danabot | bae8a350275fcbd67c5e6290df472a19e59646a5203536d2e152003a91a4db5d

Analysis

max time kernel
147s
max time network
148s
platform
windows10_x64
resource
win10-en-20210920
submitted
19-10-2021 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26336dc0ae102f2f33224e7a9287d2d9.exe
Size

6.2MB
MD5

26336dc0ae102f2f33224e7a9287d2d9
SHA1

69cbd25941b893bdc57737a4b3946a970ff3eaf4
SHA256

bae8a350275fcbd67c5e6290df472a19e59646a5203536d2e152003a91a4db5d
SHA512

a5feb183f86966cf4c8458da898385ac172678b28dafaf89a5bbe8cc92c171ca4251406bc7b42162195d167a0f97e293effce43447cdf918c441a46862c5afe3

Score

10^/10

danabot 4 banker collection discovery evasion spyware stealer themida trojan

Malware Config

Extracted

Family

danabot

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Extracted

Family

danabot

Version

2052

Botnet

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
main

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\WEYVSB~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\WEYVSB~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\WEYVSB~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\WEYVSB~1.DLL	DanabotLoader2021

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 824 created 1236 824 WerFault.exe rundll32.exe
PID 996 created 2340 996 WerFault.exe RUNDLL32.EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

description	pid	process	target process
PID 824 created 1236	824	WerFault.exe	rundll32.exe
PID 996 created 2340	996	WerFault.exe	RUNDLL32.EXE

Blocklisted process makes network request 10 IoCs

Processes:

WScript.exerundll32.exeRUNDLL32.EXE

flow	pid	process
34	1984	WScript.exe
36	1984	WScript.exe
38	1984	WScript.exe
40	1984	WScript.exe
44	1236	rundll32.exe
47	2232	RUNDLL32.EXE
49	2232	RUNDLL32.EXE
50	2232	RUNDLL32.EXE
51	2232	RUNDLL32.EXE
52	2232	RUNDLL32.EXE

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

foulervp.exegiliak.exeIntelRapid.exeweyvsbmj.exe

pid process

3432 foulervp.exe
3820 giliak.exe
912 IntelRapid.exe
996 weyvsbmj.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

foulervp.exeIntelRapid.exegiliak.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	foulervp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IntelRapid.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IntelRapid.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	giliak.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	giliak.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	foulervp.exe

Drops startup file 1 IoCs

Processes:

giliak.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk giliak.exe
Loads dropped DLL 4 IoCs

Processes:

26336dc0ae102f2f33224e7a9287d2d9.exerundll32.exeRUNDLL32.EXERUNDLL32.EXE

pid process

2016 26336dc0ae102f2f33224e7a9287d2d9.exe
1236 rundll32.exe
2232 RUNDLL32.EXE
2340 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk	giliak.exe

pid	process
2016	26336dc0ae102f2f33224e7a9287d2d9.exe
1236	rundll32.exe
2232	RUNDLL32.EXE
2340	RUNDLL32.EXE

Themida packer 16 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\effort\foulervp.exe	themida
C:\Users\Admin\AppData\Local\Temp\effort\foulervp.exe	themida
C:\Users\Admin\AppData\Local\Temp\effort\giliak.exe	themida
C:\Users\Admin\AppData\Local\Temp\effort\giliak.exe	themida
behavioral2/memory/3820-122-0x00007FF62BCB0000-0x00007FF62C636000-memory.dmp	themida
behavioral2/memory/3820-123-0x00007FF62BCB0000-0x00007FF62C636000-memory.dmp	themida
behavioral2/memory/3820-124-0x00007FF62BCB0000-0x00007FF62C636000-memory.dmp	themida
behavioral2/memory/3432-125-0x0000000000C90000-0x0000000001353000-memory.dmp	themida
behavioral2/memory/3432-126-0x0000000000C90000-0x0000000001353000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
behavioral2/memory/3432-130-0x0000000000C90000-0x0000000001353000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
behavioral2/memory/3432-132-0x0000000000C90000-0x0000000001353000-memory.dmp	themida
behavioral2/memory/912-133-0x00007FF6F8710000-0x00007FF6F9096000-memory.dmp	themida
behavioral2/memory/912-134-0x00007FF6F8710000-0x00007FF6F9096000-memory.dmp	themida
behavioral2/memory/912-135-0x00007FF6F8710000-0x00007FF6F9096000-memory.dmp	themida

