raccoon | 211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3

Resubmissions

09-10-2021 06:02

211009-grepnafad7 10

08-10-2021 19:47

211008-yhw11segg5 10

08-10-2021 19:00

211008-xnq7aaegf2 10

Analysis

max time kernel
1222s
max time network
1146s
platform
windows11_x64
resource
win11
submitted
08-10-2021 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe
Size

166KB
MD5

38662eca83bf7fff531b9bdc43f8ed52
SHA1

1426c264bd6067cc8f5a76ac10182c380a18eb5b
SHA256

211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3
SHA512

4cdf5822e696a511bb689bfedad92ad10f3b148045eacd22977daa5b3397ee5e449db4fc31d97b3ac7e459ea3905eadf71ab6bfb91b9ff8d5219edec8278644e

Score

10^/10

raccoon redline smokeloader tofsee vidar 777 c95bfeb977df680e3fb35c1ce322d091ffdbaf92 backdoor collection discovery evasion infostealer spyware stealer themida trojan vmprotect

Malware Config

Extracted

Family

smokeloader

Version

2020

http://fazanaharahe10.top/

http://xandelissane20.top/

http://ustiassosale30.top/

http://cytheriata40.top/

http://ggiergionard50.top/

rc4.i32

Extracted

Family

redline

Botnet

777

93.115.20.139:28978

Extracted

Family

raccoon

Version

1.8.2

Botnet

c95bfeb977df680e3fb35c1ce322d091ffdbaf92

Attributes

url4cnc
http://teletop.top/vvhotsummer
http://teleta.top/vvhotsummer
https://t.me/vvhotsummer

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral4/memory/2168-171-0x0000000000000000-mapping.dmp	family_redline
behavioral4/memory/2168-172-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral4/memory/2168-184-0x0000000004EF0000-0x0000000005508000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\C2F.exe	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 2848 created 2876	2848	WerFault.exe	5D5.exe
PID 3936 created 2184	3936	WerFault.exe	17AA.exe
PID 4500 created 4596	4500	WerFault.exe	725D.exe
PID 4276 created 2036	4276	WerFault.exe	CB6B.exe
PID 4280 created 2352	4280	WerFault.exe	499E.exe

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral4/memory/4596-216-0x0000000004C20000-0x0000000004CF6000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 16 IoCs

Processes:

66DE.exe66DE.exeDFC.exeDFC.exe5D5.exeC2F.exe17AA.exe725D.exeCB6B.exeD734.exe2931.exe2EA1.exe37BA.exesqtvvs.exe419E.exe499E.exe

pid	process
3128	66DE.exe
3180	66DE.exe
1860	DFC.exe
2168	DFC.exe
2876	5D5.exe
3332	C2F.exe
2184	17AA.exe
4596	725D.exe
2036	CB6B.exe
3640	D734.exe
2896	2931.exe
3268	2EA1.exe
4788	37BA.exe
1516	sqtvvs.exe
4228	419E.exe
2352	499E.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\37BA.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\37BA.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe	vmprotect

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

419E.exeC2F.exeD734.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	419E.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	C2F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	C2F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	D734.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	D734.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	419E.exe

Loads dropped DLL 3 IoCs

Processes:

2EA1.exe

pid process

3268 2EA1.exe
3268 2EA1.exe
3268 2EA1.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3268	2EA1.exe
3268	2EA1.exe
3268	2EA1.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\C2F.exe	themida
behavioral4/memory/3332-218-0x0000000000FD0000-0x0000000000FD1000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\D734.exe	themida
behavioral4/memory/3640-245-0x0000000000C40000-0x0000000000C41000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\419E.exe	themida

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

2EA1.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	2EA1.exe

Accesses Microsoft Outlook profiles 1 TTPs 8 IoCs

collection

Email Collection

T1114

Processes:

2EA1.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook	2EA1.exe
Key opened	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	2EA1.exe
Key opened	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	2EA1.exe
Key opened	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook	2EA1.exe
Key opened	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook	2EA1.exe
Key opened	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	2EA1.exe
Key opened	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook	2EA1.exe
Key opened	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook	2EA1.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

C2F.exeD734.exe419E.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	C2F.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	D734.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	419E.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

