arkei | bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb

Analysis

max time kernel
151s
max time network
144s
platform
windows10_x64
resource
win10-en-20211104
submitted
14-11-2021 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb.exe
Size

219KB
MD5

e8885e91006b4e833a0d1b45680f6f8d
SHA1

70458dfabf3bfe1780e5b16a65af46825ca7790a
SHA256

bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb
SHA512

97b1ccc582f33c3d1a8ed6bb330425b38102b45932fdf99aadc38870aca2e4c62ebbd1b2dddfde82b648a90d50928172251959fc4f31e952477841d00b4969ca

Score

10^/10

arkei raccoon redline smokeloader 11/13 675718a5f2ce6d3cacf6cb04a512f5637eae995f ddf183af4241e3172885cf1b2c4c1fb4ee03d05a superstar ошибка backdoor discovery infostealer persistence spyware stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

redline

185.159.80.90:38637

Extracted

Family

redline

Botnet

SuperStar

185.215.113.29:36224

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

ddf183af4241e3172885cf1b2c4c1fb4ee03d05a

Attributes

url4cnc
http://91.219.236.27/capibar
http://5.181.156.92/capibar
http://91.219.236.207/capibar
http://185.225.19.18/capibar
http://91.219.237.227/capibar
https://t.me/capibar

rc4.plain

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

675718a5f2ce6d3cacf6cb04a512f5637eae995f

Attributes

url4cnc
http://91.219.236.27/agrybirdsgamerept
http://5.181.156.92/agrybirdsgamerept
http://91.219.236.207/agrybirdsgamerept
http://185.225.19.18/agrybirdsgamerept
http://91.219.237.227/agrybirdsgamerept
http://185.163.47.176/agrybirdsgamerept

rc4.plain

Extracted

Family

redline

Botnet

ОШИБКА

185.183.32.161:45391

Extracted

Family

redline

Botnet

11/13

94.103.9.133:1169

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1600-155-0x0000000002240000-0x000000000225C000-memory.dmp	family_redline
behavioral1/memory/1600-157-0x0000000004E20000-0x0000000004E3B000-memory.dmp	family_redline
behavioral1/memory/2364-176-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2364-177-0x0000000000418EEA-mapping.dmp	family_redline
behavioral1/memory/2364-188-0x0000000005320000-0x0000000005926000-memory.dmp	family_redline
behavioral1/memory/3644-259-0x0000000001230000-0x0000000001250000-memory.dmp	family_redline
behavioral1/memory/3644-270-0x0000000005720000-0x0000000005D26000-memory.dmp	family_redline
behavioral1/memory/4188-283-0x00000000003A0000-0x00000000003D8000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1072 created 536 1072 WerFault.exe 146.exe

description	pid	process	target process
PID 1072 created 536	1072	WerFault.exe	146.exe

Arkei Stealer Payload 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/4952-233-0x00000000005D0000-0x00000000005F1000-memory.dmp	family_arkei
behavioral1/memory/4952-235-0x0000000000400000-0x000000000044B000-memory.dmp	family_arkei

Downloads MZ/PE file

Executes dropped EXE 25 IoCs

Processes:

FA01.exeFA01.exeFE96.exe146.exe53F.exe908.exe53F.exeFE96.exe151F.exeFE96.exe228E.exe2B39.exeMarsBuild_2021-11-14_11-20.execlean.exeOQTGVRp.execlean.exeQdUPABU.exeForma.exe.comForma.exe.comUdi.exe.comUdi.exe.comRegAsm.exeuwtjgijuwtjgijRegAsm.exe

pid	process
3200	FA01.exe
3724	FA01.exe
3888	FE96.exe
536	146.exe
924	53F.exe
1444	908.exe
1600	53F.exe
824	FE96.exe
2524	151F.exe
2364	FE96.exe
4116	228E.exe
4820	2B39.exe
4952	MarsBuild_2021-11-14_11-20.exe
4852	clean.exe
4584	OQTGVRp.exe
4596	clean.exe
1788	QdUPABU.exe
984	Forma.exe.com
2244	Forma.exe.com
1900	Udi.exe.com
3560	Udi.exe.com
3644	RegAsm.exe
516	uwtjgij
4244	uwtjgij
4188	RegAsm.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\clean.exe	upx
C:\Users\Admin\AppData\Local\Temp\clean.exe	upx
C:\Users\Admin\AppData\Local\Temp\clean.exe	upx

Deletes itself 1 IoCs

Processes:

pid process

2716
Loads dropped DLL 3 IoCs

Processes:

MarsBuild_2021-11-14_11-20.exe

pid process

4952 MarsBuild_2021-11-14_11-20.exe
4952 MarsBuild_2021-11-14_11-20.exe
4952 MarsBuild_2021-11-14_11-20.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2716

pid	process
4952	MarsBuild_2021-11-14_11-20.exe
4952	MarsBuild_2021-11-14_11-20.exe
4952	MarsBuild_2021-11-14_11-20.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

QdUPABU.exeOQTGVRp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	QdUPABU.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	OQTGVRp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	OQTGVRp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	QdUPABU.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 7 IoCs

Processes:

bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb.exeFA01.exe53F.exeFE96.exeUdi.exe.comuwtjgijForma.exe.com

description	pid	process	target process
PID 516 set thread context of 3988	516	bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb.exe	bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb.exe
PID 3200 set thread context of 3724	3200	FA01.exe	FA01.exe
PID 924 set thread context of 1600	924	53F.exe	53F.exe
PID 3888 set thread context of 2364	3888	FE96.exe	FE96.exe
PID 3560 set thread context of 3644	3560	Udi.exe.com	RegAsm.exe
PID 516 set thread context of 4244	516	uwtjgij	uwtjgij
PID 2244 set thread context of 4188	2244	Forma.exe.com	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1072 536 WerFault.exe 146.exe
2656 2524 WerFault.exe 151F.exe

pid	pid_target	process	target process
1072	536	WerFault.exe	146.exe
2656	2524	WerFault.exe	151F.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb.exeFA01.exeuwtjgij