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RUNDLL32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

giliak.exefoulervp.exeIntelRapid.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	giliak.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	foulervp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IntelRapid.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

giliak.exefoulervp.exeIntelRapid.exe

pid process

3820 giliak.exe
3432 foulervp.exe
912 IntelRapid.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

RUNDLL32.EXE

description pid process target process

PID 2340 set thread context of 1340 2340 RUNDLL32.EXE rundll32.exe

flow	ioc
8	ip-api.com

pid	process
3820	giliak.exe
3432	foulervp.exe
912	IntelRapid.exe

description	pid	process	target process
PID 2340 set thread context of 1340	2340	RUNDLL32.EXE	rundll32.exe

Drops file in Program Files directory 4 IoCs

Processes:

26336dc0ae102f2f33224e7a9287d2d9.exerundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	26336dc0ae102f2f33224e7a9287d2d9.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	26336dc0ae102f2f33224e7a9287d2d9.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	26336dc0ae102f2f33224e7a9287d2d9.exe
File created	C:\PROGRA~3\zohplghndapsm.tmp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

824 1236 WerFault.exe rundll32.exe
996 2340 WerFault.exe RUNDLL32.EXE

pid	pid_target	process	target process
824	1236	WerFault.exe	rundll32.exe
996	2340	WerFault.exe	RUNDLL32.EXE

Checks processor information in registry 2 TTPs 45 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

foulervp.exeRUNDLL32.EXERUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	foulervp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	foulervp.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TypedURLs	rundll32.exe

Modifies registry class 1 IoCs

Processes:

foulervp.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings foulervp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	foulervp.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exeRUNDLL32.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CCA5A76C31AE4AA766752DD408C1AA45F20A2AA8	RUNDLL32.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CCA5A76C31AE4AA766752DD408C1AA45F20A2AA8\Blob = 030000000100000014000000cca5a76c31ae4aa766752dd408c1aa45f20a2aa820000000010000009602000030820292308201fba0030201020208632abec3394c7f02300d06092a864886f70d01010b050030643136303406035504030c2d53716d616e74656320456e7465727072697365204d6f62696c6520526f6f7420666f72204d6963726f736f6674311d301b060355040a0c1453796d616e74656320436f72706f726174696f6e310b3009060355040613025553301e170d3139313032333133343134305a170d3233313032323133343134305a30643136303406035504030c2d53716d616e74656320456e7465727072697365204d6f62696c6520526f6f7420666f72204d6963726f736f6674311d301b060355040a0c1453796d616e74656320436f72706f726174696f6e310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100c6b140f805a48411f487789f02a322263944336ca8fcb933253faabb25a4da0b4312b16889a6fb9db9fb02c872c3f6d52c0cbb4161bf2b924f71ee38bd551593bd4e16238788c959d9fd85cddd9735628c70ffbcbbd5d194a9b17fd98c564ad1932bacc74747ef57eb04d133c697d272cfd9303be6c9c189f1f537a4ae1bcd070203010001a34d304b300f0603551d130101ff040530030101ff30380603551d110431302f822d53716d616e74656320456e7465727072697365204d6f62696c6520526f6f7420666f72204d6963726f736f6674300d06092a864886f70d01010b050003818100054a8cd799251b607cab8961b2701713c5471b37bec01ff34e280bbc923cc130773d69905282611e1a244161f29a7778556b7f16bd59c376b9627237ce2dde2b27868f2c1d70fccc896f71959fd7f47df7d6bd8f86023660b85793054e277a1e0583220cfb43fe3d7904199180f91b487ffca716d82f376ae9042bf6bc3cee0c	RUNDLL32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