C2F.exeD734.exe419E.exe

pid process

3332 C2F.exe
3640 D734.exe
4228 419E.exe

pid	process
3332	C2F.exe
3640	D734.exe
4228	419E.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe66DE.exeDFC.exe

description	pid	process	target process
PID 3544 set thread context of 1180	3544	211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe	211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe
PID 3128 set thread context of 3180	3128	66DE.exe	66DE.exe
PID 1860 set thread context of 2168	1860	DFC.exe	DFC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3148	2876	WerFault.exe	5D5.exe
4748	2184	WerFault.exe	17AA.exe
588	4596	WerFault.exe	725D.exe
4628	2036	WerFault.exe	CB6B.exe
2100	2352	WerFault.exe	499E.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe66DE.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	66DE.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	66DE.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	66DE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe

Checks processor information in registry 2 TTPs 35 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

752 schtasks.exe

pid	process
752	schtasks.exe

Enumerates system info in registry 2 TTPs 10 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Modifies data under HKEY_USERS 43 IoCs

Processes:

sihclient.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	sihclient.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe

pid	process
1180	211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe
1180	211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3232
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe66DE.exe

pid process

1180 211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe
3180 66DE.exe

pid	process
3232

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exeDFC.exeWerFault.exeC2F.exeD734.exe

description	pid	process
Token: SeSystemtimePrivilege	3964	svchost.exe
Token: SeSystemtimePrivilege	3964	svchost.exe
Token: SeIncBasePriorityPrivilege	3964	svchost.exe
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeDebugPrivilege	2168	DFC.exe
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeRestorePrivilege	3148	WerFault.exe
Token: SeBackupPrivilege	3148	WerFault.exe
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeDebugPrivilege	3332	C2F.exe
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeDebugPrivilege	3640	D734.exe
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

pid process

3232
3232
3232
3232
3232
3232
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

pid process

3232
3232
3232
3232
3232
3232
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3232

pid	process
3232
3232
3232
3232
3232
3232

pid	process
3232
3232
3232
3232
3232
3232

pid	process
3232

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe66DE.exeDFC.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe37BA.exe

description	pid	process	target process
PID 3544 wrote to memory of 1180	3544	211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe	211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe
PID 3544 wrote to memory of 1180	3544	211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe	211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe
PID 3544 wrote to memory of 1180	3544	211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe	211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe
PID 3544 wrote to memory of 1180	3544	211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe	211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe
PID 3544 wrote to memory of 1180	3544	211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe	211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe
PID 3544 wrote to memory of 1180	3544	211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe	211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe
PID 3232 wrote to memory of 3128	3232		66DE.exe
PID 3232 wrote to memory of 3128	3232		66DE.exe
PID 3232 wrote to memory of 3128	3232		66DE.exe
PID 3128 wrote to memory of 3180	3128	66DE.exe	66DE.exe
PID 3128 wrote to memory of 3180	3128	66DE.exe	66DE.exe
PID 3128 wrote to memory of 3180	3128	66DE.exe	66DE.exe
PID 3128 wrote to memory of 3180	3128	66DE.exe	66DE.exe
PID 3128 wrote to memory of 3180	3128	66DE.exe	66DE.exe
PID 3128 wrote to memory of 3180	3128	66DE.exe	66DE.exe
PID 3232 wrote to memory of 1860	3232		DFC.exe
PID 3232 wrote to memory of 1860	3232		DFC.exe
PID 3232 wrote to memory of 1860	3232		DFC.exe
PID 1860 wrote to memory of 2168	1860	DFC.exe	DFC.exe
PID 1860 wrote to memory of 2168	1860	DFC.exe	DFC.exe
PID 1860 wrote to memory of 2168	1860	DFC.exe	DFC.exe
PID 1860 wrote to memory of 2168	1860	DFC.exe	DFC.exe
PID 1860 wrote to memory of 2168	1860	DFC.exe	DFC.exe
PID 1860 wrote to memory of 2168	1860	DFC.exe	DFC.exe
PID 1860 wrote to memory of 2168	1860	DFC.exe	DFC.exe
PID 1860 wrote to memory of 2168	1860	DFC.exe	DFC.exe
PID 3232 wrote to memory of 2876	3232		5D5.exe
PID 3232 wrote to memory of 2876	3232		5D5.exe
PID 3232 wrote to memory of 2876	3232		5D5.exe
PID 3232 wrote to memory of 3332	3232		C2F.exe
PID 3232 wrote to memory of 3332	3232		C2F.exe
PID 3232 wrote to memory of 3332	3232		C2F.exe
PID 3232 wrote to memory of 2184	3232		17AA.exe
PID 3232 wrote to memory of 2184	3232		17AA.exe
PID 3232 wrote to memory of 2184	3232		17AA.exe
PID 2848 wrote to memory of 2876	2848	WerFault.exe	5D5.exe
PID 2848 wrote to memory of 2876	2848	WerFault.exe	5D5.exe
PID 3936 wrote to memory of 2184	3936	WerFault.exe	17AA.exe
PID 3936 wrote to memory of 2184	3936	WerFault.exe	17AA.exe
PID 3232 wrote to memory of 4596	3232		725D.exe
PID 3232 wrote to memory of 4596	3232		725D.exe
PID 3232 wrote to memory of 4596	3232		725D.exe
PID 4500 wrote to memory of 4596	4500	WerFault.exe	725D.exe
PID 4500 wrote to memory of 4596	4500	WerFault.exe	725D.exe
PID 3232 wrote to memory of 2036	3232		CB6B.exe
PID 3232 wrote to memory of 2036	3232		CB6B.exe
PID 3232 wrote to memory of 2036	3232		CB6B.exe
PID 3232 wrote to memory of 3640	3232		D734.exe
PID 3232 wrote to memory of 3640	3232		D734.exe
PID 3232 wrote to memory of 3640	3232		D734.exe
PID 4276 wrote to memory of 2036	4276	WerFault.exe	CB6B.exe
PID 4276 wrote to memory of 2036	4276	WerFault.exe	CB6B.exe
PID 3232 wrote to memory of 2896	3232		2931.exe
PID 3232 wrote to memory of 2896	3232		2931.exe
PID 3232 wrote to memory of 2896	3232		2931.exe
PID 3232 wrote to memory of 3268	3232		2EA1.exe
PID 3232 wrote to memory of 3268	3232		2EA1.exe
PID 3232 wrote to memory of 3268	3232		2EA1.exe
PID 3232 wrote to memory of 4788	3232		37BA.exe
PID 3232 wrote to memory of 4788	3232		37BA.exe
PID 3232 wrote to memory of 4788	3232		37BA.exe
PID 4788 wrote to memory of 1516	4788	37BA.exe	sqtvvs.exe
PID 4788 wrote to memory of 1516	4788	37BA.exe	sqtvvs.exe
PID 4788 wrote to memory of 1516	4788	37BA.exe	sqtvvs.exe

