danabot | c45d421ef1cd52ccc0dfa8bbacd093af7fdca76d402c7d773e97a5b1f0c8522a

Analysis

max time kernel
148s
max time network
147s
platform
windows10_x64
resource
win10-en-20211014
submitted
22-10-2021 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4708d7597f8efc46d22031ffc794047a.exe
Size

6.0MB
MD5

4708d7597f8efc46d22031ffc794047a
SHA1

028dd45e2fb27d82f53c14f1dc9abfa3573b8c15
SHA256

c45d421ef1cd52ccc0dfa8bbacd093af7fdca76d402c7d773e97a5b1f0c8522a
SHA512

2e435473f8874a6544044ca3ad6f939e80d87bdbb4dd42427b2c111024dbd8132021044565416cac0d27b8e5f7460bf8f696bfb1c7b04fbff20ef33ff386e4ba

Score

10^/10

danabot 4 banker collection discovery evasion spyware stealer themida trojan

Malware Config

Extracted

Family

danabot

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Extracted

Family

danabot

Version

2052

Botnet

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
main

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\CBFNPN~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\CBFNPN~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\CBFNPN~1.DLL	DanabotLoader2021
behavioral2/memory/3264-146-0x0000000000E10000-0x0000000000F74000-memory.dmp	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\CBFNPN~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\CBFNPN~1.DLL	DanabotLoader2021

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 388 created 1528 388 WerFault.exe cbfnpnnidcey.exe
PID 3208 created 3264 3208 WerFault.exe rundll32.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 6 IoCs

Processes:

WScript.exerundll32.exeRUNDLL32.EXE

flow pid process

44 3868 WScript.exe
46 3868 WScript.exe
48 3868 WScript.exe
50 3868 WScript.exe
51 3264 rundll32.exe
54 3192 RUNDLL32.EXE
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

remedy.exesimityvp.exeIntelRapid.execbfnpnnidcey.exe

pid process

2720 remedy.exe
3512 simityvp.exe
2312 IntelRapid.exe
1528 cbfnpnnidcey.exe

description	pid	process	target process
PID 388 created 1528	388	WerFault.exe	cbfnpnnidcey.exe
PID 3208 created 3264	3208	WerFault.exe	rundll32.exe

flow	pid	process
44	3868	WScript.exe
46	3868	WScript.exe
48	3868	WScript.exe
50	3868	WScript.exe
51	3264	rundll32.exe
54	3192	RUNDLL32.EXE

pid	process
2720	remedy.exe
3512	simityvp.exe
2312	IntelRapid.exe
1528	cbfnpnnidcey.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

remedy.exesimityvp.exeIntelRapid.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	remedy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	remedy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	simityvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	simityvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IntelRapid.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IntelRapid.exe

Drops startup file 1 IoCs

Processes:

remedy.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk remedy.exe
Loads dropped DLL 6 IoCs

Processes:

4708d7597f8efc46d22031ffc794047a.exerundll32.exeRUNDLL32.EXERUNDLL32.EXERUNDLL32.EXE

pid process

2268 4708d7597f8efc46d22031ffc794047a.exe
3264 rundll32.exe
3264 rundll32.exe
3192 RUNDLL32.EXE
3588 RUNDLL32.EXE
500 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk	remedy.exe

pid	process
2268	4708d7597f8efc46d22031ffc794047a.exe
3264	rundll32.exe
3264	rundll32.exe
3192	RUNDLL32.EXE
3588	RUNDLL32.EXE
500	RUNDLL32.EXE

Themida packer 16 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\lizard\remedy.exe	themida
C:\Users\Admin\AppData\Local\Temp\lizard\remedy.exe	themida
C:\Users\Admin\AppData\Local\Temp\lizard\simityvp.exe	themida
C:\Users\Admin\AppData\Local\Temp\lizard\simityvp.exe	themida
behavioral2/memory/2720-122-0x00007FF79B310000-0x00007FF79BC28000-memory.dmp	themida
behavioral2/memory/2720-123-0x00007FF79B310000-0x00007FF79BC28000-memory.dmp	themida
behavioral2/memory/2720-125-0x00007FF79B310000-0x00007FF79BC28000-memory.dmp	themida
behavioral2/memory/3512-126-0x00000000001D0000-0x0000000000899000-memory.dmp	themida
behavioral2/memory/3512-127-0x00000000001D0000-0x0000000000899000-memory.dmp	themida
behavioral2/memory/3512-128-0x00000000001D0000-0x0000000000899000-memory.dmp	themida
behavioral2/memory/3512-129-0x00000000001D0000-0x0000000000899000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
behavioral2/memory/2312-133-0x00007FF654F30000-0x00007FF655848000-memory.dmp	themida
behavioral2/memory/2312-134-0x00007FF654F30000-0x00007FF655848000-memory.dmp	themida
behavioral2/memory/2312-135-0x00007FF654F30000-0x00007FF655848000-memory.dmp	themida