IntelRapid.exe

pid process

912 IntelRapid.exe

pid	process
912	IntelRapid.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

foulervp.exeWerFault.exeRUNDLL32.EXEpowershell.exeRUNDLL32.EXEWerFault.exepowershell.exepowershell.exe

pid	process
3432	foulervp.exe
3432	foulervp.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe
824	WerFault.exe
2232	RUNDLL32.EXE
2232	RUNDLL32.EXE
2232	RUNDLL32.EXE
2232	RUNDLL32.EXE
2232	RUNDLL32.EXE
2232	RUNDLL32.EXE
2164	powershell.exe
2164	powershell.exe
2340	RUNDLL32.EXE
2340	RUNDLL32.EXE
996	WerFault.exe
996	WerFault.exe
996	WerFault.exe
996	WerFault.exe
996	WerFault.exe
996	WerFault.exe
996	WerFault.exe
996	WerFault.exe
996	WerFault.exe
996	WerFault.exe
996	WerFault.exe
996	WerFault.exe
996	WerFault.exe
996	WerFault.exe
2164	powershell.exe
2312	powershell.exe
2312	powershell.exe
2312	powershell.exe
2232	RUNDLL32.EXE
2232	RUNDLL32.EXE
1148	powershell.exe
1148	powershell.exe
1148	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

WerFault.exepowershell.exeWerFault.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	824	WerFault.exe
Token: SeBackupPrivilege	824	WerFault.exe
Token: SeDebugPrivilege	824	WerFault.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	996	WerFault.exe
Token: SeDebugPrivilege	2232	RUNDLL32.EXE
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

1340 rundll32.exe
2232 RUNDLL32.EXE

pid	process
1340	rundll32.exe
2232	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

26336dc0ae102f2f33224e7a9287d2d9.exegiliak.exefoulervp.exeweyvsbmj.exerundll32.exeRUNDLL32.EXERUNDLL32.EXErundll32.exepowershell.exe

description	pid	process	target process
PID 2016 wrote to memory of 3432	2016	26336dc0ae102f2f33224e7a9287d2d9.exe	foulervp.exe
PID 2016 wrote to memory of 3432	2016	26336dc0ae102f2f33224e7a9287d2d9.exe	foulervp.exe
PID 2016 wrote to memory of 3432	2016	26336dc0ae102f2f33224e7a9287d2d9.exe	foulervp.exe
PID 2016 wrote to memory of 3820	2016	26336dc0ae102f2f33224e7a9287d2d9.exe	giliak.exe
PID 2016 wrote to memory of 3820	2016	26336dc0ae102f2f33224e7a9287d2d9.exe	giliak.exe
PID 3820 wrote to memory of 912	3820	giliak.exe	IntelRapid.exe
PID 3820 wrote to memory of 912	3820	giliak.exe	IntelRapid.exe
PID 3432 wrote to memory of 996	3432	foulervp.exe	weyvsbmj.exe
PID 3432 wrote to memory of 996	3432	foulervp.exe	weyvsbmj.exe
PID 3432 wrote to memory of 996	3432	foulervp.exe	weyvsbmj.exe
PID 3432 wrote to memory of 3168	3432	foulervp.exe	WScript.exe
PID 3432 wrote to memory of 3168	3432	foulervp.exe	WScript.exe
PID 3432 wrote to memory of 3168	3432	foulervp.exe	WScript.exe
PID 996 wrote to memory of 1236	996	weyvsbmj.exe	rundll32.exe
PID 996 wrote to memory of 1236	996	weyvsbmj.exe	rundll32.exe
PID 996 wrote to memory of 1236	996	weyvsbmj.exe	rundll32.exe
PID 3432 wrote to memory of 1984	3432	foulervp.exe	WScript.exe
PID 3432 wrote to memory of 1984	3432	foulervp.exe	WScript.exe
PID 3432 wrote to memory of 1984	3432	foulervp.exe	WScript.exe
PID 1236 wrote to memory of 2232	1236	rundll32.exe	RUNDLL32.EXE
PID 1236 wrote to memory of 2232	1236	rundll32.exe	RUNDLL32.EXE
PID 1236 wrote to memory of 2232	1236	rundll32.exe	RUNDLL32.EXE
PID 2232 wrote to memory of 2164	2232	RUNDLL32.EXE	powershell.exe
PID 2232 wrote to memory of 2164	2232	RUNDLL32.EXE	powershell.exe
PID 2232 wrote to memory of 2164	2232	RUNDLL32.EXE	powershell.exe
PID 2232 wrote to memory of 2340	2232	RUNDLL32.EXE	RUNDLL32.EXE
PID 2232 wrote to memory of 2340	2232	RUNDLL32.EXE	RUNDLL32.EXE
PID 2232 wrote to memory of 2340	2232	RUNDLL32.EXE	RUNDLL32.EXE
PID 2340 wrote to memory of 1340	2340	RUNDLL32.EXE	rundll32.exe
PID 2340 wrote to memory of 1340	2340	RUNDLL32.EXE	rundll32.exe
PID 2340 wrote to memory of 1340	2340	RUNDLL32.EXE	rundll32.exe
PID 1340 wrote to memory of 1316	1340	rundll32.exe	ctfmon.exe
PID 1340 wrote to memory of 1316	1340	rundll32.exe	ctfmon.exe
PID 2232 wrote to memory of 2312	2232	RUNDLL32.EXE	powershell.exe
PID 2232 wrote to memory of 2312	2232	RUNDLL32.EXE	powershell.exe
PID 2232 wrote to memory of 2312	2232	RUNDLL32.EXE	powershell.exe
PID 2232 wrote to memory of 1148	2232	RUNDLL32.EXE	powershell.exe
PID 2232 wrote to memory of 1148	2232	RUNDLL32.EXE	powershell.exe
PID 2232 wrote to memory of 1148	2232	RUNDLL32.EXE	powershell.exe
PID 1148 wrote to memory of 2920	1148	powershell.exe	nslookup.exe
PID 1148 wrote to memory of 2920	1148	powershell.exe	nslookup.exe
PID 1148 wrote to memory of 2920	1148	powershell.exe	nslookup.exe
PID 2232 wrote to memory of 1124	2232	RUNDLL32.EXE	schtasks.exe
PID 2232 wrote to memory of 1124	2232	RUNDLL32.EXE	schtasks.exe
PID 2232 wrote to memory of 1124	2232	RUNDLL32.EXE	schtasks.exe
PID 2232 wrote to memory of 3040	2232	RUNDLL32.EXE	schtasks.exe
PID 2232 wrote to memory of 3040	2232	RUNDLL32.EXE	schtasks.exe
PID 2232 wrote to memory of 3040	2232	RUNDLL32.EXE	schtasks.exe