outlook_office_path 1 IoCs

Processes:

2EA1.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook	2EA1.exe

outlook_win_path 1 IoCs

Processes:

2EA1.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	2EA1.exe

C:\Users\Admin\AppData\Local\Temp\211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe
"C:\Users\Admin\AppData\Local\Temp\211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3544

C:\Users\Admin\AppData\Local\Temp\211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe
"C:\Users\Admin\AppData\Local\Temp\211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1180

C:\Windows\System32\Upfc.exe
C:\Windows\System32\Upfc.exe /launchtype periodic /cv kI4Azv9Yeku4dyAXNg+kFg.0
1⤵
PID:4992

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv 1PsfHjy/6UuX87LF/E3WAg.0.2
1⤵
- Modifies data under HKEY_USERS
PID:4416

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:3948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\66DE.exe
C:\Users\Admin\AppData\Local\Temp\66DE.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3128

C:\Users\Admin\AppData\Local\Temp\66DE.exe
C:\Users\Admin\AppData\Local\Temp\66DE.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3180

C:\Users\Admin\AppData\Local\Temp\DFC.exe
C:\Users\Admin\AppData\Local\Temp\DFC.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1860

C:\Users\Admin\AppData\Local\Temp\DFC.exe
C:\Users\Admin\AppData\Local\Temp\DFC.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Users\Admin\AppData\Local\Temp\5D5.exe
C:\Users\Admin\AppData\Local\Temp\5D5.exe
1⤵
- Executes dropped EXE
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 244
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3148

C:\Users\Admin\AppData\Local\Temp\C2F.exe
C:\Users\Admin\AppData\Local\Temp\C2F.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3332

C:\Users\Admin\AppData\Local\Temp\17AA.exe
C:\Users\Admin\AppData\Local\Temp\17AA.exe
1⤵
- Executes dropped EXE
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 236
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2876 -ip 2876
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2184 -ip 2184
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3936

C:\Users\Admin\AppData\Local\Temp\725D.exe
C:\Users\Admin\AppData\Local\Temp\725D.exe
1⤵
- Executes dropped EXE
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 304
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4596 -ip 4596
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4500

