djvu | 89e3b00acfc8b0904398665280312cf9a2b426db3eb77b2e5303131de48a2dde

Analysis

max time kernel
154s
max time network
151s
platform
windows7_x64
resource
win7v20210408
submitted
26-09-2021 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c7373ab965995304bd8b007f66ebad2.exe
Size

134KB
MD5

2c7373ab965995304bd8b007f66ebad2
SHA1

48a6f884b3a5fd51a371f900cbdb1b8651af72b4
SHA256

89e3b00acfc8b0904398665280312cf9a2b426db3eb77b2e5303131de48a2dde
SHA512

52f52a8c42f40fa6fab49cd303a310cd23513439e97e669b92aaec4a78baa60cebed9b66254770d1fcb6c5783e08d90422b17836ee7175effc0f935fa4cbea4e

Score

10^/10

djvu redline smokeloader vidar xmrig paladin backdoor discovery evasion infostealer miner persistence ransomware spyware stealer suricata themida trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://govsurplusstore.com/upload/

http://best-forsale.com/upload/

http://chmxnautoparts.com/upload/

http://kwazone.com/upload/

rc4.i32

Extracted

Family

redline

92.246.89.6:38437

Extracted

Family

redline

Botnet

paladin

94.26.228.204:32917

Signatures

Detected Djvu ransomware 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2012-68-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2012-69-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/2004-72-0x0000000001E90000-0x0000000001FAB000-memory.dmp	family_djvu
behavioral1/memory/2012-73-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1476-84-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/1476-87-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1172-94-0x0000000000780000-0x00000000007B0000-memory.dmp	family_redline
behavioral1/memory/1172-100-0x00000000020E0000-0x000000000210E000-memory.dmp	family_redline
behavioral1/memory/464-121-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/464-122-0x000000000041C5BA-mapping.dmp	family_redline
behavioral1/memory/464-124-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1092-116-0x00000000004A032D-mapping.dmp	family_vidar
behavioral1/memory/1092-115-0x0000000000400000-0x00000000004D7000-memory.dmp	family_vidar
behavioral1/memory/764-119-0x0000000000300000-0x00000000003D4000-memory.dmp	family_vidar
behavioral1/memory/1092-120-0x0000000000400000-0x00000000004D7000-memory.dmp	family_vidar

XMRig Miner Payload 13 IoCs

miner

Processes:

resource	yara_rule
\ProgramData\Systemd\note3dll.exe	xmrig
C:\ProgramData\Systemd\note3dll.exe	xmrig
C:\ProgramData\Systemd\note3dll.exe	xmrig
C:\ProgramData\Systemd\note3dll.exe	xmrig
C:\ProgramData\Systemd\note3dll.exe	xmrig
C:\ProgramData\Systemd\note3dll.exe	xmrig
C:\ProgramData\Systemd\note3dll.exe	xmrig
C:\ProgramData\Systemd\note3dll.exe	xmrig
C:\ProgramData\Systemd\note3dll.exe	xmrig
C:\ProgramData\Systemd\note3dll.exe	xmrig
C:\ProgramData\Systemd\note3dll.exe	xmrig
C:\ProgramData\Systemd\note3dll.exe	xmrig
C:\ProgramData\Systemd\note3dll.exe	xmrig

Downloads MZ/PE file

Executes dropped EXE 29 IoCs

Processes:

E252.exeE252.exeE252.exe416.exeE252.exe172A.exebuild2.exebuild2.exe172A.exebuild3.exebuild3.exeNetFrame.exe5B6B.exenote3dll.exenote3dll.exenote3dll.exenote3dll.exenote3dll.exenote3dll.exenote3dll.exenote3dll.exemstsca.exemstsca.exenote3dll.exenote3dll.exenote3dll.exenote3dll.exenote3dll.exenote3dll.exe

pid	process
2004	E252.exe
2012	E252.exe
668	E252.exe
1172	416.exe
1476	E252.exe
368	172A.exe
764	build2.exe
1092	build2.exe
464	172A.exe
740	build3.exe
1640	build3.exe
332	NetFrame.exe
1788	5B6B.exe
1828	note3dll.exe
1696	note3dll.exe
648	note3dll.exe
1940	note3dll.exe
1084	note3dll.exe
736	note3dll.exe
1784	note3dll.exe
568	note3dll.exe
1504	mstsca.exe
1696	mstsca.exe
520	note3dll.exe
616	note3dll.exe
1240	note3dll.exe
556	note3dll.exe
1472	note3dll.exe
1604	note3dll.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5B6B.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5B6B.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5B6B.exe

Deletes itself 1 IoCs

Processes:

pid process

1208
Drops startup file 1 IoCs

Processes:

NetFrame.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk NetFrame.exe

pid	process
1208

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk	NetFrame.exe

Loads dropped DLL 17 IoCs

Processes:

E252.exeE252.exeE252.exe172A.exeE252.exebuild2.exe172A.exeNetFrame.exe

pid	process
2004	E252.exe
2012	E252.exe
2012	E252.exe
668	E252.exe
368	172A.exe
1476	E252.exe
1476	E252.exe
1476	E252.exe
1476	E252.exe
1092	build2.exe
1092	build2.exe
1092	build2.exe
1092	build2.exe
464	172A.exe
1860
332	NetFrame.exe
332	NetFrame.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1680 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1680	icacls.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\5B6B.exe	themida
behavioral1/memory/1788-179-0x0000000000D30000-0x0000000000D31000-memory.dmp	themida

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

E252.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\bbd84c30-d15b-45aa-8c10-baa4d2d03f5d\\E252.exe\" --AutoStart"	E252.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

5B6B.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 5B6B.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

20 api.2ip.ua
21 api.2ip.ua
33 api.2ip.ua
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

