danabot | c3b9a8dde21bf3c1bb09426a261c77eb4b59cb2f36ac82e5b8f6b4a4d3565b5b

Analysis

max time kernel
132s
max time network
149s
platform
windows10_x64
resource
win10-en-20210920
submitted
28-09-2021 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

267667a4bbfdfcf20c407c2b191fd0ed.exe
Size

371KB
MD5

267667a4bbfdfcf20c407c2b191fd0ed
SHA1

73870de4caa2eaaf162c81c34740527e12b8467c
SHA256

c3b9a8dde21bf3c1bb09426a261c77eb4b59cb2f36ac82e5b8f6b4a4d3565b5b
SHA512

604c56940caf033ea9132067f47030272042c22d73c4ea8744508e75cca5d6c6058c917c32f72b0e29cecb2c5349e52a111af15f21990d2089f4ed098773565d

Score

10^/10

danabot 4 banker discovery evasion persistence spyware stealer themida trojan

Malware Config

Extracted

Family

danabot

Version

2052

Botnet

142.11.192.232:443

192.119.110.73:443

142.11.242.31:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\AOFDEB~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\AOFDEB~1.DLL	DanabotLoader2021
behavioral2/memory/864-180-0x00000000041B0000-0x0000000004311000-memory.dmp	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\AOFDEB~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\AOFDEB~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\AOFDEB~1.DLL	DanabotLoader2021

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 5 IoCs

Processes:

WScript.exerundll32.exe

flow pid process

33 2624 WScript.exe
35 2624 WScript.exe
37 2624 WScript.exe
39 2624 WScript.exe
44 3700 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

File.exewheezy.exeparted.exeBisogna.exe.comBisogna.exe.comIntelRapid.exeaofdebgigln.exe

pid process

2352 File.exe
2964 wheezy.exe
4084 parted.exe
864 Bisogna.exe.com
3552 Bisogna.exe.com
436 IntelRapid.exe
2264 aofdebgigln.exe

flow	pid	process
33	2624	WScript.exe
35	2624	WScript.exe
37	2624	WScript.exe
39	2624	WScript.exe
44	3700	rundll32.exe

pid	process
2352	File.exe
2964	wheezy.exe
4084	parted.exe
864	Bisogna.exe.com
3552	Bisogna.exe.com
436	IntelRapid.exe
2264	aofdebgigln.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

parted.exeIntelRapid.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	parted.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	parted.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IntelRapid.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IntelRapid.exe

Drops startup file 1 IoCs

Processes:

parted.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk parted.exe
Loads dropped DLL 4 IoCs

Processes:

File.exerundll32.exeRUNDLL32.EXE

pid process

2352 File.exe
3700 rundll32.exe
864 RUNDLL32.EXE
864 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk	parted.exe

pid	process
2352	File.exe
3700	rundll32.exe
864	RUNDLL32.EXE
864	RUNDLL32.EXE

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\dislip\parted.exe	themida
C:\Users\Admin\AppData\Local\Temp\dislip\parted.exe	themida
behavioral2/memory/4084-145-0x00007FF66ACA0000-0x00007FF66B600000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
behavioral2/memory/436-161-0x00007FF792920000-0x00007FF793280000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wheezy.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	wheezy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	wheezy.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

parted.exeIntelRapid.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	parted.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IntelRapid.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

parted.exeIntelRapid.exe

pid process

4084 parted.exe
436 IntelRapid.exe

flow	ioc
17	ip-api.com

pid	process
4084	parted.exe
436	IntelRapid.exe

Drops file in Program Files directory 4 IoCs

Processes:

File.exerundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	File.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	File.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	File.exe
File created	C:\PROGRA~3\zohplghndapsm.tmp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2264 1424 WerFault.exe RUNDLL32.EXE

pid	pid_target	process	target process
2264	1424	WerFault.exe	RUNDLL32.EXE

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

267667a4bbfdfcf20c407c2b191fd0ed.exeRUNDLL32.EXEBisogna.exe.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	267667a4bbfdfcf20c407c2b191fd0ed.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Bisogna.exe.com
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	267667a4bbfdfcf20c407c2b191fd0ed.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Bisogna.exe.com
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3692 timeout.exe
Modifies registry class 1 IoCs

Processes:

Bisogna.exe.com

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings Bisogna.exe.com

pid	process
3692	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	Bisogna.exe.com

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3936 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

