danabot | c6aa02a56f11f479f9ae81a74af6cdf1fd8a13ab88e569aa01ab37604bbfc313

Resubmissions

20-12-2021 14:27

211220-rssysabfbl 10

20-12-2021 14:17

211220-rlpmsabehq 10

Analysis

max time kernel
295s
max time network
276s
platform
windows10_x64
resource
win10-en-20211208
submitted
20-12-2021 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3d0d747febe769eff3b01ddf5317fd1.exe
Size

5.3MB
MD5

d3d0d747febe769eff3b01ddf5317fd1
SHA1

c2c9444fe6215578de88ee1d9577d636388d16e3
SHA256

c6aa02a56f11f479f9ae81a74af6cdf1fd8a13ab88e569aa01ab37604bbfc313
SHA512

8c53059e7bfa2e61ad23817083df408ef4be04719eb634e40c487aeb1d62db0ebb43b975c76a33b7ac02b9d8fe5b58d5743f853e5a20e8324e5a054a04b04894

Score

10^/10

danabot 4 banker collection discovery evasion persistence spyware stealer suricata themida trojan

Malware Config

Extracted

Family

danabot

Botnet

142.11.244.223:443

23.106.122.139:443

Attributes

embedded_hash
0FA95F120D6EB149A5D48E36BC76879D
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Extracted

Family

danabot

Version

2052

Botnet

142.11.244.223:443

23.106.122.139:443

Attributes

embedded_hash
0FA95F120D6EB149A5D48E36BC76879D
type
main

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SDKWTD~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\SDKWTD~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\SDKWTD~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\SDKWTD~1.DLL	DanabotLoader2021

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 1448 created 1312 1448 WerFault.exe sdkwtddg.exe
PID 2080 created 3804 2080 WerFault.exe RUNDLL32.EXE
suricata: ET MALWARE Danabot Key Exchange Request
suricata: ET MALWARE Danabot Key Exchange Request
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 7 IoCs

Processes:

WScript.exerundll32.exeRUNDLL32.EXE

flow pid process

30 3424 WScript.exe
38 936 rundll32.exe
39 2152 RUNDLL32.EXE
44 2152 RUNDLL32.EXE
45 2152 RUNDLL32.EXE
46 2152 RUNDLL32.EXE
47 2152 RUNDLL32.EXE
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

napaea.exeoutwitvp.exesdkwtddg.exeDpEditor.exe

pid process

1924 napaea.exe
2596 outwitvp.exe
1312 sdkwtddg.exe
740 DpEditor.exe

description	pid	process	target process
PID 1448 created 1312	1448	WerFault.exe	sdkwtddg.exe
PID 2080 created 3804	2080	WerFault.exe	RUNDLL32.EXE

flow	pid	process
30	3424	WScript.exe
38	936	rundll32.exe
39	2152	RUNDLL32.EXE
44	2152	RUNDLL32.EXE
45	2152	RUNDLL32.EXE
46	2152	RUNDLL32.EXE
47	2152	RUNDLL32.EXE

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

napaea.exeoutwitvp.exeDpEditor.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	napaea.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	napaea.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	outwitvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	outwitvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DpEditor.exe

Drops startup file 1 IoCs

Processes:

DpEditor.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nssyncer.lnk DpEditor.exe
Loads dropped DLL 5 IoCs

Processes:

d3d0d747febe769eff3b01ddf5317fd1.exerundll32.exeRUNDLL32.EXERUNDLL32.EXERUNDLL32.EXE

pid process

2692 d3d0d747febe769eff3b01ddf5317fd1.exe
936 rundll32.exe
2152 RUNDLL32.EXE
3804 RUNDLL32.EXE
3416 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nssyncer.lnk	DpEditor.exe

pid	process
2692	d3d0d747febe769eff3b01ddf5317fd1.exe
936	rundll32.exe
2152	RUNDLL32.EXE
3804	RUNDLL32.EXE
3416	RUNDLL32.EXE

