djvu | 7322cf687936439baf84cad597cd18da65d36a95bcb6e83caac5abdef5aa9b3d

Analysis

max time kernel
150s
max time network
152s
platform
windows10_x64
resource
win10-20220414-en
submitted
15-04-2022 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7322cf687936439baf84cad597cd18da65d36a95bcb6e83caac5abdef5aa9b3d.exe
Size

266KB
MD5

079f281954c9b22e1561b16b05967656
SHA1

30c215a1a3fba70d6b0c1bdd0983c458a5165cb0
SHA256

7322cf687936439baf84cad597cd18da65d36a95bcb6e83caac5abdef5aa9b3d
SHA512

d945f85becd2556743a65d84016896206d9f35f22ead519d55d70356e5d09f4d06888772371ba11b58951c525ffa139ade6fd96e3a1358c35da2a1477581bf02

Score

10^/10

djvu metastealer redline smokeloader vidar paladin backdoor discovery infostealer persistence ransomware spyware stealer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://coralee.at/upload/

http://ducvietcao.com/upload/

http://biz-acc.ru/upload/

http://toimap.com/upload/

http://bbb7d.com/upload/

http://piratia-life.ru/upload/

http://curvreport.com/upload/

http://viagratos.com/upload/

http://mordo.ru/upload/

http://pkodev.net/upload/

rc4.i32

Extracted

Family

djvu

http://fuyt.org/fhsgtsspen6/get.php

Attributes

extension
.qpss
offline_id
miqhSGmGE63yWs53FTz0fnp8eCARpnaYE3O3p2t1
payload_url
http://zerit.top/dl/build2.exe

http://fuyt.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-0SLhZxAjRX Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0448JIjdm

rsa_pubkey.plain

Extracted

Family

redline

Botnet

paladin

193.150.103.38:80

Attributes

auth_value
87a8f0ab6301809ee2c83215939da2a6

Signatures

Detected Djvu ransomware 10 IoCs

resource	yara_rule
behavioral1/memory/4724-126-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4724-127-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/2540-130-0x0000000002320000-0x000000000243B000-memory.dmp	family_djvu
behavioral1/memory/4724-129-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4724-131-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4724-132-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3648-139-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/3648-141-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3648-142-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3648-143-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Meta Stealer Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
stealer metastealer
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000600000001ac11-201.dat	family_redline
behavioral1/files/0x000600000001ac11-205.dat	family_redline
behavioral1/memory/504-206-0x00000000007E0000-0x0000000000800000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata

Vidar Stealer 6 IoCs

stealer

resource	yara_rule
behavioral1/memory/3608-152-0x0000000000400000-0x00000000004AA000-memory.dmp	family_vidar
behavioral1/memory/3608-153-0x00000000004717BA-mapping.dmp	family_vidar
behavioral1/memory/3608-156-0x0000000000400000-0x00000000004AA000-memory.dmp	family_vidar
behavioral1/memory/3240-157-0x0000000002180000-0x0000000002228000-memory.dmp	family_vidar
behavioral1/memory/3608-158-0x0000000000400000-0x00000000004AA000-memory.dmp	family_vidar
behavioral1/memory/3608-159-0x0000000000400000-0x00000000004AA000-memory.dmp	family_vidar

Blocklisted process makes network request 2 IoCs

flow	pid	Process
72	4616	rundll32.exe
74	4616	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 17 IoCs

pid	Process
2540	C1ED.exe
4724	C1ED.exe
4160	C1ED.exe
3648	C1ED.exe
3240	build2.exe
3608	build2.exe
3728	34BD.exe
2464	7z.exe
1772	7z.exe
3084	7z.exe
4536	7z.exe
4564	7z.exe
4580	7z.exe
4368	7z.exe
5012	7z.exe
504	skldfklsdflkjsdklfsdf.exe
3308	5D26.exe

Deletes itself 1 IoCs

pid	Process
3104	Process not Found

Loads dropped DLL 10 IoCs

pid	Process
3608	build2.exe
3608	build2.exe
2464	7z.exe
1772	7z.exe
3084	7z.exe
4536	7z.exe
4564	7z.exe
4580	7z.exe
4368	7z.exe
5012	7z.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4932	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\67f4cf96-2de7-48eb-9b43-6e0481054e2a\\C1ED.exe\" --AutoStart"	C1ED.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	api.2ip.ua
13	api.2ip.ua
19	api.2ip.ua

