danabot | c98b385fbe81a0170835d5ece1bb8a32fb93a7b98961fcd093416f6b3e8a1385

Analysis

max time kernel
146s
max time network
125s
platform
windows7_x64
resource
win7-en-20211014
submitted
19-10-2021 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95ba729a585e05067d55b624c9253986.exe
Size

6.1MB
MD5

95ba729a585e05067d55b624c9253986
SHA1

d22767b650d3a5f809fc3aca26f59cbcb5919c0b
SHA256

c98b385fbe81a0170835d5ece1bb8a32fb93a7b98961fcd093416f6b3e8a1385
SHA512

3777587e1ca246df901dbf7fdc6cf6349fb8d729ad36f061e743433a7666e1cc5f13f734e765d5c36f663a79125dc7bf2e4eebe892ed22880ceeccf170ad47b8

Score

10^/10

danabot 4 banker collection discovery evasion spyware stealer themida trojan

Malware Config

Extracted

Family

danabot

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Extracted

Family

danabot

Version

2052

Botnet

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
main

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 16 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\ABYOWD~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\ABYOWD~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\ABYOWD~1.DLL	DanabotLoader2021
C:\Users\Admin\AppData\Local\Temp\ABYOWD~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\ABYOWD~1.DLL	DanabotLoader2021
behavioral1/memory/724-105-0x00000000020D0000-0x0000000002236000-memory.dmp	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\ABYOWD~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\ABYOWD~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\ABYOWD~1.DLL	DanabotLoader2021
behavioral1/memory/1136-118-0x0000000001E00000-0x0000000001F66000-memory.dmp	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\ABYOWD~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\ABYOWD~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\ABYOWD~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\ABYOWD~1.DLL	DanabotLoader2021
behavioral1/memory/328-128-0x0000000001F10000-0x0000000002076000-memory.dmp	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\ABYOWD~1.DLL	DanabotLoader2021

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Blocklisted process makes network request 8 IoCs

Processes:

WScript.exerundll32.exeRUNDLL32.EXE

flow	pid	process
19	1648	WScript.exe
21	1648	WScript.exe
23	1648	WScript.exe
25	1648	WScript.exe
27	1648	WScript.exe
32	724	rundll32.exe
33	1136	RUNDLL32.EXE
37	1136	RUNDLL32.EXE

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

foulervp.exegiliak.exeIntelRapid.exeabyowdcmxvm.exe

pid process

1120 foulervp.exe
1240 giliak.exe
1448 IntelRapid.exe
1832 abyowdcmxvm.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

foulervp.exegiliak.exeIntelRapid.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	foulervp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	foulervp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	giliak.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	giliak.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IntelRapid.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IntelRapid.exe

Drops startup file 1 IoCs

Processes:

giliak.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk giliak.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk	giliak.exe

Loads dropped DLL 25 IoCs

Processes:

95ba729a585e05067d55b624c9253986.exefoulervp.exegiliak.exeabyowdcmxvm.exerundll32.exeRUNDLL32.EXERUNDLL32.EXE

pid	process
1336	95ba729a585e05067d55b624c9253986.exe
1336	95ba729a585e05067d55b624c9253986.exe
1120	foulervp.exe
1120	foulervp.exe
1336	95ba729a585e05067d55b624c9253986.exe
1336	95ba729a585e05067d55b624c9253986.exe
1240	giliak.exe
1240	giliak.exe
1240	giliak.exe
1120	foulervp.exe
1120	foulervp.exe
1832	abyowdcmxvm.exe
1832	abyowdcmxvm.exe
724	rundll32.exe
724	rundll32.exe
724	rundll32.exe
724	rundll32.exe
1136	RUNDLL32.EXE
1136	RUNDLL32.EXE
1136	RUNDLL32.EXE
1136	RUNDLL32.EXE
328	RUNDLL32.EXE
328	RUNDLL32.EXE
328	RUNDLL32.EXE
328	RUNDLL32.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 23 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\effort\foulervp.exe	themida
C:\Users\Admin\AppData\Local\Temp\effort\foulervp.exe	themida
\Users\Admin\AppData\Local\Temp\effort\foulervp.exe	themida
C:\Users\Admin\AppData\Local\Temp\effort\foulervp.exe	themida
\Users\Admin\AppData\Local\Temp\effort\foulervp.exe	themida
\Users\Admin\AppData\Local\Temp\effort\giliak.exe	themida
\Users\Admin\AppData\Local\Temp\effort\giliak.exe	themida
behavioral1/memory/1120-66-0x0000000000D80000-0x0000000001452000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\effort\giliak.exe	themida
behavioral1/memory/1120-67-0x0000000000D80000-0x0000000001452000-memory.dmp	themida
behavioral1/memory/1120-69-0x0000000000D80000-0x0000000001452000-memory.dmp	themida
behavioral1/memory/1120-70-0x0000000000D80000-0x0000000001452000-memory.dmp	themida
behavioral1/memory/1240-71-0x000000013FA20000-0x000000014033D000-memory.dmp	themida
behavioral1/memory/1240-72-0x000000013FA20000-0x000000014033D000-memory.dmp	themida
behavioral1/memory/1240-73-0x000000013FA20000-0x000000014033D000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\effort\giliak.exe	themida
\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
behavioral1/memory/1448-81-0x000000013F1A0000-0x000000013FABD000-memory.dmp	themida
behavioral1/memory/1448-82-0x000000013F1A0000-0x000000013FABD000-memory.dmp	themida
behavioral1/memory/1448-83-0x000000013F1A0000-0x000000013FABD000-memory.dmp	themida

