Analysis
- max time kernel: 153s
- max time network: 140s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 08-10-2021 18:03
Static task: static1
Behavioral task: behavioral1
- Sample: 3d1e2ef175fcb07d039f702890c6d25c.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 3d1e2ef175fcb07d039f702890c6d25c.exe
- Resource: win10-en-20210920
General
- Target: 3d1e2ef175fcb07d039f702890c6d25c.exe
- Size: 165KB
- MD5: 3d1e2ef175fcb07d039f702890c6d25c
- SHA1: e6f90a294184278ba6d23487527b3f5fc822b164
- SHA256: 8b59d8f1ea4fb412eb2064b4243c6f2dcc4efd26b78e3eae92c9daf6f6a70b7b
- SHA512: a2ff1aa1d9330db61e204ded129caf0350fd4f9d34154872f2fe71836d5435cf9527c4a5c1e3ae3b1b3dece08e184151973dd50133988793f83da936b000101a
Malware Config
Extracted
C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
buran
payransom500@mail2tor.com
Extracted
smokeloader
2020
http://fazanaharahe10.top/
http://xandelissane20.top/
http://ustiassosale30.top/
http://cytheriata40.top/
http://ggiergionard50.top/
Extracted
raccoon
1.8.2
2ea41939378a473cbe7002fd507389778c0f10e7
-
url4cnc
http://teletop.top/stevuitreen
http://teleta.top/stevuitreen
https://t.me/stevuitreen
Extracted
vidar
41.2
1033
https://mas.to/@serg4325
-
profile_id
1033
Extracted
raccoon
1.8.2
8d179b9e611eee525425544ee8c6d77360ab7cd9
-
url4cnc
http://teletop.top/agrybirdsgamerept
http://teleta.top/agrybirdsgamerept
https://t.me/agrybirdsgamerept
Extracted
redline
MIX7
185.237.165.181:58506
Extracted
raccoon
1.8.2
c95bfeb977df680e3fb35c1ce322d091ffdbaf92
-
url4cnc
http://teletop.top/vvhotsummer
http://teleta.top/vvhotsummer
https://t.me/vvhotsummer
Signatures
-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
Processes:
resource  yara_rule
behavioral1/memory/1892-120-0x00000000006E0000-0x00000000006FC000-memory.dmp  family_redline
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
Processes:
resource  yara_rule
behavioral1/memory/1748-76-0x0000000002E10000-0x0000000002EE6000-memory.dmp  family_vidar
behavioral1/memory/1748-88-0x0000000000400000-0x0000000002E10000-memory.dmp  family_vidar
-
Downloads MZ/PE file
-
Executes dropped EXE 16 IoCs
Processes:
pid  process
2004  E4D3.exe
1748  EC05.exe
1732  F549.exe
816  7D1.exe
1892  AED.exe
1624  1451.exe
1440  25EE.exe
768  sqtvvs.exe
1612  3422.exe
2188  svcli.exe
2244  filename.exe
2324  Bot_bottov768674.exe
2408  pay.exe
2536  taskeng.exe
3024  taskeng.exe
2372  sqtvvs.exe
-
Processes:
resource  yara_rule
C:\Users\Admin\AppData\Local\Temp\25EE.exe  vmprotect
behavioral1/memory/1440-126-0x0000000000E60000-0x00000000015B6000-memory.dmp  vmprotect
C:\Users\Admin\AppData\Local\Temp\25EE.exe  vmprotect
\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe  vmprotect
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe  vmprotect
behavioral1/memory/768-138-0x0000000001000000-0x0000000001756000-memory.dmp  vmprotect
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe  vmprotect
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe  vmprotect
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description  ioc  process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  7D1.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  3422.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  3422.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  7D1.exe
-
Deletes itself 1 IoCs
Processes:
pid  process
1228
-
Loads dropped DLL 17 IoCs
Processes:
pid  process
1416  WerFault.exe (x7)
904  WerFault.exe (x4)
1440  25EE.exe
816  7D1.exe
1892  AED.exe
1612  3422.exe
2408  pay.exe (x2)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource  yara_rule
C:\Users\Admin\AppData\Local\Temp\7D1.exe  themida
behavioral1/memory/816-102-0x0000000001330000-0x0000000001331000-memory.dmp  themida
C:\Users\Admin\AppData\Local\Temp\3422.exe  themida
behavioral1/memory/1612-145-0x0000000000AA0000-0x0000000000AA1000-memory.dmp  themida
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description  ioc  process
Key created  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run  pay.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskeng.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\taskeng.exe\" -start"  pay.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
description  ioc  process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  7D1.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  3422.exe
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description  ioc  process
File opened (read-only)  \??\E:  taskeng.exe
File opened (read-only)  \??\B:  taskeng.exe
File opened (read-only)  \??\A:  taskeng.exe
File opened (read-only)  \??\K:  taskeng.exe
File opened (read-only)  \??\Y:  taskeng.exe
File opened (read-only)  \??\V:  taskeng.exe