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2540 set thread context of 4724	2540	C1ED.exe	68
PID 4160 set thread context of 3648	4160	C1ED.exe	72
PID 3240 set thread context of 3608	3240	build2.exe	74

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4316	3308	WerFault.exe	89

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7322cf687936439baf84cad597cd18da65d36a95bcb6e83caac5abdef5aa9b3d.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7322cf687936439baf84cad597cd18da65d36a95bcb6e83caac5abdef5aa9b3d.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7322cf687936439baf84cad597cd18da65d36a95bcb6e83caac5abdef5aa9b3d.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	C1ED.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	C1ED.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2648	7322cf687936439baf84cad597cd18da65d36a95bcb6e83caac5abdef5aa9b3d.exe
2648	7322cf687936439baf84cad597cd18da65d36a95bcb6e83caac5abdef5aa9b3d.exe
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found
3104	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3104	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2648	7322cf687936439baf84cad597cd18da65d36a95bcb6e83caac5abdef5aa9b3d.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3104	Process not Found
Token: SeCreatePagefilePrivilege	3104	Process not Found
Token: SeShutdownPrivilege	3104	Process not Found
Token: SeCreatePagefilePrivilege	3104	Process not Found
Token: SeShutdownPrivilege	3104	Process not Found
Token: SeCreatePagefilePrivilege	3104	Process not Found
Token: SeShutdownPrivilege	3104	Process not Found
Token: SeCreatePagefilePrivilege	3104	Process not Found
Token: SeShutdownPrivilege	3104	Process not Found
Token: SeCreatePagefilePrivilege	3104	Process not Found
Token: SeShutdownPrivilege	3104	Process not Found
Token: SeCreatePagefilePrivilege	3104	Process not Found
Token: SeShutdownPrivilege	3104	Process not Found
Token: SeCreatePagefilePrivilege	3104	Process not Found
Token: SeRestorePrivilege	2464	7z.exe
Token: 35	2464	7z.exe
Token: SeSecurityPrivilege	2464	7z.exe
Token: SeSecurityPrivilege	2464	7z.exe
Token: SeRestorePrivilege	1772	7z.exe
Token: 35	1772	7z.exe
Token: SeSecurityPrivilege	1772	7z.exe
Token: SeSecurityPrivilege	1772	7z.exe
Token: SeRestorePrivilege	3084	7z.exe
Token: 35	3084	7z.exe
Token: SeSecurityPrivilege	3084	7z.exe
Token: SeSecurityPrivilege	3084	7z.exe
Token: SeRestorePrivilege	4536	7z.exe
Token: 35	4536	7z.exe
Token: SeSecurityPrivilege	4536	7z.exe
Token: SeSecurityPrivilege	4536	7z.exe
Token: SeRestorePrivilege	4564	7z.exe
Token: 35	4564	7z.exe
Token: SeSecurityPrivilege	4564	7z.exe
Token: SeSecurityPrivilege	4564	7z.exe
Token: SeRestorePrivilege	4580	7z.exe
Token: 35	4580	7z.exe
Token: SeSecurityPrivilege	4580	7z.exe
Token: SeSecurityPrivilege	4580	7z.exe
Token: SeRestorePrivilege	4368	7z.exe
Token: 35	4368	7z.exe
Token: SeSecurityPrivilege	4368	7z.exe
Token: SeSecurityPrivilege	4368	7z.exe
Token: SeRestorePrivilege	5012	7z.exe
Token: 35	5012	7z.exe
Token: SeSecurityPrivilege	5012	7z.exe
Token: SeSecurityPrivilege	5012	7z.exe
Token: SeDebugPrivilege	504	skldfklsdflkjsdklfsdf.exe
Token: SeShutdownPrivilege	3104	Process not Found
Token: SeCreatePagefilePrivilege	3104	Process not Found
Token: SeShutdownPrivilege	3104	Process not Found
Token: SeCreatePagefilePrivilege	3104	Process not Found
