dcrat | 4938c74639ddd5cd77b4a25326dde2ee2bc1b56249d7001688d39b223268d2d5

Analysis

max time kernel
119s
max time network
154s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4938c74639ddd5cd77b4a25326dde2ee2bc1b56249d7001688d39b223268d2d5.exe
Size

3.4MB
MD5

cec18a3bcd163583c7ea013b611373a7
SHA1

623e208522b88f56920eeeb291d1ac1328cf3942
SHA256

4938c74639ddd5cd77b4a25326dde2ee2bc1b56249d7001688d39b223268d2d5
SHA512

acaeb674587bcdd4e9c35a58f8093f1644adf22d859412a4b69f9081f7a230ae563ae2aac6fc4a207e2fb03131ae10bb05c45772650e7a2cfbe316fa7e317e54

Score

10^/10

dcrat gozi_rm3 banker infostealer persistence rat suricata trojan upx

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3
suricata: ET MALWARE DCRat Initial CnC Activity
suricata: ET MALWARE DCRat Initial CnC Activity
suricata

Executes dropped EXE 10 IoCs

pid	Process
1736	ClownfishVoiceChanger.exe
2024	clown.exe
1208	Process not Found
1872	Guwk5OeHiM9G8JYDRUxo.exe
1504	Starter.exe
1616	e6ee5674bb9446c78bbc5729af6e2c28.exe
1492	refdll.exe
1000	Adobe QuikInstall.exe
2152	SecurityHealthService.exe
2292	YourPhone.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000012733-59.dat	upx
behavioral1/files/0x0009000000012733-61.dat	upx
behavioral1/files/0x0009000000012733-63.dat	upx

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	cmd.exe

Loads dropped DLL 23 IoCs

pid	Process
1708	4938c74639ddd5cd77b4a25326dde2ee2bc1b56249d7001688d39b223268d2d5.exe
1708	4938c74639ddd5cd77b4a25326dde2ee2bc1b56249d7001688d39b223268d2d5.exe
1208	Process not Found
1712	cmd.exe
1872	Guwk5OeHiM9G8JYDRUxo.exe
1872	Guwk5OeHiM9G8JYDRUxo.exe
1872	Guwk5OeHiM9G8JYDRUxo.exe
1872	Guwk5OeHiM9G8JYDRUxo.exe
1680	WScript.exe
560	cmd.exe
1504	Starter.exe
2124	cmd.exe
2244	cmd.exe
2404	WerFault.exe
2404	WerFault.exe
2404	WerFault.exe
2404	WerFault.exe
2404	WerFault.exe
2456	WerFault.exe
2456	WerFault.exe
2456	WerFault.exe
2456	WerFault.exe
2456	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run	ClownfishVoiceChanger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe QuikInstall = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe QuikInstall.exe"	Starter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2404	2152	WerFault.exe	51
2456	2292	WerFault.exe	54