IntelRapid.exe

pid process

436 IntelRapid.exe
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

Bisogna.exe.comBisogna.exe.com

pid process

864 Bisogna.exe.com
864 Bisogna.exe.com
864 Bisogna.exe.com
3552 Bisogna.exe.com
3552 Bisogna.exe.com
3552 Bisogna.exe.com
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Bisogna.exe.comBisogna.exe.com

pid process

864 Bisogna.exe.com
864 Bisogna.exe.com
864 Bisogna.exe.com
3552 Bisogna.exe.com
3552 Bisogna.exe.com
3552 Bisogna.exe.com

pid	process
3936	PING.EXE

pid	process
436	IntelRapid.exe

pid	process
864	Bisogna.exe.com
864	Bisogna.exe.com
864	Bisogna.exe.com
3552	Bisogna.exe.com
3552	Bisogna.exe.com
3552	Bisogna.exe.com

pid	process
864	Bisogna.exe.com
864	Bisogna.exe.com
864	Bisogna.exe.com
3552	Bisogna.exe.com
3552	Bisogna.exe.com
3552	Bisogna.exe.com

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

267667a4bbfdfcf20c407c2b191fd0ed.execmd.exeFile.exewheezy.execmd.execmd.exeBisogna.exe.comparted.exeBisogna.exe.comaofdebgigln.exerundll32.exe

description	pid	process	target process
PID 1764 wrote to memory of 2352	1764	267667a4bbfdfcf20c407c2b191fd0ed.exe	File.exe
PID 1764 wrote to memory of 2352	1764	267667a4bbfdfcf20c407c2b191fd0ed.exe	File.exe
PID 1764 wrote to memory of 2352	1764	267667a4bbfdfcf20c407c2b191fd0ed.exe	File.exe
PID 1764 wrote to memory of 2528	1764	267667a4bbfdfcf20c407c2b191fd0ed.exe	cmd.exe
PID 1764 wrote to memory of 2528	1764	267667a4bbfdfcf20c407c2b191fd0ed.exe	cmd.exe
PID 1764 wrote to memory of 2528	1764	267667a4bbfdfcf20c407c2b191fd0ed.exe	cmd.exe
PID 2528 wrote to memory of 3692	2528	cmd.exe	timeout.exe
PID 2528 wrote to memory of 3692	2528	cmd.exe	timeout.exe
PID 2528 wrote to memory of 3692	2528	cmd.exe	timeout.exe
PID 2352 wrote to memory of 2964	2352	File.exe	wheezy.exe
PID 2352 wrote to memory of 2964	2352	File.exe	wheezy.exe
PID 2352 wrote to memory of 2964	2352	File.exe	wheezy.exe
PID 2352 wrote to memory of 4084	2352	File.exe	parted.exe
PID 2352 wrote to memory of 4084	2352	File.exe	parted.exe
PID 2964 wrote to memory of 1112	2964	wheezy.exe	dllhost.exe
PID 2964 wrote to memory of 1112	2964	wheezy.exe	dllhost.exe
PID 2964 wrote to memory of 1112	2964	wheezy.exe	dllhost.exe
PID 2964 wrote to memory of 1044	2964	wheezy.exe	cmd.exe
PID 2964 wrote to memory of 1044	2964	wheezy.exe	cmd.exe
PID 2964 wrote to memory of 1044	2964	wheezy.exe	cmd.exe
PID 1044 wrote to memory of 2208	1044	cmd.exe	cmd.exe
PID 1044 wrote to memory of 2208	1044	cmd.exe	cmd.exe
PID 1044 wrote to memory of 2208	1044	cmd.exe	cmd.exe
PID 2208 wrote to memory of 2752	2208	cmd.exe	findstr.exe
PID 2208 wrote to memory of 2752	2208	cmd.exe	findstr.exe
PID 2208 wrote to memory of 2752	2208	cmd.exe	findstr.exe
PID 2208 wrote to memory of 864	2208	cmd.exe	Bisogna.exe.com
PID 2208 wrote to memory of 864	2208	cmd.exe	Bisogna.exe.com
PID 2208 wrote to memory of 864	2208	cmd.exe	Bisogna.exe.com
PID 2208 wrote to memory of 3936	2208	cmd.exe	PING.EXE
PID 2208 wrote to memory of 3936	2208	cmd.exe	PING.EXE
PID 2208 wrote to memory of 3936	2208	cmd.exe	PING.EXE
PID 864 wrote to memory of 3552	864	Bisogna.exe.com	Bisogna.exe.com
PID 864 wrote to memory of 3552	864	Bisogna.exe.com	Bisogna.exe.com
PID 864 wrote to memory of 3552	864	Bisogna.exe.com	Bisogna.exe.com
PID 4084 wrote to memory of 436	4084	parted.exe	IntelRapid.exe
PID 4084 wrote to memory of 436	4084	parted.exe	IntelRapid.exe
PID 3552 wrote to memory of 2264	3552	Bisogna.exe.com	aofdebgigln.exe
PID 3552 wrote to memory of 2264	3552	Bisogna.exe.com	aofdebgigln.exe
PID 3552 wrote to memory of 2264	3552	Bisogna.exe.com	aofdebgigln.exe
PID 3552 wrote to memory of 2884	3552	Bisogna.exe.com	WScript.exe
PID 3552 wrote to memory of 2884	3552	Bisogna.exe.com	WScript.exe
PID 3552 wrote to memory of 2884	3552	Bisogna.exe.com	WScript.exe
PID 2264 wrote to memory of 3700	2264	aofdebgigln.exe	rundll32.exe
PID 2264 wrote to memory of 3700	2264	aofdebgigln.exe	rundll32.exe
PID 2264 wrote to memory of 3700	2264	aofdebgigln.exe	rundll32.exe
PID 3552 wrote to memory of 2624	3552	Bisogna.exe.com	WScript.exe
PID 3552 wrote to memory of 2624	3552	Bisogna.exe.com	WScript.exe
PID 3552 wrote to memory of 2624	3552	Bisogna.exe.com	WScript.exe
PID 3700 wrote to memory of 864	3700	rundll32.exe	RUNDLL32.EXE
PID 3700 wrote to memory of 864	3700	rundll32.exe	RUNDLL32.EXE
PID 3700 wrote to memory of 864	3700	rundll32.exe	RUNDLL32.EXE