File opened (read-only)  \??\U:  taskeng.exe
File opened (read-only)  \??\Q:  taskeng.exe
File opened (read-only)  \??\P:  taskeng.exe
File opened (read-only)  \??\O:  taskeng.exe
File opened (read-only)  \??\N:  taskeng.exe
File opened (read-only)  \??\H:  taskeng.exe
File opened (read-only)  \??\Z:  taskeng.exe
File opened (read-only)  \??\X:  taskeng.exe
File opened (read-only)  \??\W:  taskeng.exe
File opened (read-only)  \??\R:  taskeng.exe
File opened (read-only)  \??\I:  taskeng.exe
File opened (read-only)  \??\G:  taskeng.exe
File opened (read-only)  \??\T:  taskeng.exe
File opened (read-only)  \??\S:  taskeng.exe
File opened (read-only)  \??\M:  taskeng.exe
File opened (read-only)  \??\L:  taskeng.exe
File opened (read-only)  \??\J:  taskeng.exe
File opened (read-only)  \??\F:  taskeng.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
66  geoiptool.com
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
pid  process
816  7D1.exe
1612  3422.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description  pid  process  target process
PID 1684 set thread context of 1496  1684  3d1e2ef175fcb07d039f702890c6d25c.exe  3d1e2ef175fcb07d039f702890c6d25c.exe
PID 2324 set thread context of 2760  2324  Bot_bottov768674.exe  RegSvcs.exe
PID 2188 set thread context of 1356  2188  svcli.exe  RegSvcs.exe
-
Drops file in Program Files directory 64 IoCs
Processes:
description  ioc  process
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.ja_5.5.0.165303.jar  taskeng.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.runtime_3.10.0.v20140318-2214.jar  taskeng.exe
File opened for modification  C:\Program Files\Java\jre7\lib\zi\Pacific\Enderbury  taskeng.exe
File created  C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\SPACER.GIF  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\RADAR.WAV.@payransom500.AFE-D41-E68  taskeng.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe  taskeng.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host.xml.@payransom500.AFE-D41-E68  taskeng.exe
File opened for modification  C:\Program Files\Java\jre7\lib\zi\America\Paramaribo.@payransom500.AFE-D41-E68  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18248_.WMF  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART15.BDR.@payransom500.AFE-D41-E68  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02450_.WMF.@payransom500.AFE-D41-E68  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN110.XML  taskeng.exe
File opened for modification  C:\Program Files\ConfirmCopy.csv.@payransom500.AFE-D41-E68  taskeng.exe
File opened for modification  C:\Program Files\7-Zip\Lang\pt-br.txt  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149018.JPG.@payransom500.AFE-D41-E68  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01357_.WMF.@payransom500.AFE-D41-E68  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02446_.WMF  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HM00114_.WMF  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\ChessIconImages.bmp  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_pressed.gif.@payransom500.AFE-D41-E68  taskeng.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rankin_Inlet.@payransom500.AFE-D41-E68  taskeng.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.nl_zh_4.4.0.v20140623020002.jar.@payransom500.AFE-D41-E68  taskeng.exe
File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101857.BMP.@payransom500.AFE-D41-E68  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Oriel.eftx  taskeng.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UCT.@payransom500.AFE-D41-E68  taskeng.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-api.xml  taskeng.exe
File opened for modification  C:\Program Files\Java\jre7\lib\zi\America\Whitehorse.@payransom500.AFE-D41-E68  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02398_.WMF  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03012U.BMP  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR24F.GIF.@payransom500.AFE-D41-E68  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\VOLTAGE.WAV.@payransom500.AFE-D41-E68  taskeng.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tijuana.@payransom500.AFE-D41-E68  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21519_.GIF  taskeng.exe
File opened for modification  C:\Program Files\Java\jre7\lib\zi\America\Resolute  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Median.xml.@payransom500.AFE-D41-E68  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate.css  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC.HXS.@payransom500.AFE-D41-E68  taskeng.exe