5B6B.exe

pid process

1788 5B6B.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5B6B.exe

flow	ioc
20	api.2ip.ua
21	api.2ip.ua
33	api.2ip.ua

pid	process
1788	5B6B.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

E252.exeE252.exebuild2.exe172A.exebuild3.exemstsca.exe

description	pid	process	target process
PID 2004 set thread context of 2012	2004	E252.exe	E252.exe
PID 668 set thread context of 1476	668	E252.exe	E252.exe
PID 764 set thread context of 1092	764	build2.exe	build2.exe
PID 368 set thread context of 464	368	172A.exe	172A.exe
PID 740 set thread context of 1640	740	build3.exe	build3.exe
PID 1504 set thread context of 1696	1504	mstsca.exe	mstsca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2c7373ab965995304bd8b007f66ebad2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2c7373ab965995304bd8b007f66ebad2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2c7373ab965995304bd8b007f66ebad2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2c7373ab965995304bd8b007f66ebad2.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

build2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1144 schtasks.exe
1884 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1292 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1164 taskkill.exe

pid	process
1144	schtasks.exe
1884	schtasks.exe

pid	process
1292	timeout.exe

pid	process
1164	taskkill.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

E252.exeE252.exeNetFrame.exebuild2.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	E252.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	E252.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	E252.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	NetFrame.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	E252.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	E252.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	build2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	NetFrame.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	NetFrame.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2c7373ab965995304bd8b007f66ebad2.exe

pid	process
1820	2c7373ab965995304bd8b007f66ebad2.exe
1820	2c7373ab965995304bd8b007f66ebad2.exe
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1208
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

2c7373ab965995304bd8b007f66ebad2.exe

pid process

1820 2c7373ab965995304bd8b007f66ebad2.exe

pid	process
1208

Suspicious use of AdjustPrivilegeToken 55 IoCs

Processes:

416.exe172A.exetaskkill.exepowershell.exe5B6B.exe

description	pid	process
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeDebugPrivilege	1172	416.exe
Token: SeDebugPrivilege	464	172A.exe
Token: SeDebugPrivilege	1164	taskkill.exe
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeDebugPrivilege	1788	5B6B.exe
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

pid process

1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

pid process

1208
1208
1208
1208
1208
1208

pid	process
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208

pid	process
1208
1208
1208
1208
1208
1208

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

E252.exeE252.exeE252.exe172A.exeE252.exebuild2.exe

description	pid	process	target process
PID 1208 wrote to memory of 2004	1208		E252.exe
PID 1208 wrote to memory of 2004	1208		E252.exe
PID 1208 wrote to memory of 2004	1208		E252.exe
PID 1208 wrote to memory of 2004	1208		E252.exe
PID 2004 wrote to memory of 2012	2004	E252.exe	E252.exe
PID 2004 wrote to memory of 2012	2004	E252.exe	E252.exe
PID 2004 wrote to memory of 2012	2004	E252.exe	E252.exe
PID 2004 wrote to memory of 2012	2004	E252.exe	E252.exe
PID 2004 wrote to memory of 2012	2004	E252.exe	E252.exe
PID 2004 wrote to memory of 2012	2004	E252.exe	E252.exe
PID 2004 wrote to memory of 2012	2004	E252.exe	E252.exe
PID 2004 wrote to memory of 2012	2004	E252.exe	E252.exe
PID 2004 wrote to memory of 2012	2004	E252.exe	E252.exe
PID 2004 wrote to memory of 2012	2004	E252.exe	E252.exe
PID 2004 wrote to memory of 2012	2004	E252.exe	E252.exe
PID 2012 wrote to memory of 1680	2012	E252.exe	icacls.exe
PID 2012 wrote to memory of 1680	2012	E252.exe	icacls.exe
PID 2012 wrote to memory of 1680	2012	E252.exe	icacls.exe
PID 2012 wrote to memory of 1680	2012	E252.exe	icacls.exe
PID 2012 wrote to memory of 668	2012	E252.exe	E252.exe
PID 2012 wrote to memory of 668	2012	E252.exe	E252.exe
PID 2012 wrote to memory of 668	2012	E252.exe	E252.exe
PID 2012 wrote to memory of 668	2012	E252.exe	E252.exe
PID 1208 wrote to memory of 1172	1208		416.exe
PID 1208 wrote to memory of 1172	1208		416.exe
PID 1208 wrote to memory of 1172	1208		416.exe
PID 1208 wrote to memory of 1172	1208		416.exe
PID 668 wrote to memory of 1476	668	E252.exe	E252.exe
PID 668 wrote to memory of 1476	668	E252.exe	E252.exe
PID 668 wrote to memory of 1476	668	E252.exe	E252.exe
PID 668 wrote to memory of 1476	668	E252.exe	E252.exe
PID 668 wrote to memory of 1476	668	E252.exe	E252.exe
PID 668 wrote to memory of 1476	668	E252.exe	E252.exe
PID 668 wrote to memory of 1476	668	E252.exe	E252.exe
PID 668 wrote to memory of 1476	668	E252.exe	E252.exe
PID 668 wrote to memory of 1476	668	E252.exe	E252.exe
PID 668 wrote to memory of 1476	668	E252.exe	E252.exe
PID 668 wrote to memory of 1476	668	E252.exe	E252.exe
PID 1208 wrote to memory of 368	1208		172A.exe
PID 1208 wrote to memory of 368	1208		172A.exe
PID 1208 wrote to memory of 368	1208		172A.exe
PID 1208 wrote to memory of 368	1208		172A.exe
PID 368 wrote to memory of 464	368	172A.exe	172A.exe
PID 368 wrote to memory of 464	368	172A.exe	172A.exe
PID 368 wrote to memory of 464	368	172A.exe	172A.exe
PID 368 wrote to memory of 464	368	172A.exe	172A.exe
PID 1476 wrote to memory of 764	1476	E252.exe	build2.exe
PID 1476 wrote to memory of 764	1476	E252.exe	build2.exe
PID 1476 wrote to memory of 764	1476	E252.exe	build2.exe
PID 1476 wrote to memory of 764	1476	E252.exe	build2.exe
PID 764 wrote to memory of 1092	764	build2.exe	build2.exe
PID 764 wrote to memory of 1092	764	build2.exe	build2.exe
PID 764 wrote to memory of 1092	764	build2.exe	build2.exe
PID 764 wrote to memory of 1092	764	build2.exe	build2.exe
PID 764 wrote to memory of 1092	764	build2.exe	build2.exe
PID 764 wrote to memory of 1092	764	build2.exe	build2.exe
PID 764 wrote to memory of 1092	764	build2.exe	build2.exe
PID 764 wrote to memory of 1092	764	build2.exe	build2.exe
PID 764 wrote to memory of 1092	764	build2.exe	build2.exe
PID 368 wrote to memory of 464	368	172A.exe	172A.exe
PID 368 wrote to memory of 464	368	172A.exe	172A.exe
PID 368 wrote to memory of 464	368	172A.exe	172A.exe
PID 368 wrote to memory of 464	368	172A.exe	172A.exe
PID 368 wrote to memory of 464	368	172A.exe	172A.exe