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RUNDLL32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

foulervp.exegiliak.exeIntelRapid.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	foulervp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	giliak.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IntelRapid.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

foulervp.exegiliak.exeIntelRapid.exe

pid process

1120 foulervp.exe
1240 giliak.exe
1448 IntelRapid.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

RUNDLL32.EXE

description pid process target process

PID 328 set thread context of 1476 328 RUNDLL32.EXE rundll32.exe

flow	ioc
4	ip-api.com

description	pid	process	target process
PID 328 set thread context of 1476	328	RUNDLL32.EXE	rundll32.exe

Drops file in Program Files directory 4 IoCs

Processes:

95ba729a585e05067d55b624c9253986.exerundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	95ba729a585e05067d55b624c9253986.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	95ba729a585e05067d55b624c9253986.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	95ba729a585e05067d55b624c9253986.exe
File created	C:\PROGRA~3\zohplghndapsm.tmp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 56 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXERUNDLL32.EXEfoulervp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	foulervp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	foulervp.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exeRUNDLL32.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\15BB0E63E309CB20A0D897944411B6FDA06E6755	RUNDLL32.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\15BB0E63E309CB20A0D897944411B6FDA06E6755\Blob = 03000000010000001400000015bb0e63e309cb20a0d897944411b6fda06e67552000000001000000230200003082021f30820188a003020102020859e6fb731d520be2300d06092a864886f70d01010b0500302f312d302b06035504030c244d6963726f736f667420526f6f7420436572746966696361746c20417574686f72697479301e170d3139313032303232313734345a170d3233313031393232313734345a302f312d302b06035504030c244d6963726f736f667420526f6f7420436572746966696361746c20417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100e2e7d7ecd332e10e80cec7a3962ba8b41589c459802616279b064dd535888c33db045fc234d7396277194fd457fa167d7d5860671e6a764b62d837ed362e63cf7540c530141da2e15fda2eabd6fd515b40c6ad79d27783d8aee2672d47edb2caaef2cd3b7eda24d68083aa6e6410305a36f26d2116040aa551a264b7bd0ac7d70203010001a3443042300f0603551d130101ff040530030101ff302f0603551d110428302682244d6963726f736f667420526f6f7420436572746966696361746c20417574686f72697479300d06092a864886f70d01010b0500038181007c9b7a9f78695f5355331a7d72af3e385b6930959c7c9244a48dfb43f51dd6c3a4050b725cfde2595906c7f666067892e6022cc1afef2a0146b6737a1200561d369116cbedccf9044aea7ddada1a46ea7428567a61e9ceef67320ad571d00e9bc13f9ee184ab3cfe3cf9eea0d00e8abfff2cf364b881270b5553b9a58e2ca6f1	RUNDLL32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

IntelRapid.exe

pid process

1448 IntelRapid.exe

pid	process
1448	IntelRapid.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

foulervp.exeRUNDLL32.EXERUNDLL32.EXEpowershell.exe

pid	process
1120	foulervp.exe
1136	RUNDLL32.EXE
1136	RUNDLL32.EXE
1136	RUNDLL32.EXE
1136	RUNDLL32.EXE
328	RUNDLL32.EXE
1628	powershell.exe
1136	RUNDLL32.EXE
1136	RUNDLL32.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RUNDLL32.EXEpowershell.exe

description pid process

Token: SeDebugPrivilege 1136 RUNDLL32.EXE
Token: SeDebugPrivilege 1628 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

1476 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1136	RUNDLL32.EXE
Token: SeDebugPrivilege	1628	powershell.exe

pid	process
1476	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

95ba729a585e05067d55b624c9253986.exegiliak.exefoulervp.exeabyowdcmxvm.exerundll32.exeRUNDLL32.EXERUNDLL32.EXErundll32.exe