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	FA01.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	FA01.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uwtjgij
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uwtjgij
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	FA01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uwtjgij

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MarsBuild_2021-11-14_11-20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MarsBuild_2021-11-14_11-20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MarsBuild_2021-11-14_11-20.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5012 timeout.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

372 PING.EXE
4420 PING.EXE

pid	process
5012	timeout.exe

pid	process
372	PING.EXE
4420	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb.exe

pid	process
3988	bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb.exe
3988	bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb.exe
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716
2716

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2716
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb.exeFA01.exeuwtjgij

pid process

3988 bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb.exe
3724 FA01.exe
4244 uwtjgij

pid	process
2716

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WerFault.exeWerFault.exe

description	pid	process
Token: SeShutdownPrivilege	2716
Token: SeCreatePagefilePrivilege	2716
Token: SeShutdownPrivilege	2716
Token: SeCreatePagefilePrivilege	2716
Token: SeShutdownPrivilege	2716
Token: SeCreatePagefilePrivilege	2716
Token: SeShutdownPrivilege	2716
Token: SeCreatePagefilePrivilege	2716
Token: SeShutdownPrivilege	2716
Token: SeCreatePagefilePrivilege	2716
Token: SeRestorePrivilege	1072	WerFault.exe
Token: SeBackupPrivilege	1072	WerFault.exe
Token: SeDebugPrivilege	1072	WerFault.exe
Token: SeShutdownPrivilege	2716
Token: SeCreatePagefilePrivilege	2716
Token: SeShutdownPrivilege	2716
Token: SeCreatePagefilePrivilege	2716
Token: SeShutdownPrivilege	2716
Token: SeCreatePagefilePrivilege	2716
Token: SeDebugPrivilege	2656	WerFault.exe
Token: SeShutdownPrivilege	2716
Token: SeCreatePagefilePrivilege	2716
Token: SeShutdownPrivilege	2716
Token: SeCreatePagefilePrivilege	2716
Token: SeShutdownPrivilege	2716
Token: SeCreatePagefilePrivilege	2716
Token: SeShutdownPrivilege	2716
Token: SeCreatePagefilePrivilege	2716
Token: SeShutdownPrivilege	2716
Token: SeCreatePagefilePrivilege	2716
Token: SeShutdownPrivilege	2716
Token: SeCreatePagefilePrivilege	2716
Token: SeShutdownPrivilege	2716
Token: SeCreatePagefilePrivilege	2716
Token: SeShutdownPrivilege	2716
Token: SeCreatePagefilePrivilege	2716
Token: SeShutdownPrivilege	2716
Token: SeCreatePagefilePrivilege	2716
Token: SeShutdownPrivilege	2716
Token: SeCreatePagefilePrivilege	2716
Token: SeShutdownPrivilege	2716
Token: SeCreatePagefilePrivilege	2716
Token: SeShutdownPrivilege	2716
Token: SeCreatePagefilePrivilege	2716
Token: SeShutdownPrivilege	2716
Token: SeCreatePagefilePrivilege	2716
Token: SeShutdownPrivilege	2716
Token: SeCreatePagefilePrivilege	2716
Token: SeShutdownPrivilege	2716
Token: SeCreatePagefilePrivilege	2716
Token: SeShutdownPrivilege	2716
Token: SeCreatePagefilePrivilege	2716
Token: SeShutdownPrivilege	2716
Token: SeCreatePagefilePrivilege	2716
Token: SeShutdownPrivilege	2716
Token: SeCreatePagefilePrivilege	2716
Token: SeShutdownPrivilege	2716
Token: SeCreatePagefilePrivilege	2716
Token: SeShutdownPrivilege	2716
Token: SeCreatePagefilePrivilege	2716
Token: SeShutdownPrivilege	2716
Token: SeCreatePagefilePrivilege	2716
Token: SeShutdownPrivilege	2716
Token: SeCreatePagefilePrivilege	2716

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

Forma.exe.comForma.exe.comUdi.exe.comUdi.exe.com

pid	process
984	Forma.exe.com
2716
2716
984	Forma.exe.com
984	Forma.exe.com
2716
2716
2244	Forma.exe.com
2716
2716
2244	Forma.exe.com
2244	Forma.exe.com
2716
2716
1900	Udi.exe.com
2716
2716
1900	Udi.exe.com
1900	Udi.exe.com
2716
2716
3560	Udi.exe.com
2716
2716
3560	Udi.exe.com
3560	Udi.exe.com
2716
2716

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

Forma.exe.comForma.exe.comUdi.exe.comUdi.exe.com

pid	process
984	Forma.exe.com
984	Forma.exe.com
984	Forma.exe.com
2244	Forma.exe.com
2244	Forma.exe.com
2244	Forma.exe.com
1900	Udi.exe.com
1900	Udi.exe.com
1900	Udi.exe.com
3560	Udi.exe.com
3560	Udi.exe.com
3560	Udi.exe.com

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb.exeFA01.exeFE96.exe53F.exe2B39.exe