Modifies Internet Explorer settings 1 TTPs 57 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\clownfish-translator.com\ = "44"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "70"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\clownfish-translator.com\ = "154"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000962422cf799f2f46a7e75b376cef3c3c00000000020000000000106600000001000020000000525a440fb7a9a3a510100530f66148381b307e696424205172eb88ae34feeaf7000000000e80000000020000200000001ac6ae52fac839afc015ed95792dfa858843790434392b233745afc77f21b8a490000000a168e7837a6c676c734ecbf7f8885431e6e465bf77b1a6e688e20ea31ff3595848018b83e3f7458d3cb3c87db55bef1e086c0b15783a31317e9b7d6c37b5461da69effa63158680ff2b41536ff3499e5abf2d4d7e63ce003a3735aef8fb91cb659aeb2fd4a9f7551f04318e6ee206d3af221ec071cfdcc4face135b24bf5e76f6e377c04e32def0c9d0520512297f8fc4000000037c185183ef78462b6b2425a2dfb292b7cc28c628a079033dbc72f1da10f51466c0756effe6ebb00424700d1f64006e14c1d1df90c55190946774ba22736f6cf	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\clownfish-translator.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000962422cf799f2f46a7e75b376cef3c3c00000000020000000000106600000001000020000000166f0de58507fb1756cdba6e4af697039082ed35c98eb87f14aff7232f5086a1000000000e800000000200002000000025dcddf9178ed9301f4448f87f07a9f5706a4859b4cf9c4764a3e9423087ddb12000000004b8b8d0c106c390279930315d8711cb12ea93f846f39c6d722eaf4d6fffeaf240000000a668faaa4cf8de5e38ca8903c7d7931f2cb46ce694097597239ff433c69c9243e931cefa37159e958f5d81c622cd7984907b8625aaca9b154bc85e1bde916079	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\clownfish-translator.com\Total = "154"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\clownfish-translator.com\Total = "70"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\clownfish-translator.com\Total = "44"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "360185056"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "44"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\clownfish-translator.com\Total = "102"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70138c94a36fd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\clownfish-translator.com\Total = "15"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\clownfish-translator.com\ = "15"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "102"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\clownfish-translator.com\ = "102"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AF24F941-DB96-11EC-8E39-DE95627D9645} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\clownfish-translator.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\clownfish-translator.com\ = "70"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "15"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "154"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1492	refdll.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1492	refdll.exe
Token: 33	1052	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1052	AUDIODG.EXE
Token: 33	1052	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1052	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1736	ClownfishVoiceChanger.exe
1736	ClownfishVoiceChanger.exe
1736	ClownfishVoiceChanger.exe
1692	iexplore.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1736	ClownfishVoiceChanger.exe
1736	ClownfishVoiceChanger.exe
1736	ClownfishVoiceChanger.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1736	ClownfishVoiceChanger.exe
1692	iexplore.exe
1692	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1736	1708	4938c74639ddd5cd77b4a25326dde2ee2bc1b56249d7001688d39b223268d2d5.exe	27
PID 1708 wrote to memory of 1736	1708	4938c74639ddd5cd77b4a25326dde2ee2bc1b56249d7001688d39b223268d2d5.exe	27
PID 1708 wrote to memory of 1736	1708	4938c74639ddd5cd77b4a25326dde2ee2bc1b56249d7001688d39b223268d2d5.exe	27
PID 1708 wrote to memory of 1736	1708	4938c74639ddd5cd77b4a25326dde2ee2bc1b56249d7001688d39b223268d2d5.exe	27
PID 1708 wrote to memory of 2024	1708	4938c74639ddd5cd77b4a25326dde2ee2bc1b56249d7001688d39b223268d2d5.exe	28
PID 1708 wrote to memory of 2024	1708	4938c74639ddd5cd77b4a25326dde2ee2bc1b56249d7001688d39b223268d2d5.exe	28
PID 1708 wrote to memory of 2024	1708	4938c74639ddd5cd77b4a25326dde2ee2bc1b56249d7001688d39b223268d2d5.exe	28
PID 1708 wrote to memory of 2024	1708	4938c74639ddd5cd77b4a25326dde2ee2bc1b56249d7001688d39b223268d2d5.exe	28
PID 2024 wrote to memory of 1068	2024	clown.exe	31
PID 2024 wrote to memory of 1068	2024	clown.exe	31
PID 2024 wrote to memory of 1068	2024	clown.exe	31
PID 2024 wrote to memory of 1068	2024	clown.exe	31
PID 1068 wrote to memory of 1712	1068	WScript.exe	32
PID 1068 wrote to memory of 1712	1068	WScript.exe	32
PID 1068 wrote to memory of 1712	1068	WScript.exe	32
PID 1068 wrote to memory of 1712	1068	WScript.exe	32
PID 1712 wrote to memory of 1872	1712	cmd.exe	34
PID 1712 wrote to memory of 1872	1712	cmd.exe	34
PID 1712 wrote to memory of 1872	1712	cmd.exe	34
PID 1712 wrote to memory of 1872	1712	cmd.exe	34
PID 1872 wrote to memory of 1680	1872	Guwk5OeHiM9G8JYDRUxo.exe	35
PID 1872 wrote to memory of 1680	1872	Guwk5OeHiM9G8JYDRUxo.exe	35
PID 1872 wrote to memory of 1680	1872	Guwk5OeHiM9G8JYDRUxo.exe	35
PID 1872 wrote to memory of 1680	1872	Guwk5OeHiM9G8JYDRUxo.exe	35
PID 1872 wrote to memory of 1788	1872	Guwk5OeHiM9G8JYDRUxo.exe	36
PID 1872 wrote to memory of 1788	1872	Guwk5OeHiM9G8JYDRUxo.exe	36
PID 1872 wrote to memory of 1788	1872	Guwk5OeHiM9G8JYDRUxo.exe	36
PID 1872 wrote to memory of 1788	1872	Guwk5OeHiM9G8JYDRUxo.exe	36
PID 1872 wrote to memory of 1504	1872	Guwk5OeHiM9G8JYDRUxo.exe	37
PID 1872 wrote to memory of 1504	1872	Guwk5OeHiM9G8JYDRUxo.exe	37
PID 1872 wrote to memory of 1504	1872	Guwk5OeHiM9G8JYDRUxo.exe	37
PID 1872 wrote to memory of 1504	1872	Guwk5OeHiM9G8JYDRUxo.exe	37
PID 1680 wrote to memory of 560	1680	WScript.exe	38
PID 1680 wrote to memory of 560	1680	WScript.exe	38
PID 1680 wrote to memory of 560	1680	WScript.exe	38
PID 1680 wrote to memory of 560	1680	WScript.exe	38
PID 1680 wrote to memory of 1616	1680	WScript.exe	40
PID 1680 wrote to memory of 1616	1680	WScript.exe	40
PID 1680 wrote to memory of 1616	1680	WScript.exe	40
PID 1680 wrote to memory of 1616	1680	WScript.exe	40
PID 560 wrote to memory of 1492	560	cmd.exe	41
PID 560 wrote to memory of 1492	560	cmd.exe	41
PID 560 wrote to memory of 1492	560	cmd.exe	41
PID 560 wrote to memory of 1492	560	cmd.exe	41
PID 1736 wrote to memory of 1692	1736	ClownfishVoiceChanger.exe	42
PID 1736 wrote to memory of 1692	1736	ClownfishVoiceChanger.exe	42
PID 1736 wrote to memory of 1692	1736	ClownfishVoiceChanger.exe	42
PID 1692 wrote to memory of 1740	1692	iexplore.exe	44
PID 1692 wrote to memory of 1740	1692	iexplore.exe	44
PID 1692 wrote to memory of 1740	1692	iexplore.exe	44
PID 1692 wrote to memory of 1740	1692	iexplore.exe	44
PID 1504 wrote to memory of 1000	1504	Starter.exe	46
PID 1504 wrote to memory of 1000	1504	Starter.exe	46
PID 1504 wrote to memory of 1000	1504	Starter.exe	46
PID 1504 wrote to memory of 1000	1504	Starter.exe	46
PID 1504 wrote to memory of 1000	1504	Starter.exe	46
PID 1504 wrote to memory of 1000	1504	Starter.exe	46
PID 1504 wrote to memory of 1000	1504	Starter.exe	46
PID 1000 wrote to memory of 1304	1000	Adobe QuikInstall.exe	47
PID 1000 wrote to memory of 1304	1000	Adobe QuikInstall.exe	47
PID 1000 wrote to memory of 1304	1000	Adobe QuikInstall.exe	47
PID 1000 wrote to memory of 1304	1000	Adobe QuikInstall.exe	47
PID 1000 wrote to memory of 2124	1000	Adobe QuikInstall.exe	49
PID 1000 wrote to memory of 2124	1000	Adobe QuikInstall.exe	49