C:\Users\Admin\AppData\Local\Temp\CB6B.exe
C:\Users\Admin\AppData\Local\Temp\CB6B.exe
1⤵
- Executes dropped EXE
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 236
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4628

C:\Users\Admin\AppData\Local\Temp\D734.exe
C:\Users\Admin\AppData\Local\Temp\D734.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2036 -ip 2036
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4276

C:\Users\Admin\AppData\Local\Temp\2931.exe
C:\Users\Admin\AppData\Local\Temp\2931.exe
1⤵
- Executes dropped EXE
PID:2896

C:\Users\Admin\AppData\Local\Temp\2EA1.exe
C:\Users\Admin\AppData\Local\Temp\2EA1.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:3268

C:\Users\Admin\AppData\Local\Temp\37BA.exe
C:\Users\Admin\AppData\Local\Temp\37BA.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
"C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"
2⤵
- Executes dropped EXE
PID:1516

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\
3⤵
PID:860

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\
4⤵
PID:3524

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe" /F
3⤵
- Creates scheduled task(s)
PID:752

C:\Users\Admin\AppData\Local\Temp\419E.exe
C:\Users\Admin\AppData\Local\Temp\419E.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4228

C:\Users\Admin\AppData\Local\Temp\499E.exe
C:\Users\Admin\AppData\Local\Temp\499E.exe
1⤵
- Executes dropped EXE
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 260
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2352 -ip 2352
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\FflibsFder.tmp\mozglue.dll
MD5
eae9273f8cdcf9321c6c37c244773139

SHA1
8378e2a2f3635574c106eea8419b5eb00b8489b0

SHA256
a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

SHA512
06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

Download Submit
C:\Users\Admin\AppData\LocalLow\FflibsFder.tmp\nss3.dll
MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
C:\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DFC.exe.log
MD5
e07da89fc7e325db9d25e845e27027a8

SHA1
4b6a03bcdb46f325984cbbb6302ff79f33637e19

SHA256
94ab73c00494d10a2159175b81e23047621451e3a566e5a0b1222379db634aaf

SHA512
1e33e34595ebb6ce129d0244199d29722c916c036da542c3001f84b10a964b96cec7a9fdd19e120d7840614b307b504be993a4f8538d54382aa4944575476dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\15212577907532419383
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\17AA.exe
MD5
20fe1450230d861579e323ffd7ba5485

SHA1
971e83ba0ff1cbbdc9e1ac1ff6cd1c9ae38ce633

SHA256
0cbd381e5c415c904ab13ab415f549b5b5711831fd20f46975c83fb4e03fc9e3

SHA512
abf22e174d97ffe32dcaa14277e9f658e5e3c2d47c21efd40be2d645cb3639534cc22c73de59c83d0e9485fffe17e9064b40f953de42b8bd9d28da95d2ff753f

Download Submit
C:\Users\Admin\AppData\Local\Temp\17AA.exe
MD5
20fe1450230d861579e323ffd7ba5485

SHA1
971e83ba0ff1cbbdc9e1ac1ff6cd1c9ae38ce633

SHA256
0cbd381e5c415c904ab13ab415f549b5b5711831fd20f46975c83fb4e03fc9e3

SHA512
abf22e174d97ffe32dcaa14277e9f658e5e3c2d47c21efd40be2d645cb3639534cc22c73de59c83d0e9485fffe17e9064b40f953de42b8bd9d28da95d2ff753f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2931.exe
MD5
42161cff637993d514d1cc15ad5229af

SHA1
03ae4b56ba6f0fa6612d45f1f336fcc059d76178

SHA256
66a92814d6e3eab407e0c49e9dd10a21b093dbd79e7b3dd2c89367c94658e3f3

SHA512
722eeb2176d94254edf52a32ecd95eede02e0c518d924059520471e4232626b76041f9e6dcc586a8abc5a632ed013891c3dd92264cf891131a08d1baa0cadc8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2931.exe
MD5
42161cff637993d514d1cc15ad5229af

SHA1
03ae4b56ba6f0fa6612d45f1f336fcc059d76178

SHA256
66a92814d6e3eab407e0c49e9dd10a21b093dbd79e7b3dd2c89367c94658e3f3

SHA512
722eeb2176d94254edf52a32ecd95eede02e0c518d924059520471e4232626b76041f9e6dcc586a8abc5a632ed013891c3dd92264cf891131a08d1baa0cadc8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EA1.exe
MD5
61ac16369c6228d0e762519946fae610