Token: SeShutdownPrivilege	3104	Process not Found
Token: SeCreatePagefilePrivilege	3104	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 2540	3104	Process not Found	67
PID 3104 wrote to memory of 2540	3104	Process not Found	67
PID 3104 wrote to memory of 2540	3104	Process not Found	67
PID 2540 wrote to memory of 4724	2540	C1ED.exe	68
PID 2540 wrote to memory of 4724	2540	C1ED.exe	68
PID 2540 wrote to memory of 4724	2540	C1ED.exe	68
PID 2540 wrote to memory of 4724	2540	C1ED.exe	68
PID 2540 wrote to memory of 4724	2540	C1ED.exe	68
PID 2540 wrote to memory of 4724	2540	C1ED.exe	68
PID 2540 wrote to memory of 4724	2540	C1ED.exe	68
PID 2540 wrote to memory of 4724	2540	C1ED.exe	68
PID 2540 wrote to memory of 4724	2540	C1ED.exe	68
PID 2540 wrote to memory of 4724	2540	C1ED.exe	68
PID 4724 wrote to memory of 4932	4724	C1ED.exe	69
PID 4724 wrote to memory of 4932	4724	C1ED.exe	69
PID 4724 wrote to memory of 4932	4724	C1ED.exe	69
PID 4724 wrote to memory of 4160	4724	C1ED.exe	70
PID 4724 wrote to memory of 4160	4724	C1ED.exe	70
PID 4724 wrote to memory of 4160	4724	C1ED.exe	70
PID 4160 wrote to memory of 3648	4160	C1ED.exe	72
PID 4160 wrote to memory of 3648	4160	C1ED.exe	72
PID 4160 wrote to memory of 3648	4160	C1ED.exe	72
PID 4160 wrote to memory of 3648	4160	C1ED.exe	72
PID 4160 wrote to memory of 3648	4160	C1ED.exe	72
PID 4160 wrote to memory of 3648	4160	C1ED.exe	72
PID 4160 wrote to memory of 3648	4160	C1ED.exe	72
PID 4160 wrote to memory of 3648	4160	C1ED.exe	72
PID 4160 wrote to memory of 3648	4160	C1ED.exe	72
PID 4160 wrote to memory of 3648	4160	C1ED.exe	72
PID 3648 wrote to memory of 3240	3648	C1ED.exe	73
PID 3648 wrote to memory of 3240	3648	C1ED.exe	73
PID 3648 wrote to memory of 3240	3648	C1ED.exe	73
PID 3240 wrote to memory of 3608	3240	build2.exe	74
PID 3240 wrote to memory of 3608	3240	build2.exe	74
PID 3240 wrote to memory of 3608	3240	build2.exe	74
PID 3240 wrote to memory of 3608	3240	build2.exe	74
PID 3240 wrote to memory of 3608	3240	build2.exe	74
PID 3240 wrote to memory of 3608	3240	build2.exe	74
PID 3240 wrote to memory of 3608	3240	build2.exe	74
PID 3240 wrote to memory of 3608	3240	build2.exe	74
PID 3104 wrote to memory of 3728	3104	Process not Found	75
PID 3104 wrote to memory of 3728	3104	Process not Found	75
PID 3104 wrote to memory of 3728	3104	Process not Found	75
PID 3728 wrote to memory of 3548	3728	34BD.exe	76
PID 3728 wrote to memory of 3548	3728	34BD.exe	76
PID 3548 wrote to memory of 4484	3548	cmd.exe	78
PID 3548 wrote to memory of 4484	3548	cmd.exe	78
PID 3548 wrote to memory of 2464	3548	cmd.exe	79
PID 3548 wrote to memory of 2464	3548	cmd.exe	79
PID 3548 wrote to memory of 1772	3548	cmd.exe	80
PID 3548 wrote to memory of 1772	3548	cmd.exe	80
PID 3548 wrote to memory of 3084	3548	cmd.exe	81
PID 3548 wrote to memory of 3084	3548	cmd.exe	81
PID 3548 wrote to memory of 4536	3548	cmd.exe	82
PID 3548 wrote to memory of 4536	3548	cmd.exe	82
PID 3548 wrote to memory of 4564	3548	cmd.exe	83
PID 3548 wrote to memory of 4564	3548	cmd.exe	83
PID 3548 wrote to memory of 4580	3548	cmd.exe	84
PID 3548 wrote to memory of 4580	3548	cmd.exe	84
PID 3548 wrote to memory of 4368	3548	cmd.exe	85
PID 3548 wrote to memory of 4368	3548	cmd.exe	85
PID 3548 wrote to memory of 5012	3548	cmd.exe	86
PID 3548 wrote to memory of 5012	3548	cmd.exe	86
PID 3548 wrote to memory of 5024	3548	cmd.exe	87