File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_SelectionSubpicture.png  taskeng.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\include\jvmticmlr.h.@payransom500.AFE-D41-E68  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151063.WMF.@payransom500.AFE-D41-E68  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02265_.WMF.@payransom500.AFE-D41-E68  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02048_.WMF  taskeng.exe
File created  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT  taskeng.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe.@payransom500.AFE-D41-E68  taskeng.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe.@payransom500.AFE-D41-E68  taskeng.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-keymap.xml  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00006_.WMF.@payransom500.AFE-D41-E68  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\STOPICON.JPG  taskeng.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe.@payransom500.AFE-D41-E68  taskeng.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00917_.WMF  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0301480.WMF  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\TAB_OFF.GIF.@payransom500.AFE-D41-E68  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplate.html.@payransom500.AFE-D41-E68  taskeng.exe
File opened for modification  C:\Program Files\Java\jre7\lib\zi\Europe\London  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01478U.BMP.@payransom500.AFE-D41-E68  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0222021.WMF.@payransom500.AFE-D41-E68  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18234_.WMF  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\UnformattedNumeric.jpg.@payransom500.AFE-D41-E68  taskeng.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR46B.GIF  taskeng.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.zh_CN_5.5.0.165303.jar  taskeng.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_zh_4.4.0.v20140623020002.jar  taskeng.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
Processes:
pid  pid_target  process  target process
1416  2004  WerFault.exe  E4D3.exe
904  1748  WerFault.exe  EC05.exe
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description  ioc  process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  3d1e2ef175fcb07d039f702890c6d25c.exe
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  3d1e2ef175fcb07d039f702890c6d25c.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  3d1e2ef175fcb07d039f702890c6d25c.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid  process
1392  schtasks.exe
2128  schtasks.exe
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid  process
992  vssadmin.exe
2288  vssadmin.exe
-
Processes:
description  ioc  process
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob  pay.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob  pay.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349  taskeng.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob  taskeng.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13  EC05.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob  EC05.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349  pay.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid  process
1496  3d1e2ef175fcb07d039f702890c6d25c.exe (x2)
1228  (x62)
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
Processes:
pid  process
1228
1416  WerFault.exe
904  WerFault.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid  process
1496  3d1e2ef175fcb07d039f702890c6d25c.exe
-
Suspicious behavior: SetClipboardViewer 1 IoCs
Processes:
pid  process
1356  RegSvcs.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description  pid  process
Token: SeDebugPrivilege  1416  WerFault.exe
Token: SeShutdownPrivilege  1228 (x3)
Token: SeDebugPrivilege  1892  AED.exe
Token: SeDebugPrivilege  904  WerFault.exe
Token: SeShutdownPrivilege  1228
Token: SeDebugPrivilege  816  7D1.exe
Token: SeShutdownPrivilege  1228 (x2)
Token: SeDebugPrivilege  1612  3422.exe
Token: SeShutdownPrivilege  1228
Token: SeDebugPrivilege  2408  pay.exe (x2)
Token: SeIncreaseQuotaPrivilege  2988  WMIC.exe
Token: SeSecurityPrivilege  2988  WMIC.exe
Token: SeTakeOwnershipPrivilege  2988  WMIC.exe
Token: SeLoadDriverPrivilege  2988  WMIC.exe
Token: SeSystemProfilePrivilege  2988  WMIC.exe
Token: SeSystemtimePrivilege  2988  WMIC.exe
Token: SeProfSingleProcessPrivilege  2988  WMIC.exe
Token: SeIncBasePriorityPrivilege  2988  WMIC.exe
Token: SeCreatePagefilePrivilege  2988  WMIC.exe
Token: SeBackupPrivilege  2988  WMIC.exe
Token: SeRestorePrivilege  2988  WMIC.exe
Token: SeShutdownPrivilege  2988  WMIC.exe
Token: SeDebugPrivilege  2988  WMIC.exe
Token: SeSystemEnvironmentPrivilege  2988  WMIC.exe