SHA1
851bff728927da7f5245488c5abb9b7787b0fa85

SHA256
9ab460a5a88fb1c145c85a43bb56211c9209d650d25318f128a6a7f429b6bf45

SHA512
c9c5d689e86dfec882fa43d183d176b6cbec36a205c8ab53352f0c6c73b202472fe80f0324a741b220331a7273e5ac68fdcc4f199560d50c865739fa51ad2aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EA1.exe
MD5
61ac16369c6228d0e762519946fae610

SHA1
851bff728927da7f5245488c5abb9b7787b0fa85

SHA256
9ab460a5a88fb1c145c85a43bb56211c9209d650d25318f128a6a7f429b6bf45

SHA512
c9c5d689e86dfec882fa43d183d176b6cbec36a205c8ab53352f0c6c73b202472fe80f0324a741b220331a7273e5ac68fdcc4f199560d50c865739fa51ad2aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\37BA.exe
MD5
9dcec4cd98534038775474bedc66a237

SHA1
37c4e6955d492ba77b8b3101a46c0d9056a1620d

SHA256
9b7927979f7205cc87f772dafa96ab34b9914c205f42a18de80d7eaec8bb9871

SHA512
84c5d078c10fd1912004c98535096f16a8ffcd25f0387037ebc6482d1d6b501a455c5e59f5774b14f142d6222c6930f1a65cd923e89e865fc4a5c2a5d600ad01

Download Submit
C:\Users\Admin\AppData\Local\Temp\37BA.exe
MD5
9dcec4cd98534038775474bedc66a237

SHA1
37c4e6955d492ba77b8b3101a46c0d9056a1620d

SHA256
9b7927979f7205cc87f772dafa96ab34b9914c205f42a18de80d7eaec8bb9871

SHA512
84c5d078c10fd1912004c98535096f16a8ffcd25f0387037ebc6482d1d6b501a455c5e59f5774b14f142d6222c6930f1a65cd923e89e865fc4a5c2a5d600ad01

Download Submit
C:\Users\Admin\AppData\Local\Temp\419E.exe
MD5
696f26fdbaef21828cfb490c33a88e20

SHA1
02e7c5b4abc64177eccfe3678becbfe65f71d550

SHA256
b793664decfade077601c56fb60a41f9d1f55fb29cc51653bf8a6131536648d0

SHA512
77ebaacd90c606ef80226376d9cec9557c3669d4805c24b8bc0d4b3a04aa28003ec1983653199ab8cea1dc7af9d0b047fb9084da3fd977bdc4dd0f59310742cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\499E.exe
MD5
25a398ade67d1eb9974db341f4139a5b

SHA1
0fe163a25dc0c280fd334576605d0b988b8b5396

SHA256
7f5b4e168ef2a2cf6e339400752a2e3c12afeecb355fc5507b7db36cb70ec910

SHA512
e631adf0b0dbc126000d7662e1a89d2f53dd32e53337df09ce752f4cd9f064a1b6321eb0fdbf9f84776c856680ad555b6cf64d4a09ad9483e4058f7f1f539ca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\499E.exe
MD5
25a398ade67d1eb9974db341f4139a5b

SHA1
0fe163a25dc0c280fd334576605d0b988b8b5396

SHA256
7f5b4e168ef2a2cf6e339400752a2e3c12afeecb355fc5507b7db36cb70ec910

SHA512
e631adf0b0dbc126000d7662e1a89d2f53dd32e53337df09ce752f4cd9f064a1b6321eb0fdbf9f84776c856680ad555b6cf64d4a09ad9483e4058f7f1f539ca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5D5.exe
MD5
aa58d1f4f6f46fbde9cde947ee130ac1

SHA1
4d85d425431ee3413a115f80a9d6871c451b7148

SHA256
d82cd9ccf5444a3429ffe98e69c5d54403cc61484646eb9902f7ca8b5686a561

SHA512
9c1d9bceb7366a0f54b421eaca363b2543bdae10f3395fd16d5d254a0924ad51469a335b51ef1c732a5d7b045709bb99376b8de60d674b05511e041b0f710e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5D5.exe
MD5
aa58d1f4f6f46fbde9cde947ee130ac1

SHA1
4d85d425431ee3413a115f80a9d6871c451b7148

SHA256
d82cd9ccf5444a3429ffe98e69c5d54403cc61484646eb9902f7ca8b5686a561

SHA512
9c1d9bceb7366a0f54b421eaca363b2543bdae10f3395fd16d5d254a0924ad51469a335b51ef1c732a5d7b045709bb99376b8de60d674b05511e041b0f710e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
MD5
9dcec4cd98534038775474bedc66a237