C:\Users\Admin\AppData\Local\Temp\2c7373ab965995304bd8b007f66ebad2.exe
"C:\Users\Admin\AppData\Local\Temp\2c7373ab965995304bd8b007f66ebad2.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1820

C:\Users\Admin\AppData\Local\Temp\E252.exe
C:\Users\Admin\AppData\Local\Temp\E252.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\Temp\E252.exe
C:\Users\Admin\AppData\Local\Temp\E252.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\bbd84c30-d15b-45aa-8c10-baa4d2d03f5d" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:1680

C:\Users\Admin\AppData\Local\Temp\E252.exe
"C:\Users\Admin\AppData\Local\Temp\E252.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:668

C:\Users\Admin\AppData\Local\Temp\E252.exe
"C:\Users\Admin\AppData\Local\Temp\E252.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1476

C:\Users\Admin\AppData\Local\812011da-a0b4-40dd-a21a-898b2b1c253d\build2.exe
"C:\Users\Admin\AppData\Local\812011da-a0b4-40dd-a21a-898b2b1c253d\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:764

C:\Users\Admin\AppData\Local\812011da-a0b4-40dd-a21a-898b2b1c253d\build2.exe
"C:\Users\Admin\AppData\Local\812011da-a0b4-40dd-a21a-898b2b1c253d\build2.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
PID:1092

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\812011da-a0b4-40dd-a21a-898b2b1c253d\build2.exe" & del C:\ProgramData\*.dll & exit
7⤵
PID:300

C:\Windows\SysWOW64\taskkill.exe
taskkill /im build2.exe /f
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:1292

C:\Users\Admin\AppData\Local\812011da-a0b4-40dd-a21a-898b2b1c253d\build3.exe
"C:\Users\Admin\AppData\Local\812011da-a0b4-40dd-a21a-898b2b1c253d\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:740

C:\Users\Admin\AppData\Local\812011da-a0b4-40dd-a21a-898b2b1c253d\build3.exe
"C:\Users\Admin\AppData\Local\812011da-a0b4-40dd-a21a-898b2b1c253d\build3.exe"
6⤵
- Executes dropped EXE
PID:1640

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- Creates scheduled task(s)
PID:1144

C:\Users\Admin\AppData\Local\Temp\416.exe
C:\Users\Admin\AppData\Local\Temp\416.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Users\Admin\AppData\Local\Temp\172A.exe
C:\Users\Admin\AppData\Local\Temp\172A.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:368

C:\Users\Admin\AppData\Local\Temp\172A.exe
C:\Users\Admin\AppData\Local\Temp\172A.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:464

C:\Users\Admin\AppData\Local\Temp\NetFrame.exe
"C:\Users\Admin\AppData\Local\Temp\NetFrame.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Modifies system certificate store
PID:332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\ProgramData
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\ProgramData\Systemd\note3dll.exe
NULL
4⤵
- Executes dropped EXE
PID:1828

C:\ProgramData\Systemd\note3dll.exe
NULL
4⤵
- Executes dropped EXE
PID:1696

C:\ProgramData\Systemd\note3dll.exe
NULL
4⤵
- Executes dropped EXE
PID:648

C:\ProgramData\Systemd\note3dll.exe
NULL
4⤵
- Executes dropped EXE
PID:1940

C:\ProgramData\Systemd\note3dll.exe
NULL
4⤵
- Executes dropped EXE
PID:1084

C:\ProgramData\Systemd\note3dll.exe
NULL
4⤵
- Executes dropped EXE
PID:736

C:\ProgramData\Systemd\note3dll.exe
NULL
4⤵
- Executes dropped EXE
PID:1784

C:\ProgramData\Systemd\note3dll.exe
NULL
4⤵
- Executes dropped EXE
PID:568

C:\ProgramData\Systemd\note3dll.exe
NULL
4⤵
- Executes dropped EXE
PID:520

C:\ProgramData\Systemd\note3dll.exe
NULL
4⤵
- Executes dropped EXE
PID:616

C:\ProgramData\Systemd\note3dll.exe
NULL
4⤵
- Executes dropped EXE
PID:1240

C:\ProgramData\Systemd\note3dll.exe
NULL
4⤵
- Executes dropped EXE
PID:556

C:\ProgramData\Systemd\note3dll.exe
NULL
4⤵
- Executes dropped EXE
PID:1472

C:\ProgramData\Systemd\note3dll.exe
NULL
4⤵
- Executes dropped EXE
PID:1604

C:\Users\Admin\AppData\Local\Temp\5B6B.exe
C:\Users\Admin\AppData\Local\Temp\5B6B.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\system32\taskeng.exe
taskeng.exe {70B03756-FA8A-45C2-A4A2-1030ED7F3D6B} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
1⤵
PID:1100

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1504

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1696

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
4⤵
- Creates scheduled task(s)
PID:1884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Systemd\note3dll.exe
MD5
ffb329c2154e6f420068c6eacb1c0fe7

SHA1
b3157f6538b5ae8634e387ca670241dab5728109

SHA256
088e1203ee8d1119bdf8dffc9753456ba8d2d78ddd9c882344b5270b1767b9e9

SHA512
65ae6ad8ac8a2fd473b61833e57ef43fa36e6c9dfc9b6ef301957fc08075a6883d83dd119c1fbf055d2d9ffab91be4900abc65f3a340022f39aa90bbe63679ec