outlook_office_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

outlook_win_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

C:\Users\Admin\AppData\Local\Temp\26336dc0ae102f2f33224e7a9287d2d9.exe
"C:\Users\Admin\AppData\Local\Temp\26336dc0ae102f2f33224e7a9287d2d9.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\effort\foulervp.exe
"C:\Users\Admin\AppData\Local\Temp\effort\foulervp.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3432

C:\Users\Admin\AppData\Local\Temp\weyvsbmj.exe
"C:\Users\Admin\AppData\Local\Temp\weyvsbmj.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\WEYVSB~1.DLL,s C:\Users\Admin\AppData\Local\Temp\weyvsbmj.exe
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\WEYVSB~1.DLL,bxFeeGM=
5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2232

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\WEYVSB~1.DLL
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\WEYVSB~1.DLL,QAk2NUQ=
6⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 19638
7⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\system32\ctfmon.exe
ctfmon.exe
8⤵
PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 824
7⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpF4EB.tmp.ps1"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp837.tmp.ps1"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
7⤵
PID:2920

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
6⤵
PID:1124

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
6⤵
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 832
5⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\jylwqal.vbs"
3⤵
PID:3168

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\jnfqesgpeby.vbs"
3⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:1984

C:\Users\Admin\AppData\Local\Temp\effort\giliak.exe
"C:\Users\Admin\AppData\Local\Temp\effort\giliak.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3820

C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
"C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
PID:912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\zohplghndapsm.tmp
MD5
2def7e89943100cf26d70ef373b1260e

SHA1
d90f028ae9ac9f8edc26445639752acbcacc70e7

SHA256
178020d76bd88c4681056aeb6a693e8db6afe0f6283466c687c0ca0d04ed1549

SHA512
a65902089d46d2dcaca02caa028cc288e287de7a315ab631c532cf8c584850c2c896d3e8820ff338ab86e177b79d828c4fe1c8606e690477714a1afd65750624

Download Submit
C:\PROGRA~3\zohplghndapsm.tmp
MD5
e2f488ecf3adcb56caec78a8cbf47a7b