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
5024	attrib.exe

C:\Users\Admin\AppData\Local\Temp\7322cf687936439baf84cad597cd18da65d36a95bcb6e83caac5abdef5aa9b3d.exe
"C:\Users\Admin\AppData\Local\Temp\7322cf687936439baf84cad597cd18da65d36a95bcb6e83caac5abdef5aa9b3d.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2648

C:\Users\Admin\AppData\Local\Temp\C1ED.exe
C:\Users\Admin\AppData\Local\Temp\C1ED.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Users\Admin\AppData\Local\Temp\C1ED.exe
  C:\Users\Admin\AppData\Local\Temp\C1ED.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\67f4cf96-2de7-48eb-9b43-6e0481054e2a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:4932
- - C:\Users\Admin\AppData\Local\Temp\C1ED.exe
    "C:\Users\Admin\AppData\Local\Temp\C1ED.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4160
  - - C:\Users\Admin\AppData\Local\Temp\C1ED.exe
      "C:\Users\Admin\AppData\Local\Temp\C1ED.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3648
    - - C:\Users\Admin\AppData\Local\578616de-4de0-456f-9ed8-91e6ec6182dd\build2.exe
        
        "C:\Users\Admin\AppData\Local\578616de-4de0-456f-9ed8-91e6ec6182dd\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3240
      - C:\Users\Admin\AppData\Local\578616de-4de0-456f-9ed8-91e6ec6182dd\build2.exe
        
        "C:\Users\Admin\AppData\Local\578616de-4de0-456f-9ed8-91e6ec6182dd\build2.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:3608

C:\Users\Admin\AppData\Local\Temp\34BD.exe
C:\Users\Admin\AppData\Local\Temp\34BD.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3548
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:4484
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p31565149592231627387184778876 -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2464
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_7.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1772
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_6.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3084
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_5.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4536
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4564
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4580
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4368
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:5012
- - C:\Windows\system32\attrib.exe
    attrib +H "skldfklsdflkjsdklfsdf.exe"
    3⤵
    - Views/modifies file attributes
    PID:5024
- - C:\Users\Admin\AppData\Local\Temp\main\skldfklsdflkjsdklfsdf.exe
    "skldfklsdflkjsdklfsdf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:504

C:\Users\Admin\AppData\Local\Temp\5D26.exe
C:\Users\Admin\AppData\Local\Temp\5D26.exe
1⤵
- Executes dropped EXE
PID:3308
- C:\Windows\syswow64\rundll32.exe
  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2⤵
  - Blocklisted process makes network request
  PID:4616
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 624
  2⤵
  - Program crash
  PID:4316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
727B

MD5
0b3a9e2a3af5e088c454ad6b601c1368

SHA1
d127642e756c983ec6bbf893f9a8ee8869585b79

SHA256
45f4e01985e6716b6a9c7bf07febed64955696eec1100a1e98170729fc26222a

SHA512
ca847cc4325097185f6ae1951ab0be031bcd36b157c91ae8d8f032adaa01c450e6c0160569e1ebf80791eadae6cfb0d807d0d84c83428ed8f22a72f1e29dd9c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
471B

MD5
49cec540e54dd5754c06644651359378

SHA1
b91b5a6de4c62fd9162a14761e78a4c022716483

SHA256
52bab5137c3bf7bb6bba690de523948cbe422da0705f49adfd3de3ff6a44e047

SHA512
f027356796990d41a30a8eaf5092d7b0f8c494509bd4c2d70322bb901fcdb9d7cb65e1a6b8436569a9adc681716290fecd04f303c1d9b6c59adfeac4cab1f144

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
402B

MD5
65f5db03c7895c81139839a2bb24e32a

SHA1
d1fea3ad7cad0f1203898a8c5b1e95ffe3f1a07e

SHA256
09758d7c2e0ad8a5145dac4f37e05789807ad7de33994810652924fbeef37392

SHA512
b86e7a033f7bfa8342004e7e0928f052498c199e2cc0444f84b3d5eb9d81d67a7952a5178fdf425c7372ce8070c8ec4fb34921a559b8a0ddd85d20fea7f2da55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
396B

MD5
3bf83342dca8d2dc7816145524871cfd

SHA1
354cd5100fb1539ac43f61e6f7a9bef0944c76ca

SHA256
d6ae1113ad83f2225e46faacfd9541875c4ad6bf61e2ae810bb215edd77abe79

SHA512
20901dda044c7e777005f06aaddf5c8b51fe4a926097f76665f88058ee11471c913a0898535a01daa2822202d8eedf920b5f93c12d495f3cb832c1a37a4aa542

Download Submit
C:\Users\Admin\AppData\Local\578616de-4de0-456f-9ed8-91e6ec6182dd\build2.exe