Download Submit
C:\ProgramData\Systemd\note3dll.exe
MD5
ffb329c2154e6f420068c6eacb1c0fe7

SHA1
b3157f6538b5ae8634e387ca670241dab5728109

SHA256
088e1203ee8d1119bdf8dffc9753456ba8d2d78ddd9c882344b5270b1767b9e9

SHA512
65ae6ad8ac8a2fd473b61833e57ef43fa36e6c9dfc9b6ef301957fc08075a6883d83dd119c1fbf055d2d9ffab91be4900abc65f3a340022f39aa90bbe63679ec

Download Submit
C:\ProgramData\Systemd\note3dll.exe
MD5
ffb329c2154e6f420068c6eacb1c0fe7

SHA1
b3157f6538b5ae8634e387ca670241dab5728109

SHA256
088e1203ee8d1119bdf8dffc9753456ba8d2d78ddd9c882344b5270b1767b9e9

SHA512
65ae6ad8ac8a2fd473b61833e57ef43fa36e6c9dfc9b6ef301957fc08075a6883d83dd119c1fbf055d2d9ffab91be4900abc65f3a340022f39aa90bbe63679ec

Download Submit
C:\ProgramData\Systemd\note3dll.exe
MD5
ffb329c2154e6f420068c6eacb1c0fe7

SHA1
b3157f6538b5ae8634e387ca670241dab5728109

SHA256
088e1203ee8d1119bdf8dffc9753456ba8d2d78ddd9c882344b5270b1767b9e9

SHA512
65ae6ad8ac8a2fd473b61833e57ef43fa36e6c9dfc9b6ef301957fc08075a6883d83dd119c1fbf055d2d9ffab91be4900abc65f3a340022f39aa90bbe63679ec

Download Submit
C:\ProgramData\Systemd\note3dll.exe
MD5
ffb329c2154e6f420068c6eacb1c0fe7

SHA1
b3157f6538b5ae8634e387ca670241dab5728109

SHA256
088e1203ee8d1119bdf8dffc9753456ba8d2d78ddd9c882344b5270b1767b9e9

SHA512
65ae6ad8ac8a2fd473b61833e57ef43fa36e6c9dfc9b6ef301957fc08075a6883d83dd119c1fbf055d2d9ffab91be4900abc65f3a340022f39aa90bbe63679ec

Download Submit
C:\ProgramData\Systemd\note3dll.exe
MD5
ffb329c2154e6f420068c6eacb1c0fe7

SHA1
b3157f6538b5ae8634e387ca670241dab5728109

SHA256
088e1203ee8d1119bdf8dffc9753456ba8d2d78ddd9c882344b5270b1767b9e9

SHA512
65ae6ad8ac8a2fd473b61833e57ef43fa36e6c9dfc9b6ef301957fc08075a6883d83dd119c1fbf055d2d9ffab91be4900abc65f3a340022f39aa90bbe63679ec

Download Submit
C:\ProgramData\Systemd\note3dll.exe
MD5
ffb329c2154e6f420068c6eacb1c0fe7

SHA1
b3157f6538b5ae8634e387ca670241dab5728109

SHA256
088e1203ee8d1119bdf8dffc9753456ba8d2d78ddd9c882344b5270b1767b9e9

SHA512
65ae6ad8ac8a2fd473b61833e57ef43fa36e6c9dfc9b6ef301957fc08075a6883d83dd119c1fbf055d2d9ffab91be4900abc65f3a340022f39aa90bbe63679ec

Download Submit
C:\ProgramData\Systemd\note3dll.exe
MD5
ffb329c2154e6f420068c6eacb1c0fe7

SHA1
b3157f6538b5ae8634e387ca670241dab5728109

SHA256
088e1203ee8d1119bdf8dffc9753456ba8d2d78ddd9c882344b5270b1767b9e9

SHA512
65ae6ad8ac8a2fd473b61833e57ef43fa36e6c9dfc9b6ef301957fc08075a6883d83dd119c1fbf055d2d9ffab91be4900abc65f3a340022f39aa90bbe63679ec

Download Submit
C:\ProgramData\Systemd\note3dll.exe
MD5
ffb329c2154e6f420068c6eacb1c0fe7

SHA1
b3157f6538b5ae8634e387ca670241dab5728109

SHA256
088e1203ee8d1119bdf8dffc9753456ba8d2d78ddd9c882344b5270b1767b9e9

SHA512
65ae6ad8ac8a2fd473b61833e57ef43fa36e6c9dfc9b6ef301957fc08075a6883d83dd119c1fbf055d2d9ffab91be4900abc65f3a340022f39aa90bbe63679ec

Download Submit
C:\ProgramData\Systemd\note3dll.exe
MD5
ffb329c2154e6f420068c6eacb1c0fe7

SHA1
b3157f6538b5ae8634e387ca670241dab5728109

SHA256
088e1203ee8d1119bdf8dffc9753456ba8d2d78ddd9c882344b5270b1767b9e9

SHA512
65ae6ad8ac8a2fd473b61833e57ef43fa36e6c9dfc9b6ef301957fc08075a6883d83dd119c1fbf055d2d9ffab91be4900abc65f3a340022f39aa90bbe63679ec

Download Submit
C:\ProgramData\Systemd\note3dll.exe
MD5
ffb329c2154e6f420068c6eacb1c0fe7

SHA1
b3157f6538b5ae8634e387ca670241dab5728109

SHA256
088e1203ee8d1119bdf8dffc9753456ba8d2d78ddd9c882344b5270b1767b9e9

SHA512
65ae6ad8ac8a2fd473b61833e57ef43fa36e6c9dfc9b6ef301957fc08075a6883d83dd119c1fbf055d2d9ffab91be4900abc65f3a340022f39aa90bbe63679ec

Download Submit
C:\ProgramData\Systemd\note3dll.exe
MD5
ffb329c2154e6f420068c6eacb1c0fe7