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RUNDLL32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

remedy.exesimityvp.exeIntelRapid.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	remedy.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	simityvp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IntelRapid.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

remedy.exesimityvp.exeIntelRapid.exe

pid process

2720 remedy.exe
3512 simityvp.exe
2312 IntelRapid.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

RUNDLL32.EXE

description pid process target process

PID 3588 set thread context of 3832 3588 RUNDLL32.EXE rundll32.exe

flow	ioc
11	ip-api.com

pid	process
2720	remedy.exe
3512	simityvp.exe
2312	IntelRapid.exe

description	pid	process	target process
PID 3588 set thread context of 3832	3588	RUNDLL32.EXE	rundll32.exe

Drops file in Program Files directory 4 IoCs

Processes:

4708d7597f8efc46d22031ffc794047a.exerundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	4708d7597f8efc46d22031ffc794047a.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	4708d7597f8efc46d22031ffc794047a.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	4708d7597f8efc46d22031ffc794047a.exe
File created	C:\PROGRA~3\zohplghndapsm.tmp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

388 1528 WerFault.exe cbfnpnnidcey.exe
3208 3264 WerFault.exe rundll32.exe

pid	pid_target	process	target process
388	1528	WerFault.exe	cbfnpnnidcey.exe
3208	3264	WerFault.exe	rundll32.exe

Checks processor information in registry 2 TTPs 43 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXERUNDLL32.EXEsimityvp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	simityvp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	simityvp.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TypedURLs	rundll32.exe

Modifies registry class 1 IoCs

Processes:

simityvp.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings simityvp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings	simityvp.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exeRUNDLL32.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F94839E8083BAE409CB1682CF2AF381AF4C0DB4	RUNDLL32.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F94839E8083BAE409CB1682CF2AF381AF4C0DB4\Blob = 0300000001000000140000007f94839e8083bae409cb1682cf2af381af4c0db420000000010000006e0200003082026a308201d3a003020102020844196d28191764df300d06092a864886f70d01010b0500305a3122302006035504030c1942616c74696d6f72652043796265725472756c7420526f6f7431133011060355040b0c0a4379626572547275737431123010060355040a0c0942616c74696d6f7265310b3009060355040613024945301e170d3139313032333032323335335a170d3233313032323032323335335a305a3122302006035504030c1942616c74696d6f72652043796265725472756c7420526f6f7431133011060355040b0c0a4379626572547275737431123010060355040a0c0942616c74696d6f7265310b300906035504061302494530819f300d06092a864886f70d010101050003818d0030818902818100c56e3500f647ffd9e52951401a98fd59459e442643dbaafb6535cc73f6ecc4d60a304771f870c7ec52b32d507c5d26debac2300983c1e059ebbe7b5703e156052ddb7b61625e1a3aeaa8e93f20d9e224834edef9bd5e991d1cb04509310f4e6d2633568ebb25165f4f4cf04a967f26a76b030dd636f83b244ae91782e93c40950203010001a3393037300f0603551d130101ff040530030101ff30240603551d11041d301b821942616c74696d6f72652043796265725472756c7420526f6f74300d06092a864886f70d01010b0500038181003040b3da959f5651524b903c2454294c42c34802255b5e02de60c77712b0f6cd85caf77b48a0bf3a9b2ef725d3b7792bdb37bb7d4d56154ae8e9c7c8cce59824c34acfcc977a822ee3a46d403adbde92091a276d8576a6d4b616036e0b4a5f93e70a6708e089b302decf971d307ee2867d343ec14a221624c5710061d05fe781	RUNDLL32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

IntelRapid.exe

pid process

2312 IntelRapid.exe

pid	process
2312	IntelRapid.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

simityvp.exeWerFault.exeWerFault.exeRUNDLL32.EXERUNDLL32.EXEpowershell.exepowershell.exepowershell.exe

pid	process
3512	simityvp.exe
3512	simityvp.exe
388	WerFault.exe
388	WerFault.exe
388	WerFault.exe
388	WerFault.exe
388	WerFault.exe
388	WerFault.exe
388	WerFault.exe
388	WerFault.exe
388	WerFault.exe
388	WerFault.exe
388	WerFault.exe
388	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3208	WerFault.exe
3192	RUNDLL32.EXE
3192	RUNDLL32.EXE
3192	RUNDLL32.EXE
3192	RUNDLL32.EXE
3192	RUNDLL32.EXE
3192	RUNDLL32.EXE
3588	RUNDLL32.EXE
3588	RUNDLL32.EXE
2656	powershell.exe
2656	powershell.exe
3752	powershell.exe
3752	powershell.exe
2656	powershell.exe
3752	powershell.exe
3192	RUNDLL32.EXE
3192	RUNDLL32.EXE
3920	powershell.exe
3920	powershell.exe
3920	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