C:\Users\Admin\AppData\Local\Temp\267667a4bbfdfcf20c407c2b191fd0ed.exe
"C:\Users\Admin\AppData\Local\Temp\267667a4bbfdfcf20c407c2b191fd0ed.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1764

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2352

C:\Users\Admin\AppData\Local\Temp\dislip\wheezy.exe
"C:\Users\Admin\AppData\Local\Temp\dislip\wheezy.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
4⤵
PID:1112

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Quegli.wav
4⤵
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^DUaegCnUMchmsYAygRiDFQbmDzwCKZUZJepHBYJZehdUDKbgCOorIoZNvTmUBVpMAhPfPTEdoiBamDVSWNqWRRdBeclInOnitDzdUonJlSVAHHhSXGYOUhVJWgj$" Bel.wav
6⤵
PID:2752

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com
Bisogna.exe.com l
6⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:864

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com l
7⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3552

C:\Users\Admin\AppData\Local\Temp\aofdebgigln.exe
"C:\Users\Admin\AppData\Local\Temp\aofdebgigln.exe"
8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\AOFDEB~1.DLL,s C:\Users\Admin\AppData\Local\Temp\AOFDEB~1.EXE
9⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3700

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\AOFDEB~1.DLL,PyIdUUNOQko=
10⤵
- Loads dropped DLL
- Checks processor information in registry
PID:864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\AOFDEB~1.DLL
11⤵
PID:3996

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\AOFDEB~1.DLL,USMtWkdWUWc=
11⤵
PID:1424

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 19638
12⤵
PID:3776

C:\Windows\system32\ctfmon.exe
ctfmon.exe
13⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 808
12⤵
- Program crash
PID:2264

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp9651.tmp.ps1"
11⤵
PID:2248

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\gcnwveibi.vbs"
8⤵
PID:2884

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vasdtbicpg.vbs"
8⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:2624

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:3936

C:\Users\Admin\AppData\Local\Temp\dislip\parted.exe
"C:\Users\Admin\AppData\Local\Temp\dislip\parted.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4084

C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
"C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
PID:436

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\WJMarOUFUOpL & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\267667a4bbfdfcf20c407c2b191fd0ed.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\SysWOW64\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:3692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\zohplghndapsm.tmp
MD5
ee154094754387ccff066cfca3456238

SHA1
c1cac7a2ce0b02ef1d873588e133830de867125c

SHA256
a2f466faba786a68bb813d286fb909ffd544159a30ed90c592509c766ebd6bd5

SHA512
70ad6db9416d029130b4a2edd16305a11ad5c7f9f18ac5aa06a8897600a1c652d445efb03788c4a466e0e394e93fe35dd18e925b03abfd3d0cc945a3827a87ba

Download Submit
C:\PROGRA~3\zohplghndapsm.tmp
MD5
03f2349805a6c057d666690a20dc5279

SHA1
25d61f1af23321f2d7d717fbf291242987f9c257

SHA256
af72707110ebb39bd64c2fb73cd569694dfc63d222b5430e1f30e0526d441bea

SHA512
fcad7028b03e27b4ef5c7af3e9bfb9ff48dc6bb86aad809079f0c130344fb3b283bda75c95439f2eb2ab71ed30834a63895ab8f5827ccbc6c6b0bfa041889456

Download Submit
C:\Users\Admin\AppData\Local\Temp\AOFDEB~1.DLL
MD5
33f49309f5b16fdb0bbeb7ee600bdc86