description	pid	process	target process
PID 516 wrote to memory of 3988	516	bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb.exe	bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb.exe
PID 516 wrote to memory of 3988	516	bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb.exe	bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb.exe
PID 516 wrote to memory of 3988	516	bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb.exe	bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb.exe
PID 516 wrote to memory of 3988	516	bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb.exe	bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb.exe
PID 516 wrote to memory of 3988	516	bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb.exe	bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb.exe
PID 516 wrote to memory of 3988	516	bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb.exe	bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb.exe
PID 2716 wrote to memory of 3200	2716		FA01.exe
PID 2716 wrote to memory of 3200	2716		FA01.exe
PID 2716 wrote to memory of 3200	2716		FA01.exe
PID 3200 wrote to memory of 3724	3200	FA01.exe	FA01.exe
PID 3200 wrote to memory of 3724	3200	FA01.exe	FA01.exe
PID 3200 wrote to memory of 3724	3200	FA01.exe	FA01.exe
PID 3200 wrote to memory of 3724	3200	FA01.exe	FA01.exe
PID 3200 wrote to memory of 3724	3200	FA01.exe	FA01.exe
PID 3200 wrote to memory of 3724	3200	FA01.exe	FA01.exe
PID 2716 wrote to memory of 3888	2716		FE96.exe
PID 2716 wrote to memory of 3888	2716		FE96.exe
PID 2716 wrote to memory of 3888	2716		FE96.exe
PID 2716 wrote to memory of 536	2716		146.exe
PID 2716 wrote to memory of 536	2716		146.exe
PID 2716 wrote to memory of 536	2716		146.exe
PID 3888 wrote to memory of 824	3888	FE96.exe	FE96.exe
PID 3888 wrote to memory of 824	3888	FE96.exe	FE96.exe
PID 3888 wrote to memory of 824	3888	FE96.exe	FE96.exe
PID 2716 wrote to memory of 924	2716		53F.exe
PID 2716 wrote to memory of 924	2716		53F.exe
PID 2716 wrote to memory of 924	2716		53F.exe
PID 2716 wrote to memory of 1444	2716		908.exe
PID 2716 wrote to memory of 1444	2716		908.exe
PID 2716 wrote to memory of 1444	2716		908.exe
PID 924 wrote to memory of 1600	924	53F.exe	53F.exe
PID 924 wrote to memory of 1600	924	53F.exe	53F.exe
PID 924 wrote to memory of 1600	924	53F.exe	53F.exe
PID 924 wrote to memory of 1600	924	53F.exe	53F.exe
PID 924 wrote to memory of 1600	924	53F.exe	53F.exe
PID 924 wrote to memory of 1600	924	53F.exe	53F.exe
PID 924 wrote to memory of 1600	924	53F.exe	53F.exe
PID 924 wrote to memory of 1600	924	53F.exe	53F.exe
PID 924 wrote to memory of 1600	924	53F.exe	53F.exe
PID 3888 wrote to memory of 2364	3888	FE96.exe	FE96.exe
PID 3888 wrote to memory of 2364	3888	FE96.exe	FE96.exe
PID 3888 wrote to memory of 2364	3888	FE96.exe	FE96.exe
PID 2716 wrote to memory of 2524	2716		151F.exe
PID 2716 wrote to memory of 2524	2716		151F.exe
PID 2716 wrote to memory of 2524	2716		151F.exe
PID 3888 wrote to memory of 2364	3888	FE96.exe	FE96.exe
PID 3888 wrote to memory of 2364	3888	FE96.exe	FE96.exe
PID 3888 wrote to memory of 2364	3888	FE96.exe	FE96.exe
PID 3888 wrote to memory of 2364	3888	FE96.exe	FE96.exe
PID 3888 wrote to memory of 2364	3888	FE96.exe	FE96.exe
PID 2716 wrote to memory of 4116	2716		228E.exe
PID 2716 wrote to memory of 4116	2716		228E.exe
PID 2716 wrote to memory of 4116	2716		228E.exe
PID 2716 wrote to memory of 4820	2716		2B39.exe
PID 2716 wrote to memory of 4820	2716		2B39.exe
PID 2716 wrote to memory of 4820	2716		2B39.exe
PID 4820 wrote to memory of 4952	4820	2B39.exe	MarsBuild_2021-11-14_11-20.exe
PID 4820 wrote to memory of 4952	4820	2B39.exe	MarsBuild_2021-11-14_11-20.exe
PID 4820 wrote to memory of 4952	4820	2B39.exe	MarsBuild_2021-11-14_11-20.exe
PID 4820 wrote to memory of 4852	4820	2B39.exe	clean.exe
PID 4820 wrote to memory of 4852	4820	2B39.exe	clean.exe
PID 4820 wrote to memory of 4584	4820	2B39.exe	OQTGVRp.exe
PID 4820 wrote to memory of 4584	4820	2B39.exe	OQTGVRp.exe
PID 4820 wrote to memory of 4584	4820	2B39.exe	OQTGVRp.exe

C:\Users\Admin\AppData\Local\Temp\bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb.exe
"C:\Users\Admin\AppData\Local\Temp\bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:516

C:\Users\Admin\AppData\Local\Temp\bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb.exe
"C:\Users\Admin\AppData\Local\Temp\bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3988

C:\Users\Admin\AppData\Local\Temp\FA01.exe
C:\Users\Admin\AppData\Local\Temp\FA01.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3200

C:\Users\Admin\AppData\Local\Temp\FA01.exe
C:\Users\Admin\AppData\Local\Temp\FA01.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3724

C:\Users\Admin\AppData\Local\Temp\FE96.exe
C:\Users\Admin\AppData\Local\Temp\FE96.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3888

C:\Users\Admin\AppData\Local\Temp\FE96.exe
C:\Users\Admin\AppData\Local\Temp\FE96.exe
2⤵
- Executes dropped EXE
PID:824

C:\Users\Admin\AppData\Local\Temp\FE96.exe
C:\Users\Admin\AppData\Local\Temp\FE96.exe
2⤵
- Executes dropped EXE
PID:2364

C:\Users\Admin\AppData\Local\Temp\146.exe
C:\Users\Admin\AppData\Local\Temp\146.exe
1⤵
- Executes dropped EXE
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 480
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Users\Admin\AppData\Local\Temp\53F.exe
C:\Users\Admin\AppData\Local\Temp\53F.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:924

C:\Users\Admin\AppData\Local\Temp\53F.exe
C:\Users\Admin\AppData\Local\Temp\53F.exe
2⤵
- Executes dropped EXE
PID:1600

C:\Users\Admin\AppData\Local\Temp\908.exe
C:\Users\Admin\AppData\Local\Temp\908.exe
1⤵
- Executes dropped EXE
PID:1444