Filesize
603KB

MD5
a13e3b18282318c65f096bad322b3c50

SHA1
2c76179e95e583b588bcd516e94e7a2da52d5299

SHA256
ba981a94852325debf0e4b478266f6efd8e4e9c5b149fd9ad277be0be5045768

SHA512
acb009f4b622ab7e8729dac2c45da975ba2305612c9575e5c8ce221edecf2d49da2236fc28b00d8f424a251765b935d8acce7bf40a1557d9fc79ba446250e786

Download Submit
C:\Users\Admin\AppData\Local\578616de-4de0-456f-9ed8-91e6ec6182dd\build2.exe

Filesize
603KB

MD5
a13e3b18282318c65f096bad322b3c50

SHA1
2c76179e95e583b588bcd516e94e7a2da52d5299

SHA256
ba981a94852325debf0e4b478266f6efd8e4e9c5b149fd9ad277be0be5045768

SHA512
acb009f4b622ab7e8729dac2c45da975ba2305612c9575e5c8ce221edecf2d49da2236fc28b00d8f424a251765b935d8acce7bf40a1557d9fc79ba446250e786

Download Submit
C:\Users\Admin\AppData\Local\578616de-4de0-456f-9ed8-91e6ec6182dd\build2.exe

Filesize
603KB

MD5
a13e3b18282318c65f096bad322b3c50

SHA1
2c76179e95e583b588bcd516e94e7a2da52d5299

SHA256
ba981a94852325debf0e4b478266f6efd8e4e9c5b149fd9ad277be0be5045768

SHA512
acb009f4b622ab7e8729dac2c45da975ba2305612c9575e5c8ce221edecf2d49da2236fc28b00d8f424a251765b935d8acce7bf40a1557d9fc79ba446250e786

Download Submit
C:\Users\Admin\AppData\Local\67f4cf96-2de7-48eb-9b43-6e0481054e2a\C1ED.exe

Filesize
783KB

MD5
11a7a50ed1e0e2ee600d32b19ab24bcd

SHA1
6bfbe71ea8be778af116f745cc5174c9aca1e937

SHA256
0e06d6ba14f5513e44c4711ccac41a06633df9a27eb26aa37b73f01d18d07ad2

SHA512
b1da01f3c58aa95cff003843f2ad4e22bc9d09bc0e72e4568e1c46e96af047d54812fb3c226c50bb3682bac37e50dbb042711b5ae29aaaefa29fa3822909976c

Download Submit
C:\Users\Admin\AppData\Local\Temp\34BD.exe

Filesize
2.3MB

MD5
e231ea3632e21091bdc9e7bc503323e4

SHA1
1ec542a90d01ede7dee22fc59211c829ee5199a2

SHA256
fea7374fe6529cc9701b756fc2763ba053ee3f3798b3b594cdb6147c5fde5b8a

SHA512
7a747c994aced4ca1e1eab78ec4440f8a977e390424877b4759d5043cbba160b8cee30a5d44f30e8cd4f18cbe3f78c6a50df64ea6176b508ced0c8a9f9ff646c

Download Submit
C:\Users\Admin\AppData\Local\Temp\34BD.exe

Filesize
2.3MB

MD5
e231ea3632e21091bdc9e7bc503323e4

SHA1
1ec542a90d01ede7dee22fc59211c829ee5199a2

SHA256
fea7374fe6529cc9701b756fc2763ba053ee3f3798b3b594cdb6147c5fde5b8a

SHA512
7a747c994aced4ca1e1eab78ec4440f8a977e390424877b4759d5043cbba160b8cee30a5d44f30e8cd4f18cbe3f78c6a50df64ea6176b508ced0c8a9f9ff646c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5D26.exe

Filesize
996KB

MD5
787518326366c6a091ae2dcfa8366863

SHA1
44123f51e2c418873d3b044a844227b56d8752aa

SHA256
db6cb279687271bd10869c3adc5c1a088e5646888eb40b99727ff50e520c4273

SHA512
c8abe9ca1d7b33dda78b7b7794dec3a68621fd9a101ed3763c5265b75711dec12ae0e4d7016d476511de20b32e607bfec50349fe611a1dddbb6534cdc00238a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5D26.exe

Filesize
996KB

MD5
787518326366c6a091ae2dcfa8366863

SHA1
44123f51e2c418873d3b044a844227b56d8752aa

SHA256
db6cb279687271bd10869c3adc5c1a088e5646888eb40b99727ff50e520c4273

SHA512
c8abe9ca1d7b33dda78b7b7794dec3a68621fd9a101ed3763c5265b75711dec12ae0e4d7016d476511de20b32e607bfec50349fe611a1dddbb6534cdc00238a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\C1ED.exe