WerFault.exeWerFault.exepowershell.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	388	WerFault.exe
Token: SeBackupPrivilege	388	WerFault.exe
Token: SeDebugPrivilege	388	WerFault.exe
Token: SeDebugPrivilege	3208	WerFault.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	3192	RUNDLL32.EXE
Token: SeDebugPrivilege	3752	powershell.exe
Token: SeDebugPrivilege	3920	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

3832 rundll32.exe
3192 RUNDLL32.EXE

pid	process
3832	rundll32.exe
3192	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

4708d7597f8efc46d22031ffc794047a.exeremedy.exesimityvp.execbfnpnnidcey.exerundll32.exeRUNDLL32.EXERUNDLL32.EXErundll32.exepowershell.exe

description	pid	process	target process
PID 2268 wrote to memory of 2720	2268	4708d7597f8efc46d22031ffc794047a.exe	remedy.exe
PID 2268 wrote to memory of 2720	2268	4708d7597f8efc46d22031ffc794047a.exe	remedy.exe
PID 2268 wrote to memory of 3512	2268	4708d7597f8efc46d22031ffc794047a.exe	simityvp.exe
PID 2268 wrote to memory of 3512	2268	4708d7597f8efc46d22031ffc794047a.exe	simityvp.exe
PID 2268 wrote to memory of 3512	2268	4708d7597f8efc46d22031ffc794047a.exe	simityvp.exe
PID 2720 wrote to memory of 2312	2720	remedy.exe	IntelRapid.exe
PID 2720 wrote to memory of 2312	2720	remedy.exe	IntelRapid.exe
PID 3512 wrote to memory of 1528	3512	simityvp.exe	cbfnpnnidcey.exe
PID 3512 wrote to memory of 1528	3512	simityvp.exe	cbfnpnnidcey.exe
PID 3512 wrote to memory of 1528	3512	simityvp.exe	cbfnpnnidcey.exe
PID 3512 wrote to memory of 3944	3512	simityvp.exe	WScript.exe
PID 3512 wrote to memory of 3944	3512	simityvp.exe	WScript.exe
PID 3512 wrote to memory of 3944	3512	simityvp.exe	WScript.exe
PID 1528 wrote to memory of 3264	1528	cbfnpnnidcey.exe	rundll32.exe
PID 1528 wrote to memory of 3264	1528	cbfnpnnidcey.exe	rundll32.exe
PID 1528 wrote to memory of 3264	1528	cbfnpnnidcey.exe	rundll32.exe
PID 3512 wrote to memory of 3868	3512	simityvp.exe	WScript.exe
PID 3512 wrote to memory of 3868	3512	simityvp.exe	WScript.exe
PID 3512 wrote to memory of 3868	3512	simityvp.exe	WScript.exe
PID 3264 wrote to memory of 3192	3264	rundll32.exe	RUNDLL32.EXE
PID 3264 wrote to memory of 3192	3264	rundll32.exe	RUNDLL32.EXE
PID 3264 wrote to memory of 3192	3264	rundll32.exe	RUNDLL32.EXE
PID 3192 wrote to memory of 2656	3192	RUNDLL32.EXE	powershell.exe
PID 3192 wrote to memory of 2656	3192	RUNDLL32.EXE	powershell.exe
PID 3192 wrote to memory of 2656	3192	RUNDLL32.EXE	powershell.exe
PID 3192 wrote to memory of 3588	3192	RUNDLL32.EXE	RUNDLL32.EXE
PID 3192 wrote to memory of 3588	3192	RUNDLL32.EXE	RUNDLL32.EXE
PID 3192 wrote to memory of 3588	3192	RUNDLL32.EXE	RUNDLL32.EXE
PID 3588 wrote to memory of 3832	3588	RUNDLL32.EXE	rundll32.exe
PID 3588 wrote to memory of 3832	3588	RUNDLL32.EXE	rundll32.exe
PID 3588 wrote to memory of 3832	3588	RUNDLL32.EXE	rundll32.exe
PID 3192 wrote to memory of 500	3192	RUNDLL32.EXE	RUNDLL32.EXE
PID 3192 wrote to memory of 500	3192	RUNDLL32.EXE	RUNDLL32.EXE
PID 3192 wrote to memory of 500	3192	RUNDLL32.EXE	RUNDLL32.EXE
PID 3832 wrote to memory of 1328	3832	rundll32.exe	ctfmon.exe
PID 3832 wrote to memory of 1328	3832	rundll32.exe	ctfmon.exe
PID 3192 wrote to memory of 3752	3192	RUNDLL32.EXE	powershell.exe
PID 3192 wrote to memory of 3752	3192	RUNDLL32.EXE	powershell.exe
PID 3192 wrote to memory of 3752	3192	RUNDLL32.EXE	powershell.exe
PID 3192 wrote to memory of 3920	3192	RUNDLL32.EXE	powershell.exe
PID 3192 wrote to memory of 3920	3192	RUNDLL32.EXE	powershell.exe
PID 3192 wrote to memory of 3920	3192	RUNDLL32.EXE	powershell.exe
PID 3920 wrote to memory of 3088	3920	powershell.exe	nslookup.exe
PID 3920 wrote to memory of 3088	3920	powershell.exe	nslookup.exe
PID 3920 wrote to memory of 3088	3920	powershell.exe	nslookup.exe
PID 3192 wrote to memory of 2756	3192	RUNDLL32.EXE	schtasks.exe
PID 3192 wrote to memory of 2756	3192	RUNDLL32.EXE	schtasks.exe
PID 3192 wrote to memory of 2756	3192	RUNDLL32.EXE	schtasks.exe
PID 3192 wrote to memory of 3284	3192	RUNDLL32.EXE	schtasks.exe
PID 3192 wrote to memory of 3284	3192	RUNDLL32.EXE	schtasks.exe
PID 3192 wrote to memory of 3284	3192	RUNDLL32.EXE	schtasks.exe