C:\Users\Admin\AppData\Local\Temp\151F.exe
C:\Users\Admin\AppData\Local\Temp\151F.exe
1⤵
- Executes dropped EXE
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 400
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Users\Admin\AppData\Local\Temp\228E.exe
C:\Users\Admin\AppData\Local\Temp\228E.exe
1⤵
- Executes dropped EXE
PID:4116

C:\Users\Admin\AppData\Local\Temp\2B39.exe
C:\Users\Admin\AppData\Local\Temp\2B39.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820

C:\Users\Admin\AppData\Local\Temp\MarsBuild_2021-11-14_11-20.exe
"C:\Users\Admin\AppData\Local\Temp\MarsBuild_2021-11-14_11-20.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:4952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\MarsBuild_2021-11-14_11-20.exe" & exit
3⤵
PID:1892

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
4⤵
- Delays execution with timeout.exe
PID:5012

C:\Users\Admin\AppData\Local\Temp\clean.exe
"C:\Users\Admin\AppData\Local\Temp\clean.exe"
2⤵
- Executes dropped EXE
PID:4852

C:\Users\Admin\AppData\Local\Temp\OQTGVRp.exe
"C:\Users\Admin\AppData\Local\Temp\OQTGVRp.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4584

C:\Windows\SysWOW64\makecab.exe
makecab
3⤵
PID:2796

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Duro.potx
3⤵
PID:412

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
PID:1732

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^JdynOpYGXnWkzSuDQWhFskbJYxaqZbxLWAnCRclynOJXkaaxpyDmJmtnSvAxQXHArlfSxDLxLiiDBmnGwYRUUVevcZJcVQgAupUqemqFzoNBaA$" Due.potx
5⤵
PID:4976

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.com
Forma.exe.com b
5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:984

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.com b
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2244

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
7⤵
- Executes dropped EXE
PID:4188

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:372

C:\Users\Admin\AppData\Local\Temp\clean.exe
"C:\Users\Admin\AppData\Local\Temp\clean.exe"
2⤵
- Executes dropped EXE
PID:4596

C:\Users\Admin\AppData\Local\Temp\QdUPABU.exe
"C:\Users\Admin\AppData\Local\Temp\QdUPABU.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1788

C:\Windows\SysWOW64\makecab.exe
makecab
3⤵
PID:5052

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Aggrava.accdt
3⤵
PID:3400

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
PID:4440

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^ShpzYFLbYRfWJuFRXyNbzLysSxWtdBORrgKocLRwRlexRlxdHPIcxtdioSAEIHivrnSxvvvjgLGoIKmHZGvBSzvYYDqDljzlrGszaqTlaviIninbaTFelFEKwTcTvTew$" Pie.accdt
5⤵
PID:3164

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.com
Udi.exe.com k
5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1900

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.com k
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3560

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RegAsm.exe
7⤵
- Executes dropped EXE
PID:3644

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:4420

C:\Users\Admin\AppData\Roaming\uwtjgij
C:\Users\Admin\AppData\Roaming\uwtjgij
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:516

C:\Users\Admin\AppData\Roaming\uwtjgij
C:\Users\Admin\AppData\Roaming\uwtjgij
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FE96.exe.log
MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
MD5
f8bf8c759e6516d9829fc6171799ffa1

SHA1
3f7ebddabaca2b8afc74a7958ee16828445efd0f

SHA256
2dad6995b234e8975c6f32adb1b12d225abc4cbd837d98dd9cffc5d0b57ac128

SHA512
6a4a97137fd33e59098cb6a648773189e0c1245dcea26b7842d589958aab244d86e22b5ac1085d41e4f697da51e269fda1939619fde84b2b1c023d9fedb255c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\146.exe
MD5
d985b4cfdceecc3c0fe4f3e4fda4e416

SHA1
f3c14a4d87569e54faaf0eac73ec1aafa2621dfa

SHA256
a8b37d6b073ee045ae63473cb1a592c974e896b19e3db06d552f955901c06db7

SHA512
560a056c076db6893f6407807d9a10d1078c148aa588d9de6ce1874eeac0a4feaf2102b656ba96316a32c89df97986f20cf77e55117e2c9bf97e52ef3381335c

Download Submit
C:\Users\Admin\AppData\Local\Temp\146.exe
MD5
d985b4cfdceecc3c0fe4f3e4fda4e416

SHA1
f3c14a4d87569e54faaf0eac73ec1aafa2621dfa

SHA256
a8b37d6b073ee045ae63473cb1a592c974e896b19e3db06d552f955901c06db7

SHA512
560a056c076db6893f6407807d9a10d1078c148aa588d9de6ce1874eeac0a4feaf2102b656ba96316a32c89df97986f20cf77e55117e2c9bf97e52ef3381335c

Download Submit
C:\Users\Admin\AppData\Local\Temp\151F.exe
MD5
41a38ac01d1ec59c3f3ccabca37c35ca

SHA1
55391e36fb245f08aab49c0d36015557126c4943

SHA256
8e764ca97e49f2274523c3a21f091635c8dacadbdcb1ca64e248d656c36a7250

SHA512
f64118254949f6607b97e870e8de08c510e62aee6dc1ccc29198f9ff509a2d65231d8da6e5e5751533e155041d15185fb6e77e59ed1de6962277ab0b354e93c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\151F.exe
MD5
41a38ac01d1ec59c3f3ccabca37c35ca

SHA1
55391e36fb245f08aab49c0d36015557126c4943

SHA256
8e764ca97e49f2274523c3a21f091635c8dacadbdcb1ca64e248d656c36a7250

SHA512
f64118254949f6607b97e870e8de08c510e62aee6dc1ccc29198f9ff509a2d65231d8da6e5e5751533e155041d15185fb6e77e59ed1de6962277ab0b354e93c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\228E.exe
MD5
d513e817da5fbce634ed9609ca78e589