C:\Users\Admin\AppData\Local\Temp\4938c74639ddd5cd77b4a25326dde2ee2bc1b56249d7001688d39b223268d2d5.exe
"C:\Users\Admin\AppData\Local\Temp\4938c74639ddd5cd77b4a25326dde2ee2bc1b56249d7001688d39b223268d2d5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\ClownfishVoiceChanger.exe
  "C:\Users\Admin\AppData\Local\Temp\ClownfishVoiceChanger.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://clownfish-translator.com/voicechanger/#download
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1692 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      PID:1740
- C:\Users\Admin\AppData\Local\Temp\clown.exe
  "C:\Users\Admin\AppData\Local\Temp\clown.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\sessionbroker\V6ZfNpMwa80Ecl73qN9wDUqnhhJcXx.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\sessionbroker\PTmML7yW9T4Ctotb9dW9FrHJbGZK55.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1712
    - - C:\sessionbroker\Guwk5OeHiM9G8JYDRUxo.exe
        
        Guwk5OeHiM9G8JYDRUxo.exe -p8afb71dfeb417fa95789ccd9f3db8ee749f826da
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1872
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\sessionbroker\System.vbe"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\sessionbroker\wD7q3dcRTzSTpGXv3NPz1OZjtfa8Gq.bat" "
        7⤵
        Drops startup file
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\sessionbroker\refdll.exe
        
        "C:\sessionbroker\refdll.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
        
        C:\sessionbroker\e6ee5674bb9446c78bbc5729af6e2c28.exe
        
        "C:\sessionbroker\e6ee5674bb9446c78bbc5729af6e2c28.exe"
        7⤵
        Executes dropped EXE
        
        PID:1616
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\sessionbroker\msg.vbs"
        6⤵
        
        PID:1788
      - C:\sessionbroker\Starter.exe
        
        "C:\sessionbroker\Starter.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Users\Admin\AppData\Roaming\Adobe\Adobe QuikInstall.exe
        
        "C:\Users\Admin\AppData\Roaming\Adobe\Adobe QuikInstall.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\Obsidium\Runtime Broker.exe
        8⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\Vortex\SecurityHealthService.exe
        8⤵
        Loads dropped DLL
        
        PID:2124
        
        C:\Users\Admin\AppData\Roaming\Vortex\SecurityHealthService.exe
        
        C:\Users\Admin\AppData\Roaming\Vortex\SecurityHealthService.exe
        9⤵
        Executes dropped EXE
        
        PID:2152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 584
        10⤵
        Loads dropped DLL
        Program crash
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\Sun\YourPhone.exe
        8⤵
        Loads dropped DLL
        
        PID:2244
        
        C:\Users\Admin\AppData\Roaming\Sun\YourPhone.exe
        
        C:\Users\Admin\AppData\Roaming\Sun\YourPhone.exe
        9⤵
        Executes dropped EXE
        
        PID:2292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 588
        10⤵
        Loads dropped DLL
        Program crash
        
        PID:2456

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:1996

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x548
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ClownfishVoiceChanger.exe

Filesize
656KB

MD5
bcd56645f1eaa038af93d01dee52c335

SHA1
200c1b8482f26c09d296314fdd2ef7a7cadf8d7d

SHA256
d1ee3c213590e7952c4b1fd7843dd6c352b25d9a927ea4ad4dfcaa037140917e

SHA512
08b573cd05b2effbb274bb31b8307bec6ed005172f9c7b4de920a22a76fe59e5d12c1c830d926010f5b12952b681a2bb3e2249bfa0e7a07463d20bc771569272

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClownfishVoiceChanger.exe

Filesize
656KB

MD5
bcd56645f1eaa038af93d01dee52c335

SHA1
200c1b8482f26c09d296314fdd2ef7a7cadf8d7d

SHA256
d1ee3c213590e7952c4b1fd7843dd6c352b25d9a927ea4ad4dfcaa037140917e

SHA512
08b573cd05b2effbb274bb31b8307bec6ed005172f9c7b4de920a22a76fe59e5d12c1c830d926010f5b12952b681a2bb3e2249bfa0e7a07463d20bc771569272

Download Submit
C:\Users\Admin\AppData\Local\Temp\clown.exe

Filesize
2.8MB

MD5
78d45941a9d888f76fd30f33d67a3e80

SHA1
882487f1a0e3a573fd63edbb3baa6ec0fe4287f7

SHA256
415bde4254aacfa987e27ef5a3953c95aacfcc0f1e41b54ff12e17a364013133

SHA512
94d0cd82e5fdc9bf6bcb1d6f5fc69073ebf6e18f7de5ec68f95c4f1fafed4d80a780a926bed61bb8271e9b0b1b476535c3da7c97fde8722716f72e77f99b2253

Download Submit
C:\Users\Admin\AppData\Local\Temp\clown.exe

Filesize
2.8MB

MD5
78d45941a9d888f76fd30f33d67a3e80

SHA1
882487f1a0e3a573fd63edbb3baa6ec0fe4287f7

SHA256
415bde4254aacfa987e27ef5a3953c95aacfcc0f1e41b54ff12e17a364013133

SHA512
94d0cd82e5fdc9bf6bcb1d6f5fc69073ebf6e18f7de5ec68f95c4f1fafed4d80a780a926bed61bb8271e9b0b1b476535c3da7c97fde8722716f72e77f99b2253

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Adobe QuikInstall.exe

Filesize
7KB

MD5
34507f733381f4ad8c1e8d6a9f1bdf82

SHA1
8c2491c79a5148371acaa155e2a72591958aa5d3

SHA256
e427517f29872fe7fbcb90598b5b9e794f2d7bc2cf512b2c0cc1d6e03669d3c3

SHA512
a84cf10fb1493c1aed0b497347b5b3a60e7c1877b7c3465d62d403fa9d845ac325d5344a9245eeb72792e971e5112038893cf65f37c60bd862ee96001258a27f

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Adobe QuikInstall.exe

Filesize
7KB

MD5
34507f733381f4ad8c1e8d6a9f1bdf82

SHA1
8c2491c79a5148371acaa155e2a72591958aa5d3

SHA256
e427517f29872fe7fbcb90598b5b9e794f2d7bc2cf512b2c0cc1d6e03669d3c3

SHA512
a84cf10fb1493c1aed0b497347b5b3a60e7c1877b7c3465d62d403fa9d845ac325d5344a9245eeb72792e971e5112038893cf65f37c60bd862ee96001258a27f