SHA1
f522961628d4fad4a2a3c0319b7e835926a64e7a

SHA256
e092dbef96a68f27aad516946cb36856bce3b4f3d60fcfa2098c568101180839

SHA512
cad13720fc19ed4e6bf0a968bae24f5bb6702d40358aa093c2ac232cef593cbf6ffaefac9e5ecd8da214bfbc848e5799cb5a724f21756fab0c8df7ca895a49ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
303f5de158a079aae941319be50d1f2d

SHA1
f4dd4f24cc60053f9707eacd21f6c17e9c401ee3

SHA256
cf1d928e2ff239cf44c0e9bd41598ec6e714ac1b1d1de020a5a726b26a62e90d

SHA512
1e86b87124145bedca24728bee1db5d6208782056c7baf3581690eb89fad5f283243c5648fd604b427271c024f2cfe5d772c47c2adf3f2002e24f3fad747af14

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
303f5de158a079aae941319be50d1f2d

SHA1
f4dd4f24cc60053f9707eacd21f6c17e9c401ee3

SHA256
cf1d928e2ff239cf44c0e9bd41598ec6e714ac1b1d1de020a5a726b26a62e90d

SHA512
1e86b87124145bedca24728bee1db5d6208782056c7baf3581690eb89fad5f283243c5648fd604b427271c024f2cfe5d772c47c2adf3f2002e24f3fad747af14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Attitudine.wav
MD5
614ff77f40c57405f24f17f3f908ac8a

SHA1
4d739ad63f3fd7aa481bbfad06ad2c758fe834bf

SHA256
37a101023f94b802b17fa5636929e0b9f908e5e58dba8d827047b06eb6641e6f

SHA512
7aba4d54095d9ba3659eb9ee8ce5e7d8c5853fc6918cd33bdd66bafc1bbf74a87f5d99a51c9bdd18a297045aef95fb69412f89e63b4c5645668a7bb524fbb7ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bel.wav
MD5
979fae6a471437343d15e9c78801e719

SHA1
0451b723f3f5f9fbe4d60acb3737e1df13f094a3

SHA256
1f814c47791117379e1c9f6559b17291a7d58222d4efefe28e18b3d81b76f57b

SHA512
fbf3d2de406626f11f87ce6c07fcee80dc1de53cd8be91a336a8fbeb262a043fa687e38b3b0b74b72da93d26b49cb1984504f1332158e1f66a944d5e9902b69d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Quegli.wav
MD5
05cd6f416b8f61975eea28e64a6adf3f

SHA1
097f3077bf5ef6929bd9d92b036b176d8d232375

SHA256
e6d0abfb60ce6dd43ae270c1f21d2dc57906b957c8a570b1aab807bfed92ca2d

SHA512
7356354071ac90b4996fb68f60d45e2020f169b5b0cefdb2aacc89215aa6bfb0f2dd114b7b021cdad6202f77bc82773a0575d0fa2950e50043c286468d9cd4c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l
MD5
614ff77f40c57405f24f17f3f908ac8a

SHA1
4d739ad63f3fd7aa481bbfad06ad2c758fe834bf

SHA256
37a101023f94b802b17fa5636929e0b9f908e5e58dba8d827047b06eb6641e6f

SHA512
7aba4d54095d9ba3659eb9ee8ce5e7d8c5853fc6918cd33bdd66bafc1bbf74a87f5d99a51c9bdd18a297045aef95fb69412f89e63b4c5645668a7bb524fbb7ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\WJMarOUFUOpL\WCTVKF~1.ZIP
MD5
0f6a2489479553625e8f5dd16c37e3fa

SHA1
08128012be31373d026aae9266f5015acaf7f4af

SHA256
591716b23338812f6ee6e543dc732713fa652c162d26deb9fc5b9ceb4f599c70

SHA512
b1baa9977ef9e1cf42fe2898928b7bcfc193cd1cc49da5d7260769d728a7e7d02119446cc3c66a92158ee8c482775f4dda7f1d56ce243faffc54b5428562c318

Download Submit
C:\Users\Admin\AppData\Local\Temp\WJMarOUFUOpL\XERQHS~1.ZIP
MD5
8ed71229a0ce8c9659914222d561452a

SHA1
a042062495af6992c312301bd604b3a58ea7aaf2

SHA256
77519ccfb87dfffeb2f99aed9ce60316ebbfb83f0afdb7a26ea0aa7cf8292e4b

SHA512
d8106129970f5f9cef49eb855b3146cc53c3ef18738ff310bc420b589f8f3af2a7c23610a411b11a5efc05a9baa38926a5086096b27afcd9257d94974737bb9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WJMarOUFUOpL\_Files\_Chrome\DEFAUL~1.BIN
MD5
dc2f254b5562f0d42df820a0c3d577f9