Themida packer 18 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exe	themida
C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exe	themida
C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe	themida
C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe	themida
behavioral2/memory/1924-123-0x0000000000AC0000-0x00000000011B6000-memory.dmp	themida
behavioral2/memory/1924-124-0x0000000000AC0000-0x00000000011B6000-memory.dmp	themida
behavioral2/memory/1924-125-0x0000000000AC0000-0x00000000011B6000-memory.dmp	themida
behavioral2/memory/1924-126-0x0000000000AC0000-0x00000000011B6000-memory.dmp	themida
behavioral2/memory/2596-128-0x0000000001330000-0x0000000001997000-memory.dmp	themida
behavioral2/memory/2596-129-0x0000000001330000-0x0000000001997000-memory.dmp	themida
behavioral2/memory/2596-130-0x0000000001330000-0x0000000001997000-memory.dmp	themida
behavioral2/memory/2596-131-0x0000000001330000-0x0000000001997000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
behavioral2/memory/740-140-0x0000000001210000-0x0000000001906000-memory.dmp	themida
behavioral2/memory/740-141-0x0000000001210000-0x0000000001906000-memory.dmp	themida
behavioral2/memory/740-142-0x0000000001210000-0x0000000001906000-memory.dmp	themida
behavioral2/memory/740-143-0x0000000001210000-0x0000000001906000-memory.dmp	themida

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RUNDLL32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

DpEditor.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NCH Sync Service = "C:\\Users\\Admin\\AppData\\Roaming\\NCH Software\\DrawPad\\DpEditor.exe"	DpEditor.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

napaea.exeoutwitvp.exeDpEditor.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	napaea.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	outwitvp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DpEditor.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

napaea.exeoutwitvp.exeDpEditor.exe

pid process

1924 napaea.exe
2596 outwitvp.exe
740 DpEditor.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

RUNDLL32.EXE

description pid process target process

PID 3804 set thread context of 3840 3804 RUNDLL32.EXE rundll32.exe

flow	ioc
8	ip-api.com

description	pid	process	target process
PID 3804 set thread context of 3840	3804	RUNDLL32.EXE	rundll32.exe

Drops file in Program Files directory 4 IoCs

Processes:

d3d0d747febe769eff3b01ddf5317fd1.exerundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	d3d0d747febe769eff3b01ddf5317fd1.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	d3d0d747febe769eff3b01ddf5317fd1.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	d3d0d747febe769eff3b01ddf5317fd1.exe
File created	C:\PROGRA~3\Hzxrf.tmp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1448 1312 WerFault.exe sdkwtddg.exe
2080 3804 WerFault.exe RUNDLL32.EXE

pid	pid_target	process	target process
1448	1312	WerFault.exe	sdkwtddg.exe
2080	3804	WerFault.exe	RUNDLL32.EXE

Checks processor information in registry 2 TTPs 49 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXERUNDLL32.EXEoutwitvp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	outwitvp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	outwitvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE

Modifies registry class 1 IoCs

Processes:

outwitvp.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings outwitvp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	outwitvp.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RUNDLL32.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\85937C1456C532E76A1E9560C51FC5A1B89609CC	RUNDLL32.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\85937C1456C532E76A1E9560C51FC5A1B89609CC\Blob = 03000000010000001400000085937c1456c532e76a1e9560c51fc5a1b89609cc20000000010000007a02000030820276308201dfa003020102020821c40b241a9171d0300d06092a864886f70d01010b050030613120301e06035504030c17446967694365727420476c7262616c20526f6f7420473231193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b3009060355040613025553301e170d3139313232313134333135305a170d3233313232303134333135305a30613120301e06035504030c17446967694365727420476c7262616c20526f6f7420473231193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100c278cf629e6d9c9faa87f0e2d11074c70003744f158c786801ee9e9660953e968f544e5cafc4b90e2abf32bfe960f3a0f6c03088de15a2ca408e98d1e8a7c6ff87d46f991b643d4529e82a7ea58ea8733c56fa0818daa26847819f62bbf117284823f929b905eb1edeb7e15bc9c319f36935f195b2526f6a669ff8f097a74aa90203010001a3373035300f0603551d130101ff040530030101ff30220603551d11041b30198217446967694365727420476c7262616c20526f6f74204732300d06092a864886f70d01010b05000381810065cbf0cd58674847b58ca627a6a3a9c156527e42c7e4bbb834810bf6f401bcd990b2f14eebfb3365492713cc19378ced5e399b51f68f54aabd89eabb647b7aefc22a7c483309c155c1585d4ef9a7afd39e1b8562efc7f458c3db828a06017f7d0e3b41a561ddd17299d9ced27cddf71d90325e59bdd87ca63be8e7f88f35648c	RUNDLL32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