Download Submit
C:\Users\Admin\AppData\Roaming\Sun\WatchDog.data

Filesize
52B

MD5
26a776af34ca9a140ac16d14ba3dc33d

SHA1
d1362c52740d1c883868e519901ef4fc9de2f2af

SHA256
c587f59f60896bf67f02746582981b4fe3b867a3902e638067757f0bbfb9743f

SHA512
d4ef56bbe9e7fe15a7145e2da652fce80311afdae2e4914daabc58018ab862c9e3f2eb8ab3a7202b0f6058faa7f643eae32406fc43c3f629c68167dd3255c8a4

Download Submit
C:\Users\Admin\AppData\Roaming\Sun\YourPhone.exe

Filesize
8KB

MD5
c4ad5e0596c518668410f29f68fa6146

SHA1
01f89d196e4ee3e91ed05931a1e2aafd5ba7b1f8

SHA256
20b5958e5fc87457c7881fd49d95acbc8347929add2355e1c9619fb2385f70a4

SHA512
7bae75a9842de75e9cf9be6f3bc37b813210c17353c7a0d79ed9387723aac59cbdc66c8bd3ddd9e4620e0d69392941ad5ecc50b62e1048b0ca4d854a59a2e6ca

Download Submit
C:\Users\Admin\AppData\Roaming\Sun\YourPhone.exe

Filesize
8KB

MD5
c4ad5e0596c518668410f29f68fa6146

SHA1
01f89d196e4ee3e91ed05931a1e2aafd5ba7b1f8

SHA256
20b5958e5fc87457c7881fd49d95acbc8347929add2355e1c9619fb2385f70a4

SHA512
7bae75a9842de75e9cf9be6f3bc37b813210c17353c7a0d79ed9387723aac59cbdc66c8bd3ddd9e4620e0d69392941ad5ecc50b62e1048b0ca4d854a59a2e6ca

Download Submit
C:\Users\Admin\AppData\Roaming\Vortex\SecurityHealthService.exe

Filesize
8KB

MD5
66cadfeeb5b5b9ac39ad88512277066d

SHA1
728820ec3f8f93818776f7217330a79e29b7f6ca

SHA256
db41896e7be47a64b0fb51ee929c14f5714b17d3ea315da5b76984aa8a44759b

SHA512
da2e1e36d69255fc18c7a54636780588f2cb798ed94098be0b4786ae866e3dd05540ef57a2242972f607ddcae649be85f3fd6953c6d618244a99037dc5fb17cf

Download Submit
C:\Users\Admin\AppData\Roaming\Vortex\SecurityHealthService.exe

Filesize
8KB

MD5
66cadfeeb5b5b9ac39ad88512277066d

SHA1
728820ec3f8f93818776f7217330a79e29b7f6ca

SHA256
db41896e7be47a64b0fb51ee929c14f5714b17d3ea315da5b76984aa8a44759b

SHA512
da2e1e36d69255fc18c7a54636780588f2cb798ed94098be0b4786ae866e3dd05540ef57a2242972f607ddcae649be85f3fd6953c6d618244a99037dc5fb17cf

Download Submit
C:\Users\Admin\AppData\Roaming\Vortex\WatchDog.data

Filesize
52B

MD5
26a776af34ca9a140ac16d14ba3dc33d

SHA1
d1362c52740d1c883868e519901ef4fc9de2f2af

SHA256
c587f59f60896bf67f02746582981b4fe3b867a3902e638067757f0bbfb9743f

SHA512
d4ef56bbe9e7fe15a7145e2da652fce80311afdae2e4914daabc58018ab862c9e3f2eb8ab3a7202b0f6058faa7f643eae32406fc43c3f629c68167dd3255c8a4

Download Submit
C:\sessionbroker\Guwk5OeHiM9G8JYDRUxo.exe

Filesize
2.7MB

MD5
1158fc064f1cd00d61840512245edab0

SHA1
527112daaf03f153662901fb56a9302299b52252

SHA256
4cc85f1c92a40aef5b1f3c1690a037bc78ea7712b4e35fffeb76c3a20287d447

SHA512
b425753d9197c0afbfb0748d7fc82f200f56202a290a1012be1e37615b09b3c26ebd4423a93896759b684ff4d01b96ae508fd042955277f2290f15eddf15a381

Download Submit
C:\sessionbroker\Guwk5OeHiM9G8JYDRUxo.exe

Filesize
2.7MB

MD5
1158fc064f1cd00d61840512245edab0

SHA1
527112daaf03f153662901fb56a9302299b52252

SHA256
4cc85f1c92a40aef5b1f3c1690a037bc78ea7712b4e35fffeb76c3a20287d447

SHA512
b425753d9197c0afbfb0748d7fc82f200f56202a290a1012be1e37615b09b3c26ebd4423a93896759b684ff4d01b96ae508fd042955277f2290f15eddf15a381

Download Submit
C:\sessionbroker\MOS

Filesize
23B

MD5
ca49c170e4f6b8faeea4fba1528d03a6

SHA1
27a0fc6dccfde537c04f728fcc4c2ff632d45413

SHA256
b11dfe4ca8e2029344e46ae9c9163c665ffd55b61303e0bfcbc8721a0317fd9f

SHA512
6f6f38f87a8027bc7f422e5f5f87b34bcf23cfe951356d47c3433f92d3f51743c872ff105c4ed5f213d5da30c98cb06ff62a7a530cadcf8a0ab21508f8a2adea

Download Submit
C:\sessionbroker\PTmML7yW9T4Ctotb9dW9FrHJbGZK55.bat

Filesize
100B

MD5
470d5d57235ce3561ed7e007879770d7

SHA1
0dd178469eaf7e1418476b8cfb14d0228e885c78

SHA256
1c9fe9ca21d374c69ce2cfd2201711e61ca77629f13986af586b2dac67d93c7d

SHA512
72b98ee08d179034151e6cb8702588465416c583fc557a3038c693df6fe6933033363aa4e4cb6e5130b553ec5ad8ca1bf23a6a8fa06b75841a04e2a4ad1df823