SHA1
16109f6ddd0ce94200daed7323617f43b604f42a

SHA256
19afe2b33cc988fb44548cc87f1b467d37a20e74f53b4d71c7c4050c2527f178

SHA512
ac0ab6311eefc114412ccfbb4895e19aae0a129171ae7ffeb85a37c5a99a6b89ce795b58681162fc48931306f67c0b1004049665d0171a2c1e6a0ceaca1023d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WJMarOUFUOpL\_Files\_Chrome\DEFAUL~1.DB
MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WJMarOUFUOpL\_Files\_Chrome\DEFAUL~2.DB
MD5
055c8c5c47424f3c2e7a6fc2ee904032

SHA1
5952781d22cff35d94861fac25d89a39af6d0a87

SHA256
531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a

SHA512
c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WJMarOUFUOpL\_Files\_Chrome\DEFAUL~3.DB
MD5
8ee018331e95a610680a789192a9d362

SHA1
e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9

SHA256
94354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575

SHA512
4b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WJMarOUFUOpL\_Files\_Files\INITIA~1.TXT
MD5
0d360d98e130a0238a60047254d94521

SHA1
b5af691922f7827069961e3280e30b95b5e397f9

SHA256
b7f41e97d423f958a2f6fb409bedf6a613c77c5a5a723dc481e7dbf702f35524

SHA512
32568be9fbf6580228328cea51da48be0a44d6b666e8af89b046a8322b4239aeb5e849cc053e76a6c888298c2efe20b1f782e0e85e57ca6cb8648b2be17d1f2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WJMarOUFUOpL\_Files\_INFOR~1.TXT
MD5
4ed86b46404587d685ca1c819115e02f

SHA1
f973be6f13b805c5675989096ee19451baf350a7

SHA256
1f69660fbf1af943e7756d51f89fa866c44ac2f1a52a3bffd84371668f727414

SHA512
eb34edb2dcae21a5e1002af5ab96ce2b8191701ea67ea5e7a26f45e61ff3e1a1f70d5475c6aa0bfc988a89c3f35bb59b7e7d3884b76e8ae73492c8dce9ee23eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WJMarOUFUOpL\_Files\_SCREE~1.JPE
MD5
b440670064c52331aaf079d9eb3890cc

SHA1
2e76d5235a1e023d82bdd61f5945df24466506d9

SHA256
5be74f92ccfa7f7f5d49109026fee6e0b8dae82fcb5a59f6cc06e59381352d30

SHA512
c0b6571ed9201708d46b21eeccbf5b86bea8ca6b9dfd0892318f4c5af2ac77029870951bb631c5687411d6c6d13a278d51e19042128f70a83d020a8aa4fff695

Download Submit
C:\Users\Admin\AppData\Local\Temp\WJMarOUFUOpL\files_\SCREEN~1.JPG
MD5
b440670064c52331aaf079d9eb3890cc

SHA1
2e76d5235a1e023d82bdd61f5945df24466506d9

SHA256
5be74f92ccfa7f7f5d49109026fee6e0b8dae82fcb5a59f6cc06e59381352d30

SHA512
c0b6571ed9201708d46b21eeccbf5b86bea8ca6b9dfd0892318f4c5af2ac77029870951bb631c5687411d6c6d13a278d51e19042128f70a83d020a8aa4fff695

Download Submit
C:\Users\Admin\AppData\Local\Temp\WJMarOUFUOpL\files_\SYSTEM~1.TXT
MD5
4ed86b46404587d685ca1c819115e02f

SHA1
f973be6f13b805c5675989096ee19451baf350a7

SHA256
1f69660fbf1af943e7756d51f89fa866c44ac2f1a52a3bffd84371668f727414

SHA512
eb34edb2dcae21a5e1002af5ab96ce2b8191701ea67ea5e7a26f45e61ff3e1a1f70d5475c6aa0bfc988a89c3f35bb59b7e7d3884b76e8ae73492c8dce9ee23eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WJMarOUFUOpL\files_\_Chrome\DEFAUL~1.BIN
MD5
dc2f254b5562f0d42df820a0c3d577f9

SHA1
16109f6ddd0ce94200daed7323617f43b604f42a

SHA256
19afe2b33cc988fb44548cc87f1b467d37a20e74f53b4d71c7c4050c2527f178

SHA512
ac0ab6311eefc114412ccfbb4895e19aae0a129171ae7ffeb85a37c5a99a6b89ce795b58681162fc48931306f67c0b1004049665d0171a2c1e6a0ceaca1023d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WJMarOUFUOpL\files_\_Chrome\DEFAUL~1.DB
MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WJMarOUFUOpL\files_\_Chrome\DEFAUL~2.DB
MD5
055c8c5c47424f3c2e7a6fc2ee904032