SHA1
37c4e6955d492ba77b8b3101a46c0d9056a1620d

SHA256
9b7927979f7205cc87f772dafa96ab34b9914c205f42a18de80d7eaec8bb9871

SHA512
84c5d078c10fd1912004c98535096f16a8ffcd25f0387037ebc6482d1d6b501a455c5e59f5774b14f142d6222c6930f1a65cd923e89e865fc4a5c2a5d600ad01

Download Submit
C:\Users\Admin\AppData\Local\Temp\66DE.exe
MD5
38662eca83bf7fff531b9bdc43f8ed52

SHA1
1426c264bd6067cc8f5a76ac10182c380a18eb5b

SHA256
211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3

SHA512
4cdf5822e696a511bb689bfedad92ad10f3b148045eacd22977daa5b3397ee5e449db4fc31d97b3ac7e459ea3905eadf71ab6bfb91b9ff8d5219edec8278644e

Download Submit
C:\Users\Admin\AppData\Local\Temp\66DE.exe
MD5
38662eca83bf7fff531b9bdc43f8ed52

SHA1
1426c264bd6067cc8f5a76ac10182c380a18eb5b

SHA256
211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3

SHA512
4cdf5822e696a511bb689bfedad92ad10f3b148045eacd22977daa5b3397ee5e449db4fc31d97b3ac7e459ea3905eadf71ab6bfb91b9ff8d5219edec8278644e

Download Submit
C:\Users\Admin\AppData\Local\Temp\66DE.exe
MD5
38662eca83bf7fff531b9bdc43f8ed52

SHA1
1426c264bd6067cc8f5a76ac10182c380a18eb5b

SHA256
211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3

SHA512
4cdf5822e696a511bb689bfedad92ad10f3b148045eacd22977daa5b3397ee5e449db4fc31d97b3ac7e459ea3905eadf71ab6bfb91b9ff8d5219edec8278644e

Download Submit
C:\Users\Admin\AppData\Local\Temp\725D.exe
MD5
047b7730310a945e1a587c5395c0638a

SHA1
685e18a8f11c49fcd2829cd79fb4acdcd254f2fa

SHA256
4ecf8f85d92f0d00fe80c0c8f7140888f8804b4834b94472960067fa54584a79

SHA512
f3ad7a1cdb85c051a6fcd0fa415c242bf77bf9ee9ce4f571ecb16d4f28292e0f1ccf6d84ea9db0b71a88ecb0bc3946df6ac77526dfd7f3054f3c68a8ebc49120

Download Submit
C:\Users\Admin\AppData\Local\Temp\725D.exe
MD5
047b7730310a945e1a587c5395c0638a

SHA1
685e18a8f11c49fcd2829cd79fb4acdcd254f2fa

SHA256
4ecf8f85d92f0d00fe80c0c8f7140888f8804b4834b94472960067fa54584a79

SHA512
f3ad7a1cdb85c051a6fcd0fa415c242bf77bf9ee9ce4f571ecb16d4f28292e0f1ccf6d84ea9db0b71a88ecb0bc3946df6ac77526dfd7f3054f3c68a8ebc49120

Download Submit
C:\Users\Admin\AppData\Local\Temp\C2F.exe
MD5
dd8a2cdd496f64590ff7d109578bcafb

SHA1
af670c9d07a6c173b078208d59ee87a456008e98

SHA256
8b0ce7f9bc14bd2a9d418ee89bd05157ebd1c624f5561194947cbc3e0af5debe

SHA512
cd5c4d3cb2eff8cfa478ab008e5cdce47ac68da5894374c059df0c4ddb5352cd5930a0bbec71d706a3d00085126fc42eec0991db88f6474e0fdac2a8881fde25

Download Submit
C:\Users\Admin\AppData\Local\Temp\CB6B.exe
MD5
5096b9646917d070cccc8bf7877f21f9

SHA1
df654bb126cb97eb3342790a2b8cf67d2cc28206

SHA256
249f07e35d8da87e6641d39687bda3fb4cc02ab62c0bbb47537eddce26888a9c

SHA512
aa4065d7ce98d093fa1e1b0a20d4b6b0d49240593883da004845f508e978b22aa223649387a2dc8a774c1bdc5ba2c87057dc3c584ba8d379e22296089391b958