Download Submit
C:\sessionbroker\Starter.exe

Filesize
9KB

MD5
b00efab139b5ad485dbb33eb2b81f266

SHA1
7bd87bda9677233762b5cb77e40dd5c526c15a48

SHA256
2c98f47368944a18b6e083f78653080d666e4cd0fad758e08782ddf473bec023

SHA512
cbe9928efa4f975173038d5b15de560a0537232f04bddb0b91691d32a768ee7ffbe4bb9c7621f38a7fd94f4c5fed35785ba0bee7cca20b5f541d6f4e35ec5803

Download Submit
C:\sessionbroker\Starter.exe

Filesize
9KB

MD5
b00efab139b5ad485dbb33eb2b81f266

SHA1
7bd87bda9677233762b5cb77e40dd5c526c15a48

SHA256
2c98f47368944a18b6e083f78653080d666e4cd0fad758e08782ddf473bec023

SHA512
cbe9928efa4f975173038d5b15de560a0537232f04bddb0b91691d32a768ee7ffbe4bb9c7621f38a7fd94f4c5fed35785ba0bee7cca20b5f541d6f4e35ec5803

Download Submit
C:\sessionbroker\System.lnk

Filesize
387B

MD5
6a3b9691d595955853a73aea2e77a33b

SHA1
905584ceb769bfbdec406b7e7d1944d1dea13c42

SHA256
a94f962f05aa5a9e7c85b5a32199418dc209f230efd1f8f84b6bcc74beb4d28e

SHA512
f224e1125d63194d230bdd1dbe29eb43de0ef1170f9aa82bed1370f395b19fbac02f53303b416de6a0e9debd8ba2a5116decc26e92bcdff81295005dfaf5cf6a

Download Submit
C:\sessionbroker\System.vbe

Filesize
458B

MD5
5562dd3b24699b8870d6138d16c5fa83

SHA1
cab419914579bdec1460ed16d14e3b8398259b1f

SHA256
cfae6a92b2ce52acb1801647b90c38f7f0c6c12dae8e89c12c956db5283f928a

SHA512
715a81b6ae634b3a70413441494a71fd71a6887c8185237e9d3ea0ce6f3d08720a65f0bfa4c21a92afaecb14ae291026af4838fe347b8be7993b85049a14cab3

Download Submit
C:\sessionbroker\V6ZfNpMwa80Ecl73qN9wDUqnhhJcXx.vbs

Filesize
123B

MD5
4c5840f95623a8a8707dd5fa0484a69a

SHA1
09d8a2a494e37d3f40086158a703138aec5251d0

SHA256
d3e701145df84a0400befc92d377927132a8e50f24868d6e12f2d9683459f0fb

SHA512
dd623da560fedede299575af2a8e4a8e39b029c8be7b2148a16de0e25c464a77211494b302be4c885b618537f3d6016b785d0ad1d78d2cf91dd3abfd1190687a

Download Submit
C:\sessionbroker\WatchDog.data

Filesize
52B

MD5
26a776af34ca9a140ac16d14ba3dc33d

SHA1
d1362c52740d1c883868e519901ef4fc9de2f2af

SHA256
c587f59f60896bf67f02746582981b4fe3b867a3902e638067757f0bbfb9743f

SHA512
d4ef56bbe9e7fe15a7145e2da652fce80311afdae2e4914daabc58018ab862c9e3f2eb8ab3a7202b0f6058faa7f643eae32406fc43c3f629c68167dd3255c8a4

Download Submit
C:\sessionbroker\dogs\Adobe QuikInstall.exe

Filesize
7KB

MD5
34507f733381f4ad8c1e8d6a9f1bdf82

SHA1
8c2491c79a5148371acaa155e2a72591958aa5d3

SHA256
e427517f29872fe7fbcb90598b5b9e794f2d7bc2cf512b2c0cc1d6e03669d3c3

SHA512
a84cf10fb1493c1aed0b497347b5b3a60e7c1877b7c3465d62d403fa9d845ac325d5344a9245eeb72792e971e5112038893cf65f37c60bd862ee96001258a27f

Download Submit
C:\sessionbroker\dogs\Runtime Broker.exe

Filesize
8KB

MD5
4b234c41befcfc964b252a0e1d90719d

SHA1
62afe720aa8d51ad620e38623a05cf9613914bbe

SHA256
798ec429808329fec2c19782c2f5a5f78992c3f682d1457c16c9c61db7388225

SHA512
c32a4266860ad645245cac80f1b98485298a5e061d11b7d2b78dc954edbb227f9402fd6048683adafe0e5d8ccde499d20161a63246a15409bb8d63d3332a2fbd

Download Submit
C:\sessionbroker\dogs\SecurityHealthService.exe

Filesize
8KB

MD5
66cadfeeb5b5b9ac39ad88512277066d

SHA1
728820ec3f8f93818776f7217330a79e29b7f6ca

SHA256
db41896e7be47a64b0fb51ee929c14f5714b17d3ea315da5b76984aa8a44759b

SHA512
da2e1e36d69255fc18c7a54636780588f2cb798ed94098be0b4786ae866e3dd05540ef57a2242972f607ddcae649be85f3fd6953c6d618244a99037dc5fb17cf

Download Submit
C:\sessionbroker\dogs\YourPhone.exe

Filesize
8KB

MD5
c4ad5e0596c518668410f29f68fa6146

SHA1
01f89d196e4ee3e91ed05931a1e2aafd5ba7b1f8

SHA256
20b5958e5fc87457c7881fd49d95acbc8347929add2355e1c9619fb2385f70a4

SHA512
7bae75a9842de75e9cf9be6f3bc37b813210c17353c7a0d79ed9387723aac59cbdc66c8bd3ddd9e4620e0d69392941ad5ecc50b62e1048b0ca4d854a59a2e6ca

