arkei | e461fe15f9e582be71695a8a52439cc93c6c68b5168f527ffd28f2c62236f46f

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
18-02-2022 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01b31a5b16aa19085e8182dab279ddf8.exe
Size

330KB
MD5

01b31a5b16aa19085e8182dab279ddf8
SHA1

005fed815cef211835a93b94b0185bd6abe98db4
SHA256

e461fe15f9e582be71695a8a52439cc93c6c68b5168f527ffd28f2c62236f46f
SHA512

2cb4a021438356173ea8d680ba3aec8af167fdb76b5bdf694579f5a4870119152cacfbdde9652211a6258179abe8ac448fd26e8aa36afda314afbad3376c71a4

Score

10^/10

arkei icedid smokeloader warzonerat 1860595763 backdoor banker collection discovery evasion infostealer rat spyware stealer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://dollybuster.at/upload/

http://spaldingcompanies.com/upload/

http://remik-franchise.ru/upload/

http://fennsports.com/upload/

http://am1420wbec.com/upload/

http://islamic-city.com/upload/

http://egsagl.com/upload/

http://mordo.ru/upload/

http://piratia-life.ru/upload/

https://oakland-studio.video/search.php

https://seattle-university.video/search.php

http://statssblogsta.in/stat/

http://statssblogsta.com/stat/

rc4.i32

Extracted

Family

icedid

Campaign

1860595763

badgoodreason.com

Extracted

Family

warzonerat

193.203.203.96:5200

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 2084 created 1780	2084	WerFault.exe	explorer.exe
PID 3932 created 3652	3932	WerFault.exe	7D7.exe
PID 2360 created 2568	2360	WerFault.exe	explorer.exe
PID 1264 created 2652	1264	WerFault.exe	DllHost.exe
PID 2868 created 3392	2868	WerFault.exe	DllHost.exe
PID 3652 created 2272	3652	WerFault.exe	DllHost.exe
PID 1936 created 2224	1936	WerFault.exe	DllHost.exe
PID 552 created 1060	552	WerFault.exe	winint.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
suricata
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
suricata
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3652-185-0x0000000000960000-0x000000000097E000-memory.dmp	warzonerat
behavioral2/memory/3652-186-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/1060-202-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

1229.exe2F76.exe45BE.exeAD24.exe7D7.exewinint.exe

pid process

2192 1229.exe
4032 2F76.exe
2532 45BE.exe
2928 AD24.exe
3652 7D7.exe
1060 winint.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
2192	1229.exe
4032	2F76.exe
2532	45BE.exe
2928	AD24.exe
3652	7D7.exe
1060	winint.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

45BE.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	45BE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	45BE.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

45BE.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation 45BE.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	45BE.exe

Loads dropped DLL 11 IoCs

Processes:

45BE.exewinint.exe

pid	process
2532	45BE.exe
2532	45BE.exe
2532	45BE.exe
1060	winint.exe
1060	winint.exe
1060	winint.exe
1060	winint.exe
1060	winint.exe
1060	winint.exe
1060	winint.exe
1060	winint.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

winint.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	winint.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	winint.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

45BE.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 45BE.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

45BE.exe

pid process

2532 45BE.exe
2532 45BE.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	45BE.exe

Drops file in Windows directory 3 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2916	1780	WerFault.exe	explorer.exe
2612	3652	WerFault.exe	7D7.exe
3652	2568	WerFault.exe	explorer.exe
2272	2652	WerFault.exe	DllHost.exe
1936	3392	WerFault.exe	DllHost.exe
316	2272	WerFault.exe	DllHost.exe
1100	2224	WerFault.exe	DllHost.exe
1444	1060	WerFault.exe	winint.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1229.exeAD24.exe01b31a5b16aa19085e8182dab279ddf8.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1229.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AD24.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1229.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AD24.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AD24.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	01b31a5b16aa19085e8182dab279ddf8.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	01b31a5b16aa19085e8182dab279ddf8.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	01b31a5b16aa19085e8182dab279ddf8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1229.exe

Checks processor information in registry 2 TTPs 28 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe45BE.exeWerFault.exeWerFault.exeWerFault.exeMusNotifyIcon.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	45BE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	45BE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

808 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2988 tasklist.exe

pid	process
808	timeout.exe

pid	process
2988	tasklist.exe

Enumerates system info in registry 2 TTPs 16 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeNETSTAT.EXENETSTAT.EXEipconfig.exe

pid process

1672 ipconfig.exe
112 NETSTAT.EXE
3640 NETSTAT.EXE
1148 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