description	pid	process	target process
PID 1336 wrote to memory of 1120	1336	95ba729a585e05067d55b624c9253986.exe	foulervp.exe
PID 1336 wrote to memory of 1120	1336	95ba729a585e05067d55b624c9253986.exe	foulervp.exe
PID 1336 wrote to memory of 1120	1336	95ba729a585e05067d55b624c9253986.exe	foulervp.exe
PID 1336 wrote to memory of 1120	1336	95ba729a585e05067d55b624c9253986.exe	foulervp.exe
PID 1336 wrote to memory of 1120	1336	95ba729a585e05067d55b624c9253986.exe	foulervp.exe
PID 1336 wrote to memory of 1120	1336	95ba729a585e05067d55b624c9253986.exe	foulervp.exe
PID 1336 wrote to memory of 1120	1336	95ba729a585e05067d55b624c9253986.exe	foulervp.exe
PID 1336 wrote to memory of 1240	1336	95ba729a585e05067d55b624c9253986.exe	giliak.exe
PID 1336 wrote to memory of 1240	1336	95ba729a585e05067d55b624c9253986.exe	giliak.exe
PID 1336 wrote to memory of 1240	1336	95ba729a585e05067d55b624c9253986.exe	giliak.exe
PID 1336 wrote to memory of 1240	1336	95ba729a585e05067d55b624c9253986.exe	giliak.exe
PID 1240 wrote to memory of 1448	1240	giliak.exe	IntelRapid.exe
PID 1240 wrote to memory of 1448	1240	giliak.exe	IntelRapid.exe
PID 1240 wrote to memory of 1448	1240	giliak.exe	IntelRapid.exe
PID 1120 wrote to memory of 1832	1120	foulervp.exe	abyowdcmxvm.exe
PID 1120 wrote to memory of 1832	1120	foulervp.exe	abyowdcmxvm.exe
PID 1120 wrote to memory of 1832	1120	foulervp.exe	abyowdcmxvm.exe
PID 1120 wrote to memory of 1832	1120	foulervp.exe	abyowdcmxvm.exe
PID 1120 wrote to memory of 1832	1120	foulervp.exe	abyowdcmxvm.exe
PID 1120 wrote to memory of 1832	1120	foulervp.exe	abyowdcmxvm.exe
PID 1120 wrote to memory of 1832	1120	foulervp.exe	abyowdcmxvm.exe
PID 1120 wrote to memory of 848	1120	foulervp.exe	WScript.exe
PID 1120 wrote to memory of 848	1120	foulervp.exe	WScript.exe
PID 1120 wrote to memory of 848	1120	foulervp.exe	WScript.exe
PID 1120 wrote to memory of 848	1120	foulervp.exe	WScript.exe
PID 1120 wrote to memory of 848	1120	foulervp.exe	WScript.exe
PID 1120 wrote to memory of 848	1120	foulervp.exe	WScript.exe
PID 1120 wrote to memory of 848	1120	foulervp.exe	WScript.exe
PID 1832 wrote to memory of 724	1832	abyowdcmxvm.exe	rundll32.exe
PID 1832 wrote to memory of 724	1832	abyowdcmxvm.exe	rundll32.exe
PID 1832 wrote to memory of 724	1832	abyowdcmxvm.exe	rundll32.exe
PID 1832 wrote to memory of 724	1832	abyowdcmxvm.exe	rundll32.exe
PID 1832 wrote to memory of 724	1832	abyowdcmxvm.exe	rundll32.exe
PID 1832 wrote to memory of 724	1832	abyowdcmxvm.exe	rundll32.exe
PID 1832 wrote to memory of 724	1832	abyowdcmxvm.exe	rundll32.exe
PID 1120 wrote to memory of 1648	1120	foulervp.exe	WScript.exe
PID 1120 wrote to memory of 1648	1120	foulervp.exe	WScript.exe
PID 1120 wrote to memory of 1648	1120	foulervp.exe	WScript.exe
PID 1120 wrote to memory of 1648	1120	foulervp.exe	WScript.exe
PID 1120 wrote to memory of 1648	1120	foulervp.exe	WScript.exe
PID 1120 wrote to memory of 1648	1120	foulervp.exe	WScript.exe
PID 1120 wrote to memory of 1648	1120	foulervp.exe	WScript.exe
PID 724 wrote to memory of 1136	724	rundll32.exe	RUNDLL32.EXE
PID 724 wrote to memory of 1136	724	rundll32.exe	RUNDLL32.EXE
PID 724 wrote to memory of 1136	724	rundll32.exe	RUNDLL32.EXE
PID 724 wrote to memory of 1136	724	rundll32.exe	RUNDLL32.EXE
PID 724 wrote to memory of 1136	724	rundll32.exe	RUNDLL32.EXE
PID 724 wrote to memory of 1136	724	rundll32.exe	RUNDLL32.EXE
PID 724 wrote to memory of 1136	724	rundll32.exe	RUNDLL32.EXE
PID 1136 wrote to memory of 328	1136	RUNDLL32.EXE	RUNDLL32.EXE
PID 1136 wrote to memory of 328	1136	RUNDLL32.EXE	RUNDLL32.EXE
PID 1136 wrote to memory of 328	1136	RUNDLL32.EXE	RUNDLL32.EXE
PID 1136 wrote to memory of 328	1136	RUNDLL32.EXE	RUNDLL32.EXE
PID 1136 wrote to memory of 328	1136	RUNDLL32.EXE	RUNDLL32.EXE
PID 1136 wrote to memory of 328	1136	RUNDLL32.EXE	RUNDLL32.EXE
PID 1136 wrote to memory of 328	1136	RUNDLL32.EXE	RUNDLL32.EXE
PID 328 wrote to memory of 1476	328	RUNDLL32.EXE	rundll32.exe
PID 328 wrote to memory of 1476	328	RUNDLL32.EXE	rundll32.exe
PID 328 wrote to memory of 1476	328	RUNDLL32.EXE	rundll32.exe
PID 328 wrote to memory of 1476	328	RUNDLL32.EXE	rundll32.exe
PID 328 wrote to memory of 1476	328	RUNDLL32.EXE	rundll32.exe
PID 1476 wrote to memory of 1336	1476	rundll32.exe	ctfmon.exe
PID 1476 wrote to memory of 1336	1476	rundll32.exe	ctfmon.exe
PID 1476 wrote to memory of 1336	1476	rundll32.exe	ctfmon.exe

outlook_office_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

outlook_win_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

C:\Users\Admin\AppData\Local\Temp\95ba729a585e05067d55b624c9253986.exe
"C:\Users\Admin\AppData\Local\Temp\95ba729a585e05067d55b624c9253986.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1336

C:\Users\Admin\AppData\Local\Temp\effort\foulervp.exe
"C:\Users\Admin\AppData\Local\Temp\effort\foulervp.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1120

C:\Users\Admin\AppData\Local\Temp\abyowdcmxvm.exe
"C:\Users\Admin\AppData\Local\Temp\abyowdcmxvm.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\ABYOWD~1.DLL,s C:\Users\Admin\AppData\Local\Temp\ABYOWD~1.EXE
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:724