SHA1
5952781d22cff35d94861fac25d89a39af6d0a87

SHA256
531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a

SHA512
c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WJMarOUFUOpL\files_\_Chrome\DEFAUL~3.DB
MD5
8ee018331e95a610680a789192a9d362

SHA1
e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9

SHA256
94354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575

SHA512
4b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WJMarOUFUOpL\files_\files\INITIA~1.TXT
MD5
0d360d98e130a0238a60047254d94521

SHA1
b5af691922f7827069961e3280e30b95b5e397f9

SHA256
b7f41e97d423f958a2f6fb409bedf6a613c77c5a5a723dc481e7dbf702f35524

SHA512
32568be9fbf6580228328cea51da48be0a44d6b666e8af89b046a8322b4239aeb5e849cc053e76a6c888298c2efe20b1f782e0e85e57ca6cb8648b2be17d1f2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aofdebgigln.exe
MD5
24530c612bf7c794a1858fd7a36975f7

SHA1
60ac535745f12770b13fa39a1d1e7395e638eb84

SHA256
b26a8a40b314a8bb032facd98db9530c1a4ab0dd134ea83e8b0509abf2415568

SHA512
dab37e0b17aa5d01c3ceb2b54305eb5af43d8c6b9af86435153117b2628b596eab1a7229a2b26196771c78b0eb9acace096db7564b8992a33e6b13694f898a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\aofdebgigln.exe
MD5
24530c612bf7c794a1858fd7a36975f7

SHA1
60ac535745f12770b13fa39a1d1e7395e638eb84

SHA256
b26a8a40b314a8bb032facd98db9530c1a4ab0dd134ea83e8b0509abf2415568

SHA512
dab37e0b17aa5d01c3ceb2b54305eb5af43d8c6b9af86435153117b2628b596eab1a7229a2b26196771c78b0eb9acace096db7564b8992a33e6b13694f898a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\dislip\parted.exe
MD5
c92045f9553387fe8ab90b2b6a24e805

SHA1
2dbeaa703044cc1862c4defb3a6d296f2aaf21cb

SHA256
eab2c4113047771525f41faaeab5e4946691f44c9e5848c540593752c10d3c47

SHA512
238009e38f830f6354c30967e6a60fd237262d9b7515b591cc24c471574095b4e62b0b29d84dd4b21ad33c8ba3abcf10c2985c8c67fbbdddf90bc652715106ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\dislip\parted.exe
MD5
c92045f9553387fe8ab90b2b6a24e805

SHA1
2dbeaa703044cc1862c4defb3a6d296f2aaf21cb

SHA256
eab2c4113047771525f41faaeab5e4946691f44c9e5848c540593752c10d3c47

SHA512
238009e38f830f6354c30967e6a60fd237262d9b7515b591cc24c471574095b4e62b0b29d84dd4b21ad33c8ba3abcf10c2985c8c67fbbdddf90bc652715106ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\dislip\wheezy.exe
MD5
20b1305bcb80b32661d564ce22df4c24

SHA1
18221a3156f955ee75e7028828909ab0f926ddfa

SHA256
4ad13166f9a30bde93d68e3d7edbda87583e12dbb063f569b9f1c9e5656ebf2c

SHA512
9c4691521416d8ed6ddf77cf932564e1c4643d50c6f1addfbb49b86fcb88530a021d09c98902e98401a7c622aca99120884c7ddd94e4261f74606dd1926f48ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcnwveibi.vbs
MD5
60076c65b10e2fafe798a276510e5f3b

SHA1
a6f7b4b0436ca564c8f4719d6b6537923b22dec4

SHA256
f96089343015d7040982a344454f9741bbbe3a79645573b80cddbba9e6cc20e1

SHA512
8e21d15b0a8544632f19694f3f3c418f8b67c88cdeb1cf8663f5ded796df82dafa5b56baa68561434ee93128be766635627e0b78dd868a084be77546e0508508

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9651.tmp.ps1
MD5
5a90d94cd8cd9e5468e9a48cdd8f6cb7

SHA1
aa62ab17eff5a90ddc0e7bc464a11b1a0429c63a

SHA256
344e85ffee92c7ffda78689942252fcf2184b0252f318ccaee96e13b26387375

SHA512
6809c6793146e1fe146708e474ca945e18923938e363a880b809e17ed2028f5fe71260f3e5f83f39bbb82a7d36e7af3dfbe5c1241fa261a8ea2efbdcd700026a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9652.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vasdtbicpg.vbs
MD5
88babed0e7f435222d34a69f04161f49

SHA1
bd2d2874f89cf1617aa2ab22b3271185c24c963f

SHA256
8a63eebc7254a7a6e08cb95d3414ef1e97b596f540ca09ee74f9620af1b159da

SHA512
102eaf10785878e75a8643b8a157f48e6811b85ef00f01c360cad5b7e007fbb57dc77fee22d9936dba0fdff349f5d866011d7718f6732edceebeba068abf29bf