SHA1
b3157f6538b5ae8634e387ca670241dab5728109

SHA256
088e1203ee8d1119bdf8dffc9753456ba8d2d78ddd9c882344b5270b1767b9e9

SHA512
65ae6ad8ac8a2fd473b61833e57ef43fa36e6c9dfc9b6ef301957fc08075a6883d83dd119c1fbf055d2d9ffab91be4900abc65f3a340022f39aa90bbe63679ec

Download Submit
C:\ProgramData\freebl3.dll
MD5
ef2834ac4ee7d6724f255beaf527e635

SHA1
5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

SHA256
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

SHA512
c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Download Submit
C:\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\softokn3.dll
MD5
a2ee53de9167bf0d6c019303b7ca84e5

SHA1
2a3c737fa1157e8483815e98b666408a18c0db42

SHA256
43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

SHA512
45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

Download Submit
C:\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
57ba3fd55153ccfffc38981d45eb27ef

SHA1
8b89079e2a405fe04a1a87fe901d88982ef516cb

SHA256
19d84b87ec3acb0894fbbb2c95b23053373568282aa6817da64607ed3225dcef

SHA512
58ae33ebb38e6bec6332b9085f8b41850b53d7de804bc87a462f9ce7b1e960051d3682fb87a14c159041a7577a36af95cb2edf971e4d23c902d583da9945c0b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
ab5c36d10261c173c5896f3478cdc6b7

SHA1
87ac53810ad125663519e944bc87ded3979cbee4

SHA256
f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9

SHA512
e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
3f5ce173eed18d061760acea4c8f69f3

SHA1
c8a02499ede88cb10496fbbc77fee1f2757e6629

SHA256
b7666f21ebc73a75f02fefbf7d6f17700897b69301eae07ce4bab6b32ab107c8

SHA512
22f7b2af2a230e7f6ae2830d27b5769c07f0c3f8d327cfb6be6a4c632af012e823e303514c62dac8f70c973e4df81aeba10138a930d4a8880caf18c8a7062d24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
72914eb1acef50f85d5da8c9cd3b57e2

SHA1
1fd3dc1ef9e3f6b2ecda13cdfd526330bdb3dc5c

SHA256
745b2389d6a8cb6b5916f4c61923adcfab93a9894336898a882fe1310bb8aad7

SHA512
ecd06b8eb9918a0f25978bd833622e6fdeff322a2ab4e26d4cfe4fdfa428aacb0d76a35798931fbf008f9624c77e9f597034b681bc42e72303dad0b7dd8fd474

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
3f1f7b7328f9a82ffdedb891a03549df

SHA1
d058efb2330f7d94be32a2203c4535b506633b86

SHA256
5eaa82f57d1c7d035061ac5937082f286e8e45277a5c6beab721847112a84c17

SHA512
58f4a5dcd7343e91ec93e03fb3dc3b03208a5281f02e7d35f92c1c96f2d7f3a4f82c3775e63b8c95514975388286226c4bfb25c8d8df8cc4dedd81227fbed07c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
569d9c135ac33110d29c05c51460fbcd

SHA1
8fd7738d58957ce9c0409ecb95a43698cf43a88f

SHA256
bb1ab97d7a48b758a74f0b06348fb58cf3b8946e596651efda24ec2bfed74fe8

SHA512
9360610c3c6f95e94b8734e797909105b85629f5f8827ca958658c17097795a366982902fef145ce1d4b20c5e509a0cab903e652adc228a5fc5d3c60e3f8d069

Download Submit
C:\Users\Admin\AppData\Local\812011da-a0b4-40dd-a21a-898b2b1c253d\build2.exe
MD5
7c48019f424bbd08de9d0c7d66e0ea7c

SHA1
1394ad4f1fd9a7109e179695d4b404eaca70fa88

SHA256
33d15dacd2b4951517f39aa2e12afa747ddc5785b0ef3c2d78c3db16cae97d7c

SHA512
63cf0ee393e8a3dec78a06dd0a478a993143bc9061acdb828fa6edecc5d45b286aa081d0ed99819ab8d8c95345eac73658c819eefdf6efa30da877af7374e322

Download Submit
C:\Users\Admin\AppData\Local\812011da-a0b4-40dd-a21a-898b2b1c253d\build2.exe
MD5
7c48019f424bbd08de9d0c7d66e0ea7c

SHA1
1394ad4f1fd9a7109e179695d4b404eaca70fa88

SHA256
33d15dacd2b4951517f39aa2e12afa747ddc5785b0ef3c2d78c3db16cae97d7c

SHA512
63cf0ee393e8a3dec78a06dd0a478a993143bc9061acdb828fa6edecc5d45b286aa081d0ed99819ab8d8c95345eac73658c819eefdf6efa30da877af7374e322

Download Submit
C:\Users\Admin\AppData\Local\812011da-a0b4-40dd-a21a-898b2b1c253d\build2.exe
MD5
7c48019f424bbd08de9d0c7d66e0ea7c

SHA1
1394ad4f1fd9a7109e179695d4b404eaca70fa88

SHA256
33d15dacd2b4951517f39aa2e12afa747ddc5785b0ef3c2d78c3db16cae97d7c

SHA512
63cf0ee393e8a3dec78a06dd0a478a993143bc9061acdb828fa6edecc5d45b286aa081d0ed99819ab8d8c95345eac73658c819eefdf6efa30da877af7374e322

Download Submit
C:\Users\Admin\AppData\Local\812011da-a0b4-40dd-a21a-898b2b1c253d\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Local\812011da-a0b4-40dd-a21a-898b2b1c253d\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Local\812011da-a0b4-40dd-a21a-898b2b1c253d\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\172A.exe
MD5
287976d8c62519cbb494cf31916ce26e

SHA1
e9749fe784aeba486115ee4cef0fe8400439d613

SHA256
91802cc2e767e5fc498a4f8068b97de249a16b5aa05e085354862e5cc3f17d3b

SHA512
9e63b59777b413d9d62c68ee3f7a52e487ea6a563603174fbccc5eb8893009b04a11d37e7d29d286e26bb7039c84027493a605947b0472affa73fafbc5f0d29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\172A.exe
MD5
287976d8c62519cbb494cf31916ce26e