3132 systeminfo.exe

pid	process
1672	ipconfig.exe
112	NETSTAT.EXE
3640	NETSTAT.EXE
1148	ipconfig.exe

pid	process
3132	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C4F193FA-90EE-11EC-82D0-5ECADF14C037} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cce5a29beacafa47833fc2d72883fdda00000000020000000000106600000001000020000000f2c7bd5eeaa36bae0dac172eff52917da119009c2c66ca6e3d31de6a42ae97d8000000000e8000000002000020000000e756d94fcd8012e7969c653e872e6128ae67f7a35cd3e8a82aeef3df108869922000000008430a2383323e34c568ba984fc0388fd8aff0d9bcc4fe46f73b2d1be235c2ff40000000241aee107480d1df5a785ba97d9af65f088e1d4e994626b1779277ea332f7eed483092d190b79a148a3f4bb13f6ae8d3235bb67b0153b776c9527ce545656c66	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2578043622"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30942459"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2590231693"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30942459"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2578043622"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30942459"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cce5a29beacafa47833fc2d72883fdda00000000020000000000106600000001000020000000bab2c260ca73bc79f624c7dd33fe217f8c78a33a442ba36ec654b7a5518d68ac000000000e8000000002000020000000287e6c81f6c4075a17e930e47aac22c169a356c1580f6bfdd91a6610b3f5624a200000008eec1037b3291883e03946c3072465b4a655188b425f7f3d95edd14a637b5d7940000000eaafe60602f7e8b0db62375ed354568ab75dc3e2981dd59c32bed0412f97afe9332b0ae9cc4ea3f3cf5409ff7b49e98f2e1c2a46526100fd5ae3dc5db5ece005	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0850d9dfb24d801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c022179dfb24d801	iexplore.exe

Modifies data under HKEY_USERS 55 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "90228624"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.006542"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4364"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4028"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "11.537962"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132898578845422097"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "10.714565"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "1157726"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "4"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4156"	svchost.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

01b31a5b16aa19085e8182dab279ddf8.exe

pid	process
336	01b31a5b16aa19085e8182dab279ddf8.exe
336	01b31a5b16aa19085e8182dab279ddf8.exe
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2364

pid	process
2364

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

01b31a5b16aa19085e8182dab279ddf8.exe1229.exeAD24.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
336	01b31a5b16aa19085e8182dab279ddf8.exe
2192	1229.exe
2928	AD24.exe
2364
2364
2364
2364
2364
2364
2364
2364
2364
2364
760	explorer.exe
760	explorer.exe
2364
2364
3488	explorer.exe
3488	explorer.exe
2364
2364
2900	explorer.exe
2900	explorer.exe
2364
2364
3132	explorer.exe
3132	explorer.exe
2364
2364
1856	explorer.exe
1856	explorer.exe
2364
2364
2364
2364
1972	explorer.exe
1972	explorer.exe
2364
2364
2364
2364
2364
2364
2120	explorer.exe
2120	explorer.exe
2364
2364
2364
2364
3328	explorer.exe
3328	explorer.exe
2364
2364
2364
2364
2436	explorer.exe
2436	explorer.exe
2364
2364
2364
2364
3692	explorer.exe
3692	explorer.exe
2364

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

TiWorker.exe

description	pid	process
Token: SeSecurityPrivilege	2964	TiWorker.exe
Token: SeRestorePrivilege	2964	TiWorker.exe
Token: SeBackupPrivilege	2964	TiWorker.exe
Token: SeBackupPrivilege	2964	TiWorker.exe
Token: SeRestorePrivilege	2964	TiWorker.exe
Token: SeSecurityPrivilege	2964	TiWorker.exe
Token: SeBackupPrivilege	2964	TiWorker.exe
Token: SeRestorePrivilege	2964	TiWorker.exe
Token: SeSecurityPrivilege	2964	TiWorker.exe
Token: SeBackupPrivilege	2964	TiWorker.exe
Token: SeRestorePrivilege	2964	TiWorker.exe
Token: SeSecurityPrivilege	2964	TiWorker.exe
Token: SeBackupPrivilege	2964	TiWorker.exe
Token: SeRestorePrivilege	2964	TiWorker.exe
Token: SeSecurityPrivilege	2964	TiWorker.exe
Token: SeBackupPrivilege	2964	TiWorker.exe
Token: SeRestorePrivilege	2964	TiWorker.exe
Token: SeSecurityPrivilege	2964	TiWorker.exe
Token: SeBackupPrivilege	2964	TiWorker.exe
Token: SeRestorePrivilege	2964	TiWorker.exe
Token: SeSecurityPrivilege	2964	TiWorker.exe
Token: SeBackupPrivilege	2964	TiWorker.exe
Token: SeRestorePrivilege	2964	TiWorker.exe
Token: SeSecurityPrivilege	2964	TiWorker.exe
Token: SeBackupPrivilege	2964	TiWorker.exe
Token: SeRestorePrivilege	2964	TiWorker.exe
Token: SeSecurityPrivilege	2964	TiWorker.exe
Token: SeBackupPrivilege	2964	TiWorker.exe
Token: SeRestorePrivilege	2964	TiWorker.exe
Token: SeSecurityPrivilege	2964	TiWorker.exe
Token: SeBackupPrivilege	2964	TiWorker.exe
Token: SeRestorePrivilege	2964	TiWorker.exe
Token: SeSecurityPrivilege	2964	TiWorker.exe
Token: SeBackupPrivilege	2964	TiWorker.exe
Token: SeRestorePrivilege	2964	TiWorker.exe
Token: SeSecurityPrivilege	2964	TiWorker.exe
Token: SeBackupPrivilege	2964	TiWorker.exe
Token: SeRestorePrivilege	2964	TiWorker.exe
Token: SeSecurityPrivilege	2964	TiWorker.exe
Token: SeBackupPrivilege	2964	TiWorker.exe
Token: SeRestorePrivilege	2964	TiWorker.exe
Token: SeSecurityPrivilege	2964	TiWorker.exe
Token: SeBackupPrivilege	2964	TiWorker.exe
Token: SeRestorePrivilege	2964	TiWorker.exe
Token: SeSecurityPrivilege	2964	TiWorker.exe
Token: SeBackupPrivilege	2964	TiWorker.exe
Token: SeRestorePrivilege	2964	TiWorker.exe
Token: SeSecurityPrivilege	2964	TiWorker.exe
Token: SeBackupPrivilege	2964	TiWorker.exe
Token: SeRestorePrivilege	2964	TiWorker.exe
Token: SeSecurityPrivilege	2964	TiWorker.exe
Token: SeBackupPrivilege	2964	TiWorker.exe
Token: SeRestorePrivilege	2964	TiWorker.exe
Token: SeSecurityPrivilege	2964	TiWorker.exe
Token: SeBackupPrivilege	2964	TiWorker.exe
Token: SeRestorePrivilege	2964	TiWorker.exe
Token: SeSecurityPrivilege	2964	TiWorker.exe
Token: SeBackupPrivilege	2964	TiWorker.exe
Token: SeRestorePrivilege	2964	TiWorker.exe
Token: SeSecurityPrivilege	2964	TiWorker.exe
Token: SeBackupPrivilege	2964	TiWorker.exe
Token: SeRestorePrivilege	2964	TiWorker.exe
Token: SeSecurityPrivilege	2964	TiWorker.exe
Token: SeBackupPrivilege	2964	TiWorker.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3856 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3856 iexplore.exe
3856 iexplore.exe
1652 IEXPLORE.EXE
1652 IEXPLORE.EXE