SHA1
95c8614b7c7a709a278a45ae3b7579c9c167ea54

SHA256
77a28b993e27b8249fa5463748ed15cf0a513402a25bbd72fc00b96fd321e674

SHA512
49055ea2137dd1ef65ce8a8932a109c6f06a0ea6bd3fecf3e1c52aabc5dc6cc998b45fef4f030bc3f76e1d25f201f005dbb968e1ea29be7719fd6fb6f413d63a

Download Submit
C:\Users\Admin\AppData\Local\Temp\228E.exe
MD5
d513e817da5fbce634ed9609ca78e589

SHA1
95c8614b7c7a709a278a45ae3b7579c9c167ea54

SHA256
77a28b993e27b8249fa5463748ed15cf0a513402a25bbd72fc00b96fd321e674

SHA512
49055ea2137dd1ef65ce8a8932a109c6f06a0ea6bd3fecf3e1c52aabc5dc6cc998b45fef4f030bc3f76e1d25f201f005dbb968e1ea29be7719fd6fb6f413d63a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B39.exe
MD5
aa25a6dbf0319ac7466e5e4c8b7ee4a3

SHA1
f5cfc23ae0d2785f5aae32a07eaf15f9cfc4ac24

SHA256
4ef41d48509cbc289c46f9b252d780ea1abd83e849c42a47bf7b481b79fead7e

SHA512
ccd6232ae5918110ef911fbd27de2619cc2a1cbf1b08029b4953166bdaaa2ba087d418726e612dc84afc803e1cc95229834e1b0c91696471b8b08e4c6ff080df

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B39.exe
MD5
aa25a6dbf0319ac7466e5e4c8b7ee4a3

SHA1
f5cfc23ae0d2785f5aae32a07eaf15f9cfc4ac24

SHA256
4ef41d48509cbc289c46f9b252d780ea1abd83e849c42a47bf7b481b79fead7e

SHA512
ccd6232ae5918110ef911fbd27de2619cc2a1cbf1b08029b4953166bdaaa2ba087d418726e612dc84afc803e1cc95229834e1b0c91696471b8b08e4c6ff080df

Download Submit
C:\Users\Admin\AppData\Local\Temp\53F.exe
MD5
aed0b742062f7029630a8978b3794fa6

SHA1
393ac4248d660a1e8342b65d2074f5a4766ab86c

SHA256
4a7a97d9986619bcaa11a46ed09419421ac72142421a4ea362d3e403007aa0eb

SHA512
d824cd6b97d67b88ebbe41eeb729f4d0701243ffd960206b00608635bc79880c3517d6c5a1517cb18e893ed761d2761f59010da179083da944a7e2a808dc22c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\53F.exe
MD5
aed0b742062f7029630a8978b3794fa6

SHA1
393ac4248d660a1e8342b65d2074f5a4766ab86c

SHA256
4a7a97d9986619bcaa11a46ed09419421ac72142421a4ea362d3e403007aa0eb

SHA512
d824cd6b97d67b88ebbe41eeb729f4d0701243ffd960206b00608635bc79880c3517d6c5a1517cb18e893ed761d2761f59010da179083da944a7e2a808dc22c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\53F.exe
MD5
aed0b742062f7029630a8978b3794fa6

SHA1
393ac4248d660a1e8342b65d2074f5a4766ab86c

SHA256
4a7a97d9986619bcaa11a46ed09419421ac72142421a4ea362d3e403007aa0eb

SHA512
d824cd6b97d67b88ebbe41eeb729f4d0701243ffd960206b00608635bc79880c3517d6c5a1517cb18e893ed761d2761f59010da179083da944a7e2a808dc22c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\908.exe
MD5
0f9d1f2e3aaad601bb95a039b0aedcfb

SHA1
141e7b7b2a4a31b2a7e599b2d2064239fcc66707

SHA256
db4ec306ea32c01cb486566c699b9b88013beb26c2830319785bf5a4ee4735b5

SHA512
b68708a0aa425a3f90df3c1639aeb2358f34fa5bfb3691d3010cd528cdce99692269b13cda9f05172d8608fc08b7b7ca5449d495290a5e9e81221edfe9d052e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\908.exe
MD5
0f9d1f2e3aaad601bb95a039b0aedcfb

SHA1
141e7b7b2a4a31b2a7e599b2d2064239fcc66707

SHA256
db4ec306ea32c01cb486566c699b9b88013beb26c2830319785bf5a4ee4735b5

SHA512
b68708a0aa425a3f90df3c1639aeb2358f34fa5bfb3691d3010cd528cdce99692269b13cda9f05172d8608fc08b7b7ca5449d495290a5e9e81221edfe9d052e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FA01.exe
MD5
e8885e91006b4e833a0d1b45680f6f8d

SHA1
70458dfabf3bfe1780e5b16a65af46825ca7790a

SHA256
bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb

SHA512
97b1ccc582f33c3d1a8ed6bb330425b38102b45932fdf99aadc38870aca2e4c62ebbd1b2dddfde82b648a90d50928172251959fc4f31e952477841d00b4969ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\FA01.exe
MD5
e8885e91006b4e833a0d1b45680f6f8d

SHA1
70458dfabf3bfe1780e5b16a65af46825ca7790a

SHA256
bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb

SHA512
97b1ccc582f33c3d1a8ed6bb330425b38102b45932fdf99aadc38870aca2e4c62ebbd1b2dddfde82b648a90d50928172251959fc4f31e952477841d00b4969ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\FA01.exe
MD5
e8885e91006b4e833a0d1b45680f6f8d

SHA1
70458dfabf3bfe1780e5b16a65af46825ca7790a

SHA256
bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb

SHA512
97b1ccc582f33c3d1a8ed6bb330425b38102b45932fdf99aadc38870aca2e4c62ebbd1b2dddfde82b648a90d50928172251959fc4f31e952477841d00b4969ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\FE96.exe
MD5
5e34695c9f46f1e69ce731d3b7359c88