SHA1
e9749fe784aeba486115ee4cef0fe8400439d613

SHA256
91802cc2e767e5fc498a4f8068b97de249a16b5aa05e085354862e5cc3f17d3b

SHA512
9e63b59777b413d9d62c68ee3f7a52e487ea6a563603174fbccc5eb8893009b04a11d37e7d29d286e26bb7039c84027493a605947b0472affa73fafbc5f0d29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\172A.exe
MD5
287976d8c62519cbb494cf31916ce26e

SHA1
e9749fe784aeba486115ee4cef0fe8400439d613

SHA256
91802cc2e767e5fc498a4f8068b97de249a16b5aa05e085354862e5cc3f17d3b

SHA512
9e63b59777b413d9d62c68ee3f7a52e487ea6a563603174fbccc5eb8893009b04a11d37e7d29d286e26bb7039c84027493a605947b0472affa73fafbc5f0d29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\416.exe
MD5
00f96742e30d5151d30b199e822b014b

SHA1
b00a8589649e09282ea8de72a9c6ebd37f59874c

SHA256
1a258df93de3955089e869e2348df88c72444d09930ff31cba0fab7022701da1

SHA512
c582946d3eabe342b64f58ddde6a8766df0a7760e6bf4767a93e1465b4dad34bb838981790fdfc55906e8c695f1f567172d2ce4a20b0eb8f4c5b94d2dc8de094

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B6B.exe
MD5
706e056e6b2aaebd358701538b774fcd

SHA1
a528290b1eec45a22587c15d8a0135185832e71a

SHA256
c431a09f7c0a0c4ec016f16ca7150c1a6b9227fe5ed216ce004eda4af9878ac8

SHA512
a3ff93f0e7f8781c8c4b664a6d33c63a5bd712dc999f69394a4d991bb3d1059aae0c0c001ec16d6c6b72f3054bce3cb2e7030bd81b15360fdee6a1a8f8c39fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\E252.exe
MD5
a02b31dac1565be66df4600be65c0def

SHA1
4020c3c83178b0ba063d47767b091b2af3624ca9

SHA256
982661fa50431f34e62cfbd6629bc29a5989dea65f84cf19bd5036f57f44780b

SHA512
840c18abb74493b9b0ba5d77b2aeb96565eba0346f7c1baa85375547131ca90d8077de0362b879639a155117b105c11bb60e0c5b7d9829b9c248fca5209e4e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\E252.exe
MD5
a02b31dac1565be66df4600be65c0def

SHA1
4020c3c83178b0ba063d47767b091b2af3624ca9

SHA256
982661fa50431f34e62cfbd6629bc29a5989dea65f84cf19bd5036f57f44780b

SHA512
840c18abb74493b9b0ba5d77b2aeb96565eba0346f7c1baa85375547131ca90d8077de0362b879639a155117b105c11bb60e0c5b7d9829b9c248fca5209e4e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\E252.exe
MD5
a02b31dac1565be66df4600be65c0def

SHA1
4020c3c83178b0ba063d47767b091b2af3624ca9

SHA256
982661fa50431f34e62cfbd6629bc29a5989dea65f84cf19bd5036f57f44780b

SHA512
840c18abb74493b9b0ba5d77b2aeb96565eba0346f7c1baa85375547131ca90d8077de0362b879639a155117b105c11bb60e0c5b7d9829b9c248fca5209e4e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\E252.exe
MD5
a02b31dac1565be66df4600be65c0def

SHA1
4020c3c83178b0ba063d47767b091b2af3624ca9

SHA256
982661fa50431f34e62cfbd6629bc29a5989dea65f84cf19bd5036f57f44780b

SHA512
840c18abb74493b9b0ba5d77b2aeb96565eba0346f7c1baa85375547131ca90d8077de0362b879639a155117b105c11bb60e0c5b7d9829b9c248fca5209e4e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\E252.exe
MD5
a02b31dac1565be66df4600be65c0def

SHA1
4020c3c83178b0ba063d47767b091b2af3624ca9

SHA256
982661fa50431f34e62cfbd6629bc29a5989dea65f84cf19bd5036f57f44780b

SHA512
840c18abb74493b9b0ba5d77b2aeb96565eba0346f7c1baa85375547131ca90d8077de0362b879639a155117b105c11bb60e0c5b7d9829b9c248fca5209e4e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\NetFrame.exe
MD5
935adaea999dc3ad0672636dced6011e

SHA1
0f6a0f57684c66a14985ee14e858b95905cf8e05

SHA256
9b97b61edb6d9159517d77215d49a34647cd2e9737948a13bc20c4dcb989b005

SHA512
371f39ff8d6216258103d43450f3c6d99301e5fbccabcf2494cfcc136bef510f66e61429eea86a8a7de72f6d5a5786ef5f24a46042379778e965e7395dae5bcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\NetFrame.exe
MD5
935adaea999dc3ad0672636dced6011e

SHA1
0f6a0f57684c66a14985ee14e858b95905cf8e05

SHA256
9b97b61edb6d9159517d77215d49a34647cd2e9737948a13bc20c4dcb989b005

SHA512
371f39ff8d6216258103d43450f3c6d99301e5fbccabcf2494cfcc136bef510f66e61429eea86a8a7de72f6d5a5786ef5f24a46042379778e965e7395dae5bcf

Download Submit
C:\Users\Admin\AppData\Local\bbd84c30-d15b-45aa-8c10-baa4d2d03f5d\E252.exe
MD5
a02b31dac1565be66df4600be65c0def

SHA1
4020c3c83178b0ba063d47767b091b2af3624ca9

SHA256
982661fa50431f34e62cfbd6629bc29a5989dea65f84cf19bd5036f57f44780b

SHA512
840c18abb74493b9b0ba5d77b2aeb96565eba0346f7c1baa85375547131ca90d8077de0362b879639a155117b105c11bb60e0c5b7d9829b9c248fca5209e4e67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk
MD5
9204c4067037570fbbd3db1398b08d29