outlook_office_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

outlook_win_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

C:\Users\Admin\AppData\Local\Temp\4708d7597f8efc46d22031ffc794047a.exe
"C:\Users\Admin\AppData\Local\Temp\4708d7597f8efc46d22031ffc794047a.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2268

C:\Users\Admin\AppData\Local\Temp\lizard\remedy.exe
"C:\Users\Admin\AppData\Local\Temp\lizard\remedy.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2720

C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
"C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
PID:2312

C:\Users\Admin\AppData\Local\Temp\lizard\simityvp.exe
"C:\Users\Admin\AppData\Local\Temp\lizard\simityvp.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3512

C:\Users\Admin\AppData\Local\Temp\cbfnpnnidcey.exe
"C:\Users\Admin\AppData\Local\Temp\cbfnpnnidcey.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\CBFNPN~1.DLL,s C:\Users\Admin\AppData\Local\Temp\CBFNPN~1.EXE
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3264

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\CBFNPN~1.DLL,eV0cV002
5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3192

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\CBFNPN~1.DLL
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\CBFNPN~1.DLL,gj1E
6⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3588

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 17659
7⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3832

C:\Windows\system32\ctfmon.exe
ctfmon.exe
8⤵
PID:1328

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll,Start
6⤵
- Loads dropped DLL
PID:500

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp2E1C.tmp.ps1"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp7364.tmp.ps1"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3920

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
7⤵
PID:3088

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
6⤵
PID:2756

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
6⤵
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 784
5⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 580
4⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:388

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rohnxuepug.vbs"
3⤵
PID:3944

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\gehmwexi.vbs"
3⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:3868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\zohplghndapsm.tmp
MD5
ac9aa30f97cba656ecc798d1aead4410

SHA1
b220e54a401c1c1135ce0a8106c249a7b7a87c44

SHA256
de3d0be676bca261b2ce5691b55b444355dd3ba0dd7614f1dd4f2921656b24d8

SHA512
118a41f3c386a29c2833d717d7d3eeab8c1cf85b34c303dd31f5e461aa14edb0198d75329902864402621b7431dcada6d2ee999e7bb071042f13d45604614d59

Download Submit
C:\PROGRA~3\zohplghndapsm.tmp
MD5
83ebc6a7b7eb0d0f15e69b397365a7dd

SHA1
94a9ad6ec5c2e5cce2a4e909d7ea622e6756f5e8

SHA256
4c2b0b73c16f9caaca97b16a58e0e5d2ee2eeb716f3e1564ca4ebd72c7465c28

SHA512
24f7d95e5b1c0753f7fc24b9eeecc6fb4bdc276a83854af046f7f9d313019a5c4d54f3bba02d6dbecf23b61853c6d0d8a5bf19c57d56eb5806eef9f23e1a8056

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
f7a808b5711f58fb4f85476c1bb24ac3