Filesize
783KB

MD5
11a7a50ed1e0e2ee600d32b19ab24bcd

SHA1
6bfbe71ea8be778af116f745cc5174c9aca1e937

SHA256
0e06d6ba14f5513e44c4711ccac41a06633df9a27eb26aa37b73f01d18d07ad2

SHA512
b1da01f3c58aa95cff003843f2ad4e22bc9d09bc0e72e4568e1c46e96af047d54812fb3c226c50bb3682bac37e50dbb042711b5ae29aaaefa29fa3822909976c

Download Submit
C:\Users\Admin\AppData\Local\Temp\C1ED.exe

Filesize
783KB

MD5
11a7a50ed1e0e2ee600d32b19ab24bcd

SHA1
6bfbe71ea8be778af116f745cc5174c9aca1e937

SHA256
0e06d6ba14f5513e44c4711ccac41a06633df9a27eb26aa37b73f01d18d07ad2

SHA512
b1da01f3c58aa95cff003843f2ad4e22bc9d09bc0e72e4568e1c46e96af047d54812fb3c226c50bb3682bac37e50dbb042711b5ae29aaaefa29fa3822909976c

Download Submit
C:\Users\Admin\AppData\Local\Temp\C1ED.exe

Filesize
783KB

MD5
11a7a50ed1e0e2ee600d32b19ab24bcd

SHA1
6bfbe71ea8be778af116f745cc5174c9aca1e937

SHA256
0e06d6ba14f5513e44c4711ccac41a06633df9a27eb26aa37b73f01d18d07ad2

SHA512
b1da01f3c58aa95cff003843f2ad4e22bc9d09bc0e72e4568e1c46e96af047d54812fb3c226c50bb3682bac37e50dbb042711b5ae29aaaefa29fa3822909976c

Download Submit
C:\Users\Admin\AppData\Local\Temp\C1ED.exe

Filesize
783KB

MD5
11a7a50ed1e0e2ee600d32b19ab24bcd

SHA1
6bfbe71ea8be778af116f745cc5174c9aca1e937

SHA256
0e06d6ba14f5513e44c4711ccac41a06633df9a27eb26aa37b73f01d18d07ad2

SHA512
b1da01f3c58aa95cff003843f2ad4e22bc9d09bc0e72e4568e1c46e96af047d54812fb3c226c50bb3682bac37e50dbb042711b5ae29aaaefa29fa3822909976c

Download Submit
C:\Users\Admin\AppData\Local\Temp\C1ED.exe

Filesize
783KB

MD5
11a7a50ed1e0e2ee600d32b19ab24bcd

SHA1
6bfbe71ea8be778af116f745cc5174c9aca1e937

SHA256
0e06d6ba14f5513e44c4711ccac41a06633df9a27eb26aa37b73f01d18d07ad2

SHA512
b1da01f3c58aa95cff003843f2ad4e22bc9d09bc0e72e4568e1c46e96af047d54812fb3c226c50bb3682bac37e50dbb042711b5ae29aaaefa29fa3822909976c

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.0MB

MD5
e8111b0f4fefb7f5f959b7c6dd1b0198

SHA1
c35d045ee873362bbfe1b11468778c4f6c883b74

SHA256
b02df7830d03a0bce9b84bb3eb58a003520842dddf7bb68cdb053cd3b9354ce8

SHA512
9a616532934e8bb9c9cdadf808cbc1d83ba8cd72d583bea6829420b5f021f676c6fe4fa277458ce322dbe510c3e8daa6cb285e13745a75b05a2fb538e47f0425

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
45KB

MD5
4afbaf4a4beb1a0db1fea37fa8e04db4

SHA1
bbe7368ed32cfda26cf67793888137a637874f3d

SHA256
89b2a067ed227728cdd3486db6a4cf868ef0121754c3a406a953dc9a6c8c858d

SHA512
b061e3be8c2752b00c72e8be7cd65626f95420d968796fefe09089337305e13a212df970a8d473c0891bb873881632804e41d9e38fefee8be371c03ebf903427