Token: SeRemoteShutdownPrivilege  2988  WMIC.exe
Token: SeUndockPrivilege  2988  WMIC.exe
Token: SeManageVolumePrivilege  2988  WMIC.exe
Token: 33  2988  WMIC.exe
Token: 34  2988  WMIC.exe
Token: 35  2988  WMIC.exe
Token: SeIncreaseQuotaPrivilege  1992  WMIC.exe
Token: SeSecurityPrivilege  1992  WMIC.exe
Token: SeTakeOwnershipPrivilege  1992  WMIC.exe
Token: SeLoadDriverPrivilege  1992  WMIC.exe
Token: SeSystemProfilePrivilege  1992  WMIC.exe
Token: SeSystemtimePrivilege  1992  WMIC.exe
Token: SeProfSingleProcessPrivilege  1992  WMIC.exe
Token: SeIncBasePriorityPrivilege  1992  WMIC.exe
Token: SeCreatePagefilePrivilege  1992  WMIC.exe
Token: SeBackupPrivilege  1992  WMIC.exe
Token: SeRestorePrivilege  1992  WMIC.exe
Token: SeShutdownPrivilege  1992  WMIC.exe
Token: SeDebugPrivilege  1992  WMIC.exe
Token: SeSystemEnvironmentPrivilege  1992  WMIC.exe
Token: SeRemoteShutdownPrivilege  1992  WMIC.exe
Token: SeUndockPrivilege  1992  WMIC.exe
Token: SeManageVolumePrivilege  1992  WMIC.exe
Token: 33  1992  WMIC.exe
Token: 34  1992  WMIC.exe
Token: 35  1992  WMIC.exe
Token: SeIncreaseQuotaPrivilege  1992  WMIC.exe
Token: SeSecurityPrivilege  1992  WMIC.exe
Token: SeTakeOwnershipPrivilege  1992  WMIC.exe
Token: SeLoadDriverPrivilege  1992  WMIC.exe
Token: SeSystemProfilePrivilege  1992  WMIC.exe
Token: SeSystemtimePrivilege  1992  WMIC.exe
Token: SeProfSingleProcessPrivilege  1992  WMIC.exe
Token: SeIncBasePriorityPrivilege  1992  WMIC.exe
Token: SeCreatePagefilePrivilege  1992  WMIC.exe
Token: SeBackupPrivilege  1992  WMIC.exe
-
Suspicious use of FindShellTrayWindow 10 IoCs
Processes:
pid  process
1228  (x10)
-
Suspicious use of SendNotifyMessage 5 IoCs
Processes:
pid  process
1228  (x5)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description  pid  process  target process
PID 1684 wrote to memory of 1496  1684  3d1e2ef175fcb07d039f702890c6d25c.exe  3d1e2ef175fcb07d039f702890c6d25c.exe (x7)
PID 1228 wrote to memory of 2004  1228  (none)  E4D3.exe (x4)
PID 1228 wrote to memory of 1748  1228  (none)  EC05.exe (x4)
PID 1228 wrote to memory of 1732  1228  (none)  F549.exe (x4)
PID 2004 wrote to memory of 1416  2004  E4D3.exe  WerFault.exe (x4)
PID 1228 wrote to memory of 816  1228  (none)  7D1.exe (x4)
PID 1228 wrote to memory of 1892  1228  (none)  AED.exe (x4)
PID 1748 wrote to memory of 904  1748  EC05.exe  WerFault.exe (x4)
PID 1228 wrote to memory of 1624  1228  (none)  1451.exe (x4)
PID 1228 wrote to memory of 1440  1228  (none)  25EE.exe (x4)
PID 1440 wrote to memory of 768  1440  25EE.exe  sqtvvs.exe (x4)
PID 1228 wrote to memory of 1612  1228  (none)  3422.exe (x4)
PID 768 wrote to memory of 1296  768  sqtvvs.exe  cmd.exe (x4)
PID 768 wrote to memory of 1392  768  sqtvvs.exe  schtasks.exe (x4)
PID 1296 wrote to memory of 1492  1296  cmd.exe  reg.exe (x4)
PID 816 wrote to memory of 2188  816  7D1.exe  svcli.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\3d1e2ef175fcb07d039f702890c6d25c.exe
    "C:\Users\Admin\AppData\Local\Temp\3d1e2ef175fcb07d039f702890c6d25c.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\3d1e2ef175fcb07d039f702890c6d25c.exe
      "C:\Users\Admin\AppData\Local\Temp\3d1e2ef175fcb07d039f702890c6d25c.exe"
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
[1] C:\Users\Admin\AppData\Local\Temp\E4D3.exe
    C:\Users\Admin\AppData\Local\Temp\E4D3.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 432
      - Loads dropped DLL
      - Program crash
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
[1] C:\Users\Admin\AppData\Local\Temp\EC05.exe
    C:\Users\Admin\AppData\Local\Temp\EC05.exe
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 868
      - Loads dropped DLL
      - Program crash
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
[1] C:\Users\Admin\AppData\Local\Temp\F549.exe
    C:\Users\Admin\AppData\Local\Temp\F549.exe
    - Executes dropped EXE
[1] C:\Users\Admin\AppData\Local\Temp\7D1.exe
    C:\Users\Admin\AppData\Local\Temp\7D1.exe
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\svcli.exe
      "C:\Users\Admin\AppData\Local\Temp\svcli.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
    [3] C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OLgDLcX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFE4C.tmp"
        - Creates scheduled task(s)
    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        - Suspicious behavior: SetClipboardViewer
[1] C:\Users\Admin\AppData\Local\Temp\AED.exe
    C:\Users\Admin\AppData\Local\Temp\AED.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Local\Temp\filename.exe
      "C:\Users\Admin\AppData\Local\Temp\filename.exe"
      - Executes dropped EXE
    [3] C:\ProgramData\pay.exe