pid	process
3856	iexplore.exe

pid	process
3856	iexplore.exe
3856	iexplore.exe
1652	IEXPLORE.EXE
1652	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exe45BE.execmd.exenet.exenet.exe

description	pid	process	target process
PID 2364 wrote to memory of 2192	2364		1229.exe
PID 2364 wrote to memory of 2192	2364		1229.exe
PID 2364 wrote to memory of 2192	2364		1229.exe
PID 2364 wrote to memory of 4032	2364		2F76.exe
PID 2364 wrote to memory of 4032	2364		2F76.exe
PID 2364 wrote to memory of 2532	2364		45BE.exe
PID 2364 wrote to memory of 2532	2364		45BE.exe
PID 2364 wrote to memory of 2532	2364		45BE.exe
PID 2364 wrote to memory of 2664	2364		cmd.exe
PID 2364 wrote to memory of 2664	2364		cmd.exe
PID 2664 wrote to memory of 3792	2664	cmd.exe	WMIC.exe
PID 2664 wrote to memory of 3792	2664	cmd.exe	WMIC.exe
PID 2532 wrote to memory of 4080	2532	45BE.exe	cmd.exe
PID 2532 wrote to memory of 4080	2532	45BE.exe	cmd.exe
PID 2532 wrote to memory of 4080	2532	45BE.exe	cmd.exe
PID 4080 wrote to memory of 808	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 808	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 808	4080	cmd.exe	timeout.exe
PID 2664 wrote to memory of 1836	2664	cmd.exe	WMIC.exe
PID 2664 wrote to memory of 1836	2664	cmd.exe	WMIC.exe
PID 2664 wrote to memory of 3800	2664	cmd.exe	WMIC.exe
PID 2664 wrote to memory of 3800	2664	cmd.exe	WMIC.exe
PID 2664 wrote to memory of 1224	2664	cmd.exe	WMIC.exe
PID 2664 wrote to memory of 1224	2664	cmd.exe	WMIC.exe
PID 2664 wrote to memory of 1284	2664	cmd.exe	WMIC.exe
PID 2664 wrote to memory of 1284	2664	cmd.exe	WMIC.exe
PID 2664 wrote to memory of 228	2664	cmd.exe	WMIC.exe
PID 2664 wrote to memory of 228	2664	cmd.exe	WMIC.exe
PID 2664 wrote to memory of 1808	2664	cmd.exe	WMIC.exe
PID 2664 wrote to memory of 1808	2664	cmd.exe	WMIC.exe
PID 2664 wrote to memory of 3984	2664	cmd.exe	WMIC.exe
PID 2664 wrote to memory of 3984	2664	cmd.exe	WMIC.exe
PID 2664 wrote to memory of 2948	2664	cmd.exe	WMIC.exe
PID 2664 wrote to memory of 2948	2664	cmd.exe	WMIC.exe
PID 2664 wrote to memory of 3432	2664	cmd.exe	WMIC.exe
PID 2664 wrote to memory of 3432	2664	cmd.exe	WMIC.exe
PID 2364 wrote to memory of 2928	2364		AD24.exe
PID 2364 wrote to memory of 2928	2364		AD24.exe
PID 2364 wrote to memory of 2928	2364		AD24.exe
PID 2664 wrote to memory of 2352	2664	cmd.exe	WMIC.exe
PID 2664 wrote to memory of 2352	2664	cmd.exe	WMIC.exe
PID 2664 wrote to memory of 372	2664	cmd.exe	WMIC.exe
PID 2664 wrote to memory of 372	2664	cmd.exe	WMIC.exe
PID 2664 wrote to memory of 1216	2664	cmd.exe	WMIC.exe
PID 2664 wrote to memory of 1216	2664	cmd.exe	WMIC.exe
PID 2664 wrote to memory of 3220	2664	cmd.exe	WMIC.exe
PID 2664 wrote to memory of 3220	2664	cmd.exe	WMIC.exe
PID 2664 wrote to memory of 1672	2664	cmd.exe	ipconfig.exe
PID 2664 wrote to memory of 1672	2664	cmd.exe	ipconfig.exe
PID 2664 wrote to memory of 1292	2664	cmd.exe	ROUTE.EXE
PID 2664 wrote to memory of 1292	2664	cmd.exe	ROUTE.EXE
PID 2664 wrote to memory of 2996	2664	cmd.exe	netsh.exe
PID 2664 wrote to memory of 2996	2664	cmd.exe	netsh.exe
PID 2664 wrote to memory of 3132	2664	cmd.exe	systeminfo.exe
PID 2664 wrote to memory of 3132	2664	cmd.exe	systeminfo.exe
PID 2664 wrote to memory of 2988	2664	cmd.exe	tasklist.exe
PID 2664 wrote to memory of 2988	2664	cmd.exe	tasklist.exe
PID 2664 wrote to memory of 2344	2664	cmd.exe	net.exe
PID 2664 wrote to memory of 2344	2664	cmd.exe	net.exe
PID 2344 wrote to memory of 1276	2344	net.exe	net1.exe
PID 2344 wrote to memory of 1276	2344	net.exe	net1.exe
PID 2664 wrote to memory of 3336	2664	cmd.exe	net.exe
PID 2664 wrote to memory of 3336	2664	cmd.exe	net.exe
PID 3336 wrote to memory of 3604	3336	net.exe	net1.exe