DpEditor.exe

pid process

740 DpEditor.exe

pid	process
740	DpEditor.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

napaea.exeoutwitvp.exeDpEditor.exeWerFault.exeRUNDLL32.EXEpowershell.exeRUNDLL32.EXEWerFault.exepowershell.exepowershell.exe

pid	process
1924	napaea.exe
1924	napaea.exe
2596	outwitvp.exe
2596	outwitvp.exe
740	DpEditor.exe
740	DpEditor.exe
1448	WerFault.exe
1448	WerFault.exe
1448	WerFault.exe
1448	WerFault.exe
1448	WerFault.exe
1448	WerFault.exe
1448	WerFault.exe
1448	WerFault.exe
1448	WerFault.exe
1448	WerFault.exe
1448	WerFault.exe
1448	WerFault.exe
2152	RUNDLL32.EXE
2152	RUNDLL32.EXE
2152	RUNDLL32.EXE
2152	RUNDLL32.EXE
2152	RUNDLL32.EXE
2152	RUNDLL32.EXE
3640	powershell.exe
3640	powershell.exe
3640	powershell.exe
3804	RUNDLL32.EXE
3804	RUNDLL32.EXE
2080	WerFault.exe
2080	WerFault.exe
2080	WerFault.exe
2080	WerFault.exe
2080	WerFault.exe
2080	WerFault.exe
2080	WerFault.exe
2080	WerFault.exe
2080	WerFault.exe
2080	WerFault.exe
2080	WerFault.exe
2080	WerFault.exe
2080	WerFault.exe
428	powershell.exe
428	powershell.exe
428	powershell.exe
2152	RUNDLL32.EXE
2152	RUNDLL32.EXE
3168	powershell.exe
3168	powershell.exe
3168	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

WerFault.exepowershell.exeWerFault.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	1448	WerFault.exe
Token: SeBackupPrivilege	1448	WerFault.exe
Token: SeDebugPrivilege	1448	WerFault.exe
Token: SeDebugPrivilege	3640	powershell.exe
Token: SeDebugPrivilege	2080	WerFault.exe
Token: SeDebugPrivilege	2152	RUNDLL32.EXE
Token: SeDebugPrivilege	428	powershell.exe
Token: SeDebugPrivilege	3168	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

3840 rundll32.exe
2152 RUNDLL32.EXE

pid	process
3840	rundll32.exe
2152	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

d3d0d747febe769eff3b01ddf5317fd1.exeoutwitvp.exenapaea.exesdkwtddg.exerundll32.exeRUNDLL32.EXERUNDLL32.EXErundll32.exepowershell.exe