SHA1
56a86082143a7c94bec42dbb5e6e9b3fdc0d2218

SHA256
1e5bfa5bdc7c9a4fc286f2aa1eaaa52452741f4fe940845428376370ab080370

SHA512
a83575bf4563665b4cec3a6986da8b6daed247ae9340bd4a442ccb3f9927d780d6b9f1a39a0dd6a5978435e2f095e2b7d6fcf2b34f71248c495a39ffb01a39e5

Download Submit
\ProgramData\Microsoft Network\System.exe
MD5
935adaea999dc3ad0672636dced6011e

SHA1
0f6a0f57684c66a14985ee14e858b95905cf8e05

SHA256
9b97b61edb6d9159517d77215d49a34647cd2e9737948a13bc20c4dcb989b005

SHA512
371f39ff8d6216258103d43450f3c6d99301e5fbccabcf2494cfcc136bef510f66e61429eea86a8a7de72f6d5a5786ef5f24a46042379778e965e7395dae5bcf

Download Submit
\ProgramData\Systemd\note3dll.exe
MD5
ffb329c2154e6f420068c6eacb1c0fe7

SHA1
b3157f6538b5ae8634e387ca670241dab5728109

SHA256
088e1203ee8d1119bdf8dffc9753456ba8d2d78ddd9c882344b5270b1767b9e9

SHA512
65ae6ad8ac8a2fd473b61833e57ef43fa36e6c9dfc9b6ef301957fc08075a6883d83dd119c1fbf055d2d9ffab91be4900abc65f3a340022f39aa90bbe63679ec

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\Local\812011da-a0b4-40dd-a21a-898b2b1c253d\build2.exe
MD5
7c48019f424bbd08de9d0c7d66e0ea7c

SHA1
1394ad4f1fd9a7109e179695d4b404eaca70fa88

SHA256
33d15dacd2b4951517f39aa2e12afa747ddc5785b0ef3c2d78c3db16cae97d7c

SHA512
63cf0ee393e8a3dec78a06dd0a478a993143bc9061acdb828fa6edecc5d45b286aa081d0ed99819ab8d8c95345eac73658c819eefdf6efa30da877af7374e322

Download Submit
\Users\Admin\AppData\Local\812011da-a0b4-40dd-a21a-898b2b1c253d\build2.exe
MD5
7c48019f424bbd08de9d0c7d66e0ea7c

SHA1
1394ad4f1fd9a7109e179695d4b404eaca70fa88

SHA256
33d15dacd2b4951517f39aa2e12afa747ddc5785b0ef3c2d78c3db16cae97d7c

SHA512
63cf0ee393e8a3dec78a06dd0a478a993143bc9061acdb828fa6edecc5d45b286aa081d0ed99819ab8d8c95345eac73658c819eefdf6efa30da877af7374e322

Download Submit
\Users\Admin\AppData\Local\812011da-a0b4-40dd-a21a-898b2b1c253d\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
\Users\Admin\AppData\Local\812011da-a0b4-40dd-a21a-898b2b1c253d\build3.exe
MD5
0fea771099e342facd95a9d659548919

SHA1
9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

SHA256
6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

SHA512
2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

Download Submit
\Users\Admin\AppData\Local\Temp\172A.exe
MD5
287976d8c62519cbb494cf31916ce26e

SHA1
e9749fe784aeba486115ee4cef0fe8400439d613

SHA256
91802cc2e767e5fc498a4f8068b97de249a16b5aa05e085354862e5cc3f17d3b

SHA512
9e63b59777b413d9d62c68ee3f7a52e487ea6a563603174fbccc5eb8893009b04a11d37e7d29d286e26bb7039c84027493a605947b0472affa73fafbc5f0d29f

Download Submit
\Users\Admin\AppData\Local\Temp\E252.exe
MD5
a02b31dac1565be66df4600be65c0def

SHA1
4020c3c83178b0ba063d47767b091b2af3624ca9

SHA256
982661fa50431f34e62cfbd6629bc29a5989dea65f84cf19bd5036f57f44780b

SHA512
840c18abb74493b9b0ba5d77b2aeb96565eba0346f7c1baa85375547131ca90d8077de0362b879639a155117b105c11bb60e0c5b7d9829b9c248fca5209e4e67

Download Submit
\Users\Admin\AppData\Local\Temp\E252.exe
MD5
a02b31dac1565be66df4600be65c0def

SHA1
4020c3c83178b0ba063d47767b091b2af3624ca9

SHA256
982661fa50431f34e62cfbd6629bc29a5989dea65f84cf19bd5036f57f44780b

SHA512
840c18abb74493b9b0ba5d77b2aeb96565eba0346f7c1baa85375547131ca90d8077de0362b879639a155117b105c11bb60e0c5b7d9829b9c248fca5209e4e67

Download Submit
\Users\Admin\AppData\Local\Temp\E252.exe
MD5
a02b31dac1565be66df4600be65c0def

SHA1
4020c3c83178b0ba063d47767b091b2af3624ca9

SHA256
982661fa50431f34e62cfbd6629bc29a5989dea65f84cf19bd5036f57f44780b

SHA512
840c18abb74493b9b0ba5d77b2aeb96565eba0346f7c1baa85375547131ca90d8077de0362b879639a155117b105c11bb60e0c5b7d9829b9c248fca5209e4e67

Download Submit
\Users\Admin\AppData\Local\Temp\E252.exe
MD5
a02b31dac1565be66df4600be65c0def

SHA1
4020c3c83178b0ba063d47767b091b2af3624ca9

SHA256
982661fa50431f34e62cfbd6629bc29a5989dea65f84cf19bd5036f57f44780b

SHA512
840c18abb74493b9b0ba5d77b2aeb96565eba0346f7c1baa85375547131ca90d8077de0362b879639a155117b105c11bb60e0c5b7d9829b9c248fca5209e4e67

Download Submit
\Users\Admin\AppData\Local\Temp\NetFrame.exe
MD5
935adaea999dc3ad0672636dced6011e

