241c8e1c8464d25ccb1c76a5eb66976643c7d87913ffa5b1bf9fe6cf153ef74937cdc4618c4e86fea1a0a2247e3565aac95b2bc9b4a0f76b125a921b6face72b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2B7.tmp

MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Roaming\Ape.vst

MD5
0f95d588ea95ba041d1e1ab00ab5985a

SHA1
59b0f6f218ca27e6bb4a8f709a9bb5c322caa5d9

SHA256
e785765db1d69967274f7556a1bb7f58d03ac7a42ce30c898f8b82b5967a836c

SHA512
0f0bc00fb441342f01574eb95fd2ea82c01dfe358476226af2de5038b6529dab71da430b2394efb229eea75e6ea2a58f625d8d92cadb497a8cdbcfbe82b53d8a

Download Submit
C:\Users\Admin\AppData\Roaming\Estremita.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Roaming\Estremita.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Roaming\Giu.vst

MD5
6b8f8744aed55fed3f2a4d8641a51b38

SHA1
7bb78b0d2cfaa007b004d664975fab47f8e61573

SHA256
dca7e57053322373679c95f82885555615554b4b6d614b271f733c1c32dccf08

SHA512
60e92939d82e6a6458c7928012d89c988b5b4d35fc5d4d1dfded22855dbb638c952dd4bf293360dc2ec89407b58d8cc47bd1cc19caa181ec84bbc8d933802aad

Download Submit
C:\Users\Admin\AppData\Roaming\Guardo.vst

MD5
ba3ab0710c08184730d023649fb798a7

SHA1
9681e1f7cbf4f69a4067993b64faf85faa6beb08

SHA256
69ff4fcbd902b901ade16bb5702560b0a13ee0b353f9cc16d90fe995e5b01498

SHA512
ea744158004880f643e947abeae924a58b4f95426970f688a8083b2d5a44fa566919e3271f5ede1e0c48de4aec43e50383f723fbe71915a96c3f1ced50c07b5a

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe

MD5
03a2391c69f3fb0c90500a7713b83b0c

SHA1
72d5a9b0547a061ed86a060c699bfb89fe045e55

SHA256
9080c0afa31a3a559dcfc88d2377fe46a36e82d53f35d98fa44041a2ae081c37

SHA512
de94437b46f1163e4e06817b6c2f17944703c3e88a2ae57563d304d854f69fa4f61793b75f292e371e5d47ebed63055f27fad0df85e57c6f9b2707054495088d

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe

MD5
03a2391c69f3fb0c90500a7713b83b0c

SHA1
72d5a9b0547a061ed86a060c699bfb89fe045e55

SHA256
9080c0afa31a3a559dcfc88d2377fe46a36e82d53f35d98fa44041a2ae081c37

SHA512
de94437b46f1163e4e06817b6c2f17944703c3e88a2ae57563d304d854f69fa4f61793b75f292e371e5d47ebed63055f27fad0df85e57c6f9b2707054495088d

Download Submit
C:\Users\Admin\AppData\Roaming\ipconfig.exe

MD5
a69ba0e84d1a6b853acf752969d3f937

SHA1
ff1bee9468afc6c4ff82cba3f5ae13842ea07f0c

SHA256
01cbe910e5d343c25e9066ccc7f8777a79b0d3e210aa2fb7e4428ab259712469

SHA512
fd4fa4b978b746638bd847fce9dfa9bc9c0ab5c91fb989e9aeea147a4a35e2326586ec04d80bdab6b21d06b2f41e870e9f588aeca27fc3473e3fca0973e60eca

Download Submit
C:\Users\Admin\AppData\Roaming\ipconfig.exe

MD5
a69ba0e84d1a6b853acf752969d3f937

SHA1
ff1bee9468afc6c4ff82cba3f5ae13842ea07f0c

SHA256
01cbe910e5d343c25e9066ccc7f8777a79b0d3e210aa2fb7e4428ab259712469

SHA512
fd4fa4b978b746638bd847fce9dfa9bc9c0ab5c91fb989e9aeea147a4a35e2326586ec04d80bdab6b21d06b2f41e870e9f588aeca27fc3473e3fca0973e60eca

Download Submit
C:\Users\Admin\AppData\Roaming\o

MD5
ba3ab0710c08184730d023649fb798a7

SHA1
9681e1f7cbf4f69a4067993b64faf85faa6beb08

SHA256
69ff4fcbd902b901ade16bb5702560b0a13ee0b353f9cc16d90fe995e5b01498

SHA512
ea744158004880f643e947abeae924a58b4f95426970f688a8083b2d5a44fa566919e3271f5ede1e0c48de4aec43e50383f723fbe71915a96c3f1ced50c07b5a