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\ABYOWD~1.DLL,NC4GVUk5
5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1136

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\ABYOWD~1.DLL,KxgSNHpTVDVr
6⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:328

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 17739
7⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\system32\ctfmon.exe
ctfmon.exe
8⤵
PID:1336

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp6CD7.tmp.ps1"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\oqrhsjkwlj.vbs"
3⤵
PID:848

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\jgmjtvgli.vbs"
3⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:1648

C:\Users\Admin\AppData\Local\Temp\effort\giliak.exe
"C:\Users\Admin\AppData\Local\Temp\effort\giliak.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1240

C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
"C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
PID:1448

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\zohplghndapsm.tmp
MD5
82d4a90b76c9577d8d1ea33a292bd039

SHA1
63d7695a4f59fc5be35c08c1c26e72f63e54ab92

SHA256
0d2a93ef60c8b185a42ca413012632b2a952ff237eec08204c0ce9fcfc967c82

SHA512
de95013386c77736fc93c37dde66c6bfd2826692fdcd052e231c55c807fb2bd8ec1d0f287ef45b6ed7f3557a841ac9b67c3105f6b457bcb397d8c87fb9f9b255

Download Submit
C:\PROGRA~3\zohplghndapsm.tmp
MD5
82d4a90b76c9577d8d1ea33a292bd039

SHA1
63d7695a4f59fc5be35c08c1c26e72f63e54ab92

SHA256
0d2a93ef60c8b185a42ca413012632b2a952ff237eec08204c0ce9fcfc967c82

SHA512
de95013386c77736fc93c37dde66c6bfd2826692fdcd052e231c55c807fb2bd8ec1d0f287ef45b6ed7f3557a841ac9b67c3105f6b457bcb397d8c87fb9f9b255

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
d810d75ef7f08a45f621850fdfda1206

SHA1
ee5e526ce91489303634a373bd981423afa279b0

SHA256
5bad863d8777e3c49799b01a0899ef3959b576ad2bded4e27e7ac7b9ae34ba8c

SHA512
026a693c14aa6fd8bee5664df0e822976ad1c674e5f8f9f556eb4a535a824f7725ff2dbc4b24f9f5887b36af735623d77d34832a23ae4db702359585159d8515

Download Submit
C:\Users\Admin\AppData\Local\Temp\ABYOWD~1.DLL
MD5
4d3d3ae03be0abe6f25aac77944851fa

SHA1
cfe8157dc463c52013b35717156cbd701d6c532c

SHA256
37f6629b9b15b2e2638c8cad7586e608589cb138e2ae6dbc6423588ba3fd38dc

SHA512
56cb4c5255223d6f57d84137c86bc824e5bd59e0df0fde2e27bb68ae6ebfe7ba3ba31c66f3d9942f0d5e069dcf2b6691a0e7b2ac3ca1e57ac41ef201385ef1a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\abyowdcmxvm.exe
MD5
327a36ee6b5fb3e95d975ee9f622ad5a

SHA1
28dd1e62967fafd0116ebc93e26d57a844a36bef

SHA256
fddab57903d8f025b87ab7dd7aa0b86e7813fbb712baf9bbad8a900fd11ceea3

SHA512
652ed545a42858bcf2a4396ac3d274d9a624e0a915193b8f6049f957d707ded2015eae58b13dc54ab79818fefef87604a02b5a8a7090b003a2403bb03d1f6cac

Download Submit
C:\Users\Admin\AppData\Local\Temp\abyowdcmxvm.exe
MD5
327a36ee6b5fb3e95d975ee9f622ad5a

SHA1
28dd1e62967fafd0116ebc93e26d57a844a36bef

SHA256
fddab57903d8f025b87ab7dd7aa0b86e7813fbb712baf9bbad8a900fd11ceea3

SHA512
652ed545a42858bcf2a4396ac3d274d9a624e0a915193b8f6049f957d707ded2015eae58b13dc54ab79818fefef87604a02b5a8a7090b003a2403bb03d1f6cac

Download Submit
C:\Users\Admin\AppData\Local\Temp\effort\foulervp.exe
MD5
cdb73573c8178486d14bd96c016b3704

SHA1
3d8f95f8746b3b2531eb572189318a7156922ac3

SHA256
3d073c7abee0fd8b6c23f451e1c124fda27982e39ddc1312dcb10792e8d0f997

SHA512
79bdded5729e8f20ea41063a43af5a2df4e3298dfc9f427b8d24ab8d36b555bb2198c8d7e5828a51c798de9ebd284e2357d9500c43d0da0a62ad1d0b1549dfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\effort\foulervp.exe
MD5
cdb73573c8178486d14bd96c016b3704

SHA1
3d8f95f8746b3b2531eb572189318a7156922ac3

SHA256
3d073c7abee0fd8b6c23f451e1c124fda27982e39ddc1312dcb10792e8d0f997

SHA512
79bdded5729e8f20ea41063a43af5a2df4e3298dfc9f427b8d24ab8d36b555bb2198c8d7e5828a51c798de9ebd284e2357d9500c43d0da0a62ad1d0b1549dfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\effort\giliak.exe
MD5
e8897ec6f7b1f25e825b8ea21cd6956f

SHA1
aa5853c9fd6cbaa2dbfc0d72595657bf037ac373

SHA256
6bdeeed4478140576e6d44228e0066f8fc0d7cd544c49ceaa144598953c5f654

SHA512
e3e6c7defd9872911a3799a9d5c6eda3fffafe2a836b7a2caa360529b1c3acbc516f21ee6beba4b1a8ffe662b439ca61d1ed6075ec3ea87fb7f77bc5609a52f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\effort\giliak.exe
MD5
e8897ec6f7b1f25e825b8ea21cd6956f