description	pid	process	target process
PID 2692 wrote to memory of 1924	2692	d3d0d747febe769eff3b01ddf5317fd1.exe	napaea.exe
PID 2692 wrote to memory of 1924	2692	d3d0d747febe769eff3b01ddf5317fd1.exe	napaea.exe
PID 2692 wrote to memory of 1924	2692	d3d0d747febe769eff3b01ddf5317fd1.exe	napaea.exe
PID 2692 wrote to memory of 2596	2692	d3d0d747febe769eff3b01ddf5317fd1.exe	outwitvp.exe
PID 2692 wrote to memory of 2596	2692	d3d0d747febe769eff3b01ddf5317fd1.exe	outwitvp.exe
PID 2692 wrote to memory of 2596	2692	d3d0d747febe769eff3b01ddf5317fd1.exe	outwitvp.exe
PID 2596 wrote to memory of 1312	2596	outwitvp.exe	sdkwtddg.exe
PID 2596 wrote to memory of 1312	2596	outwitvp.exe	sdkwtddg.exe
PID 2596 wrote to memory of 1312	2596	outwitvp.exe	sdkwtddg.exe
PID 2596 wrote to memory of 1944	2596	outwitvp.exe	WScript.exe
PID 2596 wrote to memory of 1944	2596	outwitvp.exe	WScript.exe
PID 2596 wrote to memory of 1944	2596	outwitvp.exe	WScript.exe
PID 1924 wrote to memory of 740	1924	napaea.exe	DpEditor.exe
PID 1924 wrote to memory of 740	1924	napaea.exe	DpEditor.exe
PID 1924 wrote to memory of 740	1924	napaea.exe	DpEditor.exe
PID 2596 wrote to memory of 3424	2596	outwitvp.exe	WScript.exe
PID 2596 wrote to memory of 3424	2596	outwitvp.exe	WScript.exe
PID 2596 wrote to memory of 3424	2596	outwitvp.exe	WScript.exe
PID 1312 wrote to memory of 936	1312	sdkwtddg.exe	rundll32.exe
PID 1312 wrote to memory of 936	1312	sdkwtddg.exe	rundll32.exe
PID 1312 wrote to memory of 936	1312	sdkwtddg.exe	rundll32.exe
PID 936 wrote to memory of 2152	936	rundll32.exe	RUNDLL32.EXE
PID 936 wrote to memory of 2152	936	rundll32.exe	RUNDLL32.EXE
PID 936 wrote to memory of 2152	936	rundll32.exe	RUNDLL32.EXE
PID 2152 wrote to memory of 3640	2152	RUNDLL32.EXE	powershell.exe
PID 2152 wrote to memory of 3640	2152	RUNDLL32.EXE	powershell.exe
PID 2152 wrote to memory of 3640	2152	RUNDLL32.EXE	powershell.exe
PID 2152 wrote to memory of 3804	2152	RUNDLL32.EXE	RUNDLL32.EXE
PID 2152 wrote to memory of 3804	2152	RUNDLL32.EXE	RUNDLL32.EXE
PID 2152 wrote to memory of 3804	2152	RUNDLL32.EXE	RUNDLL32.EXE
PID 3804 wrote to memory of 3840	3804	RUNDLL32.EXE	rundll32.exe
PID 3804 wrote to memory of 3840	3804	RUNDLL32.EXE	rundll32.exe
PID 3804 wrote to memory of 3840	3804	RUNDLL32.EXE	rundll32.exe
PID 2152 wrote to memory of 3416	2152	RUNDLL32.EXE	RUNDLL32.EXE
PID 2152 wrote to memory of 3416	2152	RUNDLL32.EXE	RUNDLL32.EXE
PID 2152 wrote to memory of 3416	2152	RUNDLL32.EXE	RUNDLL32.EXE
PID 3840 wrote to memory of 3152	3840	rundll32.exe	ctfmon.exe
PID 3840 wrote to memory of 3152	3840	rundll32.exe	ctfmon.exe
PID 2152 wrote to memory of 428	2152	RUNDLL32.EXE	powershell.exe
PID 2152 wrote to memory of 428	2152	RUNDLL32.EXE	powershell.exe
PID 2152 wrote to memory of 428	2152	RUNDLL32.EXE	powershell.exe
PID 2152 wrote to memory of 3168	2152	RUNDLL32.EXE	powershell.exe
PID 2152 wrote to memory of 3168	2152	RUNDLL32.EXE	powershell.exe
PID 2152 wrote to memory of 3168	2152	RUNDLL32.EXE	powershell.exe
PID 3168 wrote to memory of 864	3168	powershell.exe	nslookup.exe
PID 3168 wrote to memory of 864	3168	powershell.exe	nslookup.exe
PID 3168 wrote to memory of 864	3168	powershell.exe	nslookup.exe
PID 2152 wrote to memory of 3660	2152	RUNDLL32.EXE	schtasks.exe
PID 2152 wrote to memory of 3660	2152	RUNDLL32.EXE	schtasks.exe
PID 2152 wrote to memory of 3660	2152	RUNDLL32.EXE	schtasks.exe
PID 2152 wrote to memory of 1504	2152	RUNDLL32.EXE	schtasks.exe
PID 2152 wrote to memory of 1504	2152	RUNDLL32.EXE	schtasks.exe
PID 2152 wrote to memory of 1504	2152	RUNDLL32.EXE	schtasks.exe

outlook_office_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

outlook_win_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

C:\Users\Admin\AppData\Local\Temp\d3d0d747febe769eff3b01ddf5317fd1.exe
"C:\Users\Admin\AppData\Local\Temp\d3d0d747febe769eff3b01ddf5317fd1.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2692

C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exe
"C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1924

C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:740

C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe
"C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2596

C:\Users\Admin\AppData\Local\Temp\sdkwtddg.exe
"C:\Users\Admin\AppData\Local\Temp\sdkwtddg.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\SDKWTD~1.DLL,s C:\Users\Admin\AppData\Local\Temp\sdkwtddg.exe
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\SDKWTD~1.DLL,DQEMQmhHUg==
5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2152

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\SDKWTD~1.DLL
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\SDKWTD~1.DLL,KBEWWFNtcQ==
6⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3804

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 27571
7⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3840

C:\Windows\system32\ctfmon.exe
ctfmon.exe
8⤵
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 776
7⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll,Start
6⤵
- Loads dropped DLL
PID:3416

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpC4E4.tmp.ps1"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp198D.tmp.ps1"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3168

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
7⤵
PID:864

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
6⤵
PID:3660

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
6⤵
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 576
4⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\nxodlua.vbs"
3⤵
PID:1944

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\djbtnpxyje.vbs"
3⤵
- Blocklisted process makes network request
PID:3424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Hzxrf.tmp
MD5
39070cc4669f0ee906b40edfe9218912