Download Submit
C:\sessionbroker\e6ee5674bb9446c78bbc5729af6e2c28.exe

Filesize
8KB

MD5
c4a3c2cad895e1922b778b91c519f7f0

SHA1
9c8267bd68db7ecd98af6420195e2ddbc5faf99b

SHA256
50d672e104dfc82540dd8246f6a177e869a8154a1f8750bde373d3c0466cae1e

SHA512
8032a1e7fccaaf353308e8d5da1477d94dd89baebdbf736e84f062679dfa1859f51f1b11ef570d96602c78820484921aa68c77874175c2bb8f439135a46ce99c

Download Submit
C:\sessionbroker\e6ee5674bb9446c78bbc5729af6e2c28.exe

Filesize
8KB

MD5
c4a3c2cad895e1922b778b91c519f7f0

SHA1
9c8267bd68db7ecd98af6420195e2ddbc5faf99b

SHA256
50d672e104dfc82540dd8246f6a177e869a8154a1f8750bde373d3c0466cae1e

SHA512
8032a1e7fccaaf353308e8d5da1477d94dd89baebdbf736e84f062679dfa1859f51f1b11ef570d96602c78820484921aa68c77874175c2bb8f439135a46ce99c

Download Submit
C:\sessionbroker\msg.vbs

Filesize
128B

MD5
01c71ea2d98437129936261c48403132

SHA1
dc689fb68a3e7e09a334e7a37c0d10d0641af1a6

SHA256
0401f2dd76d5ed6f90c82b72e1e7a122ef127bedbaf717532c4bba26d43a0061

SHA512
a668d4216a50ccc699221dd902d8b0f864e44368dc7474fa5659a739154d4e769b85d49b60a73affb8fba7628e7210b0f8106d5652006d1bbba67083513e65d9

Download Submit
C:\sessionbroker\refdll.exe

Filesize
2.2MB

MD5
7df85f5215c5a11c4e2ad007bd5b1571

SHA1
4ff16210bf5fab2f6fab85e6472c551d70fee692

SHA256
d9381960ff3975d9e76a8d1ba5642c2ab7abc16a7e8ec1aedca3d88c15175541

SHA512
df09df54155cdf36b0cda46e985cc24342c2427e61e52ca9e590791e3dc46753584ad2926994ee9db6ae68908b83af191856db82623e354cba32358c9b512b62

Download Submit
C:\sessionbroker\refdll.exe

Filesize
2.2MB

MD5
7df85f5215c5a11c4e2ad007bd5b1571

SHA1
4ff16210bf5fab2f6fab85e6472c551d70fee692

SHA256
d9381960ff3975d9e76a8d1ba5642c2ab7abc16a7e8ec1aedca3d88c15175541

SHA512
df09df54155cdf36b0cda46e985cc24342c2427e61e52ca9e590791e3dc46753584ad2926994ee9db6ae68908b83af191856db82623e354cba32358c9b512b62

Download Submit
C:\sessionbroker\vmcheck32.dll

Filesize
432B

MD5
01e954f8eaaa17ed800fe1ff3ff5d452

SHA1
23834d26fbd3e2c4025e2c85e6b00334eff27d83

SHA256
0c8f21f5e329f8eb03a7064564b2b9ef5e54e223ad424c4d83d39c53461682a4

SHA512
6dd53151b3e98e67458ae3a4fc779de658a34693a6e920ac2e98560f122d126496837ec355cb9954a9346bb8d6348f00c652ceaa8c349054f7035743a34e5f6e

Download Submit
C:\sessionbroker\wD7q3dcRTzSTpGXv3NPz1OZjtfa8Gq.bat

Filesize
726B

MD5
6f93493cd797bf7751706f989bb0a280

SHA1
78407ee33190d34b079f6e583e688ce961422c0d

SHA256
bdb70d4c3b00e090ad38249bac8fbde1b59e365b4db20517e32ab3cb1bccbead

SHA512
326c3bbbcb8c78e874742460a9e2420d37bb4f50eeff711ec101499f72176c78ec14dd7881a50789c5b06a8f3f37098bec6d567fdc2b3cc202fd7057e16d5dd4

Download Submit
\Users\Admin\AppData\Local\Temp\ClownfishVoiceChanger.exe

Filesize
656KB

MD5
bcd56645f1eaa038af93d01dee52c335

SHA1
200c1b8482f26c09d296314fdd2ef7a7cadf8d7d

SHA256
d1ee3c213590e7952c4b1fd7843dd6c352b25d9a927ea4ad4dfcaa037140917e

SHA512
08b573cd05b2effbb274bb31b8307bec6ed005172f9c7b4de920a22a76fe59e5d12c1c830d926010f5b12952b681a2bb3e2249bfa0e7a07463d20bc771569272

Download Submit
\Users\Admin\AppData\Local\Temp\ClownfishVoiceChanger.exe

Filesize
656KB

MD5
bcd56645f1eaa038af93d01dee52c335

SHA1
200c1b8482f26c09d296314fdd2ef7a7cadf8d7d

SHA256
d1ee3c213590e7952c4b1fd7843dd6c352b25d9a927ea4ad4dfcaa037140917e

SHA512
08b573cd05b2effbb274bb31b8307bec6ed005172f9c7b4de920a22a76fe59e5d12c1c830d926010f5b12952b681a2bb3e2249bfa0e7a07463d20bc771569272

Download Submit
\Users\Admin\AppData\Local\Temp\ClownfishVoiceChanger.exe

Filesize
656KB

MD5
bcd56645f1eaa038af93d01dee52c335

SHA1
200c1b8482f26c09d296314fdd2ef7a7cadf8d7d

SHA256
d1ee3c213590e7952c4b1fd7843dd6c352b25d9a927ea4ad4dfcaa037140917e

SHA512
08b573cd05b2effbb274bb31b8307bec6ed005172f9c7b4de920a22a76fe59e5d12c1c830d926010f5b12952b681a2bb3e2249bfa0e7a07463d20bc771569272