Download Submit
C:\Users\Admin\AppData\Local\Temp\CB6B.exe
MD5
5096b9646917d070cccc8bf7877f21f9

SHA1
df654bb126cb97eb3342790a2b8cf67d2cc28206

SHA256
249f07e35d8da87e6641d39687bda3fb4cc02ab62c0bbb47537eddce26888a9c

SHA512
aa4065d7ce98d093fa1e1b0a20d4b6b0d49240593883da004845f508e978b22aa223649387a2dc8a774c1bdc5ba2c87057dc3c584ba8d379e22296089391b958

Download Submit
C:\Users\Admin\AppData\Local\Temp\D734.exe
MD5
57b5f410bba704152ed728ae30b26665

SHA1
755da63fac5d2f95d600253a0a94e4d19c62eb96

SHA256
2dbeea7c52d13a743dbdbdde06da28d1616ea6b1d765684fd3ec1a8f44040269

SHA512
670a23161098b3c990f5c1c07ad86cb3fb14a61a62460f2e016d660331c07353a809ed5da92fa32e0e1d84512d8325fa3ecc896c0c2c10e1e8a6762a34cc416c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DFC.exe
MD5
4e77860c3d327d661d481433cd7c2b7f

SHA1
27ec68f26eb1b36044d71a64d2d399b06d2248a4

SHA256
48f51e29fc5411f2193d99ff98a4c6d9a6c92623125255442a0620e12993c747

SHA512
7a3b2c56911e82f17bca41fc4260c81a8287244497e88e1bdb6017901a632402d796a0f207402ed3ca975d6c8d37f2575057829f0459ab9616efcefb274429ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\DFC.exe
MD5
4e77860c3d327d661d481433cd7c2b7f

SHA1
27ec68f26eb1b36044d71a64d2d399b06d2248a4

SHA256
48f51e29fc5411f2193d99ff98a4c6d9a6c92623125255442a0620e12993c747

SHA512
7a3b2c56911e82f17bca41fc4260c81a8287244497e88e1bdb6017901a632402d796a0f207402ed3ca975d6c8d37f2575057829f0459ab9616efcefb274429ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\DFC.exe
MD5
4e77860c3d327d661d481433cd7c2b7f

SHA1
27ec68f26eb1b36044d71a64d2d399b06d2248a4

SHA256
48f51e29fc5411f2193d99ff98a4c6d9a6c92623125255442a0620e12993c747

SHA512
7a3b2c56911e82f17bca41fc4260c81a8287244497e88e1bdb6017901a632402d796a0f207402ed3ca975d6c8d37f2575057829f0459ab9616efcefb274429ca

Download Submit
memory/752-308-0x0000000000000000-mapping.dmp

Download
memory/860-306-0x0000000000000000-mapping.dmp

Download
memory/1180-151-0x0000000000000000-mapping.dmp

Download
memory/1180-152-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1516-292-0x0000000000000000-mapping.dmp

Download
memory/1860-162-0x0000000000000000-mapping.dmp

Download
memory/1860-165-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/1860-167-0x00000000058E0000-0x00000000058E1000-memory.dmp

Filesize
4KB

Download
memory/1860-168-0x00000000058B0000-0x00000000058B1000-memory.dmp

Filesize
4KB

Download
memory/1860-169-0x0000000005AD0000-0x0000000005AD1000-memory.dmp

Filesize
4KB

Download
memory/1860-170-0x0000000006090000-0x0000000006091000-memory.dmp

Filesize
4KB

Download
memory/2036-237-0x0000000000000000-mapping.dmp

Download
memory/2036-256-0x00000000007A0000-0x000000000082E000-memory.dmp

Filesize
568KB

Download
memory/2036-240-0x00000000006B3000-0x0000000000702000-memory.dmp

Filesize
316KB

Download
memory/2168-179-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/2168-171-0x0000000000000000-mapping.dmp

Download
memory/2168-192-0x00000000076B0000-0x00000000076B1000-memory.dmp

Filesize
4KB

Download
memory/2168-180-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/2168-189-0x0000000006D90000-0x0000000006D91000-memory.dmp

Filesize
4KB

Download
memory/2168-181-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/2168-178-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/2168-187-0x0000000007180000-0x0000000007181000-memory.dmp

Filesize
4KB

Download
memory/2168-186-0x0000000006A80000-0x0000000006A81000-memory.dmp

Filesize
4KB

Download
memory/2168-185-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/2168-177-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/2168-184-0x0000000004EF0000-0x0000000005508000-memory.dmp