SHA1
aa5853c9fd6cbaa2dbfc0d72595657bf037ac373

SHA256
6bdeeed4478140576e6d44228e0066f8fc0d7cd544c49ceaa144598953c5f654

SHA512
e3e6c7defd9872911a3799a9d5c6eda3fffafe2a836b7a2caa360529b1c3acbc516f21ee6beba4b1a8ffe662b439ca61d1ed6075ec3ea87fb7f77bc5609a52f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgmjtvgli.vbs
MD5
4ffcd2bffe12871c8187f16f27990f2f

SHA1
94515a4b9e7ade097a7978b08886f8b43a1f29f0

SHA256
e77eb406bb4621593698ccc1da39db6aba225ec709982a1ba7b189be2e81240f

SHA512
8c3bd7c349a066283933dcb6ce370613df9d4d0223fbce40d582822eae138d93e13d016b4dcdd9c2963f9665667e9333cae5be17a57e7d5d014a199629c99174

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqrhsjkwlj.vbs
MD5
174d58a586f0c20c69f382ef14743cdd

SHA1
4c2d812a021c85d9a0d83551925677d157badd29

SHA256
3fb809b852f7bc0334bb6fcb815f35ebea6f1b3c860dea15cfef7493764e2cda

SHA512
0967abfe9f8811cf9498aee94a9b621dde5934724bd5535d2e02bb9f17608a7c22b90c8467dbb1a492535b81fc1a4f4af91a5e625097c76323c522168e3193cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6CD7.tmp.ps1
MD5
eb4fd2fb03166af5987a9c475af8c593

SHA1
08faeff2d51c9ac4a82b247d7a835173daaa67e3

SHA256
49ea1ddb1c81f5ea87416141f3608b78f9e14314b9cdac7aeef4fba3f90dbc31

SHA512
4c9930d940307f7e1bd5d2ebfbab8ec435b232a6f4d84c01c1f4cfd4aed3c2b6781d73d35530e738127910d4768a54ff0ebc4905a404860352f305738802581a

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
MD5
e8897ec6f7b1f25e825b8ea21cd6956f

SHA1
aa5853c9fd6cbaa2dbfc0d72595657bf037ac373

SHA256
6bdeeed4478140576e6d44228e0066f8fc0d7cd544c49ceaa144598953c5f654

SHA512
e3e6c7defd9872911a3799a9d5c6eda3fffafe2a836b7a2caa360529b1c3acbc516f21ee6beba4b1a8ffe662b439ca61d1ed6075ec3ea87fb7f77bc5609a52f4

Download Submit
\Users\Admin\AppData\Local\Temp\ABYOWD~1.DLL
MD5
4d3d3ae03be0abe6f25aac77944851fa

SHA1
cfe8157dc463c52013b35717156cbd701d6c532c

SHA256
37f6629b9b15b2e2638c8cad7586e608589cb138e2ae6dbc6423588ba3fd38dc

SHA512
56cb4c5255223d6f57d84137c86bc824e5bd59e0df0fde2e27bb68ae6ebfe7ba3ba31c66f3d9942f0d5e069dcf2b6691a0e7b2ac3ca1e57ac41ef201385ef1a3

Download Submit
\Users\Admin\AppData\Local\Temp\ABYOWD~1.DLL
MD5
4d3d3ae03be0abe6f25aac77944851fa

SHA1
cfe8157dc463c52013b35717156cbd701d6c532c

SHA256
37f6629b9b15b2e2638c8cad7586e608589cb138e2ae6dbc6423588ba3fd38dc

SHA512
56cb4c5255223d6f57d84137c86bc824e5bd59e0df0fde2e27bb68ae6ebfe7ba3ba31c66f3d9942f0d5e069dcf2b6691a0e7b2ac3ca1e57ac41ef201385ef1a3

Download Submit
\Users\Admin\AppData\Local\Temp\ABYOWD~1.DLL
MD5
4d3d3ae03be0abe6f25aac77944851fa

SHA1
cfe8157dc463c52013b35717156cbd701d6c532c

SHA256
37f6629b9b15b2e2638c8cad7586e608589cb138e2ae6dbc6423588ba3fd38dc

SHA512
56cb4c5255223d6f57d84137c86bc824e5bd59e0df0fde2e27bb68ae6ebfe7ba3ba31c66f3d9942f0d5e069dcf2b6691a0e7b2ac3ca1e57ac41ef201385ef1a3

Download Submit
\Users\Admin\AppData\Local\Temp\ABYOWD~1.DLL
MD5
4d3d3ae03be0abe6f25aac77944851fa

SHA1
cfe8157dc463c52013b35717156cbd701d6c532c

SHA256
37f6629b9b15b2e2638c8cad7586e608589cb138e2ae6dbc6423588ba3fd38dc

SHA512
56cb4c5255223d6f57d84137c86bc824e5bd59e0df0fde2e27bb68ae6ebfe7ba3ba31c66f3d9942f0d5e069dcf2b6691a0e7b2ac3ca1e57ac41ef201385ef1a3

Download Submit
\Users\Admin\AppData\Local\Temp\ABYOWD~1.DLL
MD5
4d3d3ae03be0abe6f25aac77944851fa