outlook_office_path 1 IoCs

Processes:

winint.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	winint.exe

outlook_win_path 1 IoCs

Processes:

winint.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	winint.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2160

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2140

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2456

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2652
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2652 -s 1004
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:2272

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2828

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3000

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2204

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3676

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3616

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\01b31a5b16aa19085e8182dab279ddf8.exe
"C:\Users\Admin\AppData\Local\Temp\01b31a5b16aa19085e8182dab279ddf8.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:336

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:1600

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2660

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Users\Admin\AppData\Local\Temp\1229.exe
C:\Users\Admin\AppData\Local\Temp\1229.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2192

C:\Users\Admin\AppData\Local\Temp\2F76.exe
C:\Users\Admin\AppData\Local\Temp\2F76.exe
1⤵
- Executes dropped EXE
PID:4032

C:\Users\Admin\AppData\Local\Temp\45BE.exe
C:\Users\Admin\AppData\Local\Temp\45BE.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\45BE.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:808

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
  2⤵
  PID:3792
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
  2⤵
  PID:1836
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
  2⤵
  PID:3800
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
  2⤵
  PID:1224
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
  2⤵
  PID:1284
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
  2⤵
  PID:228
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
  2⤵
  PID:1808
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
  2⤵
  PID:3984
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
  2⤵
  PID:2948
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
  2⤵
  PID:3432
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
  2⤵
  PID:2352
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
  2⤵
  PID:372
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
  2⤵
  PID:1216
- C:\Windows\System32\Wbem\WMIC.exe
  wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
  2⤵
  PID:3220
- C:\Windows\system32\ipconfig.exe
  ipconfig /displaydns
  2⤵
  - Gathers network information
  PID:1672
- C:\Windows\system32\ROUTE.EXE
  route print
  2⤵
  PID:1292
- C:\Windows\system32\netsh.exe
  netsh firewall show state
  2⤵
  PID:2996
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:3132
- C:\Windows\system32\tasklist.exe
  tasklist /v
  2⤵
  - Enumerates processes with tasklist
  PID:2988
- C:\Windows\system32\net.exe
  net accounts /domain
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 accounts /domain
    3⤵
    PID:1276
- C:\Windows\system32\net.exe
  net share
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3336
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 share
    3⤵
    PID:3604
- C:\Windows\system32\net.exe
  net user
  2⤵
  PID:3544
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user
    3⤵
    PID:3040
- C:\Windows\system32\net.exe
  net user /domain
  2⤵
  PID:4024
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user /domain
    3⤵
    PID:3080
- C:\Windows\system32\net.exe
  net use
  2⤵
  PID:2544
- C:\Windows\system32\net.exe
  net group
  2⤵
  PID:1880
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 group
    3⤵
    PID:3112
- C:\Windows\system32\net.exe
  net localgroup
  2⤵
  PID:2556
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup
    3⤵
    PID:2864
- C:\Windows\system32\NETSTAT.EXE
  netstat -r
  2⤵
  - Gathers network information
  PID:112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
    3⤵
    PID:4032
  - - C:\Windows\system32\ROUTE.EXE
      C:\Windows\system32\route.exe print
      4⤵
      PID:676
- C:\Windows\system32\NETSTAT.EXE
  netstat -nao
  2⤵
  - Gathers network information
  PID:3640
- C:\Windows\system32\schtasks.exe
  schtasks /query
  2⤵
  PID:100
- C:\Windows\system32\ipconfig.exe
  ipconfig /all
  2⤵
  - Gathers network information
  PID:1148