SHA1
5ffdf24f87b444614ca237fb9ae97f45c2ca25ed

SHA256
0f432109c757831415786b0efde7a5ee8e7090bc1abc05c1c05bea7ad6735f80

SHA512
e534a67be069fe8c6eadee0993b9ea0796e11e46d8cf061ceb6c1bcb2df6822d920f39dcc8e8b9a9fb8b2761883da38426a41c14c07d08a4e8b9f4a8b36ad576

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0d6b34901cd8055993f6fc2e8541b9ec

SHA1
ff707cc9cd66be15aa35bd776158c6356d4287f5

SHA256
cb81e9e1e4c680d6cd8789ee4efb5157e386b92adea2b2762a5ed57483e7735a

SHA512
aa9ccbf6a0e3557fef9e0bdcd4dd4742c1838dbe01815b6b51386ec2b6af17f7551d4fba6bc75ef5161be4574fc77a557ea516334f4043881a4d38343be4694b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2a7af5105ec2f0e3ab5753f8699f2970

SHA1
55887bb79b91feef194afd9a9fa66f561bffcb3d

SHA256
f9dba6784213f5645fbf64f0f59c20e69e423c8269efd6f3f12eaf730fa3fee2

SHA512
deae222d23d70187a0fa76b47ba6900f7adf53b097ddf934d054094cf3024b20fbb850d5569023122c4f6e348b93f7ccd9e75d87f8ad6b56ab2286f506eb05cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEYVSB~1.DLL
MD5
2917eef84c11dd5bbb2f8f6c66790230

SHA1
86c473469afcdffe307715a8fb40f6d05a520182

SHA256
fa2775a5162758a1a505d9c5383f3a26c2dfd82530c8e762bbea8ff9ee4ce30b

SHA512
e7573237b1ea3b653245e303578549813d4ef7aa5990a1d13de67e2a6171a534fe7df996c8014e03a560362f0ed54aec382827b20ed7c0aff019945690e61657

Download Submit
C:\Users\Admin\AppData\Local\Temp\effort\foulervp.exe
MD5
0e20c0706d5ed977ca4c638ffdf5ad99

SHA1
a226b30c4a30cb302ec5086a1e509bafca2ae42f

SHA256
c65908600ea034bff5009fc2b5ce1cb137140d61bfcb9118a8e6b0dea61c0b7e

SHA512
3b4a2a33210bef7188c3bfe3397e6b778df89ba32376fffffe97ed7408c87b2ef4c1a27e80b717d8034ba842d5767b71047fba571fc5b1aaf4bbcc4315a9689a

Download Submit
C:\Users\Admin\AppData\Local\Temp\effort\foulervp.exe
MD5
0e20c0706d5ed977ca4c638ffdf5ad99

SHA1
a226b30c4a30cb302ec5086a1e509bafca2ae42f

SHA256
c65908600ea034bff5009fc2b5ce1cb137140d61bfcb9118a8e6b0dea61c0b7e

SHA512
3b4a2a33210bef7188c3bfe3397e6b778df89ba32376fffffe97ed7408c87b2ef4c1a27e80b717d8034ba842d5767b71047fba571fc5b1aaf4bbcc4315a9689a

Download Submit
C:\Users\Admin\AppData\Local\Temp\effort\giliak.exe
MD5
25b502360214612a67db5f75f4b68b9e

SHA1
64852ba4d72da7e5b5750ce0b419e289325690f7

SHA256
429a260f7a8f95b16f28b2cb6c297b8c945dd3744f49aa7e0521eeebcfd251bd

SHA512
de8ead46922af0b3333065acca7d7b40979afaa258b2a6d2d1a39e4767b38e1ad37143c039e6e4038c23bdd8e2ffb8954339bdb04738c98548faa2877481c26c

Download Submit
C:\Users\Admin\AppData\Local\Temp\effort\giliak.exe
MD5
25b502360214612a67db5f75f4b68b9e

SHA1
64852ba4d72da7e5b5750ce0b419e289325690f7

SHA256
429a260f7a8f95b16f28b2cb6c297b8c945dd3744f49aa7e0521eeebcfd251bd

SHA512
de8ead46922af0b3333065acca7d7b40979afaa258b2a6d2d1a39e4767b38e1ad37143c039e6e4038c23bdd8e2ffb8954339bdb04738c98548faa2877481c26c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnfqesgpeby.vbs
MD5
3216b6032d2fe0fb141d1070438487dd