SHA1
cfe8157dc463c52013b35717156cbd701d6c532c

SHA256
37f6629b9b15b2e2638c8cad7586e608589cb138e2ae6dbc6423588ba3fd38dc

SHA512
56cb4c5255223d6f57d84137c86bc824e5bd59e0df0fde2e27bb68ae6ebfe7ba3ba31c66f3d9942f0d5e069dcf2b6691a0e7b2ac3ca1e57ac41ef201385ef1a3

Download Submit
\Users\Admin\AppData\Local\Temp\ABYOWD~1.DLL
MD5
4d3d3ae03be0abe6f25aac77944851fa

SHA1
cfe8157dc463c52013b35717156cbd701d6c532c

SHA256
37f6629b9b15b2e2638c8cad7586e608589cb138e2ae6dbc6423588ba3fd38dc

SHA512
56cb4c5255223d6f57d84137c86bc824e5bd59e0df0fde2e27bb68ae6ebfe7ba3ba31c66f3d9942f0d5e069dcf2b6691a0e7b2ac3ca1e57ac41ef201385ef1a3

Download Submit
\Users\Admin\AppData\Local\Temp\ABYOWD~1.DLL
MD5
4d3d3ae03be0abe6f25aac77944851fa

SHA1
cfe8157dc463c52013b35717156cbd701d6c532c

SHA256
37f6629b9b15b2e2638c8cad7586e608589cb138e2ae6dbc6423588ba3fd38dc

SHA512
56cb4c5255223d6f57d84137c86bc824e5bd59e0df0fde2e27bb68ae6ebfe7ba3ba31c66f3d9942f0d5e069dcf2b6691a0e7b2ac3ca1e57ac41ef201385ef1a3

Download Submit
\Users\Admin\AppData\Local\Temp\ABYOWD~1.DLL
MD5
4d3d3ae03be0abe6f25aac77944851fa

SHA1
cfe8157dc463c52013b35717156cbd701d6c532c

SHA256
37f6629b9b15b2e2638c8cad7586e608589cb138e2ae6dbc6423588ba3fd38dc

SHA512
56cb4c5255223d6f57d84137c86bc824e5bd59e0df0fde2e27bb68ae6ebfe7ba3ba31c66f3d9942f0d5e069dcf2b6691a0e7b2ac3ca1e57ac41ef201385ef1a3

Download Submit
\Users\Admin\AppData\Local\Temp\ABYOWD~1.DLL
MD5
4d3d3ae03be0abe6f25aac77944851fa

SHA1
cfe8157dc463c52013b35717156cbd701d6c532c

SHA256
37f6629b9b15b2e2638c8cad7586e608589cb138e2ae6dbc6423588ba3fd38dc

SHA512
56cb4c5255223d6f57d84137c86bc824e5bd59e0df0fde2e27bb68ae6ebfe7ba3ba31c66f3d9942f0d5e069dcf2b6691a0e7b2ac3ca1e57ac41ef201385ef1a3

Download Submit
\Users\Admin\AppData\Local\Temp\ABYOWD~1.DLL
MD5
4d3d3ae03be0abe6f25aac77944851fa

SHA1
cfe8157dc463c52013b35717156cbd701d6c532c

SHA256
37f6629b9b15b2e2638c8cad7586e608589cb138e2ae6dbc6423588ba3fd38dc

SHA512
56cb4c5255223d6f57d84137c86bc824e5bd59e0df0fde2e27bb68ae6ebfe7ba3ba31c66f3d9942f0d5e069dcf2b6691a0e7b2ac3ca1e57ac41ef201385ef1a3

Download Submit
\Users\Admin\AppData\Local\Temp\ABYOWD~1.DLL
MD5
4d3d3ae03be0abe6f25aac77944851fa

SHA1
cfe8157dc463c52013b35717156cbd701d6c532c

SHA256
37f6629b9b15b2e2638c8cad7586e608589cb138e2ae6dbc6423588ba3fd38dc

SHA512
56cb4c5255223d6f57d84137c86bc824e5bd59e0df0fde2e27bb68ae6ebfe7ba3ba31c66f3d9942f0d5e069dcf2b6691a0e7b2ac3ca1e57ac41ef201385ef1a3

Download Submit
\Users\Admin\AppData\Local\Temp\ABYOWD~1.DLL
MD5
4d3d3ae03be0abe6f25aac77944851fa

SHA1
cfe8157dc463c52013b35717156cbd701d6c532c

SHA256
37f6629b9b15b2e2638c8cad7586e608589cb138e2ae6dbc6423588ba3fd38dc

SHA512
56cb4c5255223d6f57d84137c86bc824e5bd59e0df0fde2e27bb68ae6ebfe7ba3ba31c66f3d9942f0d5e069dcf2b6691a0e7b2ac3ca1e57ac41ef201385ef1a3

Download Submit
\Users\Admin\AppData\Local\Temp\abyowdcmxvm.exe
MD5
327a36ee6b5fb3e95d975ee9f622ad5a

SHA1
28dd1e62967fafd0116ebc93e26d57a844a36bef

SHA256
fddab57903d8f025b87ab7dd7aa0b86e7813fbb712baf9bbad8a900fd11ceea3

SHA512
652ed545a42858bcf2a4396ac3d274d9a624e0a915193b8f6049f957d707ded2015eae58b13dc54ab79818fefef87604a02b5a8a7090b003a2403bb03d1f6cac

Download Submit
\Users\Admin\AppData\Local\Temp\abyowdcmxvm.exe
MD5
327a36ee6b5fb3e95d975ee9f622ad5a