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2908

C:\Users\Admin\AppData\Local\Temp\AD24.exe
C:\Users\Admin\AppData\Local\Temp\AD24.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2928

C:\Users\Admin\AppData\Local\Temp\7D7.exe
C:\Users\Admin\AppData\Local\Temp\7D7.exe
1⤵
- Executes dropped EXE
PID:3652
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell Add-MpPreference -ExclusionPath C:\
  2⤵
  PID:2668
- C:\ProgramData\winint.exe
  "C:\ProgramData\winint.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path
  PID:1060
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:2856
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3416
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath C:\
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 964
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:1444
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 864
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:2612

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1780
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 872
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 1780 -ip 1780
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2084

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:1216

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2356

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3856
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3856 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1652

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3652 -ip 3652
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3932

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1864

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:760

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3488

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2900

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3132

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1856

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2568
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 868
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2568 -ip 2568
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2360

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1972

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1148

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2196

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2120

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3428

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3328

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2808

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2436

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3548

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3692

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1860

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:636

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2216

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 2652 -ip 2652
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1264

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3392
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3392 -s 828
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:1936

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 504 -p 3392 -ip 3392
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2868

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2272
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2272 -s 820
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:316

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 512 -p 2272 -ip 2272
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3652

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2224
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2224 -s 808
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:1100

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 2224 -ip 2224
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1060 -ip 1060
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\nss3.dll

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\sqlite3.dll

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\ProgramData\winint.exe

MD5
7ebf83d6afced0394129991df3612529

SHA1
4c33f4521dcc84e8bb8b7c314bec08abc59302d0

SHA256
72d0bb231cc67408be460859073c558a4b31e6a41c1723b2505887d0da3fc5e2

SHA512
5251c8e487ee56efca1b5d924c37a54caf91fdd0b043309593195d92a168f47a4814a7fdb56cc088215d886260fe3398c769f97a12e978554ee9f69cf50ac81b

Download Submit
C:\ProgramData\winint.exe

MD5
7ebf83d6afced0394129991df3612529

SHA1
4c33f4521dcc84e8bb8b7c314bec08abc59302d0

SHA256
72d0bb231cc67408be460859073c558a4b31e6a41c1723b2505887d0da3fc5e2

SHA512
5251c8e487ee56efca1b5d924c37a54caf91fdd0b043309593195d92a168f47a4814a7fdb56cc088215d886260fe3398c769f97a12e978554ee9f69cf50ac81b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5
3674f7cda76af30f9cb73ff917254185

SHA1
45638845225db24cd77017aa828e873a8934d156

SHA256
c36fbede741db54b99ae04c229246654ee7aea62dc42d60952fd8e49e86ae231

SHA512
637549b0ae8583bd0145bff9f5a36a97523fcffd56c3f6e1be18c6593ff46a2a225471f8ebbfc4bf68c21618c6c1e04e92c14e4220684303e2352d10aaad1db9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5
9b84ebcb8fde2959d1f9d73d8ff24414

SHA1
7627f3151d795821ebca487607f7f5f0e88cc508

SHA256
f8666cda0eb7469487dea53a3546e5c79a2d5067663cac89ec1daa8661ce8b49

SHA512
a9e7d8029ead8e07a36f15f044ade1c40825e842180c77cf63ebe968fef79f77acabd1b3642f3ef49473a86d427f50624a8959808bbce59f54e11d949a603a53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
fbb96c41202becbf4e786d4c2c57ac04

SHA1
42b117e9e7fe88d7b9072507fccbbd4885fcb615

SHA256
da96be039386bed84ed4065a1ec4581151dd8a370d82a1d49ce572c4cea93fdd

SHA512
2e0bc26c2eff62746ecf51174472d9e0715a8649b1697b137fce1f2f0fe29aaadc85701c3b7ff1d1449803cae25f92a5c053d4eaff4a02a8d93f2eb250ca940e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1229.exe

MD5
38f7391a007eb92c6aea2b3204f5403b

SHA1
f0a9cbe3b13cfd46aab81e66b81ba80d1b12640f

SHA256
915b9e086d3ec4654effa7fefaaeee27fde55808e211f6a8981ce60563e5463e

SHA512
1bc6b012fabf4acb67ecc652ea12fb676a03811dfd623a5af96a376648b5b69de78c0408502ca509c83bde976000aef81cfc1486e6ca8c6020884e0b5e044c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1229.exe

MD5
38f7391a007eb92c6aea2b3204f5403b

SHA1
f0a9cbe3b13cfd46aab81e66b81ba80d1b12640f

SHA256
915b9e086d3ec4654effa7fefaaeee27fde55808e211f6a8981ce60563e5463e

SHA512
1bc6b012fabf4acb67ecc652ea12fb676a03811dfd623a5af96a376648b5b69de78c0408502ca509c83bde976000aef81cfc1486e6ca8c6020884e0b5e044c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F76.exe