SHA1
c793849506cb1ff00fb6cb2e82889f86f39be0d4

SHA256
c197d6464af02ea75a481c6eb309aab6409ff1cba3505b077e0f785b7594b1bb

SHA512
e98e5b079770713ffdec033a121d7df64e3e31b2c8f9356ce700d03e3ad5fe288d94c5ef9ad33b8a08e99bd2e127467fda7d09831d294f8757b93a72d84562e7

Download Submit
C:\PROGRA~3\Hzxrf.tmp
MD5
098da3eb2479e1110ff8b6a77447f0c7

SHA1
79e0a6044ddac5044c269850b92473b2fec84df1

SHA256
2c145e554e3ea3a621eae2fb19c91ea8fbb580c7b8ca991f73eb99602c12b9c9

SHA512
fe223fe977a64f07a572f8023587a23a8502b897ace9253c0e7cb9c437ca20d031a82487c26ad76b57ac52466a574d50d15463444fc8b1293c171fb1d16d8a3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
88e4c7df81b9505ac1f26d2fc5133b80

SHA1
4252d2185bc7fc688ec3eec396a0039252515426

SHA256
4fc10c18153dc86c325b1cd3146c09a90057548e8c0f177941c8dc446c7a3cbe

SHA512
7ddfed5eff4d004563bcd301dfa1c1e0d9fceb3ce1f0d7a15d6a936f9d59660e4463ca34ea9f1533ee536429c068b1e439f6f0ccf33ad526a56915e223b47f5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
f7a808b5711f58fb4f85476c1bb24ac3

SHA1
fbdf9670d622e8fc3446ad4f53fbbd83016f03d1

SHA256
de4aadfe00c4cf41434a12450cdc69d37cb2d9cec951b074c3b5e7bfce9e94ec

SHA512
866848d13e999e6a1a79d77c33adb642d78d0a11adee293fca411b4ed5f7bf85324f90b3031148a66ac10dccc577d3c2a7c1ab6ed4237360de9911c27516a5af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0f8c5ec2bc6789e30b2697c7fe487a8f

SHA1
473b50d935f68bc401f1809b670d1bdb4dd6c986

SHA256
8db9186afed8a752a7b9a116b2dae679373c06a35ef7fb8cde5ca653b7733310

SHA512
4c22c93ce4db8639cbc24f77339fff0a7d573578d270a710d7adda92b6f869b8da53b918c64215df1a5154eae3457e215101699745bc09f5fda827382dced24d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
dc75f5eed878c7903efbbf5fdfa1ce55

SHA1
ee18c7b8a7c93581982b55f4d9e8d82917ce0fc6

SHA256
20e3420ac418352cdac8b6c95e89a7cb4eb9fb2b24e24973a9266aae22afe608

SHA512
8be43398a803c6ac14e779220effc400ac0fe4b96a5f2d66948f178fd0ae559303113aca8e1aa81fa2d42faf1058ba51490c2c9144d4f2787f45cef2086b7746

Download Submit
C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca

SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde

SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce

SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

Download Submit
C:\Users\Admin\AppData\Local\Temp\SDKWTD~1.DLL
MD5
7101221de9839b5dd1344643ab8e54c0

SHA1
7d7a32330e01ac07f462a2aae0a25e73935a99df

SHA256
0f092ba67d5a07a33878965f9795dfc477ed1dfdb0892b93471d8ca914a008e9

SHA512
a88db53a912ec3cc1d03941492b35a24c847165e4b1edf0dffcc7e547de298cf2a0056863f7f0ee3163d7bd461cd1eaffbd7d2cc6c3496302f02a301f88a7c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\djbtnpxyje.vbs
MD5
6141260687282373ed239b6a1c52c569

SHA1
58c7d712bfec9af3f584f56648d7d085d0376de2

SHA256
f93d1677185edd17199ebe94c62629df4be2cf80486a14dbd72190297a2f630c

SHA512
64a818804d2ef6219555fe4a9dcffaf50e91dc38c75b37fb59621fc38ff5b07c7c0a0339bfe42e14e4becfe429e22a5e78fd8f818508e574adb228239af9e22a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nxodlua.vbs
MD5
39e73cd63cd1e36170c4e4924b32c0b8

SHA1
d1d80b4bfed26eba83140bff4cf6faf8d5d04975

SHA256
652a7f226c88a9b532411adb12b893630e5dd4588f156450af0fff6188fdd5ba

SHA512
a3c94fed527da337748faaf489fc4d489cff9db967520acbae34b534ec913895255c08eeb93ff1aaa8c4eaaad772c38988dab5d84679bc9b52aa9def0d2a0402

Download Submit
C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exe
MD5
af36c20219a8f5fa58d205a9e5db1cc1