SHA1
28dd1e62967fafd0116ebc93e26d57a844a36bef

SHA256
fddab57903d8f025b87ab7dd7aa0b86e7813fbb712baf9bbad8a900fd11ceea3

SHA512
652ed545a42858bcf2a4396ac3d274d9a624e0a915193b8f6049f957d707ded2015eae58b13dc54ab79818fefef87604a02b5a8a7090b003a2403bb03d1f6cac

Download Submit
\Users\Admin\AppData\Local\Temp\abyowdcmxvm.exe
MD5
327a36ee6b5fb3e95d975ee9f622ad5a

SHA1
28dd1e62967fafd0116ebc93e26d57a844a36bef

SHA256
fddab57903d8f025b87ab7dd7aa0b86e7813fbb712baf9bbad8a900fd11ceea3

SHA512
652ed545a42858bcf2a4396ac3d274d9a624e0a915193b8f6049f957d707ded2015eae58b13dc54ab79818fefef87604a02b5a8a7090b003a2403bb03d1f6cac

Download Submit
\Users\Admin\AppData\Local\Temp\abyowdcmxvm.exe
MD5
327a36ee6b5fb3e95d975ee9f622ad5a

SHA1
28dd1e62967fafd0116ebc93e26d57a844a36bef

SHA256
fddab57903d8f025b87ab7dd7aa0b86e7813fbb712baf9bbad8a900fd11ceea3

SHA512
652ed545a42858bcf2a4396ac3d274d9a624e0a915193b8f6049f957d707ded2015eae58b13dc54ab79818fefef87604a02b5a8a7090b003a2403bb03d1f6cac

Download Submit
\Users\Admin\AppData\Local\Temp\effort\foulervp.exe
MD5
cdb73573c8178486d14bd96c016b3704

SHA1
3d8f95f8746b3b2531eb572189318a7156922ac3

SHA256
3d073c7abee0fd8b6c23f451e1c124fda27982e39ddc1312dcb10792e8d0f997

SHA512
79bdded5729e8f20ea41063a43af5a2df4e3298dfc9f427b8d24ab8d36b555bb2198c8d7e5828a51c798de9ebd284e2357d9500c43d0da0a62ad1d0b1549dfe2

Download Submit
\Users\Admin\AppData\Local\Temp\effort\foulervp.exe
MD5
cdb73573c8178486d14bd96c016b3704

SHA1
3d8f95f8746b3b2531eb572189318a7156922ac3

SHA256
3d073c7abee0fd8b6c23f451e1c124fda27982e39ddc1312dcb10792e8d0f997

SHA512
79bdded5729e8f20ea41063a43af5a2df4e3298dfc9f427b8d24ab8d36b555bb2198c8d7e5828a51c798de9ebd284e2357d9500c43d0da0a62ad1d0b1549dfe2

Download Submit
\Users\Admin\AppData\Local\Temp\effort\foulervp.exe
MD5
cdb73573c8178486d14bd96c016b3704

SHA1
3d8f95f8746b3b2531eb572189318a7156922ac3

SHA256
3d073c7abee0fd8b6c23f451e1c124fda27982e39ddc1312dcb10792e8d0f997

SHA512
79bdded5729e8f20ea41063a43af5a2df4e3298dfc9f427b8d24ab8d36b555bb2198c8d7e5828a51c798de9ebd284e2357d9500c43d0da0a62ad1d0b1549dfe2

Download Submit
\Users\Admin\AppData\Local\Temp\effort\giliak.exe
MD5
e8897ec6f7b1f25e825b8ea21cd6956f

SHA1
aa5853c9fd6cbaa2dbfc0d72595657bf037ac373

SHA256
6bdeeed4478140576e6d44228e0066f8fc0d7cd544c49ceaa144598953c5f654

SHA512
e3e6c7defd9872911a3799a9d5c6eda3fffafe2a836b7a2caa360529b1c3acbc516f21ee6beba4b1a8ffe662b439ca61d1ed6075ec3ea87fb7f77bc5609a52f4

Download Submit
\Users\Admin\AppData\Local\Temp\effort\giliak.exe
MD5
e8897ec6f7b1f25e825b8ea21cd6956f

SHA1
aa5853c9fd6cbaa2dbfc0d72595657bf037ac373

SHA256
6bdeeed4478140576e6d44228e0066f8fc0d7cd544c49ceaa144598953c5f654

SHA512
e3e6c7defd9872911a3799a9d5c6eda3fffafe2a836b7a2caa360529b1c3acbc516f21ee6beba4b1a8ffe662b439ca61d1ed6075ec3ea87fb7f77bc5609a52f4

Download Submit
\Users\Admin\AppData\Local\Temp\nsyC6D9.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
MD5
e8897ec6f7b1f25e825b8ea21cd6956f

SHA1
aa5853c9fd6cbaa2dbfc0d72595657bf037ac373

SHA256
6bdeeed4478140576e6d44228e0066f8fc0d7cd544c49ceaa144598953c5f654

SHA512
e3e6c7defd9872911a3799a9d5c6eda3fffafe2a836b7a2caa360529b1c3acbc516f21ee6beba4b1a8ffe662b439ca61d1ed6075ec3ea87fb7f77bc5609a52f4

Download Submit
\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
MD5
e8897ec6f7b1f25e825b8ea21cd6956f