MD5
681d5bc4a5880d91af5df5a912eccc57

SHA1
67bcfc75090a9c2925620d2ec816574c3fe56d3c

SHA256
4d9922dff30dcb266a0787506fc198f21a4e4d93a3a542e18319cc609d3016ff

SHA512
7834d0b6f3822985aae21f4a94487c6dfedcc9cb5fdcf9aa72a63544c26c88a982b3e73b6ae2623aebf421b119cebbaf67d2bab54eca8e376b8ed8de01cee1f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F76.exe

MD5
681d5bc4a5880d91af5df5a912eccc57

SHA1
67bcfc75090a9c2925620d2ec816574c3fe56d3c

SHA256
4d9922dff30dcb266a0787506fc198f21a4e4d93a3a542e18319cc609d3016ff

SHA512
7834d0b6f3822985aae21f4a94487c6dfedcc9cb5fdcf9aa72a63544c26c88a982b3e73b6ae2623aebf421b119cebbaf67d2bab54eca8e376b8ed8de01cee1f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\45BE.exe

MD5
84d59e503054fe8d7f21a8a1d060c598

SHA1
e3e095192dac15395263f4893113a15dbe0ca234

SHA256
0006877214e4bf31ec896e697ea9ec1850e6aee4c12a6313802dbb71e89fba16

SHA512
60e12e950085faff2a66b2e95296f10c695b8159680bf4eefd0ea5b85123f6da5e04189f8b2a5e2787058f67d799219d7dc2d9b1b78117bbc5bea63cd2756ab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\45BE.exe

MD5
84d59e503054fe8d7f21a8a1d060c598

SHA1
e3e095192dac15395263f4893113a15dbe0ca234

SHA256
0006877214e4bf31ec896e697ea9ec1850e6aee4c12a6313802dbb71e89fba16

SHA512
60e12e950085faff2a66b2e95296f10c695b8159680bf4eefd0ea5b85123f6da5e04189f8b2a5e2787058f67d799219d7dc2d9b1b78117bbc5bea63cd2756ab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7D7.exe

MD5
7ebf83d6afced0394129991df3612529

SHA1
4c33f4521dcc84e8bb8b7c314bec08abc59302d0

SHA256
72d0bb231cc67408be460859073c558a4b31e6a41c1723b2505887d0da3fc5e2

SHA512
5251c8e487ee56efca1b5d924c37a54caf91fdd0b043309593195d92a168f47a4814a7fdb56cc088215d886260fe3398c769f97a12e978554ee9f69cf50ac81b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7D7.exe

MD5
7ebf83d6afced0394129991df3612529

SHA1
4c33f4521dcc84e8bb8b7c314bec08abc59302d0

SHA256
72d0bb231cc67408be460859073c558a4b31e6a41c1723b2505887d0da3fc5e2

SHA512
5251c8e487ee56efca1b5d924c37a54caf91fdd0b043309593195d92a168f47a4814a7fdb56cc088215d886260fe3398c769f97a12e978554ee9f69cf50ac81b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AD24.exe

MD5
e84002da8bb6ce831f1c409a0ec19d89

SHA1
0aca2f21e8a73b507c38f38700cb54b6f5893ade

SHA256
a261e4781d99aaaf5769801e2a4fdf483d9a27edfc35183d6ffe7d57437b3b08

SHA512
3cd4dd1ff02ebd9970b322a59941f6af72b16fb8bf397ffc1bffbe1ab12380120204059435f2b6c30b87e91234c69d7fa3486c5903fea21f39bf6af09fa8c784

Download Submit
C:\Users\Admin\AppData\Local\Temp\AD24.exe

MD5
e84002da8bb6ce831f1c409a0ec19d89

SHA1
0aca2f21e8a73b507c38f38700cb54b6f5893ade

SHA256
a261e4781d99aaaf5769801e2a4fdf483d9a27edfc35183d6ffe7d57437b3b08

SHA512
3cd4dd1ff02ebd9970b322a59941f6af72b16fb8bf397ffc1bffbe1ab12380120204059435f2b6c30b87e91234c69d7fa3486c5903fea21f39bf6af09fa8c784

Download Submit
C:\Users\Admin\AppData\Local\Temp\freebl3.dll

MD5
ef12ab9d0b231b8f898067b2114b1bc0

SHA1
6d90f27b2105945f9bb77039e8b892070a5f9442

SHA256
2b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7

SHA512
2aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193

Download Submit
C:\Users\Admin\AppData\Local\Temp\freebl3.dll

MD5
ef12ab9d0b231b8f898067b2114b1bc0

SHA1
6d90f27b2105945f9bb77039e8b892070a5f9442

SHA256
2b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7

SHA512
2aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozglue.dll

MD5
75f8cc548cabf0cc800c25047e4d3124

SHA1
602676768f9faecd35b48c38a0632781dfbde10c

SHA256
fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0

SHA512
ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozglue.dll

MD5
75f8cc548cabf0cc800c25047e4d3124

SHA1
602676768f9faecd35b48c38a0632781dfbde10c

SHA256
fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0

SHA512
ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f

Download Submit
C:\Users\Admin\AppData\Local\Temp\msvcp140.dll

MD5
e26357ac6be56568c2f4a254bfe84a95

SHA1
545781eddf8ee8aed84a7903d48a594dff04f117

SHA256
798cd44e804d86bd4e0b22ccfd6363eb4621a9e91c79d994225f6df214b363ac

SHA512
1224aa477b9c63f1e329215055756f7ff129fca11c0eaf09207ee6cf29ea5e50fbada0d82dfa45bfed9f6738ef807f2a1fe2baade0e8ead8436535a9b4ea43be