        "C:\ProgramData\pay.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Modifies system certificate store
        - Suspicious use of AdjustPrivilegeToken
      [4] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
          - Executes dropped EXE
          - Enumerates connected drives
          - Modifies system certificate store
        [5] C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
          [6] C:\Windows\SysWOW64\Wbem\WMIC.exe
              wmic shadowcopy delete
              - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
        [5] C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
        [5] C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
        [5] C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
          [6] C:\Windows\SysWOW64\vssadmin.exe
              vssadmin delete shadows /all /quiet
              - Interacts with shadow copies
        [5] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 0
            - Executes dropped EXE
            - Drops file in Program Files directory
        [5] C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
          [6] C:\Windows\SysWOW64\Wbem\WMIC.exe
              wmic shadowcopy delete
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\vssadmin.exe
              vssadmin delete shadows /all /quiet
              - Interacts with shadow copies
      [4] C:\Windows\SysWOW64\notepad.exe
          notepad.exe
[1] C:\Users\Admin\AppData\Local\Temp\1451.exe
    C:\Users\Admin\AppData\Local\Temp\1451.exe
    - Executes dropped EXE
[1] C:\Users\Admin\AppData\Local\Temp\25EE.exe
    C:\Users\Admin\AppData\Local\Temp\25EE.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
      "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\
    [3] C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe" /F
        - Creates scheduled task(s)
[1] C:\Users\Admin\AppData\Local\Temp\3422.exe
    C:\Users\Admin\AppData\Local\Temp\3422.exe
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Local\Temp\Bot_bottov768674.exe
      "C:\Users\Admin\AppData\Local\Temp\Bot_bottov768674.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
[1] C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
[1] C:\Windows\system32\taskeng.exe
    taskeng.exe {5FDF861C-A331-432F-AE80-B1BD8AACF257} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
  [2] C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
      C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\pay.exe
MD5 9c13ab7b79aec8dc02869999773cd4b2
SHA1 4b4d865132329e0dd1d129e85fc4fa9ad0c1d206
SHA256 774ef04333c3fb2a6a4407654e28c2900c62bd202ad6e5909336eb9bc180d279
SHA512 3854d8b8fc71f6ff48232839c5a2463ad2f94c6560fc57765a36da8121fdae5975a0334c1424a5fff7a3c7c3a4129f31cd8f14df6425d9f7ccdcf0a0e15724cf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5 123ce078f265a756c5ce19625077105d
SHA1 a42e1e043112724f7ff8c1ef6c47388481ea29cf
SHA256 d8f9429e9c2c97768ebbba5e4ff1f05a3ac98444aaad5013bbec671eed423b6f
SHA512 2b4e1587c0c31544dcb7e101ec8cd942c0a488175bf71dc0d840ff6858246326f30ea0268cec17333889787462775c6091fd218e89685fe213957d8b031d4288
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5 b0a06d7c0ec787a055614a5b261a56f9
SHA1 416ecbc2c20e635eab68b5120e49e015533d68ec
SHA256 7a34b9593dd3149888d57722cdf3460544e87d2b2dff55e3ec210e4b635bfe20
SHA512 fe62ed5e32ae5eee79dfccdbac9cf33faba21cdbeb0a9e6e11a8e1dc3051ecea530670f81f2daa3d869badc88806cdb66b34437a59e935be8e5686ef4a1af6e9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5 ab5c36d10261c173c5896f3478cdc6b7
SHA1 87ac53810ad125663519e944bc87ded3979cbee4
SHA256 f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9
SHA512 e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5 8f439021290aa6bf8af3da275aeca450
SHA1 f52db4ca1c156995e612063ba10b68e19ce16d6d
SHA256 90d9d61871087772c554bd45271bb8c7f018e219b2bc692f08766ad6adec45f1
SHA512 599c96987d5ebf9c4546003265b6727a10787b048bfbf7662301776e345f7b7ba416a6df96dad63e31a96d77ef45f260dd81495d61dad215305593692425e5cf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5 f6a64ddc3eb2974d7e6398b77ef2f2d2
SHA1 fa42f4f85c810b333fca011eb6f69b8c94ebaf51
SHA256 b4d473cef25749bab10b19f819fd92bbaca3b969b21a7cdf9c07784d4c5d27a4
SHA512 8e31c485189cfcfe4b4615e8b08f6d5c415e826067e19b11ec0aab49387d9dcbbf3cd4487a52ddfe9f07914cd63ef9becc4f1f4b40d9315b3985500636350b54
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5 69183ed4db0361b6d465fb2a2758710d
SHA1 5f27750e1bdd4afce3ee9220d41e6a8549466771
SHA256 6503c600541b3e30c756f180416681ab2adb0fab4afd57b7c949bb79eec85220
SHA512 9565a0c5235ab5771db4a45751aa8967649bb37f042afb1ea0fa3ae5051f523a94918ff92ca92042372c069ef44c72db895d37c811efa287d8d453e07b004b9e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5 b8d8c0356e8e187756030544323e1c78