Download Submit
\Users\Admin\AppData\Local\Temp\OSPYBX~1.DLL

MD5
090ef284158ee26fc0980ce24fe4d23b

SHA1
7dea7ee9b6c6a5faf1bf7c4671e11f8f8ead295a

SHA256
036e0667c4b3c9be9ce5816a435969dc808a25457880b8b60c4547bf02dd7dfc

SHA512
55b2e9cfb77f278e6da5b0d8c326675eca78167996e72b06bcfd4c2c8a0074b79a24d3a8d1c287817f91a480d1bc1a4fb38753b68313c27e623945450a1348e0

Download Submit
\Users\Admin\AppData\Local\Temp\OSPYBX~1.DLL

MD5
090ef284158ee26fc0980ce24fe4d23b

SHA1
7dea7ee9b6c6a5faf1bf7c4671e11f8f8ead295a

SHA256
036e0667c4b3c9be9ce5816a435969dc808a25457880b8b60c4547bf02dd7dfc

SHA512
55b2e9cfb77f278e6da5b0d8c326675eca78167996e72b06bcfd4c2c8a0074b79a24d3a8d1c287817f91a480d1bc1a4fb38753b68313c27e623945450a1348e0

Download Submit
\Users\Admin\AppData\Local\Temp\OSPYBX~1.DLL

MD5
090ef284158ee26fc0980ce24fe4d23b

SHA1
7dea7ee9b6c6a5faf1bf7c4671e11f8f8ead295a

SHA256
036e0667c4b3c9be9ce5816a435969dc808a25457880b8b60c4547bf02dd7dfc

SHA512
55b2e9cfb77f278e6da5b0d8c326675eca78167996e72b06bcfd4c2c8a0074b79a24d3a8d1c287817f91a480d1bc1a4fb38753b68313c27e623945450a1348e0

Download Submit
\Users\Admin\AppData\Local\Temp\OSPYBX~1.DLL

MD5
090ef284158ee26fc0980ce24fe4d23b

SHA1
7dea7ee9b6c6a5faf1bf7c4671e11f8f8ead295a

SHA256
036e0667c4b3c9be9ce5816a435969dc808a25457880b8b60c4547bf02dd7dfc

SHA512
55b2e9cfb77f278e6da5b0d8c326675eca78167996e72b06bcfd4c2c8a0074b79a24d3a8d1c287817f91a480d1bc1a4fb38753b68313c27e623945450a1348e0

Download Submit
\Users\Admin\AppData\Local\Temp\nsu2021.tmp\nsExec.dll

MD5
09c2e27c626d6f33018b8a34d3d98cb6

SHA1
8d6bf50218c8f201f06ecf98ca73b74752a2e453

SHA256
114c6941a8b489416c84563e94fd266ea5cad2b518db45cd977f1f9761e00cb1

SHA512
883454bef7b6de86d53af790755ae624f756b48b23970f865558ba03a5aecfa8d15f14700e92b3c51546e738c93e53dc50b8a45f79ef3f00aa84382853440954

Download Submit
\Users\Admin\AppData\Local\Temp\nsy1DCF.tmp\UAC.dll

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/300-371-0x0000000004232000-0x0000000004233000-memory.dmp