SHA1
fbdf9670d622e8fc3446ad4f53fbbd83016f03d1

SHA256
de4aadfe00c4cf41434a12450cdc69d37cb2d9cec951b074c3b5e7bfce9e94ec

SHA512
866848d13e999e6a1a79d77c33adb642d78d0a11adee293fca411b4ed5f7bf85324f90b3031148a66ac10dccc577d3c2a7c1ab6ed4237360de9911c27516a5af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
34cbce7a86066983ddec1c5c7316fa24

SHA1
a1135a1ddbfd3ae8079f7e449d7978fdb92f3bd9

SHA256
23bf6d99f757f6728c8c896676b0707e190e1acb80ec8758696fa3efa8d6cb42

SHA512
f6537a61341ef316200de61d4185d7fdf8169fa5f01446241d34dc74ffdf9edfd520c5d06d54c9df8a8d1eb0eeab53141d75c88f157b72cbcb6b7f0bdb84e769

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
36ed06e57449809251e7372a39ce7045

SHA1
713482f71fb8ba2dc421985a797f09b063124969

SHA256
87d562478329d3c055d09819751ab65bd05841fc7f71ce2f9b7c4149621c9e02

SHA512
5327ad6228ab5c478af3b18d818c61f3fc45939d2287a4c3337dfe168dd5a6416b389b67cbd5673a970d931f872b0b01949cf11eb485646c679447d93f62898c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
07d64ab75ad3a9dd73cd9867069a5a64

SHA1
9dd9251dab7e7544c7d1fac1f1f3bde3dee92a37

SHA256
e6c0b631af935f53f974055a1afb0202b39bf5dcb2ef7d9ae80aca6467d5a25f

SHA512
0dd62a7759ad0ebd8f92a5b2abe45cc16d9b9349f82846430e4818769192702f7e85fc8f6a7016fd1785a4739ddeea7a6f457c03d21d16b7b974ee98985bdc7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca

SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde

SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce

SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

Download Submit
C:\Users\Admin\AppData\Local\Temp\CBFNPN~1.DLL
MD5
20ddea4b300d2ffa7d3acaf5346a04cb

SHA1
bdea5ae26ed437d536a7909c4f8f7e546a0f0497

SHA256
a71a262055d3d1fdedef4601c9d0ebca48ddd33d60074bb772e3652ec2fddcb0

SHA512
4c6e63e3d1aca9d9e4b3ee904619a5e716ceefe60a2e9d56d10f179ee1803d7328d55ba6351efaa28731f5e1358ed30a3e534a04ed62b90ac4f5809db67f4881

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbfnpnnidcey.exe
MD5
00c28e54775b45f20fddff77b1ded22c

SHA1
f802027b030cc702464498dd28c58bfd61145a11

SHA256
d9e365ef3c3b36a9974bf0b5c95d50188d0879849fb39bc3dc38fdda6ced9b8b

SHA512
d0807f03ddfd6bca693fe3fc405e4a45cb86cab03dcff9b5dccf7401cab4236d29a8413c3c52e04e7adc06d30a5751d303eae25a888d5e14592a8fbd16795b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbfnpnnidcey.exe
MD5
00c28e54775b45f20fddff77b1ded22c

SHA1
f802027b030cc702464498dd28c58bfd61145a11

SHA256
d9e365ef3c3b36a9974bf0b5c95d50188d0879849fb39bc3dc38fdda6ced9b8b

SHA512
d0807f03ddfd6bca693fe3fc405e4a45cb86cab03dcff9b5dccf7401cab4236d29a8413c3c52e04e7adc06d30a5751d303eae25a888d5e14592a8fbd16795b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gehmwexi.vbs
MD5
3087bf74b4c7f5c32f281e3729a00339

SHA1
bccbc61b31a1150b5ed46b246b555d4682af9e39

SHA256
d92ad78b506305aa71a470cacbf2e49f4d458b3e35b6474909402e111e7e4761

SHA512
ceff15750150f98565530aefef4f75491e2cda8e891a4dd8238ba88ab9612e67a67beb7e0bd41bb6bd97de5cf5fba8697b87a179c79340ed487157fb03bc48ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\lizard\remedy.exe
MD5
a549bfe1170323076f438b7199bd39da

SHA1
fb893bcde83c6a8544276f464f03ec762cd3ca0a

SHA256
10a7145031d494fa4b85a71bf01ada3362ce77cd94dc8f6bd7c0afcf7797aac8

SHA512
469a623678fe783cac684b61431b8694f88cb23cf048df3e2d3e0f7955f92f79dcc58de03788d7a34c6ec7e9511c0902f72e8484ccf2834bb4275d362d81ceda

Download Submit
C:\Users\Admin\AppData\Local\Temp\lizard\remedy.exe
MD5
a549bfe1170323076f438b7199bd39da