SHA1
0f6a0f57684c66a14985ee14e858b95905cf8e05

SHA256
9b97b61edb6d9159517d77215d49a34647cd2e9737948a13bc20c4dcb989b005

SHA512
371f39ff8d6216258103d43450f3c6d99301e5fbccabcf2494cfcc136bef510f66e61429eea86a8a7de72f6d5a5786ef5f24a46042379778e965e7395dae5bcf

Download Submit
\Users\Admin\AppData\Local\Temp\NetFrame.exe
MD5
935adaea999dc3ad0672636dced6011e

SHA1
0f6a0f57684c66a14985ee14e858b95905cf8e05

SHA256
9b97b61edb6d9159517d77215d49a34647cd2e9737948a13bc20c4dcb989b005

SHA512
371f39ff8d6216258103d43450f3c6d99301e5fbccabcf2494cfcc136bef510f66e61429eea86a8a7de72f6d5a5786ef5f24a46042379778e965e7395dae5bcf

Download Submit
memory/300-143-0x0000000000000000-mapping.dmp

Download
memory/332-150-0x000007FEFBED1000-0x000007FEFBED3000-memory.dmp

Filesize
8KB

Download
memory/332-147-0x0000000000000000-mapping.dmp

Download
memory/368-103-0x0000000000000000-mapping.dmp

Download
memory/368-106-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/368-109-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download
memory/464-121-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/464-122-0x000000000041C5BA-mapping.dmp

Download
memory/464-126-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/464-124-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/520-217-0x0000000000000000-mapping.dmp

Download
memory/556-223-0x0000000000000000-mapping.dmp

Download
memory/568-207-0x0000000000000000-mapping.dmp

Download
memory/616-219-0x0000000000000000-mapping.dmp

Download
memory/648-197-0x0000000000000000-mapping.dmp

Download
memory/668-78-0x0000000000000000-mapping.dmp

Download
memory/736-203-0x0000000000000000-mapping.dmp

Download
memory/740-129-0x0000000000000000-mapping.dmp

Download
memory/740-141-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/764-112-0x0000000000000000-mapping.dmp

Download
memory/764-119-0x0000000000300000-0x00000000003D4000-memory.dmp

Filesize
848KB

Download
memory/1084-201-0x0000000000000000-mapping.dmp

Download
memory/1092-115-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/1092-116-0x00000000004A032D-mapping.dmp

Download
memory/1092-120-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/1144-136-0x0000000000000000-mapping.dmp

Download
memory/1164-178-0x000000001B3F0000-0x000000001B3F1000-memory.dmp

Filesize
4KB

Download
memory/1164-171-0x000000001A9D0000-0x000000001A9D1000-memory.dmp

Filesize
4KB

Download
memory/1164-159-0x000000001AA00000-0x000000001AA02000-memory.dmp

Filesize
8KB

Download
memory/1164-161-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/1164-194-0x000000001B440000-0x000000001B441000-memory.dmp

Filesize
4KB

Download
memory/1164-157-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/1164-156-0x000000001AA80000-0x000000001AA81000-memory.dmp

Filesize
4KB

Download
memory/1164-155-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/1164-151-0x0000000000000000-mapping.dmp

Download
memory/1164-193-0x000000001B430000-0x000000001B431000-memory.dmp

Filesize
4KB

Download
memory/1164-144-0x0000000000000000-mapping.dmp

Download
memory/1164-160-0x000000001AA04000-0x000000001AA06000-memory.dmp

Filesize
8KB

Download
memory/1172-102-0x0000000004A34000-0x0000000004A36000-memory.dmp

Filesize
8KB

Download
memory/1172-94-0x0000000000780000-0x00000000007B0000-memory.dmp

Filesize
192KB

Download
memory/1172-96-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1172-99-0x0000000004A33000-0x0000000004A34000-memory.dmp

Filesize
4KB

Download
memory/1172-98-0x0000000004A31000-0x0000000004A32000-memory.dmp

Filesize
4KB

Download
memory/1172-80-0x0000000000000000-mapping.dmp

Download
memory/1172-97-0x0000000004A32000-0x0000000004A33000-memory.dmp

Filesize
4KB

Download
memory/1172-100-0x00000000020E0000-0x000000000210E000-memory.dmp

Filesize
184KB

Download
memory/1172-95-0x0000000000230000-0x0000000000272000-memory.dmp

Filesize
264KB

Download
memory/1208-101-0x00000000042E0000-0x00000000042F0000-memory.dmp

Filesize
64KB

Download
memory/1208-63-0x0000000004B20000-0x0000000004B35000-memory.dmp

Filesize
84KB

Download
memory/1240-221-0x0000000000000000-mapping.dmp

Download
memory/1292-145-0x0000000000000000-mapping.dmp

Download
memory/1472-225-0x0000000000000000-mapping.dmp

Download
memory/1476-87-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1476-84-0x0000000000424141-mapping.dmp

Download
memory/1504-210-0x0000000000000000-mapping.dmp

Download
memory/1604-226-0x0000000000000000-mapping.dmp

Download
memory/1640-132-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1640-133-0x0000000000401AFA-mapping.dmp

Download
memory/1640-142-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1680-74-0x0000000000000000-mapping.dmp

Download
memory/1696-195-0x0000000000000000-mapping.dmp

Download
memory/1696-213-0x0000000000401AFA-mapping.dmp

Download
memory/1784-205-0x0000000000000000-mapping.dmp

Download
memory/1788-191-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/1788-179-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/1788-162-0x0000000000000000-mapping.dmp

Download
memory/1820-60-0x0000000076641000-0x0000000076643000-memory.dmp

Filesize
8KB

Download
memory/1820-61-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1820-62-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1828-173-0x0000000000000000-mapping.dmp

Download
memory/1884-216-0x0000000000000000-mapping.dmp

Download
memory/1940-199-0x0000000000000000-mapping.dmp

Download
memory/2004-64-0x0000000000000000-mapping.dmp

Download
memory/2004-72-0x0000000001E90000-0x0000000001FAB000-memory.dmp

Filesize
1.1MB

Download
memory/2012-68-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2012-69-0x0000000000424141-mapping.dmp

Download
memory/2012-73-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download