Filesize
6.1MB

Download
memory/2168-183-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/2168-193-0x00000000078B0000-0x00000000078B1000-memory.dmp

Filesize
4KB

Download
memory/2168-182-0x0000000005DC0000-0x0000000005DC1000-memory.dmp

Filesize
4KB

Download
memory/2168-172-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2184-211-0x0000000002E70000-0x0000000002EFE000-memory.dmp

Filesize
568KB

Download
memory/2184-209-0x0000000002D43000-0x0000000002D92000-memory.dmp

Filesize
316KB

Download
memory/2184-206-0x0000000000000000-mapping.dmp

Download
memory/2352-320-0x0000000000000000-mapping.dmp

Download
memory/2352-333-0x00000000006F0000-0x0000000000732000-memory.dmp

Filesize
264KB

Download
memory/2876-210-0x00000000005F0000-0x0000000000603000-memory.dmp

Filesize
76KB

Download
memory/2876-203-0x0000000000683000-0x0000000000691000-memory.dmp

Filesize
56KB

Download
memory/2876-200-0x0000000000000000-mapping.dmp

Download
memory/2896-265-0x0000000000000000-mapping.dmp

Download
memory/2896-273-0x0000000004F90000-0x0000000005216000-memory.dmp

Filesize
2.5MB

Download
memory/3128-154-0x0000000000000000-mapping.dmp

Download
memory/3128-157-0x00000000004B3000-0x00000000004BC000-memory.dmp

Filesize
36KB

Download
memory/3180-158-0x0000000000000000-mapping.dmp

Download
memory/3232-153-0x0000000002E50000-0x0000000002E66000-memory.dmp

Filesize
88KB

Download
memory/3232-161-0x0000000005490000-0x00000000054A6000-memory.dmp

Filesize
88KB

Download
memory/3268-282-0x0000000000000000-mapping.dmp

Download
memory/3268-310-0x0000000000400000-0x0000000004F36000-memory.dmp

Filesize
75.2MB

Download
memory/3268-297-0x0000000006CF0000-0x000000000B7CA000-memory.dmp

Filesize
74.9MB

Download
memory/3332-204-0x0000000000000000-mapping.dmp

Download
memory/3332-218-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/3332-225-0x00000000059E0000-0x00000000059E1000-memory.dmp

Filesize
4KB

Download
memory/3524-327-0x0000000000000000-mapping.dmp

Download
memory/3544-146-0x0000000000773000-0x000000000077C000-memory.dmp

Filesize
36KB

Download
memory/3544-150-0x00000000005D0000-0x00000000005D9000-memory.dmp

Filesize
36KB

Download
memory/3640-254-0x0000000005F90000-0x0000000005F91000-memory.dmp

Filesize
4KB

Download
memory/3640-245-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/3640-241-0x0000000000000000-mapping.dmp

Download
memory/3948-149-0x000002950CEF0000-0x000002950CEF4000-memory.dmp

Filesize
16KB

Download
memory/3948-148-0x000002950A8F0000-0x000002950A900000-memory.dmp

Filesize
64KB

Download
memory/3948-198-0x000002950CF10000-0x000002950CF14000-memory.dmp

Filesize
16KB

Download
memory/3948-195-0x000002950D1A0000-0x000002950D1A1000-memory.dmp

Filesize
4KB

Download
memory/3948-196-0x000002950CF20000-0x000002950CF24000-memory.dmp

Filesize
16KB

Download
memory/3948-194-0x000002950D1E0000-0x000002950D1E4000-memory.dmp

Filesize
16KB

Download
memory/3948-197-0x000002950CF10000-0x000002950CF11000-memory.dmp

Filesize
4KB

Download
memory/3948-199-0x000002950ABF0000-0x000002950ABF1000-memory.dmp

Filesize
4KB

Download
memory/3948-147-0x000002950A870000-0x000002950A880000-memory.dmp

Filesize
64KB

Download
memory/4228-294-0x0000000000000000-mapping.dmp

Download
memory/4228-326-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/4596-216-0x0000000004C20000-0x0000000004CF6000-memory.dmp

Filesize
856KB

Download
memory/4596-212-0x0000000000000000-mapping.dmp

Download
memory/4596-215-0x0000000002EAD000-0x0000000002F29000-memory.dmp

Filesize
496KB

Download
memory/4788-285-0x0000000000000000-mapping.dmp

Download