SHA1 2f874fcca531c0f1f6b236d47b657e85fcaa77de
SHA256 8c72964701be45e5db3b6c2d4438ef8d7a5c04d1f48c763e0446a3e9fa50aaa2
SHA512 258067a7ce1b370d21e0f0fcfa5e1499f82e05de551ae3aafa394a01710b19c1f930061567c50c43edb1453e32a7807e935d8a45c01514e10ed417104af82175
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5 d65edfb46e6c192f7b37def7f4b37d96
SHA1 681571797fdd6107f1df003cb5c8d8fb2551845c
SHA256 39e7211e2e58f667f45119696fbc4f9037f248869d0aa22f02e43e784b10da2d
SHA512 c74c44fe70a703acaae2f66ed67c2916b94422cbb0821ed27b1e8960933dde2166283077d3281107fcb048114bc9f3a5f260af6a9cee6ac36d5a6407dad1280c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5 7a7956636d19d728067fd492b16b9940
SHA1 c4232c282f58e0cd988fef2e20955b5a1778b127
SHA256 8473ad400a8d6c72892cf45ae079e6f0fa82d105ecd8ff6fbe2e44308e2e0552
SHA512 7dc9e54cf3ccbe8c585b0d7e833cd46c066b08951995824a02cde6a50e7b0ea2be1117fcc3c4fe20bda7f5f99e1e8b7b1557f2de50e2a00c6144097027e6d189
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D4X32ZLU\OSQZCRT6.htm
MD5 8615e70875c2cc0b9db16027b9adf11d
SHA1 4ed62cf405311c0ff562a3c59334a15ddc4f1bf9
SHA256 da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d
SHA512 cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L1Y3K90W\LYVSGSQ1.htm
MD5 b1cd7c031debba3a5c77b39b6791c1a7
SHA1 e5d91e14e9c685b06f00e550d9e189deb2075f76
SHA256 57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa
SHA512 d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72
-
C:\Users\Admin\AppData\Local\Temp\1451.exe
MD5 61ac16369c6228d0e762519946fae610
SHA1 851bff728927da7f5245488c5abb9b7787b0fa85
SHA256 9ab460a5a88fb1c145c85a43bb56211c9209d650d25318f128a6a7f429b6bf45
SHA512 c9c5d689e86dfec882fa43d183d176b6cbec36a205c8ab53352f0c6c73b202472fe80f0324a741b220331a7273e5ac68fdcc4f199560d50c865739fa51ad2aad
-
C:\Users\Admin\AppData\Local\Temp\15212455352368107708
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\25EE.exe
MD5 9dcec4cd98534038775474bedc66a237
SHA1 37c4e6955d492ba77b8b3101a46c0d9056a1620d
SHA256 9b7927979f7205cc87f772dafa96ab34b9914c205f42a18de80d7eaec8bb9871
SHA512 84c5d078c10fd1912004c98535096f16a8ffcd25f0387037ebc6482d1d6b501a455c5e59f5774b14f142d6222c6930f1a65cd923e89e865fc4a5c2a5d600ad01
-
C:\Users\Admin\AppData\Local\Temp\3422.exe
MD5 4c65a9ca5daa3a5c2253f97921def28c
SHA1 0b0f69d7a1df109c4bf21c3fa22595bcbe83a1c1
SHA256 6a623648d1e44d8966e35890baa148cbbc3160e978de078c78045d1e6d3a848e
SHA512 b0e28023cedfbafd70fe41a9f9706bf2f874923360f2e2cc68e2e13deacf81715cd2a70c83933e54eaa2d840d69daf82b593d2457c0aa1b5e68832c2cf555370
-
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
MD5 9dcec4cd98534038775474bedc66a237
SHA1 37c4e6955d492ba77b8b3101a46c0d9056a1620d
SHA256 9b7927979f7205cc87f772dafa96ab34b9914c205f42a18de80d7eaec8bb9871
SHA512 84c5d078c10fd1912004c98535096f16a8ffcd25f0387037ebc6482d1d6b501a455c5e59f5774b14f142d6222c6930f1a65cd923e89e865fc4a5c2a5d600ad01
-
C:\Users\Admin\AppData\Local\Temp\7D1.exe
MD5 57b5f410bba704152ed728ae30b26665
SHA1 755da63fac5d2f95d600253a0a94e4d19c62eb96
SHA256 2dbeea7c52d13a743dbdbdde06da28d1616ea6b1d765684fd3ec1a8f44040269
SHA512 670a23161098b3c990f5c1c07ad86cb3fb14a61a62460f2e016d660331c07353a809ed5da92fa32e0e1d84512d8325fa3ecc896c0c2c10e1e8a6762a34cc416c
-
C:\Users\Admin\AppData\Local\Temp\AED.exe
MD5 42161cff637993d514d1cc15ad5229af
SHA1 03ae4b56ba6f0fa6612d45f1f336fcc059d76178
SHA256 66a92814d6e3eab407e0c49e9dd10a21b093dbd79e7b3dd2c89367c94658e3f3
SHA512 722eeb2176d94254edf52a32ecd95eede02e0c518d924059520471e4232626b76041f9e6dcc586a8abc5a632ed013891c3dd92264cf891131a08d1baa0cadc8d
-
C:\Users\Admin\AppData\Local\Temp\Bot_bottov768674.exe
MD5 8e0be060385c07d8e8860749f9c721c3
SHA1 18d38d893ded507b058266857633083d1fbdbac5
SHA256 46c8ac53157328105a599fd431f76664c79b597ab7686e12897b2d07043f8d2b
SHA512 8950b31c5615b8518894d0222d49d9f447a76b3e0c67556e31503bbdf899a7e3eaf352b18d22207b1752289c6d4520b77369fc5a5b43efcd86d9b37eaf1ade30
-
C:\Users\Admin\AppData\Local\Temp\E4D3.exe
MD5 20fe1450230d861579e323ffd7ba5485
SHA1 971e83ba0ff1cbbdc9e1ac1ff6cd1c9ae38ce633
SHA256 0cbd381e5c415c904ab13ab415f549b5b5711831fd20f46975c83fb4e03fc9e3
SHA512 abf22e174d97ffe32dcaa14277e9f658e5e3c2d47c21efd40be2d645cb3639534cc22c73de59c83d0e9485fffe17e9064b40f953de42b8bd9d28da95d2ff753f
-
C:\Users\Admin\AppData\Local\Temp\EC05.exe
MD5 047b7730310a945e1a587c5395c0638a
SHA1 685e18a8f11c49fcd2829cd79fb4acdcd254f2fa
SHA256 4ecf8f85d92f0d00fe80c0c8f7140888f8804b4834b94472960067fa54584a79
SHA512 f3ad7a1cdb85c051a6fcd0fa415c242bf77bf9ee9ce4f571ecb16d4f28292e0f1ccf6d84ea9db0b71a88ecb0bc3946df6ac77526dfd7f3054f3c68a8ebc49120
-
C:\Users\Admin\AppData\Local\Temp\F549.exe