Download Submit
\Users\Admin\AppData\Local\Temp\clown.exe

Filesize
2.8MB

MD5
78d45941a9d888f76fd30f33d67a3e80

SHA1
882487f1a0e3a573fd63edbb3baa6ec0fe4287f7

SHA256
415bde4254aacfa987e27ef5a3953c95aacfcc0f1e41b54ff12e17a364013133

SHA512
94d0cd82e5fdc9bf6bcb1d6f5fc69073ebf6e18f7de5ec68f95c4f1fafed4d80a780a926bed61bb8271e9b0b1b476535c3da7c97fde8722716f72e77f99b2253

Download Submit
\Users\Admin\AppData\Roaming\Adobe\Adobe QuikInstall.exe

Filesize
7KB

MD5
34507f733381f4ad8c1e8d6a9f1bdf82

SHA1
8c2491c79a5148371acaa155e2a72591958aa5d3

SHA256
e427517f29872fe7fbcb90598b5b9e794f2d7bc2cf512b2c0cc1d6e03669d3c3

SHA512
a84cf10fb1493c1aed0b497347b5b3a60e7c1877b7c3465d62d403fa9d845ac325d5344a9245eeb72792e971e5112038893cf65f37c60bd862ee96001258a27f

Download Submit
\Users\Admin\AppData\Roaming\Sun\YourPhone.exe

Filesize
8KB

MD5
c4ad5e0596c518668410f29f68fa6146

SHA1
01f89d196e4ee3e91ed05931a1e2aafd5ba7b1f8

SHA256
20b5958e5fc87457c7881fd49d95acbc8347929add2355e1c9619fb2385f70a4

SHA512
7bae75a9842de75e9cf9be6f3bc37b813210c17353c7a0d79ed9387723aac59cbdc66c8bd3ddd9e4620e0d69392941ad5ecc50b62e1048b0ca4d854a59a2e6ca

Download Submit
\Users\Admin\AppData\Roaming\Sun\YourPhone.exe

Filesize
8KB

MD5
c4ad5e0596c518668410f29f68fa6146

SHA1
01f89d196e4ee3e91ed05931a1e2aafd5ba7b1f8

SHA256
20b5958e5fc87457c7881fd49d95acbc8347929add2355e1c9619fb2385f70a4

SHA512
7bae75a9842de75e9cf9be6f3bc37b813210c17353c7a0d79ed9387723aac59cbdc66c8bd3ddd9e4620e0d69392941ad5ecc50b62e1048b0ca4d854a59a2e6ca

Download Submit
\Users\Admin\AppData\Roaming\Sun\YourPhone.exe

Filesize
8KB

MD5
c4ad5e0596c518668410f29f68fa6146

SHA1
01f89d196e4ee3e91ed05931a1e2aafd5ba7b1f8

SHA256
20b5958e5fc87457c7881fd49d95acbc8347929add2355e1c9619fb2385f70a4

SHA512
7bae75a9842de75e9cf9be6f3bc37b813210c17353c7a0d79ed9387723aac59cbdc66c8bd3ddd9e4620e0d69392941ad5ecc50b62e1048b0ca4d854a59a2e6ca

Download Submit
\Users\Admin\AppData\Roaming\Sun\YourPhone.exe

Filesize
8KB

MD5
c4ad5e0596c518668410f29f68fa6146

SHA1
01f89d196e4ee3e91ed05931a1e2aafd5ba7b1f8

SHA256
20b5958e5fc87457c7881fd49d95acbc8347929add2355e1c9619fb2385f70a4

SHA512
7bae75a9842de75e9cf9be6f3bc37b813210c17353c7a0d79ed9387723aac59cbdc66c8bd3ddd9e4620e0d69392941ad5ecc50b62e1048b0ca4d854a59a2e6ca

Download Submit
\Users\Admin\AppData\Roaming\Sun\YourPhone.exe

Filesize
8KB

MD5
c4ad5e0596c518668410f29f68fa6146

SHA1
01f89d196e4ee3e91ed05931a1e2aafd5ba7b1f8

SHA256
20b5958e5fc87457c7881fd49d95acbc8347929add2355e1c9619fb2385f70a4

SHA512
7bae75a9842de75e9cf9be6f3bc37b813210c17353c7a0d79ed9387723aac59cbdc66c8bd3ddd9e4620e0d69392941ad5ecc50b62e1048b0ca4d854a59a2e6ca

Download Submit
\Users\Admin\AppData\Roaming\Sun\YourPhone.exe

Filesize
8KB

MD5
c4ad5e0596c518668410f29f68fa6146

SHA1
01f89d196e4ee3e91ed05931a1e2aafd5ba7b1f8

SHA256
20b5958e5fc87457c7881fd49d95acbc8347929add2355e1c9619fb2385f70a4

SHA512
7bae75a9842de75e9cf9be6f3bc37b813210c17353c7a0d79ed9387723aac59cbdc66c8bd3ddd9e4620e0d69392941ad5ecc50b62e1048b0ca4d854a59a2e6ca

Download Submit
\Users\Admin\AppData\Roaming\Vortex\SecurityHealthService.exe

Filesize
8KB

MD5
66cadfeeb5b5b9ac39ad88512277066d

SHA1
728820ec3f8f93818776f7217330a79e29b7f6ca

SHA256
db41896e7be47a64b0fb51ee929c14f5714b17d3ea315da5b76984aa8a44759b

SHA512
da2e1e36d69255fc18c7a54636780588f2cb798ed94098be0b4786ae866e3dd05540ef57a2242972f607ddcae649be85f3fd6953c6d618244a99037dc5fb17cf