SHA1
17356b91dd8292bddea7300c3a9fc1a98fccd11f

SHA256
3276687dad3c0a8d82bd752b2591c7d0b89c823a2e9761b4db8c95e9cd842f81

SHA512
443ba7a6c07ee2076f823a5a70ef6dffb60e5f36dc413672f8194e6e46abcb47dc364812f2b2b76e1da914e8d64322111cc78e7875608c205a5331302ecc1e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\patwin\napaea.exe
MD5
af36c20219a8f5fa58d205a9e5db1cc1

SHA1
17356b91dd8292bddea7300c3a9fc1a98fccd11f

SHA256
3276687dad3c0a8d82bd752b2591c7d0b89c823a2e9761b4db8c95e9cd842f81

SHA512
443ba7a6c07ee2076f823a5a70ef6dffb60e5f36dc413672f8194e6e46abcb47dc364812f2b2b76e1da914e8d64322111cc78e7875608c205a5331302ecc1e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe
MD5
9baf6cadcbff7a3b885e589d411f8e8a

SHA1
35af631df140d421c0e0d012cbb3a63198e02b9b

SHA256
c0d120c7cd7b3932c62fa85150cb19656fc5801fbc662ac184b283c45e40566b

SHA512
72548c529695d15e4915808261b176cf28eb1ef56f569b38128a2984216013f9793ac31a1a7b156be0386621c26698a1a424e02bd6ffd8d17e9795e71c9b2ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\patwin\outwitvp.exe
MD5
9baf6cadcbff7a3b885e589d411f8e8a

SHA1
35af631df140d421c0e0d012cbb3a63198e02b9b

SHA256
c0d120c7cd7b3932c62fa85150cb19656fc5801fbc662ac184b283c45e40566b

SHA512
72548c529695d15e4915808261b176cf28eb1ef56f569b38128a2984216013f9793ac31a1a7b156be0386621c26698a1a424e02bd6ffd8d17e9795e71c9b2ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdkwtddg.exe
MD5
9bc77053fcddc327ccaa4dc042d75f59

SHA1
5d758c777e95d552ed2df0d689fd770023867661

SHA256
83d28c6d02718741f6282c3c9a83c89d1013f8d174d6cb58631c3c9de2c8770d

SHA512
5e34ddff62702576a8a7a4c9c58e3097eda9cdd664ecc00a6208ff2abe7e3d31380251573d321a41cc36b4c4efd6468affdda8222318ff39b68ff41d49f6963a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdkwtddg.exe
MD5
9bc77053fcddc327ccaa4dc042d75f59

SHA1
5d758c777e95d552ed2df0d689fd770023867661

SHA256
83d28c6d02718741f6282c3c9a83c89d1013f8d174d6cb58631c3c9de2c8770d

SHA512
5e34ddff62702576a8a7a4c9c58e3097eda9cdd664ecc00a6208ff2abe7e3d31380251573d321a41cc36b4c4efd6468affdda8222318ff39b68ff41d49f6963a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp198D.tmp.ps1
MD5
b94f865e14384f0e2eb9e62247208fe5

SHA1
f31c6fd0f43b19f585484615bbfaa7d563edf676

SHA256
b512bd1fad5879018a439a898ae59a2b7261f82a1250da7c42601f94791e6eaa

SHA512
00f637404c80a083113360c5a858c9285b5a33cb8f993410293344ccc62036ecebfff4ebe83b26fda3ea14795360fc3f9c6a159a7e0a450a27b84f396328a8d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp198E.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC4E4.tmp.ps1
MD5
9f5af7637fa0d82b7b231f9e0c7de7a0

SHA1
c2e4ed559cf4b2d6d6a179c45766ccd9a9fc3ba6

SHA256
cdc653c1b0f5027e55c4c53c86db3e3af807f5b607168a10bf83a392a9ba9ad2

SHA512
c1f928de1479c44595ca125557702bf0f7d38944465a228b1f6a1ced81fa6388b026d2fe66407701a767f714dfb9e6102de6d2496d3eea410fc33cb2d275fab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC4E5.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
af36c20219a8f5fa58d205a9e5db1cc1

SHA1
17356b91dd8292bddea7300c3a9fc1a98fccd11f

SHA256
3276687dad3c0a8d82bd752b2591c7d0b89c823a2e9761b4db8c95e9cd842f81

SHA512
443ba7a6c07ee2076f823a5a70ef6dffb60e5f36dc413672f8194e6e46abcb47dc364812f2b2b76e1da914e8d64322111cc78e7875608c205a5331302ecc1e4e

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
MD5
af36c20219a8f5fa58d205a9e5db1cc1