MD5 a17c071fb4c0c7efe7c0c3020d6d9e12
SHA1 f6f0e87deca0fdfe3f3f87921d07fa89ed9cfb59
SHA256 f302db2e7293cac08f7c95cb9ffaa0066e85db088747b80c8e42855d8fe29e1a
SHA512 cb871e46f858bf7fbb391a5de2b39dc74356c15ed1b183960f4ec42c9ca67311726647f88618a31d8a9a16194dcdf0c4e660cfc75a2c09c7cce8b7a436ee9400
-
C:\Users\Admin\AppData\Local\Temp\filename.exe
MD5 4498fc49ef44442a2727cde9dc9c6aef
SHA1 bbe773c15ee59ab0ac0b2bb2d3d2a660ef84b16a
SHA256 e53ea20c7026e81930009f61c70ebba16de4bad0ee8211203422ecad3f2c9412
SHA512 1411170c8c131348cae3a69dbef01f127640435bdb48184d84ceae716273d2425b9e6328513c33db81b4b47dff6d39896389f3267c92f51e2e1efd9201294de3
-
C:\Users\Admin\AppData\Local\Temp\svcli.exe
MD5 1e6dd03f819ceb81293623cbf88505d3
SHA1 90a4237bd0a54e9d964805520477f11ae6859dc2
SHA256 9a2204f9f2ee0f3c5331b88a148770b0ab6bfcb6fa4452c040ef1245418a6dbf
SHA512 6aaf95d8b4209d233802ec0aaab55c29d3d5e500b00925c1bd6219035f022edf73e884d16a2b89a615a82b832e405b454f104eabc768916833193f0882b44e77
-
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5 ef572e2c7b1bbd57654b36e8dcfdc37a
SHA1 b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
SHA256 e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
SHA512 b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
MD5 9c13ab7b79aec8dc02869999773cd4b2
SHA1 4b4d865132329e0dd1d129e85fc4fa9ad0c1d206
SHA256 774ef04333c3fb2a6a4407654e28c2900c62bd202ad6e5909336eb9bc180d279
SHA512 3854d8b8fc71f6ff48232839c5a2463ad2f94c6560fc57765a36da8121fdae5975a0334c1424a5fff7a3c7c3a4129f31cd8f14df6425d9f7ccdcf0a0e15724cf
-
\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
MD5 9dcec4cd98534038775474bedc66a237
SHA1 37c4e6955d492ba77b8b3101a46c0d9056a1620d
SHA256 9b7927979f7205cc87f772dafa96ab34b9914c205f42a18de80d7eaec8bb9871
SHA512 84c5d078c10fd1912004c98535096f16a8ffcd25f0387037ebc6482d1d6b501a455c5e59f5774b14f142d6222c6930f1a65cd923e89e865fc4a5c2a5d600ad01
-
\Users\Admin\AppData\Local\Temp\Bot_bottov768674.exe
MD5 8e0be060385c07d8e8860749f9c721c3
SHA1 18d38d893ded507b058266857633083d1fbdbac5
SHA256 46c8ac53157328105a599fd431f76664c79b597ab7686e12897b2d07043f8d2b
SHA512 8950b31c5615b8518894d0222d49d9f447a76b3e0c67556e31503bbdf899a7e3eaf352b18d22207b1752289c6d4520b77369fc5a5b43efcd86d9b37eaf1ade30
-
\Users\Admin\AppData\Local\Temp\E4D3.exe
MD5 20fe1450230d861579e323ffd7ba5485
SHA1 971e83ba0ff1cbbdc9e1ac1ff6cd1c9ae38ce633
SHA256 0cbd381e5c415c904ab13ab415f549b5b5711831fd20f46975c83fb4e03fc9e3
SHA512 abf22e174d97ffe32dcaa14277e9f658e5e3c2d47c21efd40be2d645cb3639534cc22c73de59c83d0e9485fffe17e9064b40f953de42b8bd9d28da95d2ff753f
-
\Users\Admin\AppData\Local\Temp\EC05.exe
MD5 047b7730310a945e1a587c5395c0638a
SHA1 685e18a8f11c49fcd2829cd79fb4acdcd254f2fa
SHA256 4ecf8f85d92f0d00fe80c0c8f7140888f8804b4834b94472960067fa54584a79
SHA512 f3ad7a1cdb85c051a6fcd0fa415c242bf77bf9ee9ce4f571ecb16d4f28292e0f1ccf6d84ea9db0b71a88ecb0bc3946df6ac77526dfd7f3054f3c68a8ebc49120
-
\Users\Admin\AppData\Local\Temp\filename.exe
MD5 4498fc49ef44442a2727cde9dc9c6aef
SHA1 bbe773c15ee59ab0ac0b2bb2d3d2a660ef84b16a
SHA256 e53ea20c7026e81930009f61c70ebba16de4bad0ee8211203422ecad3f2c9412
SHA512 1411170c8c131348cae3a69dbef01f127640435bdb48184d84ceae716273d2425b9e6328513c33db81b4b47dff6d39896389f3267c92f51e2e1efd9201294de3
-
\Users\Admin\AppData\Local\Temp\svcli.exe
MD5 1e6dd03f819ceb81293623cbf88505d3
SHA1 90a4237bd0a54e9d964805520477f11ae6859dc2
SHA256 9a2204f9f2ee0f3c5331b88a148770b0ab6bfcb6fa4452c040ef1245418a6dbf
SHA512 6aaf95d8b4209d233802ec0aaab55c29d3d5e500b00925c1bd6219035f022edf73e884d16a2b89a615a82b832e405b454f104eabc768916833193f0882b44e77
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
MD5 9c13ab7b79aec8dc02869999773cd4b2
SHA1 4b4d865132329e0dd1d129e85fc4fa9ad0c1d206
SHA256 774ef04333c3fb2a6a4407654e28c2900c62bd202ad6e5909336eb9bc180d279
SHA512 3854d8b8fc71f6ff48232839c5a2463ad2f94c6560fc57765a36da8121fdae5975a0334c1424a5fff7a3c7c3a4129f31cd8f14df6425d9f7ccdcf0a0e15724cf
-
memory/768-138-0x0000000001000000-0x0000000001756000-memory.dmp (7.3MB)
-
memory/768-132-0x0000000000000000-mapping.dmp
-
memory/816-114-0x0000000005500000-0x0000000005501000-memory.dmp (4KB)
-
memory/816-94-0x0000000000000000-mapping.dmp
-
memory/816-102-0x0000000001330000-0x0000000001331000-memory.dmp (4KB)
-
memory/904-116-0x0000000000330000-0x0000000000331000-memory.dmp (4KB)
-
memory/904-107-0x0000000000000000-mapping.dmp
-
memory/992-231-0x0000000000000000-mapping.dmp
-
memory/1228-65-0x0000000002A00000-0x0000000002A16000-memory.dmp (88KB)
-
memory/1296-148-0x0000000000000000-mapping.dmp
-
memory/1356-246-0x0000000004D40000-0x0000000004D41000-memory.dmp (4KB)
-
memory/1356-243-0x00000000004042AE-mapping.dmp
-
memory/1392-149-0x0000000000000000-mapping.dmp
-