SHA1
fb893bcde83c6a8544276f464f03ec762cd3ca0a

SHA256
10a7145031d494fa4b85a71bf01ada3362ce77cd94dc8f6bd7c0afcf7797aac8

SHA512
469a623678fe783cac684b61431b8694f88cb23cf048df3e2d3e0f7955f92f79dcc58de03788d7a34c6ec7e9511c0902f72e8484ccf2834bb4275d362d81ceda

Download Submit
C:\Users\Admin\AppData\Local\Temp\lizard\simityvp.exe
MD5
7acd70f3dfdcd33dbe40603e939fcb79

SHA1
d7f63d7b0a37b3d78d13e8ea783e0aba6507aa20

SHA256
069539fb82534ac72239b2f35f4711cd4ac828d26ab29e159c1082f725b9999d

SHA512
4ef930ac69b82f078084212d6e57ea0522568452aca5e35de3a0b85a99a9dae6209fcd394582ea64ac8d45e9708dffefada5d267254332bfa62da780d968cefc

Download Submit
C:\Users\Admin\AppData\Local\Temp\lizard\simityvp.exe
MD5
7acd70f3dfdcd33dbe40603e939fcb79

SHA1
d7f63d7b0a37b3d78d13e8ea783e0aba6507aa20

SHA256
069539fb82534ac72239b2f35f4711cd4ac828d26ab29e159c1082f725b9999d

SHA512
4ef930ac69b82f078084212d6e57ea0522568452aca5e35de3a0b85a99a9dae6209fcd394582ea64ac8d45e9708dffefada5d267254332bfa62da780d968cefc

Download Submit
C:\Users\Admin\AppData\Local\Temp\rohnxuepug.vbs
MD5
1bf19fb112f91220f3ce1d4dfbc5fcc4

SHA1
a30ab1f9058e1f6d722cdf4497fa0d51e625e756

SHA256
c6cab65e67b39b90b4d5399b481be3fd81124debd439521d13c0f087df65f36c

SHA512
8dc200a3da8794932f08e234ec33bce8a285526b2980ae87ea2b7a0bc95aae57bab38a49c4da8a6a4525935774dd75e12f5afc96ec9813eb46921e30d54371d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2E1C.tmp.ps1
MD5
148b05bc8d4319efc60c771b57e38c7a

SHA1
240e666c15b5fad8ea848031b35bf21886fc3fcc

SHA256
98d43c69c800dc0d4754b4b4a44212e64b1ed3f955af68c4d15b13c8734f40eb

SHA512
efdeabcde8f34e0748c99e640e09301a32d79d52b2bfd04d0f17739cbde843f3478f07065658c1cb22a4af2c703491319266611284b8d7a75f8d3c66b8f3728a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2E1D.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7364.tmp.ps1
MD5
707bbc0500d0716e753f78bcecf6e0cb

SHA1
fd91ed998778f073b05528b23b3161520a30ab71

SHA256
0d5ec31f733c05cecef1d622b1ffa203cfbaf13be2ee0fc3ecdb021c3f004954

SHA512
3b2fe9c82b81b6b7336bca67c2dc011f14baae4851ce1543a1a5d639aae328d1dd4f8796a0ba8f7a5ce54a76d55cd65eb7ac6b93ff37c9ca7031859661f636ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7365.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
MD5
a549bfe1170323076f438b7199bd39da

SHA1
fb893bcde83c6a8544276f464f03ec762cd3ca0a

SHA256
10a7145031d494fa4b85a71bf01ada3362ce77cd94dc8f6bd7c0afcf7797aac8

SHA512
469a623678fe783cac684b61431b8694f88cb23cf048df3e2d3e0f7955f92f79dcc58de03788d7a34c6ec7e9511c0902f72e8484ccf2834bb4275d362d81ceda

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
MD5
a549bfe1170323076f438b7199bd39da

SHA1
fb893bcde83c6a8544276f464f03ec762cd3ca0a

SHA256
10a7145031d494fa4b85a71bf01ada3362ce77cd94dc8f6bd7c0afcf7797aac8

SHA512
469a623678fe783cac684b61431b8694f88cb23cf048df3e2d3e0f7955f92f79dcc58de03788d7a34c6ec7e9511c0902f72e8484ccf2834bb4275d362d81ceda

Download Submit
\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca

SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde

SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce

SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

Download Submit
\Users\Admin\AppData\Local\Temp\CBFNPN~1.DLL
MD5
20ddea4b300d2ffa7d3acaf5346a04cb

SHA1
bdea5ae26ed437d536a7909c4f8f7e546a0f0497

SHA256
a71a262055d3d1fdedef4601c9d0ebca48ddd33d60074bb772e3652ec2fddcb0

SHA512
4c6e63e3d1aca9d9e4b3ee904619a5e716ceefe60a2e9d56d10f179ee1803d7328d55ba6351efaa28731f5e1358ed30a3e534a04ed62b90ac4f5809db67f4881