Download Submit
C:\Users\Admin\AppData\Local\Temp\msvcp140.dll

MD5
e26357ac6be56568c2f4a254bfe84a95

SHA1
545781eddf8ee8aed84a7903d48a594dff04f117

SHA256
798cd44e804d86bd4e0b22ccfd6363eb4621a9e91c79d994225f6df214b363ac

SHA512
1224aa477b9c63f1e329215055756f7ff129fca11c0eaf09207ee6cf29ea5e50fbada0d82dfa45bfed9f6738ef807f2a1fe2baade0e8ead8436535a9b4ea43be

Download Submit
C:\Users\Admin\AppData\Local\Temp\msvcp140.dll

MD5
e26357ac6be56568c2f4a254bfe84a95

SHA1
545781eddf8ee8aed84a7903d48a594dff04f117

SHA256
798cd44e804d86bd4e0b22ccfd6363eb4621a9e91c79d994225f6df214b363ac

SHA512
1224aa477b9c63f1e329215055756f7ff129fca11c0eaf09207ee6cf29ea5e50fbada0d82dfa45bfed9f6738ef807f2a1fe2baade0e8ead8436535a9b4ea43be

Download Submit
C:\Users\Admin\AppData\Local\Temp\msvcp140.dll

MD5
e26357ac6be56568c2f4a254bfe84a95

SHA1
545781eddf8ee8aed84a7903d48a594dff04f117

SHA256
798cd44e804d86bd4e0b22ccfd6363eb4621a9e91c79d994225f6df214b363ac

SHA512
1224aa477b9c63f1e329215055756f7ff129fca11c0eaf09207ee6cf29ea5e50fbada0d82dfa45bfed9f6738ef807f2a1fe2baade0e8ead8436535a9b4ea43be

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/336-131-0x000000000097D000-0x000000000098E000-memory.dmp

Filesize
68KB

Download
memory/336-130-0x000000000097D000-0x000000000098E000-memory.dmp

Filesize
68KB

Download
memory/336-132-0x0000000002590000-0x0000000002599000-memory.dmp

Filesize
36KB

Download
memory/336-133-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/760-200-0x0000000000650000-0x0000000000657000-memory.dmp

Filesize
28KB

Download
memory/760-201-0x0000000000640000-0x000000000064B000-memory.dmp

Filesize
44KB

Download
memory/1060-193-0x0000000000A19000-0x0000000000A2B000-memory.dmp

Filesize
72KB

Download
memory/1060-202-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1060-199-0x0000000000A19000-0x0000000000A2B000-memory.dmp

Filesize
72KB

Download
memory/1780-182-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1780-183-0x0000000000170000-0x00000000001DB000-memory.dmp

Filesize
428KB

Download
memory/1856-227-0x0000000002CB0000-0x0000000002CB4000-memory.dmp

Filesize
16KB

Download
memory/1856-228-0x0000000002CA0000-0x0000000002CA9000-memory.dmp

Filesize
36KB

Download
memory/1864-192-0x0000000003100000-0x000000000310B000-memory.dmp

Filesize
44KB

Download
memory/1880-214-0x0000000004A12000-0x0000000004A13000-memory.dmp

Filesize
4KB

Download
memory/1880-221-0x00000000089A0000-0x00000000089D2000-memory.dmp

Filesize
200KB

Download
memory/1880-213-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/1880-210-0x0000000070BBE000-0x0000000070BBF000-memory.dmp

Filesize
4KB

Download
memory/1880-225-0x0000000004A15000-0x0000000004A17000-memory.dmp

Filesize
8KB

Download
memory/1880-223-0x000000006C4D0000-0x000000006C51C000-memory.dmp

Filesize
304KB

Download
memory/2192-137-0x0000000000AE9000-0x0000000000AFA000-memory.dmp

Filesize
68KB

Download
memory/2192-138-0x0000000000AE9000-0x0000000000AFA000-memory.dmp

Filesize
68KB

Download
memory/2192-139-0x00000000009A0000-0x00000000009A9000-memory.dmp

Filesize
36KB

Download
memory/2192-140-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2356-187-0x0000000000EC0000-0x0000000000ECC000-memory.dmp