SHA1
17356b91dd8292bddea7300c3a9fc1a98fccd11f

SHA256
3276687dad3c0a8d82bd752b2591c7d0b89c823a2e9761b4db8c95e9cd842f81

SHA512
443ba7a6c07ee2076f823a5a70ef6dffb60e5f36dc413672f8194e6e46abcb47dc364812f2b2b76e1da914e8d64322111cc78e7875608c205a5331302ecc1e4e

Download Submit
\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca

SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde

SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce

SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

Download Submit
\Users\Admin\AppData\Local\Temp\SDKWTD~1.DLL
MD5
7101221de9839b5dd1344643ab8e54c0

SHA1
7d7a32330e01ac07f462a2aae0a25e73935a99df

SHA256
0f092ba67d5a07a33878965f9795dfc477ed1dfdb0892b93471d8ca914a008e9

SHA512
a88db53a912ec3cc1d03941492b35a24c847165e4b1edf0dffcc7e547de298cf2a0056863f7f0ee3163d7bd461cd1eaffbd7d2cc6c3496302f02a301f88a7c16

Download Submit
\Users\Admin\AppData\Local\Temp\SDKWTD~1.DLL
MD5
7101221de9839b5dd1344643ab8e54c0

SHA1
7d7a32330e01ac07f462a2aae0a25e73935a99df

SHA256
0f092ba67d5a07a33878965f9795dfc477ed1dfdb0892b93471d8ca914a008e9

SHA512
a88db53a912ec3cc1d03941492b35a24c847165e4b1edf0dffcc7e547de298cf2a0056863f7f0ee3163d7bd461cd1eaffbd7d2cc6c3496302f02a301f88a7c16

Download Submit
\Users\Admin\AppData\Local\Temp\SDKWTD~1.DLL
MD5
7101221de9839b5dd1344643ab8e54c0

SHA1
7d7a32330e01ac07f462a2aae0a25e73935a99df

SHA256
0f092ba67d5a07a33878965f9795dfc477ed1dfdb0892b93471d8ca914a008e9

SHA512
a88db53a912ec3cc1d03941492b35a24c847165e4b1edf0dffcc7e547de298cf2a0056863f7f0ee3163d7bd461cd1eaffbd7d2cc6c3496302f02a301f88a7c16

Download Submit
\Users\Admin\AppData\Local\Temp\nsa1049.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/428-253-0x0000000007032000-0x0000000007033000-memory.dmp

Filesize
4KB

Download
memory/428-338-0x0000000007033000-0x0000000007034000-memory.dmp

Filesize
4KB

Download
memory/428-223-0x0000000000000000-mapping.dmp

Download
memory/428-251-0x0000000007030000-0x0000000007031000-memory.dmp

Filesize
4KB

Download
memory/740-141-0x0000000001210000-0x0000000001906000-memory.dmp

Filesize
7.0MB

Download
memory/740-140-0x0000000001210000-0x0000000001906000-memory.dmp

Filesize
7.0MB

Download
memory/740-137-0x0000000000000000-mapping.dmp

Download
memory/740-143-0x0000000001210000-0x0000000001906000-memory.dmp

Filesize
7.0MB

Download
memory/740-142-0x0000000001210000-0x0000000001906000-memory.dmp

Filesize
7.0MB

Download
memory/740-144-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/864-487-0x0000000000000000-mapping.dmp

Download
memory/936-152-0x0000000000000000-mapping.dmp

Download
memory/936-155-0x0000000005011000-0x0000000005FF5000-memory.dmp

Filesize
15.9MB

Download
memory/936-156-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/1312-146-0x0000000002450000-0x00000000025F5000-memory.dmp

Filesize
1.6MB

Download
memory/1312-147-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/1312-132-0x0000000000000000-mapping.dmp

Download
memory/1312-145-0x00000000022B2000-0x0000000002440000-memory.dmp

Filesize
1.6MB

Download
memory/1504-492-0x0000000000000000-mapping.dmp

Download
memory/1924-124-0x0000000000AC0000-0x00000000011B6000-memory.dmp

Filesize
7.0MB

Download
memory/1924-125-0x0000000000AC0000-0x00000000011B6000-memory.dmp

Filesize
7.0MB

Download
memory/1924-116-0x0000000000000000-mapping.dmp

Download
memory/1924-122-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/1924-123-0x0000000000AC0000-0x00000000011B6000-memory.dmp