SHA1
aa5853c9fd6cbaa2dbfc0d72595657bf037ac373

SHA256
6bdeeed4478140576e6d44228e0066f8fc0d7cd544c49ceaa144598953c5f654

SHA512
e3e6c7defd9872911a3799a9d5c6eda3fffafe2a836b7a2caa360529b1c3acbc516f21ee6beba4b1a8ffe662b439ca61d1ed6075ec3ea87fb7f77bc5609a52f4

Download Submit
\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
MD5
e8897ec6f7b1f25e825b8ea21cd6956f

SHA1
aa5853c9fd6cbaa2dbfc0d72595657bf037ac373

SHA256
6bdeeed4478140576e6d44228e0066f8fc0d7cd544c49ceaa144598953c5f654

SHA512
e3e6c7defd9872911a3799a9d5c6eda3fffafe2a836b7a2caa360529b1c3acbc516f21ee6beba4b1a8ffe662b439ca61d1ed6075ec3ea87fb7f77bc5609a52f4

Download Submit
memory/328-131-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/328-122-0x0000000000000000-mapping.dmp

Download
memory/328-143-0x0000000000190000-0x000000000019F000-memory.dmp

Filesize
60KB

Download
memory/328-141-0x00000000021C0000-0x0000000002300000-memory.dmp

Filesize
1.2MB

Download
memory/328-140-0x00000000021C0000-0x0000000002300000-memory.dmp

Filesize
1.2MB

Download
memory/328-139-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/328-138-0x00000000021C0000-0x0000000002300000-memory.dmp

Filesize
1.2MB

Download
memory/328-136-0x00000000021C0000-0x0000000002300000-memory.dmp

Filesize
1.2MB

Download
memory/328-134-0x00000000021C0000-0x0000000002300000-memory.dmp

Filesize
1.2MB

Download
memory/328-133-0x00000000021C0000-0x0000000002300000-memory.dmp

Filesize
1.2MB

Download
memory/328-132-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/328-130-0x00000000026C1000-0x00000000036A5000-memory.dmp

Filesize
15.9MB

Download
memory/328-128-0x0000000001F10000-0x0000000002076000-memory.dmp

Filesize
1.4MB

Download
memory/724-111-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/724-105-0x00000000020D0000-0x0000000002236000-memory.dmp

Filesize
1.4MB

Download
memory/724-97-0x0000000000000000-mapping.dmp

Download
memory/724-110-0x00000000029A1000-0x0000000003985000-memory.dmp

Filesize
15.9MB

Download
memory/848-93-0x0000000000000000-mapping.dmp

Download
memory/1120-70-0x0000000000D80000-0x0000000001452000-memory.dmp

Filesize
6.8MB

Download
memory/1120-69-0x0000000000D80000-0x0000000001452000-memory.dmp

Filesize
6.8MB

Download
memory/1120-66-0x0000000000D80000-0x0000000001452000-memory.dmp

Filesize
6.8MB

Download
memory/1120-67-0x0000000000D80000-0x0000000001452000-memory.dmp

Filesize
6.8MB

Download
memory/1120-57-0x0000000000000000-mapping.dmp

Download
memory/1136-118-0x0000000001E00000-0x0000000001F66000-memory.dmp

Filesize
1.4MB

Download
memory/1136-112-0x0000000000000000-mapping.dmp

Download
memory/1136-121-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/1136-120-0x0000000002581000-0x0000000003565000-memory.dmp

Filesize
15.9MB

Download
memory/1240-71-0x000000013FA20000-0x000000014033D000-memory.dmp

Filesize
9.1MB

Download
memory/1240-65-0x0000000000000000-mapping.dmp

Download
memory/1240-73-0x000000013FA20000-0x000000014033D000-memory.dmp

Filesize
9.1MB

Download
memory/1240-75-0x000007FEFC441000-0x000007FEFC443000-memory.dmp

Filesize
8KB

Download
memory/1240-72-0x000000013FA20000-0x000000014033D000-memory.dmp

Filesize
9.1MB

Download
memory/1336-145-0x0000000000000000-mapping.dmp

Download
memory/1336-54-0x0000000075B71000-0x0000000075B73000-memory.dmp

Filesize
8KB

Download
memory/1448-83-0x000000013F1A0000-0x000000013FABD000-memory.dmp

Filesize
9.1MB

Download
memory/1448-81-0x000000013F1A0000-0x000000013FABD000-memory.dmp

Filesize
9.1MB

Download
memory/1448-79-0x0000000000000000-mapping.dmp

Download
memory/1448-82-0x000000013F1A0000-0x000000013FABD000-memory.dmp

Filesize
9.1MB

Download
memory/1476-146-0x0000000000100000-0x00000000002A0000-memory.dmp

Filesize
1.6MB

Download
memory/1476-142-0x00000000FF573CEC-mapping.dmp

Download
memory/1476-137-0x0000000000100000-0x00000000002A0000-memory.dmp

Filesize
1.6MB

Download
memory/1476-147-0x0000000001D60000-0x0000000001F12000-memory.dmp

Filesize
1.7MB

Download
memory/1628-148-0x0000000000000000-mapping.dmp

Download
memory/1628-150-0x0000000001E30000-0x0000000002A7A000-memory.dmp

Filesize
12.3MB

Download
memory/1648-106-0x0000000000000000-mapping.dmp

Download
memory/1832-96-0x0000000003450000-0x000000000603B000-memory.dmp

Filesize
43.9MB

Download
memory/1832-86-0x0000000000000000-mapping.dmp

Download
memory/1832-99-0x0000000000400000-0x0000000002FEB000-memory.dmp

Filesize
43.9MB

Download