SHA1
917bd7f821d589b36353ca5081e6984d31ed69b8

SHA256
9209cd6717ddf764ec239c7966283ce83233b66a319a3dfa0b21cd8ef0c7b2bf

SHA512
0e53c8c9aa6f1c47fbd767ea12f2f934e2083cc3761696a21c13f811a62b1b8d9474eaa13607a11509102836a3c641242ee19792dbbaec92296e8643d167daff

Download Submit
C:\Users\Admin\AppData\Local\Temp\jylwqal.vbs
MD5
6fd0360f33237a6d06a683578d4ad396

SHA1
2ca4498ea1c6cf7fd5efba23103d41d8b19df2f7

SHA256
1d0d429f89e8a236839e26380b9abb323bb48094a49f70788f77940712add25a

SHA512
1ee729c63202a20affe1335ef7f755e10ab460acd4f6d019fc95f1da495c7bab612d3429144c1dab29c51ff7218b3db7df94169afea32123cb250d1083a0fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp837.tmp.ps1
MD5
803d783400c1afe89806320dc2a9247a

SHA1
8425ada439fb44638a929c42974039d981dea272

SHA256
8456f35c74e59e66575b88f3ef2218b44e78755b0e0402c94573bcca56049efc

SHA512
67fe5a490232afff81eb928ffd06f8e6ff3bfbb6f074f1711fbb80648b788323ed96d4dc00fadc86d161b4a31f4b6ea1677f23dbbfdc11b30a4626163a9bdb9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp838.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF4EB.tmp.ps1
MD5
5950e344c3b465ccf2997bc0a2d97064

SHA1
5c4cdf862026ce50b004a5ec86b7443e571c2e9f

SHA256
01cca3dc4b2db4934f19adf297620beb1815f487589081908fc1b7e900b0fda3

SHA512
17c1fbf4a0e01dedd63fecfb84ed498c2ef7622c0d957bccc05c37685f47e291404c25ad0ab5239f7d2164c0009d899d4909905c7ef4208827b1dbce790efb49

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF4EC.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\weyvsbmj.exe
MD5
763dcd16d2e57a9f1d8994d48d51fed4

SHA1
99b9f91a5b094e682f5c0ceb2086503ab439d9ac

SHA256
29393136e15f865547a490bc40afe42e35f761602bebb920883330206435919b

SHA512
6c26a168f8a8be912eacd095097d0f68c609b1eb227cd5f9acfb4b6e26841c6ee325431a1a706bd8366d6c498ab8af22f547b4cbf09e2c9ed062177c1055aeb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\weyvsbmj.exe
MD5
763dcd16d2e57a9f1d8994d48d51fed4

SHA1
99b9f91a5b094e682f5c0ceb2086503ab439d9ac

SHA256
29393136e15f865547a490bc40afe42e35f761602bebb920883330206435919b

SHA512
6c26a168f8a8be912eacd095097d0f68c609b1eb227cd5f9acfb4b6e26841c6ee325431a1a706bd8366d6c498ab8af22f547b4cbf09e2c9ed062177c1055aeb6

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
MD5
25b502360214612a67db5f75f4b68b9e

SHA1
64852ba4d72da7e5b5750ce0b419e289325690f7

SHA256
429a260f7a8f95b16f28b2cb6c297b8c945dd3744f49aa7e0521eeebcfd251bd

SHA512
de8ead46922af0b3333065acca7d7b40979afaa258b2a6d2d1a39e4767b38e1ad37143c039e6e4038c23bdd8e2ffb8954339bdb04738c98548faa2877481c26c

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
MD5
25b502360214612a67db5f75f4b68b9e

SHA1
64852ba4d72da7e5b5750ce0b419e289325690f7

SHA256
429a260f7a8f95b16f28b2cb6c297b8c945dd3744f49aa7e0521eeebcfd251bd

SHA512
de8ead46922af0b3333065acca7d7b40979afaa258b2a6d2d1a39e4767b38e1ad37143c039e6e4038c23bdd8e2ffb8954339bdb04738c98548faa2877481c26c

Download Submit
\Users\Admin\AppData\Local\Temp\WEYVSB~1.DLL
MD5
2917eef84c11dd5bbb2f8f6c66790230