SHA1
e1e5bb43f0c7556bcccc8cb698f854694bdc024a

SHA256
97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

SHA512
659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\FE96.exe
MD5
5e34695c9f46f1e69ce731d3b7359c88

SHA1
e1e5bb43f0c7556bcccc8cb698f854694bdc024a

SHA256
97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

SHA512
659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\FE96.exe
MD5
5e34695c9f46f1e69ce731d3b7359c88

SHA1
e1e5bb43f0c7556bcccc8cb698f854694bdc024a

SHA256
97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

SHA512
659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\FE96.exe
MD5
5e34695c9f46f1e69ce731d3b7359c88

SHA1
e1e5bb43f0c7556bcccc8cb698f854694bdc024a

SHA256
97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

SHA512
659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Due.potx
MD5
6684f94034e10a93758e2c22c75f1613

SHA1
25b7d85449caa642beafcf488f1af1fb745ad0ca

SHA256
3e6fff185ac509106bed8e02969acc2c272f65300249e66b5a504c92d4a58d0e

SHA512
43141e2a5f1cd92cff9a63e1af68d9a1af458ae8f5f7b489172d06e21fe103793a045ed4ee613b4618b42665c5d644d058c0ac78d19d0ef55cf5936201cfd1fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Duro.potx
MD5
32672958dfe282494f18f8be6b5daea8

SHA1
29eb8689b235ffc001286410039ff1399b9e3d33

SHA256
a9a4218d1a194894aaf6b487c502a24f0f84041a20e720a4a719201ffc31ae02

SHA512
05a7c2ee83b6284df5f072ba493a0b90e315e54c786ee22b159e3d1197335c72f8b637ddf2e1c7884c4275e0ebc553d68492ae2ed42b43d11c0010808e5dc5f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Era.potx
MD5
016c737a43c6e6e2cb7abf7d85c5057d

SHA1
e68f088fa89473aa3cc032429bcc62b4b0f61116

SHA256
b1263474b5adfaa1419a51ebd697ddcb05ff89bc6c037e08d376994f4550957b

SHA512
ebba96e749127d7678bae1d47cd00a287812a49840da72932f97e8469e49a3eb01b0c198aa69ae42c03211cfed275c77fdf086679433dc8c55ea60b1ccf3c607

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forma.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b
MD5
016c737a43c6e6e2cb7abf7d85c5057d

SHA1
e68f088fa89473aa3cc032429bcc62b4b0f61116

SHA256
b1263474b5adfaa1419a51ebd697ddcb05ff89bc6c037e08d376994f4550957b

SHA512
ebba96e749127d7678bae1d47cd00a287812a49840da72932f97e8469e49a3eb01b0c198aa69ae42c03211cfed275c77fdf086679433dc8c55ea60b1ccf3c607

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Aggrava.accdt
MD5
ea7b73c99c39a859e7e8b0a815570986

SHA1
bd74eb1f49d26a461060f131683021750889a65f

SHA256
edd2efdd14116825ff18d706aad2bd716382acbe678eda85c5057bd257b1a02e

SHA512
167288428c40eab8e1864bf7db8e70721790763bed0db598af1da860950839058255f58398a61070fbafeea575d9557ec7c6d5b9c424b217602968a40cdf34d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Migliore.accdt
MD5
d9119aa074bfaff410bb7a4139146a19

SHA1
74ea5a967fcba2dde0b27de519dbaf1ef7028636

SHA256
797bdb0508bf241ccc4beff1da822e26b5113592556fbbf53623ec2f0c432ec7

SHA512
1187f6c0f0f9488bfd57129622b24e747b54a50cb1141bc7fc9e1d62e9a80c415efa85c7322d3391a88fb9e9b8335daabf0e258d3896f2eba571e9e7fbba32b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Pie.accdt
MD5
a172c86dab6bebb6c82410c1f1c1567d

SHA1
56a171dfe8137793f45640fc31b3a159f5a84c7d

SHA256
d83dd02bf0531d87e4b1af3a68cd601b21d33e2a9e77bc7e8cf1753f77b10438

SHA512
107df456743e3e793ca75e2c5e7bfad1ee1801cae03636dec2539cd4c4995b601c3d79118ad0874c6caf8293d1812bf31d459549f7925cb814e30bad4fc30896

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Udi.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k
MD5
d9119aa074bfaff410bb7a4139146a19

SHA1
74ea5a967fcba2dde0b27de519dbaf1ef7028636

SHA256
797bdb0508bf241ccc4beff1da822e26b5113592556fbbf53623ec2f0c432ec7

SHA512
1187f6c0f0f9488bfd57129622b24e747b54a50cb1141bc7fc9e1d62e9a80c415efa85c7322d3391a88fb9e9b8335daabf0e258d3896f2eba571e9e7fbba32b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MarsBuild_2021-11-14_11-20.exe
MD5
3d58b1c286a8d5deb900c56210d19611

SHA1
f3a8e5a0fabe01268c9c99e981208e36d210900b

SHA256
19c5b1b8a2cdb858835234cebf962a73492f843b6e434b7e5c11d16ddcf09a62

SHA512
3ed1ed8756d3aee5cc271b4850905dd02e6f1e5b8ba0bb3df004636af5fcb49380ae594774bb0984f8de485e6bfa1307d981aedd7a65bb558598e971fdce1530

Download Submit
C:\Users\Admin\AppData\Local\Temp\MarsBuild_2021-11-14_11-20.exe
MD5
3d58b1c286a8d5deb900c56210d19611

SHA1
f3a8e5a0fabe01268c9c99e981208e36d210900b

SHA256
19c5b1b8a2cdb858835234cebf962a73492f843b6e434b7e5c11d16ddcf09a62

SHA512
3ed1ed8756d3aee5cc271b4850905dd02e6f1e5b8ba0bb3df004636af5fcb49380ae594774bb0984f8de485e6bfa1307d981aedd7a65bb558598e971fdce1530