Filesize
4KB

Download
memory/300-369-0x0000000004230000-0x0000000004231000-memory.dmp

Filesize
4KB

Download
memory/300-486-0x0000000004233000-0x0000000004234000-memory.dmp

Filesize
4KB

Download
memory/300-325-0x0000000000000000-mapping.dmp

Download
memory/916-174-0x0000000004B60000-0x0000000005DF8000-memory.dmp

Filesize
18.6MB

Download
memory/916-164-0x0000000000000000-mapping.dmp

Download
memory/2056-175-0x0000000000000000-mapping.dmp

Download
memory/2056-178-0x0000000004490000-0x0000000004491000-memory.dmp

Filesize
4KB

Download
memory/2056-480-0x00000000080B0000-0x00000000080B1000-memory.dmp

Filesize
4KB

Download
memory/2056-474-0x00000000080C0000-0x00000000080C1000-memory.dmp

Filesize
4KB

Download
memory/2056-256-0x0000000006923000-0x0000000006924000-memory.dmp

Filesize
4KB

Download
memory/2056-245-0x0000000009280000-0x0000000009281000-memory.dmp

Filesize
4KB

Download
memory/2056-242-0x00000000090A0000-0x00000000090A1000-memory.dmp

Filesize
4KB

Download
memory/2056-240-0x000000007ED10000-0x000000007ED11000-memory.dmp

Filesize
4KB

Download
memory/2056-235-0x0000000008D30000-0x0000000008D31000-memory.dmp

Filesize
4KB

Download
memory/2056-228-0x0000000008D50000-0x0000000008D83000-memory.dmp

Filesize
204KB

Download
memory/2056-205-0x0000000007F80000-0x0000000007F81000-memory.dmp

Filesize
4KB

Download
memory/2056-198-0x0000000007CA0000-0x0000000007CA1000-memory.dmp

Filesize
4KB

Download
memory/2056-179-0x0000000006F60000-0x0000000006F61000-memory.dmp

Filesize
4KB

Download
memory/2056-200-0x0000000008020000-0x0000000008021000-memory.dmp

Filesize
4KB

Download
memory/2056-188-0x0000000007950000-0x0000000007951000-memory.dmp

Filesize
4KB

Download
memory/2056-186-0x0000000006922000-0x0000000006923000-memory.dmp

Filesize
4KB

Download
memory/2056-183-0x0000000006F10000-0x0000000006F11000-memory.dmp

Filesize
4KB

Download
memory/2056-184-0x0000000007600000-0x0000000007601000-memory.dmp

Filesize
4KB

Download
memory/2056-187-0x00000000078E0000-0x00000000078E1000-memory.dmp

Filesize
4KB

Download
memory/2056-185-0x0000000006920000-0x0000000006921000-memory.dmp

Filesize
4KB

Download
memory/2604-201-0x0000000005220000-0x00000000064B8000-memory.dmp

Filesize
18.6MB

Download
memory/2604-202-0x0000000006710000-0x0000000006711000-memory.dmp

Filesize
4KB

Download
memory/2604-180-0x0000000000000000-mapping.dmp

Download
memory/2628-206-0x0000000000000000-mapping.dmp

Download
memory/2628-270-0x0000000009D30000-0x0000000009D31000-memory.dmp

Filesize
4KB

Download
memory/2628-324-0x0000000006E13000-0x0000000006E14000-memory.dmp

Filesize
4KB

Download
memory/2628-310-0x00000000070A0000-0x00000000070A1000-memory.dmp

Filesize
4KB

Download
memory/2628-272-0x00000000092D0000-0x00000000092D1000-memory.dmp

Filesize
4KB

Download
memory/2628-236-0x0000000008670000-0x0000000008671000-memory.dmp

Filesize
4KB

Download
memory/2628-212-0x0000000006E12000-0x0000000006E13000-memory.dmp

Filesize
4KB

Download
memory/2628-211-0x0000000006E10000-0x0000000006E11000-memory.dmp

Filesize
4KB

Download
memory/4076-152-0x0000000000000000-mapping.dmp

Download
memory/4084-497-0x0000000000000000-mapping.dmp

Download
memory/4120-204-0x00000223165A0000-0x0000022316752000-memory.dmp

Filesize
1.7MB

Download
memory/4120-203-0x00000000002B0000-0x0000000000450000-memory.dmp

Filesize
1.6MB

Download
memory/4120-195-0x00007FF6ABFC5FD0-mapping.dmp

Download
memory/4572-116-0x0000000000000000-mapping.dmp

Download
memory/4584-159-0x0000000005C20000-0x0000000005C21000-memory.dmp

Filesize
4KB

Download
memory/4584-154-0x0000000000000000-mapping.dmp

Download
memory/4584-167-0x00000000046F0000-0x0000000005988000-memory.dmp

Filesize
18.6MB

Download
memory/4584-158-0x0000000004000000-0x0000000004162000-memory.dmp

Filesize
1.4MB

Download
memory/4596-118-0x0000000000000000-mapping.dmp

Download
memory/4596-124-0x00007FF6B1AC0000-0x00007FF6B23D4000-memory.dmp

Filesize
9.1MB

Download
memory/4640-123-0x0000000000000000-mapping.dmp

Download
memory/4696-126-0x0000000000000000-mapping.dmp

Download
memory/4736-127-0x0000000000000000-mapping.dmp

Download
memory/4736-132-0x00007FF636D00000-0x00007FF637614000-memory.dmp

Filesize
9.1MB

Download
memory/4784-130-0x0000000000000000-mapping.dmp

Download
memory/4828-134-0x0000000000000000-mapping.dmp

Download
memory/4836-417-0x0000000000000000-mapping.dmp

Download
memory/4856-136-0x0000000000000000-mapping.dmp

Download
memory/4868-199-0x0000000000000000-mapping.dmp

Download
memory/4900-142-0x0000000000FC0000-0x0000000000FC2000-memory.dmp

Filesize
8KB

Download
memory/4900-138-0x0000000000000000-mapping.dmp

Download
memory/4960-140-0x000000000040591E-mapping.dmp

Download
memory/4960-143-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/5004-461-0x0000000000000000-mapping.dmp

Download
memory/5052-151-0x0000000000400000-0x0000000001860000-memory.dmp

Filesize
20.4MB

Download
memory/5052-150-0x0000000003640000-0x0000000003745000-memory.dmp

Filesize
1.0MB

Download
memory/5052-145-0x0000000000000000-mapping.dmp

Download
memory/5084-148-0x0000000000000000-mapping.dmp

Download