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
45KB

MD5
e61276d9c18b4215b8cbe0ff966c9668

SHA1
150ef0b0e49000cbd1dc4b013ac76ca12d6e2c85

SHA256
eb6d7bfbfb99baf5ebe81fbf5e036ea0f5e1b5a55acf56445a8aff9efab0451e

SHA512
2c859a2f8cc774c891433082b2e14f5129ec696779d4ee850cc796b818ee9dda8aa86f32e773e6fee27b1c6876840e9d421230c82d4084850af7da0522f4b930

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

Filesize
45KB

MD5
2438c1854e770439e7ae6d5696a18913

SHA1
4a243543aea62e73c7ebf887e27273f048049cc4

SHA256
5a37d3fc2bc23db2ac0737bd67c0dab8af7735022edbfc0404ac6030d83989d6

SHA512
5aeb99d7f61820e7517bcca05b22ca78f286542681531d33a7980491ff0693324f9319b12f6d149b899e89072ec2bebaf62aba42b6ae9222c2d051c32ffae8b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

Filesize
45KB

MD5
d01f83ed179bc746e82c0fe5df75b380

SHA1
38088b32c96407b285789009b3bc943664337ec7

SHA256
a7154cc662eebcb16d207b5823aa40f449f13b7d86086e2faf58ab90b3d50cde

SHA512
bd99815531508c2e2b1bfdf311f5f128712062b7dba8155fdfb2850654cbc91eadad5bc7b4eedc113b5deb9c661d951966c2c9e376894fe93cedfb9b0bd1e02d

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

Filesize
45KB

MD5
b3edd4a8f1c34d87856ea4fbcc9f78b2

SHA1
3c7944e6f6c8f619e76cc64cb229c2329837723f

SHA256
57afecf9cf198515af5c638a4367a7ad4234bbc50540906e5fd3345d2d893afb

SHA512
8cc9cde687dae31b7f0bd384259e0cb05282d62794d6bfa242f24c6d8e0e6edc951a0fe0ca0cfba82397f33df1f8d0d187e97e67fd9981664ea6f7b5dfb3da35

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

Filesize
45KB

MD5
6b9f27e1b2d4477b550eceb92ddddac3

SHA1
5afc335661a64f6ad18ea9d45ca93cd1213f6e2a

SHA256
248d81b4517b3386dbdad94f311b7c82918f3b75d4fa18ea0d773212345c7b7c

SHA512
d64252e3850db6fca8751e350355fb6d82282066d50f00df046fc5823280dbc755d33a7acddd7c8d1f61e23133973ad535cc2d15a70e295f7adf424c062a3aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip

Filesize
1.5MB

MD5
31fb46810ce665d466a292399e51d0e3

SHA1
8e43364b0f5f370215172e029ad80ac76f6e90c7

SHA256
e0c0db722ba882cac5ef51c8a128114ef0ec323519e48d96251dc2bdebed1463

SHA512
e37baf3011f31481a4728ea667c0c72c7e38cafc5e66aee1b97633200314bfc7749f86a3ac03df1da02b5dbf334f775fab4953f84fc9394c0abc52b7b0d30e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\skldfklsdflkjsdklfsdf.exe

Filesize
106KB

MD5
2a554fb297ca187db7cd579bfa7f8ca4

SHA1
3b662124fa6d2d5f7d913809995780db8ac310d5

SHA256
452abbf4b882d48f175cb09ab6cc1a2ea6885b796b94dd636b667cf7bdf268ab

SHA512
0400db0c5206ab2f1dce4eed696ba31960778c157d94f49b9ce4e9ad9bacfce83ea0e940c6b20ca161fda8f39211849097a50e30a9ed615dd2b60634248e1944

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
1.5MB

MD5
48c66aa2bf5dc344e598ff201cee0d58

SHA1
4896f76fd25e4360bd09e96eafd2f24efe2bbf99

SHA256
98c1388a5f25e7446291bf9ed09c7f9aac5ec2ae8bed41074f03b67ba5b05a7f

SHA512
f4821a171e7ea185c2d30a3803ed405338054176cd4355ae4a2aabd63a381dfcc4033b2b2b6cda0d9a281020e6ecd3283889be5c6a3dd37a478717dd85aca5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
542B

MD5
766a0940f85363a2dd3f78e4e615b295

SHA1
9b3802c123454843a7100e1e1022910b49d9be6f

SHA256
aeaa5fba738dbeddf2d8b56a94c3ca95392f24a0080cd4a6f2f55b15904ac84e

SHA512
37f46a394e81699105fd658247c97cd056dfba2a38809fe5220d5eb96a46a5af55b5e945c16fc45a037059330986938f7a3fad28e5f50849f15c89708039cbf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\skldfklsdflkjsdklfsdf.exe