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQTGVRp.exe
MD5
ae5b62f74b751690528b1158da869f4b

SHA1
9ba07ae06ba49b16fa32dfdd51df33ae771597f4

SHA256
9300234fb143a410b3fc3fa0e0631a6a15f563a086af6854d0917ae5653ff0f5

SHA512
ba5fd421118e296b9678cbabc19419db1645dbf4c403e5d20cc29a6a2e6e41b71a18e4779004dd79c2f8ede2f13ca9d7ebd5717954cb92bc990d338b77a6e3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQTGVRp.exe
MD5
ae5b62f74b751690528b1158da869f4b

SHA1
9ba07ae06ba49b16fa32dfdd51df33ae771597f4

SHA256
9300234fb143a410b3fc3fa0e0631a6a15f563a086af6854d0917ae5653ff0f5

SHA512
ba5fd421118e296b9678cbabc19419db1645dbf4c403e5d20cc29a6a2e6e41b71a18e4779004dd79c2f8ede2f13ca9d7ebd5717954cb92bc990d338b77a6e3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\QdUPABU.exe
MD5
6a537efb426fe0de4d613615a82fa729

SHA1
ed5acfd81d01a5804df26cb259793e532992f07a

SHA256
0f20bd03381fabc111c319d58c04e5c8c4fdf4a12fbfed2ae5b0d13b8964ff7b

SHA512
bbdc5c3ffd04bc2e35b6cb476dd05315db9d6673edea1b7beafbf70544d4f4a54652213c149362dd8392fddb47d341ee9b17e109d0f8fd8286fceca7abf17ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\QdUPABU.exe
MD5
6a537efb426fe0de4d613615a82fa729

SHA1
ed5acfd81d01a5804df26cb259793e532992f07a

SHA256
0f20bd03381fabc111c319d58c04e5c8c4fdf4a12fbfed2ae5b0d13b8964ff7b

SHA512
bbdc5c3ffd04bc2e35b6cb476dd05315db9d6673edea1b7beafbf70544d4f4a54652213c149362dd8392fddb47d341ee9b17e109d0f8fd8286fceca7abf17ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\clean.exe
MD5
374a47aa60ba4ef1c2306be2949f0849

SHA1
612fedf2475d75d3805d9801f00de1111591b7cc

SHA256
c1570c01feaf033c8d7697a7a873b77754b22aa67e0ca0499ed22095b651d2af

SHA512
ecb64e77cbca48ae129c08c93565c937a336c7f0016d19a12b76aee8e2508f21615ee1c104123ed5b5dc5e0e077bc81ac8c7042285e778b855a009b6087fad9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\clean.exe
MD5
374a47aa60ba4ef1c2306be2949f0849

SHA1
612fedf2475d75d3805d9801f00de1111591b7cc

SHA256
c1570c01feaf033c8d7697a7a873b77754b22aa67e0ca0499ed22095b651d2af

SHA512
ecb64e77cbca48ae129c08c93565c937a336c7f0016d19a12b76aee8e2508f21615ee1c104123ed5b5dc5e0e077bc81ac8c7042285e778b855a009b6087fad9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\clean.exe
MD5
374a47aa60ba4ef1c2306be2949f0849

SHA1
612fedf2475d75d3805d9801f00de1111591b7cc

SHA256
c1570c01feaf033c8d7697a7a873b77754b22aa67e0ca0499ed22095b651d2af

SHA512
ecb64e77cbca48ae129c08c93565c937a336c7f0016d19a12b76aee8e2508f21615ee1c104123ed5b5dc5e0e077bc81ac8c7042285e778b855a009b6087fad9d

Download Submit
C:\Users\Admin\AppData\Roaming\uwtjgij
MD5
e8885e91006b4e833a0d1b45680f6f8d

SHA1
70458dfabf3bfe1780e5b16a65af46825ca7790a

SHA256
bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb

SHA512
97b1ccc582f33c3d1a8ed6bb330425b38102b45932fdf99aadc38870aca2e4c62ebbd1b2dddfde82b648a90d50928172251959fc4f31e952477841d00b4969ca

Download Submit
C:\Users\Admin\AppData\Roaming\uwtjgij
MD5
e8885e91006b4e833a0d1b45680f6f8d

SHA1
70458dfabf3bfe1780e5b16a65af46825ca7790a

SHA256
bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb

SHA512
97b1ccc582f33c3d1a8ed6bb330425b38102b45932fdf99aadc38870aca2e4c62ebbd1b2dddfde82b648a90d50928172251959fc4f31e952477841d00b4969ca

Download Submit
C:\Users\Admin\AppData\Roaming\uwtjgij
MD5
e8885e91006b4e833a0d1b45680f6f8d

SHA1
70458dfabf3bfe1780e5b16a65af46825ca7790a

SHA256
bbe27c85bfb6beafedee33d106dfe71f91e129268c5dbf8d0c3873c1e31103bb

SHA512
97b1ccc582f33c3d1a8ed6bb330425b38102b45932fdf99aadc38870aca2e4c62ebbd1b2dddfde82b648a90d50928172251959fc4f31e952477841d00b4969ca

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
memory/372-234-0x0000000000000000-mapping.dmp

Download
memory/412-218-0x0000000000000000-mapping.dmp

Download
memory/516-121-0x0000000000540000-0x000000000068A000-memory.dmp

Filesize
1.3MB

Download
memory/516-120-0x0000000000520000-0x0000000000528000-memory.dmp

Filesize
32KB

Download
memory/516-281-0x0000000000560000-0x00000000006AA000-memory.dmp

Filesize
1.3MB

Download
memory/516-282-0x0000000000560000-0x00000000006AA000-memory.dmp

Filesize
1.3MB

Download
memory/536-137-0x0000000000000000-mapping.dmp

Download
memory/536-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-146-0x0000000000620000-0x0000000000628000-memory.dmp