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
MD5
c92045f9553387fe8ab90b2b6a24e805

SHA1
2dbeaa703044cc1862c4defb3a6d296f2aaf21cb

SHA256
eab2c4113047771525f41faaeab5e4946691f44c9e5848c540593752c10d3c47

SHA512
238009e38f830f6354c30967e6a60fd237262d9b7515b591cc24c471574095b4e62b0b29d84dd4b21ad33c8ba3abcf10c2985c8c67fbbdddf90bc652715106ff

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
MD5
c92045f9553387fe8ab90b2b6a24e805

SHA1
2dbeaa703044cc1862c4defb3a6d296f2aaf21cb

SHA256
eab2c4113047771525f41faaeab5e4946691f44c9e5848c540593752c10d3c47

SHA512
238009e38f830f6354c30967e6a60fd237262d9b7515b591cc24c471574095b4e62b0b29d84dd4b21ad33c8ba3abcf10c2985c8c67fbbdddf90bc652715106ff

Download Submit
\Users\Admin\AppData\Local\Temp\AOFDEB~1.DLL
MD5
33f49309f5b16fdb0bbeb7ee600bdc86

SHA1
f522961628d4fad4a2a3c0319b7e835926a64e7a

SHA256
e092dbef96a68f27aad516946cb36856bce3b4f3d60fcfa2098c568101180839

SHA512
cad13720fc19ed4e6bf0a968bae24f5bb6702d40358aa093c2ac232cef593cbf6ffaefac9e5ecd8da214bfbc848e5799cb5a724f21756fab0c8df7ca895a49ab

Download Submit
\Users\Admin\AppData\Local\Temp\AOFDEB~1.DLL
MD5
33f49309f5b16fdb0bbeb7ee600bdc86

SHA1
f522961628d4fad4a2a3c0319b7e835926a64e7a

SHA256
e092dbef96a68f27aad516946cb36856bce3b4f3d60fcfa2098c568101180839

SHA512
cad13720fc19ed4e6bf0a968bae24f5bb6702d40358aa093c2ac232cef593cbf6ffaefac9e5ecd8da214bfbc848e5799cb5a724f21756fab0c8df7ca895a49ab

Download Submit
\Users\Admin\AppData\Local\Temp\AOFDEB~1.DLL
MD5
33f49309f5b16fdb0bbeb7ee600bdc86

SHA1
f522961628d4fad4a2a3c0319b7e835926a64e7a

SHA256
e092dbef96a68f27aad516946cb36856bce3b4f3d60fcfa2098c568101180839

SHA512
cad13720fc19ed4e6bf0a968bae24f5bb6702d40358aa093c2ac232cef593cbf6ffaefac9e5ecd8da214bfbc848e5799cb5a724f21756fab0c8df7ca895a49ab

Download Submit
\Users\Admin\AppData\Local\Temp\AOFDEB~1.DLL
MD5
33f49309f5b16fdb0bbeb7ee600bdc86

SHA1
f522961628d4fad4a2a3c0319b7e835926a64e7a

SHA256
e092dbef96a68f27aad516946cb36856bce3b4f3d60fcfa2098c568101180839

SHA512
cad13720fc19ed4e6bf0a968bae24f5bb6702d40358aa093c2ac232cef593cbf6ffaefac9e5ecd8da214bfbc848e5799cb5a724f21756fab0c8df7ca895a49ab

Download Submit
\Users\Admin\AppData\Local\Temp\nscCBD3.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/436-161-0x00007FF792920000-0x00007FF793280000-memory.dmp

Filesize
9.4MB

Download
memory/436-158-0x0000000000000000-mapping.dmp

Download
memory/864-152-0x0000000000000000-mapping.dmp

Download
memory/864-184-0x0000000004750000-0x0000000005735000-memory.dmp

Filesize
15.9MB

Download
memory/864-183-0x0000000005950000-0x0000000005951000-memory.dmp

Filesize
4KB

Download
memory/864-180-0x00000000041B0000-0x0000000004311000-memory.dmp

Filesize
1.4MB

Download
memory/864-177-0x0000000000000000-mapping.dmp

Download
memory/1044-146-0x0000000000000000-mapping.dmp

Download
memory/1112-144-0x0000000000000000-mapping.dmp

Download
memory/1424-205-0x00000000053B0000-0x0000000006395000-memory.dmp

Filesize
15.9MB

Download
memory/1424-206-0x0000000003530000-0x0000000003531000-memory.dmp

Filesize
4KB

Download
memory/1424-190-0x0000000000000000-mapping.dmp

Download
memory/1764-115-0x0000000002BB0000-0x0000000002C5E000-memory.dmp

Filesize
696KB

Download
memory/1764-116-0x0000000000400000-0x0000000002BA5000-memory.dmp

Filesize
39.6MB

Download
memory/2208-148-0x0000000000000000-mapping.dmp

Download
memory/2248-218-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/2248-211-0x0000000000000000-mapping.dmp