Filesize
106KB

MD5
2a554fb297ca187db7cd579bfa7f8ca4

SHA1
3b662124fa6d2d5f7d913809995780db8ac310d5

SHA256
452abbf4b882d48f175cb09ab6cc1a2ea6885b796b94dd636b667cf7bdf268ab

SHA512
0400db0c5206ab2f1dce4eed696ba31960778c157d94f49b9ce4e9ad9bacfce83ea0e940c6b20ca161fda8f39211849097a50e30a9ed615dd2b60634248e1944

Download Submit
\ProgramData\mozglue.dll

Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll

Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
memory/504-208-0x0000000002BA0000-0x0000000002BB2000-memory.dmp

Filesize
72KB

Download
memory/504-211-0x00000000050A0000-0x00000000050EB000-memory.dmp

Filesize
300KB

Download
memory/504-209-0x0000000005170000-0x000000000527A000-memory.dmp

Filesize
1.0MB

Download
memory/504-222-0x0000000006630000-0x000000000664E000-memory.dmp

Filesize
120KB

Download
memory/504-233-0x00000000072E0000-0x00000000074A2000-memory.dmp

Filesize
1.8MB

Download
memory/504-221-0x0000000006B10000-0x000000000700E000-memory.dmp

Filesize
5.0MB

Download
memory/504-207-0x0000000005670000-0x0000000005C76000-memory.dmp

Filesize
6.0MB

Download
memory/504-210-0x0000000005060000-0x000000000509E000-memory.dmp

Filesize
248KB

Download
memory/504-206-0x00000000007E0000-0x0000000000800000-memory.dmp

Filesize
128KB

Download
memory/504-234-0x00000000079E0000-0x0000000007F0C000-memory.dmp

Filesize
5.2MB

Download
memory/504-223-0x0000000006940000-0x00000000069A6000-memory.dmp

Filesize
408KB

Download
memory/504-235-0x0000000007260000-0x00000000072B0000-memory.dmp

Filesize
320KB

Download
memory/504-220-0x0000000006570000-0x0000000006602000-memory.dmp

Filesize
584KB

Download
memory/504-219-0x0000000006450000-0x00000000064C6000-memory.dmp

Filesize
472KB

Download
memory/2540-130-0x0000000002320000-0x000000000243B000-memory.dmp

Filesize
1.1MB

Download
memory/2648-119-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/2648-118-0x0000000000470000-0x00000000005BA000-memory.dmp

Filesize
1.3MB

Download
memory/2648-120-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3104-121-0x0000000000970000-0x0000000000986000-memory.dmp

Filesize
88KB

Download
memory/3240-151-0x00000000007C9000-0x0000000000831000-memory.dmp

Filesize
416KB

Download
memory/3240-155-0x00000000007C9000-0x0000000000831000-memory.dmp

Filesize
416KB

Download
memory/3240-157-0x0000000002180000-0x0000000002228000-memory.dmp

Filesize
672KB

Download
memory/3308-217-0x00000000022A0000-0x0000000002489000-memory.dmp

Filesize
1.9MB

Download
memory/3308-216-0x0000000000840000-0x000000000090C000-memory.dmp

Filesize
816KB

Download
memory/3308-218-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/3608-152-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/3608-159-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/3608-158-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/3608-156-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/3648-142-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3648-141-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3648-143-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4160-137-0x00000000005CD000-0x000000000065E000-memory.dmp

Filesize
580KB

Download
memory/4616-231-0x00000000028F0000-0x00000000028F3000-memory.dmp

Filesize
12KB

Download
memory/4616-229-0x00000000028D0000-0x00000000028D3000-memory.dmp

Filesize
12KB

Download
memory/4616-232-0x0000000002900000-0x0000000002903000-memory.dmp

Filesize
12KB

Download
memory/4616-228-0x00000000028C0000-0x00000000028C3000-memory.dmp

Filesize
12KB

Download
memory/4616-230-0x00000000028E0000-0x00000000028E3000-memory.dmp

Filesize
12KB

Download
memory/4616-225-0x0000000002890000-0x0000000002893000-memory.dmp

Filesize
12KB

Download
memory/4616-226-0x00000000028A0000-0x00000000028A3000-memory.dmp

Filesize
12KB

Download
memory/4616-227-0x00000000028B0000-0x00000000028B3000-memory.dmp

Filesize
12KB

Download
memory/4724-131-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4724-129-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4724-126-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4724-132-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download