Download Submit
\Users\Admin\AppData\Local\Temp\CBFNPN~1.DLL
MD5
20ddea4b300d2ffa7d3acaf5346a04cb

SHA1
bdea5ae26ed437d536a7909c4f8f7e546a0f0497

SHA256
a71a262055d3d1fdedef4601c9d0ebca48ddd33d60074bb772e3652ec2fddcb0

SHA512
4c6e63e3d1aca9d9e4b3ee904619a5e716ceefe60a2e9d56d10f179ee1803d7328d55ba6351efaa28731f5e1358ed30a3e534a04ed62b90ac4f5809db67f4881

Download Submit
\Users\Admin\AppData\Local\Temp\CBFNPN~1.DLL
MD5
20ddea4b300d2ffa7d3acaf5346a04cb

SHA1
bdea5ae26ed437d536a7909c4f8f7e546a0f0497

SHA256
a71a262055d3d1fdedef4601c9d0ebca48ddd33d60074bb772e3652ec2fddcb0

SHA512
4c6e63e3d1aca9d9e4b3ee904619a5e716ceefe60a2e9d56d10f179ee1803d7328d55ba6351efaa28731f5e1358ed30a3e534a04ed62b90ac4f5809db67f4881

Download Submit
\Users\Admin\AppData\Local\Temp\CBFNPN~1.DLL
MD5
20ddea4b300d2ffa7d3acaf5346a04cb

SHA1
bdea5ae26ed437d536a7909c4f8f7e546a0f0497

SHA256
a71a262055d3d1fdedef4601c9d0ebca48ddd33d60074bb772e3652ec2fddcb0

SHA512
4c6e63e3d1aca9d9e4b3ee904619a5e716ceefe60a2e9d56d10f179ee1803d7328d55ba6351efaa28731f5e1358ed30a3e534a04ed62b90ac4f5809db67f4881

Download Submit
\Users\Admin\AppData\Local\Temp\nsaD033.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/500-184-0x0000000000000000-mapping.dmp

Download
memory/1328-185-0x0000000000000000-mapping.dmp

Download
memory/1528-139-0x0000000000F9A000-0x000000000108A000-memory.dmp

Filesize
960KB

Download
memory/1528-136-0x0000000000000000-mapping.dmp

Download
memory/1528-147-0x0000000001090000-0x0000000001197000-memory.dmp

Filesize
1.0MB

Download
memory/1528-148-0x0000000000400000-0x0000000000966000-memory.dmp

Filesize
5.4MB

Download
memory/2312-134-0x00007FF654F30000-0x00007FF655848000-memory.dmp

Filesize
9.1MB

Download
memory/2312-135-0x00007FF654F30000-0x00007FF655848000-memory.dmp

Filesize
9.1MB

Download
memory/2312-130-0x0000000000000000-mapping.dmp

Download
memory/2312-133-0x00007FF654F30000-0x00007FF655848000-memory.dmp

Filesize
9.1MB

Download
memory/2656-158-0x0000000000000000-mapping.dmp

Download
memory/2656-175-0x0000000000C92000-0x0000000000C93000-memory.dmp

Filesize
4KB

Download
memory/2656-167-0x0000000006C10000-0x0000000006C11000-memory.dmp

Filesize
4KB

Download
memory/2656-183-0x0000000006AD0000-0x0000000006AD1000-memory.dmp

Filesize
4KB

Download
memory/2656-186-0x0000000006B70000-0x0000000006B71000-memory.dmp

Filesize
4KB

Download
memory/2656-212-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2656-193-0x00000000073B0000-0x00000000073B1000-memory.dmp

Filesize
4KB

Download
memory/2656-160-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2656-163-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2656-223-0x0000000008940000-0x0000000008973000-memory.dmp

Filesize
204KB

Download
memory/2656-203-0x0000000006BF0000-0x0000000006BF1000-memory.dmp

Filesize
4KB

Download
memory/2656-235-0x000000007F170000-0x000000007F171000-memory.dmp

Filesize
4KB

Download
memory/2656-165-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/2656-241-0x0000000000C93000-0x0000000000C94000-memory.dmp

Filesize
4KB

Download
memory/2656-187-0x0000000007340000-0x0000000007341000-memory.dmp

Filesize
4KB

Download
memory/2656-174-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/2656-207-0x0000000007B60000-0x0000000007B61000-memory.dmp