Filesize
32KB

Download
memory/536-147-0x0000000000810000-0x0000000000819000-memory.dmp

Filesize
36KB

Download
memory/924-143-0x0000000000000000-mapping.dmp

Download
memory/924-164-0x0000000001F90000-0x0000000001FC0000-memory.dmp

Filesize
192KB

Download
memory/924-163-0x0000000001F60000-0x0000000001F82000-memory.dmp

Filesize
136KB

Download
memory/984-229-0x0000000000000000-mapping.dmp

Download
memory/1444-190-0x0000000000400000-0x0000000002B85000-memory.dmp

Filesize
39.5MB

Download
memory/1444-148-0x0000000000000000-mapping.dmp

Download
memory/1444-184-0x0000000002EB6000-0x0000000002F06000-memory.dmp

Filesize
320KB

Download
memory/1444-189-0x0000000004740000-0x00000000047CF000-memory.dmp

Filesize
572KB

Download
memory/1600-162-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/1600-153-0x000000000040CD2F-mapping.dmp

Download
memory/1600-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-159-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/1600-160-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/1600-155-0x0000000002240000-0x000000000225C000-memory.dmp

Filesize
112KB

Download
memory/1600-161-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/1600-158-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/1600-168-0x00000000020E3000-0x00000000020E4000-memory.dmp

Filesize
4KB

Download
memory/1600-169-0x00000000020E4000-0x00000000020E6000-memory.dmp

Filesize
8KB

Download
memory/1600-167-0x00000000020E2000-0x00000000020E3000-memory.dmp

Filesize
4KB

Download
memory/1600-157-0x0000000004E20000-0x0000000004E3B000-memory.dmp

Filesize
108KB

Download
memory/1600-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-166-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download
memory/1732-222-0x0000000000000000-mapping.dmp

Download
memory/1788-212-0x0000000000000000-mapping.dmp

Download
memory/1892-257-0x0000000000000000-mapping.dmp

Download
memory/1900-247-0x0000000000000000-mapping.dmp

Download
memory/2244-237-0x0000000000000000-mapping.dmp

Download
memory/2364-239-0x0000000006E10000-0x0000000006E11000-memory.dmp

Filesize
4KB

Download
memory/2364-176-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2364-223-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/2364-226-0x00000000062E0000-0x00000000062E1000-memory.dmp

Filesize
4KB

Download
memory/2364-241-0x0000000007510000-0x0000000007511000-memory.dmp

Filesize
4KB

Download
memory/2364-188-0x0000000005320000-0x0000000005926000-memory.dmp

Filesize
6.0MB

Download
memory/2364-177-0x0000000000418EEA-mapping.dmp

Download
memory/2524-172-0x0000000000000000-mapping.dmp

Download
memory/2524-175-0x0000000002760000-0x00000000027C0000-memory.dmp

Filesize
384KB

Download
memory/2716-122-0x0000000000670000-0x0000000000686000-memory.dmp

Filesize
88KB

Download
memory/2716-171-0x0000000004070000-0x0000000004086000-memory.dmp

Filesize
88KB

Download
memory/2716-296-0x0000000004F10000-0x0000000004F26000-memory.dmp

Filesize
88KB

Download
memory/2796-217-0x0000000000000000-mapping.dmp

Download
memory/3164-244-0x0000000000000000-mapping.dmp

Download
memory/3200-135-0x0000000000440000-0x00000000004EE000-memory.dmp

Filesize
696KB

Download
memory/3200-136-0x0000000000440000-0x00000000004EE000-memory.dmp

Filesize
696KB

Download
memory/3200-123-0x0000000000000000-mapping.dmp

Download
memory/3400-240-0x0000000000000000-mapping.dmp

Download
memory/3560-252-0x0000000000000000-mapping.dmp

Download
memory/3644-270-0x0000000005720000-0x0000000005D26000-memory.dmp

Filesize
6.0MB

Download
memory/3644-259-0x0000000001230000-0x0000000001250000-memory.dmp

Filesize
128KB

Download
memory/3724-127-0x0000000000402DD8-mapping.dmp

Download
memory/3888-140-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download
memory/3888-142-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/3888-141-0x0000000005590000-0x0000000005591000-memory.dmp

Filesize
4KB

Download
memory/3888-134-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/3888-132-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/3888-129-0x0000000000000000-mapping.dmp

Download
memory/3988-119-0x0000000000402DD8-mapping.dmp

Download
memory/3988-118-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4116-191-0x0000000000000000-mapping.dmp

Download
memory/4116-194-0x0000000002100000-0x000000000214F000-memory.dmp

Filesize
316KB

Download
memory/4116-195-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4116-196-0x0000000002150000-0x00000000021DF000-memory.dmp

Filesize
572KB

Download
memory/4188-283-0x00000000003A0000-0x00000000003D8000-memory.dmp

Filesize
224KB

Download
memory/4188-295-0x0000000006D90000-0x0000000006D91000-memory.dmp

Filesize
4KB

Download
memory/4244-279-0x0000000000402DD8-mapping.dmp

Download
memory/4420-250-0x0000000000000000-mapping.dmp

Download
memory/4440-243-0x0000000000000000-mapping.dmp

Download
memory/4584-208-0x0000000000000000-mapping.dmp

Download
memory/4596-209-0x0000000000000000-mapping.dmp

Download
memory/4820-197-0x0000000000000000-mapping.dmp

Download
memory/4820-199-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/4820-200-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/4852-205-0x0000000000000000-mapping.dmp

Download
memory/4952-230-0x0000000000450000-0x00000000004FE000-memory.dmp

Filesize
696KB

Download
memory/4952-233-0x00000000005D0000-0x00000000005F1000-memory.dmp

Filesize
132KB

Download
memory/4952-235-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4952-202-0x0000000000000000-mapping.dmp

Download
memory/4976-225-0x0000000000000000-mapping.dmp

Download
memory/5012-258-0x0000000000000000-mapping.dmp

Download
memory/5052-216-0x0000000000000000-mapping.dmp

Download