SHA1
86c473469afcdffe307715a8fb40f6d05a520182

SHA256
fa2775a5162758a1a505d9c5383f3a26c2dfd82530c8e762bbea8ff9ee4ce30b

SHA512
e7573237b1ea3b653245e303578549813d4ef7aa5990a1d13de67e2a6171a534fe7df996c8014e03a560362f0ed54aec382827b20ed7c0aff019945690e61657

Download Submit
\Users\Admin\AppData\Local\Temp\WEYVSB~1.DLL
MD5
2917eef84c11dd5bbb2f8f6c66790230

SHA1
86c473469afcdffe307715a8fb40f6d05a520182

SHA256
fa2775a5162758a1a505d9c5383f3a26c2dfd82530c8e762bbea8ff9ee4ce30b

SHA512
e7573237b1ea3b653245e303578549813d4ef7aa5990a1d13de67e2a6171a534fe7df996c8014e03a560362f0ed54aec382827b20ed7c0aff019945690e61657

Download Submit
\Users\Admin\AppData\Local\Temp\WEYVSB~1.DLL
MD5
2917eef84c11dd5bbb2f8f6c66790230

SHA1
86c473469afcdffe307715a8fb40f6d05a520182

SHA256
fa2775a5162758a1a505d9c5383f3a26c2dfd82530c8e762bbea8ff9ee4ce30b

SHA512
e7573237b1ea3b653245e303578549813d4ef7aa5990a1d13de67e2a6171a534fe7df996c8014e03a560362f0ed54aec382827b20ed7c0aff019945690e61657

Download Submit
\Users\Admin\AppData\Local\Temp\nsf9E26.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/912-127-0x0000000000000000-mapping.dmp

Download
memory/912-135-0x00007FF6F8710000-0x00007FF6F9096000-memory.dmp

Filesize
9.5MB

Download
memory/912-134-0x00007FF6F8710000-0x00007FF6F9096000-memory.dmp

Filesize
9.5MB

Download
memory/912-133-0x00007FF6F8710000-0x00007FF6F9096000-memory.dmp

Filesize
9.5MB

Download
memory/996-136-0x0000000000000000-mapping.dmp

Download
memory/996-144-0x0000000004DB0000-0x0000000004EB9000-memory.dmp

Filesize
1.0MB

Download
memory/996-145-0x0000000000400000-0x0000000002FF2000-memory.dmp

Filesize
43.9MB

Download
memory/996-139-0x0000000004BB5000-0x0000000004CA7000-memory.dmp

Filesize
968KB

Download
memory/1124-474-0x0000000000000000-mapping.dmp

Download
memory/1148-426-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/1148-481-0x0000000004CE3000-0x0000000004CE4000-memory.dmp

Filesize
4KB

Download
memory/1148-428-0x0000000004CE2000-0x0000000004CE3000-memory.dmp

Filesize
4KB

Download
memory/1148-357-0x0000000000000000-mapping.dmp

Download
memory/1236-150-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1236-149-0x0000000005051000-0x0000000006035000-memory.dmp

Filesize
15.9MB

Download
memory/1236-142-0x0000000000000000-mapping.dmp

Download
memory/1316-187-0x0000000000000000-mapping.dmp

Download
memory/1340-190-0x000001D8F45E0000-0x000001D8F4792000-memory.dmp

Filesize
1.7MB

Download
memory/1340-189-0x00000000002A0000-0x0000000000440000-memory.dmp

Filesize
1.6MB

Download
memory/1340-183-0x00007FF64A2E5FD0-mapping.dmp

Download
memory/1340-186-0x000001D8F4420000-0x000001D8F4422000-memory.dmp

Filesize
8KB

Download
memory/1340-185-0x000001D8F4420000-0x000001D8F4422000-memory.dmp

Filesize
8KB

Download
memory/1984-147-0x0000000000000000-mapping.dmp

Download
memory/2164-165-0x0000000004D22000-0x0000000004D23000-memory.dmp

Filesize
4KB

Download
memory/2164-157-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/2164-164-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/2164-159-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/2164-188-0x0000000008810000-0x0000000008811000-memory.dmp