Filesize
48KB

Download
memory/2364-141-0x00000000073F0000-0x0000000007406000-memory.dmp

Filesize
88KB

Download
memory/2364-134-0x0000000002B40000-0x0000000002B56000-memory.dmp

Filesize
88KB

Download
memory/2364-168-0x0000000008350000-0x000000000835F000-memory.dmp

Filesize
60KB

Download
memory/2364-177-0x00000000084E0000-0x00000000084F6000-memory.dmp

Filesize
88KB

Download
memory/2532-157-0x0000000001560000-0x0000000001561000-memory.dmp

Filesize
4KB

Download
memory/2532-154-0x0000000000BAE000-0x0000000000BB1000-memory.dmp

Filesize
12KB

Download
memory/2532-161-0x0000000000BB2000-0x0000000000DD8000-memory.dmp

Filesize
2.1MB

Download
memory/2532-146-0x00000000016D0000-0x0000000001716000-memory.dmp

Filesize
280KB

Download
memory/2532-147-0x0000000000B80000-0x0000000001025000-memory.dmp

Filesize
4.6MB

Download
memory/2532-149-0x0000000000B80000-0x0000000001025000-memory.dmp

Filesize
4.6MB

Download
memory/2532-150-0x0000000000B95000-0x0000000000B9C000-memory.dmp

Filesize
28KB

Download
memory/2532-152-0x0000000000B9C000-0x0000000000BAE000-memory.dmp

Filesize
72KB

Download
memory/2532-153-0x0000000000B80000-0x0000000001025000-memory.dmp

Filesize
4.6MB

Download
memory/2532-163-0x0000000000B81000-0x0000000000B95000-memory.dmp

Filesize
80KB

Download
memory/2532-155-0x0000000000EB6000-0x0000000000EB7000-memory.dmp

Filesize
4KB

Download
memory/2532-156-0x0000000000BB1000-0x0000000000BB2000-memory.dmp

Filesize
4KB

Download
memory/2532-162-0x0000000077204000-0x0000000077205000-memory.dmp

Filesize
4KB

Download
memory/2532-158-0x0000000000DD8000-0x0000000000EB6000-memory.dmp

Filesize
888KB

Download
memory/2532-159-0x0000000000B80000-0x0000000001025000-memory.dmp

Filesize
4.6MB

Download
memory/2532-160-0x00000000755A0000-0x00000000757B5000-memory.dmp

Filesize
2.1MB

Download
memory/2532-151-0x0000000000B80000-0x0000000001025000-memory.dmp

Filesize
4.6MB

Download
memory/2532-148-0x0000000000B81000-0x0000000000B95000-memory.dmp

Filesize
80KB

Download
memory/2572-190-0x00000000030D0000-0x00000000030D4000-memory.dmp

Filesize
16KB

Download
memory/2572-191-0x00000000030C0000-0x00000000030C9000-memory.dmp

Filesize
36KB

Download
memory/2668-203-0x0000000006890000-0x0000000006891000-memory.dmp

Filesize
4KB

Download
memory/2668-204-0x0000000006892000-0x0000000006893000-memory.dmp

Filesize
4KB

Download
memory/2668-208-0x00000000075B0000-0x0000000007616000-memory.dmp

Filesize
408KB

Download
memory/2668-216-0x0000000007C90000-0x0000000007CAE000-memory.dmp

Filesize
120KB

Download
memory/2668-226-0x0000000006895000-0x0000000006897000-memory.dmp

Filesize
8KB

Download
memory/2668-205-0x0000000006CD0000-0x0000000006CF2000-memory.dmp

Filesize
136KB

Download
memory/2668-196-0x0000000006700000-0x0000000006736000-memory.dmp

Filesize
216KB

Download
memory/2668-197-0x0000000006ED0000-0x00000000074F8000-memory.dmp

Filesize
6.2MB

Download
memory/2668-198-0x0000000070BBE000-0x0000000070BBF000-memory.dmp

Filesize
4KB

Download
memory/2668-222-0x000000006C4D0000-0x000000006C51C000-memory.dmp

Filesize
304KB

Download
memory/2668-209-0x0000000007690000-0x00000000076F6000-memory.dmp

Filesize
408KB

Download
memory/2668-224-0x0000000008240000-0x000000000825E000-memory.dmp

Filesize
120KB

Download
memory/2856-215-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/2900-218-0x0000000000780000-0x0000000000789000-memory.dmp

Filesize
36KB

Download
memory/2900-217-0x0000000000790000-0x0000000000795000-memory.dmp

Filesize
20KB

Download
memory/2928-175-0x00000000008D0000-0x00000000008D9000-memory.dmp

Filesize
36KB

Download
memory/2928-174-0x0000000000A09000-0x0000000000A1A000-memory.dmp

Filesize
68KB

Download
memory/2928-176-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2928-173-0x0000000000A09000-0x0000000000A1A000-memory.dmp

Filesize
68KB

Download
memory/3132-220-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

Filesize
48KB

Download
memory/3132-219-0x0000000000B00000-0x0000000000B06000-memory.dmp

Filesize
24KB

Download
memory/3488-211-0x0000000000840000-0x0000000000849000-memory.dmp

Filesize
36KB

Download
memory/3488-212-0x0000000000830000-0x000000000083F000-memory.dmp

Filesize
60KB

Download
memory/3652-181-0x0000000000B09000-0x0000000000B1B000-memory.dmp

Filesize
72KB

Download
memory/3652-184-0x0000000000B09000-0x0000000000B1B000-memory.dmp

Filesize
72KB

Download
memory/3652-185-0x0000000000960000-0x000000000097E000-memory.dmp

Filesize
120KB

Download
memory/3652-186-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4032-164-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download