Filesize
4KB

Download
memory/2656-206-0x0000000007C70000-0x0000000007C71000-memory.dmp

Filesize
4KB

Download
memory/2720-116-0x0000000000000000-mapping.dmp

Download
memory/2720-123-0x00007FF79B310000-0x00007FF79BC28000-memory.dmp

Filesize
9.1MB

Download
memory/2720-125-0x00007FF79B310000-0x00007FF79BC28000-memory.dmp

Filesize
9.1MB

Download
memory/2720-122-0x00007FF79B310000-0x00007FF79BC28000-memory.dmp

Filesize
9.1MB

Download
memory/2756-482-0x0000000000000000-mapping.dmp

Download
memory/3088-446-0x0000000000000000-mapping.dmp

Download
memory/3192-153-0x0000000000000000-mapping.dmp

Download
memory/3192-157-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3192-156-0x0000000005101000-0x00000000060E5000-memory.dmp

Filesize
15.9MB

Download
memory/3264-151-0x0000000004A41000-0x0000000005A25000-memory.dmp

Filesize
15.9MB

Download
memory/3264-152-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/3264-146-0x0000000000E10000-0x0000000000F74000-memory.dmp

Filesize
1.4MB

Download
memory/3264-142-0x0000000000000000-mapping.dmp

Download
memory/3284-483-0x0000000000000000-mapping.dmp

Download
memory/3512-128-0x00000000001D0000-0x0000000000899000-memory.dmp

Filesize
6.8MB

Download
memory/3512-119-0x0000000000000000-mapping.dmp

Download
memory/3512-124-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/3512-126-0x00000000001D0000-0x0000000000899000-memory.dmp

Filesize
6.8MB

Download
memory/3512-127-0x00000000001D0000-0x0000000000899000-memory.dmp

Filesize
6.8MB

Download
memory/3512-129-0x00000000001D0000-0x0000000000899000-memory.dmp

Filesize
6.8MB

Download
memory/3588-166-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3588-177-0x00000000063C0000-0x0000000006500000-memory.dmp

Filesize
1.2MB

Download
memory/3588-159-0x0000000000000000-mapping.dmp

Download
memory/3588-164-0x0000000005311000-0x00000000062F5000-memory.dmp

Filesize
15.9MB

Download
memory/3588-168-0x0000000003490000-0x0000000003491000-memory.dmp

Filesize
4KB

Download
memory/3588-169-0x00000000063C0000-0x0000000006500000-memory.dmp

Filesize
1.2MB

Download
memory/3588-170-0x00000000063C0000-0x0000000006500000-memory.dmp

Filesize
1.2MB

Download
memory/3588-172-0x00000000063C0000-0x0000000006500000-memory.dmp

Filesize
1.2MB

Download
memory/3588-190-0x0000000003400000-0x000000000354A000-memory.dmp

Filesize
1.3MB

Download
memory/3588-173-0x00000000063C0000-0x0000000006500000-memory.dmp

Filesize
1.2MB

Download
memory/3588-176-0x00000000034A0000-0x00000000034A1000-memory.dmp

Filesize
4KB

Download
memory/3588-178-0x00000000063C0000-0x0000000006500000-memory.dmp

Filesize
1.2MB

Download
memory/3752-199-0x0000000004510000-0x0000000004511000-memory.dmp

Filesize
4KB

Download
memory/3752-195-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/3752-214-0x0000000006BC0000-0x0000000006BC1000-memory.dmp

Filesize
4KB

Download
memory/3752-194-0x0000000000000000-mapping.dmp

Download
memory/3752-215-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/3752-257-0x0000000004513000-0x0000000004514000-memory.dmp

Filesize
4KB

Download
memory/3752-196-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/3752-200-0x0000000004512000-0x0000000004513000-memory.dmp

Filesize
4KB

Download
memory/3832-181-0x00000149419C0000-0x00000149419C2000-memory.dmp

Filesize
8KB

Download
memory/3832-191-0x0000000000580000-0x0000000000720000-memory.dmp

Filesize
1.6MB

Download
memory/3832-192-0x00000149417E0000-0x0000014941992000-memory.dmp

Filesize
1.7MB

Download
memory/3832-182-0x00000149419C0000-0x00000149419C2000-memory.dmp

Filesize
8KB

Download
memory/3832-179-0x00007FF79B225FD0-mapping.dmp

Download
memory/3868-149-0x0000000000000000-mapping.dmp

Download
memory/3920-374-0x0000000004E32000-0x0000000004E33000-memory.dmp

Filesize
4KB

Download
memory/3920-372-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/3920-467-0x0000000004E33000-0x0000000004E34000-memory.dmp

Filesize
4KB

Download
memory/3920-347-0x0000000000000000-mapping.dmp

Download
memory/3944-140-0x0000000000000000-mapping.dmp

Download