Download
memory/2248-247-0x0000000007590000-0x0000000007591000-memory.dmp

Filesize
4KB

Download
memory/2248-293-0x0000000008AF0000-0x0000000008AF1000-memory.dmp

Filesize
4KB

Download
memory/2248-269-0x0000000009760000-0x0000000009761000-memory.dmp

Filesize
4KB

Download
memory/2248-308-0x0000000004F93000-0x0000000004F94000-memory.dmp

Filesize
4KB

Download
memory/2248-266-0x000000000A1D0000-0x000000000A1D1000-memory.dmp

Filesize
4KB

Download
memory/2248-219-0x0000000004F92000-0x0000000004F93000-memory.dmp

Filesize
4KB

Download
memory/2264-172-0x0000000000400000-0x0000000002C6E000-memory.dmp

Filesize
40.4MB

Download
memory/2264-163-0x0000000000000000-mapping.dmp

Download
memory/2264-171-0x00000000032B0000-0x00000000033B3000-memory.dmp

Filesize
1.0MB

Download
memory/2352-117-0x0000000000000000-mapping.dmp

Download
memory/2368-204-0x0000000000000000-mapping.dmp

Download
memory/2528-120-0x0000000000000000-mapping.dmp

Download
memory/2624-173-0x0000000000000000-mapping.dmp

Download
memory/2752-149-0x0000000000000000-mapping.dmp

Download
memory/2884-166-0x0000000000000000-mapping.dmp

Download
memory/2964-139-0x0000000000000000-mapping.dmp

Download
memory/3552-156-0x0000000000000000-mapping.dmp

Download
memory/3692-138-0x0000000000000000-mapping.dmp

Download
memory/3700-168-0x0000000000000000-mapping.dmp

Download
memory/3700-182-0x0000000004ED0000-0x0000000005EB5000-memory.dmp

Filesize
15.9MB

Download
memory/3776-208-0x000002316ADE0000-0x000002316AF92000-memory.dmp

Filesize
1.7MB

Download
memory/3776-200-0x00007FF7E87B5FD0-mapping.dmp

Download
memory/3776-207-0x0000000000AC0000-0x0000000000C60000-memory.dmp

Filesize
1.6MB

Download
memory/3936-155-0x0000000000000000-mapping.dmp

Download
memory/3996-185-0x0000000000000000-mapping.dmp

Download
memory/3996-241-0x0000000008080000-0x0000000008081000-memory.dmp

Filesize
4KB

Download
memory/3996-210-0x0000000007F60000-0x0000000007F61000-memory.dmp

Filesize
4KB

Download
memory/3996-189-0x0000000006E60000-0x0000000006E61000-memory.dmp

Filesize
4KB

Download
memory/3996-212-0x0000000007E20000-0x0000000007E21000-memory.dmp

Filesize
4KB

Download
memory/3996-197-0x0000000006D70000-0x0000000006D71000-memory.dmp

Filesize
4KB

Download
memory/3996-188-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/3996-233-0x0000000008BD0000-0x0000000008C03000-memory.dmp

Filesize
204KB

Download
memory/3996-237-0x000000007EAF0000-0x000000007EAF1000-memory.dmp

Filesize
4KB

Download
memory/3996-209-0x0000000007A20000-0x0000000007A21000-memory.dmp

Filesize
4KB

Download
memory/3996-193-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/3996-194-0x0000000000FD2000-0x0000000000FD3000-memory.dmp

Filesize
4KB

Download
memory/3996-248-0x0000000008F10000-0x0000000008F11000-memory.dmp

Filesize
4KB

Download
memory/3996-250-0x0000000009100000-0x0000000009101000-memory.dmp

Filesize
4KB

Download
memory/3996-252-0x0000000000FD3000-0x0000000000FD4000-memory.dmp

Filesize
4KB

Download
memory/3996-201-0x00000000076D0000-0x00000000076D1000-memory.dmp

Filesize
4KB

Download
memory/3996-198-0x0000000007660000-0x0000000007661000-memory.dmp

Filesize
4KB

Download
memory/3996-199-0x0000000007590000-0x0000000007591000-memory.dmp

Filesize
4KB

Download
memory/4084-141-0x0000000000000000-mapping.dmp

Download
memory/4084-145-0x00007FF66ACA0000-0x00007FF66B600000-memory.dmp

Filesize
9.4MB

Download