Filesize
4KB

Download
memory/2164-168-0x0000000007670000-0x0000000007671000-memory.dmp

Filesize
4KB

Download
memory/2164-167-0x00000000075D0000-0x00000000075D1000-memory.dmp

Filesize
4KB

Download
memory/2164-169-0x0000000007EA0000-0x0000000007EA1000-memory.dmp

Filesize
4KB

Download
memory/2164-170-0x00000000081A0000-0x00000000081A1000-memory.dmp

Filesize
4KB

Download
memory/2164-273-0x0000000004D23000-0x0000000004D24000-memory.dmp

Filesize
4KB

Download
memory/2164-272-0x000000007F3E0000-0x000000007F3E1000-memory.dmp

Filesize
4KB

Download
memory/2164-156-0x0000000000000000-mapping.dmp

Download
memory/2164-215-0x0000000009760000-0x0000000009793000-memory.dmp

Filesize
204KB

Download
memory/2164-162-0x0000000007800000-0x0000000007801000-memory.dmp

Filesize
4KB

Download
memory/2164-177-0x0000000007F10000-0x0000000007F11000-memory.dmp

Filesize
4KB

Download
memory/2164-158-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/2164-179-0x0000000008680000-0x0000000008681000-memory.dmp

Filesize
4KB

Download
memory/2164-196-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/2232-151-0x0000000000000000-mapping.dmp

Download
memory/2232-155-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2232-154-0x0000000004E61000-0x0000000005E45000-memory.dmp

Filesize
15.9MB

Download
memory/2312-203-0x0000000006FF2000-0x0000000006FF3000-memory.dmp

Filesize
4KB

Download
memory/2312-202-0x0000000006FF0000-0x0000000006FF1000-memory.dmp

Filesize
4KB

Download
memory/2312-208-0x0000000007290000-0x0000000007291000-memory.dmp

Filesize
4KB

Download
memory/2312-193-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/2312-214-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/2312-331-0x0000000006FF3000-0x0000000006FF4000-memory.dmp

Filesize
4KB

Download
memory/2312-191-0x0000000000000000-mapping.dmp

Download
memory/2312-192-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/2340-176-0x0000000006030000-0x0000000006170000-memory.dmp

Filesize
1.2MB

Download
memory/2340-166-0x0000000004F81000-0x0000000005F65000-memory.dmp

Filesize
15.9MB

Download
memory/2340-182-0x0000000006030000-0x0000000006170000-memory.dmp

Filesize
1.2MB

Download
memory/2340-181-0x0000000006030000-0x0000000006170000-memory.dmp

Filesize
1.2MB

Download
memory/2340-180-0x0000000006260000-0x0000000006261000-memory.dmp

Filesize
4KB

Download
memory/2340-178-0x0000000006030000-0x0000000006170000-memory.dmp

Filesize
1.2MB

Download
memory/2340-174-0x0000000006030000-0x0000000006170000-memory.dmp

Filesize
1.2MB

Download
memory/2340-173-0x0000000006030000-0x0000000006170000-memory.dmp

Filesize
1.2MB

Download
memory/2340-172-0x0000000006250000-0x0000000006251000-memory.dmp

Filesize
4KB

Download
memory/2340-171-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2340-160-0x0000000000000000-mapping.dmp

Download
memory/2920-471-0x0000000000000000-mapping.dmp

Download
memory/3040-482-0x0000000000000000-mapping.dmp

Download
memory/3168-140-0x0000000000000000-mapping.dmp

Download
memory/3432-116-0x0000000000000000-mapping.dmp

Download
memory/3432-132-0x0000000000C90000-0x0000000001353000-memory.dmp

Filesize
6.8MB

Download
memory/3432-130-0x0000000000C90000-0x0000000001353000-memory.dmp

Filesize
6.8MB

Download
memory/3432-131-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/3432-126-0x0000000000C90000-0x0000000001353000-memory.dmp

Filesize
6.8MB

Download
memory/3432-125-0x0000000000C90000-0x0000000001353000-memory.dmp

Filesize
6.8MB

Download
memory/3820-124-0x00007FF62BCB0000-0x00007FF62C636000-memory.dmp

Filesize
9.5MB

Download
memory/3820-119-0x0000000000000000-mapping.dmp

Download
memory/3820-122-0x00007FF62BCB0000-0x00007FF62C636000-memory.dmp

Filesize
9.5MB

Download
memory/3820-123-0x00007FF62BCB0000-0x00007FF62C636000-memory.dmp

Filesize
9.5MB

Download