memory/1416-90-0x0000000000250000-0x0000000000251000-memory.dmp (4KB)
-
memory/1416-80-0x0000000000000000-mapping.dmp
-
memory/1440-122-0x0000000000000000-mapping.dmp
-
memory/1440-126-0x0000000000E60000-0x00000000015B6000-memory.dmp (7.3MB)
-
memory/1492-150-0x0000000000000000-mapping.dmp
-
memory/1496-63-0x0000000075B31000-0x0000000075B33000-memory.dmp (8KB)
-
memory/1496-61-0x0000000000400000-0x0000000000409000-memory.dmp (36KB)
-
memory/1496-62-0x0000000000402E4E-mapping.dmp
-
memory/1612-135-0x0000000000000000-mapping.dmp
-
memory/1612-147-0x0000000005310000-0x0000000005311000-memory.dmp (4KB)
-
memory/1612-145-0x0000000000AA0000-0x0000000000AA1000-memory.dmp (4KB)
-
memory/1624-121-0x0000000006BA0000-0x000000000B67A000-memory.dmp (74.9MB)
-
memory/1624-125-0x0000000000400000-0x0000000004F36000-memory.dmp (75.2MB)
-
memory/1624-115-0x0000000000000000-mapping.dmp
-
memory/1684-64-0x0000000000020000-0x0000000000029000-memory.dmp (36KB)
-
memory/1684-60-0x00000000002E8000-0x00000000002F1000-memory.dmp (36KB)
-
memory/1732-92-0x00000000004A0000-0x000000000052E000-memory.dmp (568KB)
-
memory/1732-79-0x0000000000248000-0x0000000000297000-memory.dmp (316KB)
-
memory/1732-93-0x0000000000400000-0x0000000000491000-memory.dmp (580KB)
-
memory/1732-77-0x0000000000000000-mapping.dmp
-
memory/1748-88-0x0000000000400000-0x0000000002E10000-memory.dmp (42.1MB)
-
memory/1748-69-0x0000000000000000-mapping.dmp
-
memory/1748-71-0x0000000002F5B000-0x0000000002FD8000-memory.dmp (500KB)
-
memory/1748-76-0x0000000002E10000-0x0000000002EE6000-memory.dmp (856KB)
-
memory/1892-120-0x00000000006E0000-0x00000000006FC000-memory.dmp (112KB)
-
memory/1892-119-0x0000000000410000-0x0000000000431000-memory.dmp (132KB)
-
memory/1892-112-0x0000000004D40000-0x0000000004D41000-memory.dmp (4KB)
-
memory/1892-97-0x0000000000000000-mapping.dmp
-
memory/1892-103-0x0000000000360000-0x0000000000361000-memory.dmp (4KB)
-
memory/1992-233-0x0000000000000000-mapping.dmp
-
memory/2004-68-0x0000000002CD8000-0x0000000002D27000-memory.dmp (316KB)
-
memory/2004-66-0x0000000000000000-mapping.dmp
-
memory/2004-74-0x0000000000400000-0x0000000002BB6000-memory.dmp (39.7MB)
-
memory/2004-73-0x0000000000330000-0x00000000003BE000-memory.dmp (568KB)
-
memory/2128-237-0x0000000000000000-mapping.dmp
-
memory/2188-155-0x0000000001380000-0x0000000001381000-memory.dmp (4KB)
-
memory/2188-165-0x0000000004C50000-0x0000000004C51000-memory.dmp (4KB)
-
memory/2188-152-0x0000000000000000-mapping.dmp
-
memory/2188-207-0x0000000000500000-0x0000000000511000-memory.dmp (68KB)
-
memory/2244-181-0x000000001B9A0000-0x000000001B9A2000-memory.dmp (8KB)
-
memory/2244-180-0x0000000002270000-0x00000000022A9000-memory.dmp (228KB)
-
memory/2244-166-0x0000000002070000-0x00000000020AD000-memory.dmp (244KB)
-
memory/2244-162-0x000000013F690000-0x000000013F691000-memory.dmp (4KB)
-
memory/2244-159-0x0000000000000000-mapping.dmp
-
memory/2288-235-0x0000000000000000-mapping.dmp
-
memory/2324-178-0x0000000000810000-0x0000000000854000-memory.dmp (272KB)
-
memory/2324-168-0x0000000000000000-mapping.dmp
-
memory/2324-171-0x0000000000E00000-0x0000000000EA3000-memory.dmp (652KB)
-
memory/2324-172-0x0000000000E00000-0x0000000000EA3000-memory.dmp (652KB)
-
memory/2324-173-0x0000000000E00000-0x0000000000EA3000-memory.dmp (652KB)
-
memory/2324-174-0x0000000000090000-0x0000000000091000-memory.dmp (4KB)
-
memory/2324-177-0x0000000075890000-0x00000000758D7000-memory.dmp (284KB)
-
memory/2324-179-0x00000000000A0000-0x00000000000A1000-memory.dmp (4KB)
-
memory/2372-248-0x0000000000000000-mapping.dmp
-
memory/2408-182-0x0000000000000000-mapping.dmp
-
memory/2536-190-0x0000000000000000-mapping.dmp
-
memory/2564-196-0x0000000000000000-mapping.dmp
-
memory/2564-193-0x0000000000080000-0x0000000000081000-memory.dmp (4KB)
-
memory/2564-234-0x00000000000A0000-0x00000000000A1000-memory.dmp (4KB)
-
memory/2760-219-0x00000000049A0000-0x00000000049A1000-memory.dmp (4KB)
-
memory/2760-217-0x0000000000090000-0x0000000000091000-memory.dmp (4KB)
-
memory/2760-208-0x0000000000090000-0x0000000000098000-memory.dmp (32KB)
-
memory/2760-214-0x0000000000093F6E-mapping.dmp
-
memory/2760-209-0x0000000000090000-0x0000000000098000-memory.dmp (32KB)
-
memory/2760-215-0x0000000000090000-0x0000000000098000-memory.dmp (32KB)
-
memory/2760-216-0x0000000000090000-0x0000000000098000-memory.dmp (32KB)
-
memory/2868-220-0x0000000000000000-mapping.dmp
-
memory/2880-221-0x0000000000000000-mapping.dmp
-
memory/2908-222-0x0000000000000000-mapping.dmp
-
memory/2928-223-0x0000000000000000-mapping.dmp
-
memory/2956-224-0x0000000000000000-mapping.dmp
-
memory/2988-226-0x0000000000000000-mapping.dmp
-
memory/3000-225-0x0000000000000000-mapping.dmp
-
memory/3024-228-0x0000000000000000-mapping.dmp