Filesize
7.0MB

Download
memory/1924-126-0x0000000000AC0000-0x00000000011B6000-memory.dmp

Filesize
7.0MB

Download
memory/1944-135-0x0000000000000000-mapping.dmp

Download
memory/2152-160-0x0000000005161000-0x0000000006145000-memory.dmp

Filesize
15.9MB

Download
memory/2152-161-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/2152-157-0x0000000000000000-mapping.dmp

Download
memory/2596-131-0x0000000001330000-0x0000000001997000-memory.dmp

Filesize
6.4MB

Download
memory/2596-127-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/2596-128-0x0000000001330000-0x0000000001997000-memory.dmp

Filesize
6.4MB

Download
memory/2596-129-0x0000000001330000-0x0000000001997000-memory.dmp

Filesize
6.4MB

Download
memory/2596-119-0x0000000000000000-mapping.dmp

Download
memory/2596-130-0x0000000001330000-0x0000000001997000-memory.dmp

Filesize
6.4MB

Download
memory/3152-203-0x0000000000000000-mapping.dmp

Download
memory/3168-490-0x0000000004A23000-0x0000000004A24000-memory.dmp

Filesize
4KB

Download
memory/3168-470-0x0000000004A22000-0x0000000004A23000-memory.dmp

Filesize
4KB

Download
memory/3168-468-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/3168-461-0x0000000000000000-mapping.dmp

Download
memory/3416-200-0x0000000000000000-mapping.dmp

Download
memory/3424-148-0x0000000000000000-mapping.dmp

Download
memory/3640-210-0x0000000009730000-0x0000000009763000-memory.dmp

Filesize
204KB

Download
memory/3640-174-0x00000000081D0000-0x00000000081D1000-memory.dmp

Filesize
4KB

Download
memory/3640-162-0x0000000000000000-mapping.dmp

Download
memory/3640-165-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/3640-166-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/3640-167-0x00000000070B0000-0x00000000070B1000-memory.dmp

Filesize
4KB

Download
memory/3640-168-0x0000000007740000-0x0000000007741000-memory.dmp

Filesize
4KB

Download
memory/3640-170-0x0000000007102000-0x0000000007103000-memory.dmp

Filesize
4KB

Download
memory/3640-179-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/3640-177-0x0000000008940000-0x0000000008941000-memory.dmp

Filesize
4KB

Download
memory/3640-176-0x00000000088F0000-0x00000000088F1000-memory.dmp

Filesize
4KB

Download
memory/3640-169-0x0000000007100000-0x0000000007101000-memory.dmp

Filesize
4KB

Download
memory/3640-171-0x00000000076E0000-0x00000000076E1000-memory.dmp

Filesize
4KB

Download
memory/3640-209-0x000000007EE60000-0x000000007EE61000-memory.dmp

Filesize
4KB

Download
memory/3640-172-0x0000000007EE0000-0x0000000007EE1000-memory.dmp

Filesize
4KB

Download
memory/3640-217-0x0000000007410000-0x0000000007411000-memory.dmp

Filesize
4KB

Download
memory/3640-222-0x0000000009860000-0x0000000009861000-memory.dmp

Filesize
4KB

Download
memory/3640-175-0x0000000008560000-0x0000000008561000-memory.dmp

Filesize
4KB

Download
memory/3640-227-0x0000000007103000-0x0000000007104000-memory.dmp

Filesize
4KB

Download
memory/3640-173-0x0000000008160000-0x0000000008161000-memory.dmp

Filesize
4KB

Download
memory/3660-491-0x0000000000000000-mapping.dmp

Download
memory/3804-163-0x0000000000000000-mapping.dmp

Download
memory/3804-191-0x0000000006340000-0x0000000006341000-memory.dmp

Filesize
4KB

Download
memory/3804-184-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/3804-189-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/3804-192-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/3804-187-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/3804-181-0x0000000005081000-0x0000000006065000-memory.dmp

Filesize
15.9MB

Download
memory/3804-186-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/3804-190-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/3804-193-0x0000000006130000-0x0000000006270000-memory.dmp

Filesize
1.2MB

Download
memory/3804-185-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/3840-196-0x0000017F9CEF0000-0x0000017F9CEF2000-memory.dmp

Filesize
8KB

Download
memory/3840-194-0x00007FF7E23E5FD0-mapping.dmp

Download
memory/3840-207-0x0000017F9D220000-0x0000017F9D3D2000-memory.dmp

Filesize
1.7MB

Download
memory/3840-197-0x0000017F9CEF0000-0x0000017F9CEF2000-memory.dmp

Filesize
8KB

Download
memory/3840-206-0x0000000000D70000-0x0000000000F10000-memory.dmp

Filesize
1.6MB

Download