Download Submit
\Users\Admin\AppData\Roaming\Vortex\SecurityHealthService.exe

Filesize
8KB

MD5
66cadfeeb5b5b9ac39ad88512277066d

SHA1
728820ec3f8f93818776f7217330a79e29b7f6ca

SHA256
db41896e7be47a64b0fb51ee929c14f5714b17d3ea315da5b76984aa8a44759b

SHA512
da2e1e36d69255fc18c7a54636780588f2cb798ed94098be0b4786ae866e3dd05540ef57a2242972f607ddcae649be85f3fd6953c6d618244a99037dc5fb17cf

Download Submit
\Users\Admin\AppData\Roaming\Vortex\SecurityHealthService.exe

Filesize
8KB

MD5
66cadfeeb5b5b9ac39ad88512277066d

SHA1
728820ec3f8f93818776f7217330a79e29b7f6ca

SHA256
db41896e7be47a64b0fb51ee929c14f5714b17d3ea315da5b76984aa8a44759b

SHA512
da2e1e36d69255fc18c7a54636780588f2cb798ed94098be0b4786ae866e3dd05540ef57a2242972f607ddcae649be85f3fd6953c6d618244a99037dc5fb17cf

Download Submit
\Users\Admin\AppData\Roaming\Vortex\SecurityHealthService.exe

Filesize
8KB

MD5
66cadfeeb5b5b9ac39ad88512277066d

SHA1
728820ec3f8f93818776f7217330a79e29b7f6ca

SHA256
db41896e7be47a64b0fb51ee929c14f5714b17d3ea315da5b76984aa8a44759b

SHA512
da2e1e36d69255fc18c7a54636780588f2cb798ed94098be0b4786ae866e3dd05540ef57a2242972f607ddcae649be85f3fd6953c6d618244a99037dc5fb17cf

Download Submit
\Users\Admin\AppData\Roaming\Vortex\SecurityHealthService.exe

Filesize
8KB

MD5
66cadfeeb5b5b9ac39ad88512277066d

SHA1
728820ec3f8f93818776f7217330a79e29b7f6ca

SHA256
db41896e7be47a64b0fb51ee929c14f5714b17d3ea315da5b76984aa8a44759b

SHA512
da2e1e36d69255fc18c7a54636780588f2cb798ed94098be0b4786ae866e3dd05540ef57a2242972f607ddcae649be85f3fd6953c6d618244a99037dc5fb17cf

Download Submit
\Users\Admin\AppData\Roaming\Vortex\SecurityHealthService.exe

Filesize
8KB

MD5
66cadfeeb5b5b9ac39ad88512277066d

SHA1
728820ec3f8f93818776f7217330a79e29b7f6ca

SHA256
db41896e7be47a64b0fb51ee929c14f5714b17d3ea315da5b76984aa8a44759b

SHA512
da2e1e36d69255fc18c7a54636780588f2cb798ed94098be0b4786ae866e3dd05540ef57a2242972f607ddcae649be85f3fd6953c6d618244a99037dc5fb17cf

Download Submit
\sessionbroker\Guwk5OeHiM9G8JYDRUxo.exe

Filesize
2.7MB

MD5
1158fc064f1cd00d61840512245edab0

SHA1
527112daaf03f153662901fb56a9302299b52252

SHA256
4cc85f1c92a40aef5b1f3c1690a037bc78ea7712b4e35fffeb76c3a20287d447

SHA512
b425753d9197c0afbfb0748d7fc82f200f56202a290a1012be1e37615b09b3c26ebd4423a93896759b684ff4d01b96ae508fd042955277f2290f15eddf15a381

Download Submit
\sessionbroker\Starter.exe

Filesize
9KB

MD5
b00efab139b5ad485dbb33eb2b81f266

SHA1
7bd87bda9677233762b5cb77e40dd5c526c15a48

SHA256
2c98f47368944a18b6e083f78653080d666e4cd0fad758e08782ddf473bec023

SHA512
cbe9928efa4f975173038d5b15de560a0537232f04bddb0b91691d32a768ee7ffbe4bb9c7621f38a7fd94f4c5fed35785ba0bee7cca20b5f541d6f4e35ec5803

Download Submit
\sessionbroker\Starter.exe

Filesize
9KB

MD5
b00efab139b5ad485dbb33eb2b81f266

SHA1
7bd87bda9677233762b5cb77e40dd5c526c15a48

SHA256
2c98f47368944a18b6e083f78653080d666e4cd0fad758e08782ddf473bec023

SHA512
cbe9928efa4f975173038d5b15de560a0537232f04bddb0b91691d32a768ee7ffbe4bb9c7621f38a7fd94f4c5fed35785ba0bee7cca20b5f541d6f4e35ec5803

Download Submit
\sessionbroker\Starter.exe

Filesize
9KB

MD5
b00efab139b5ad485dbb33eb2b81f266

SHA1
7bd87bda9677233762b5cb77e40dd5c526c15a48

SHA256
2c98f47368944a18b6e083f78653080d666e4cd0fad758e08782ddf473bec023

SHA512
cbe9928efa4f975173038d5b15de560a0537232f04bddb0b91691d32a768ee7ffbe4bb9c7621f38a7fd94f4c5fed35785ba0bee7cca20b5f541d6f4e35ec5803

Download Submit
\sessionbroker\Starter.exe

Filesize
9KB

MD5
b00efab139b5ad485dbb33eb2b81f266

SHA1
7bd87bda9677233762b5cb77e40dd5c526c15a48

SHA256
2c98f47368944a18b6e083f78653080d666e4cd0fad758e08782ddf473bec023

SHA512
cbe9928efa4f975173038d5b15de560a0537232f04bddb0b91691d32a768ee7ffbe4bb9c7621f38a7fd94f4c5fed35785ba0bee7cca20b5f541d6f4e35ec5803

Download Submit
\sessionbroker\e6ee5674bb9446c78bbc5729af6e2c28.exe

Filesize
8KB

MD5
c4a3c2cad895e1922b778b91c519f7f0

SHA1
9c8267bd68db7ecd98af6420195e2ddbc5faf99b

SHA256
50d672e104dfc82540dd8246f6a177e869a8154a1f8750bde373d3c0466cae1e

SHA512
8032a1e7fccaaf353308e8d5da1477d94dd89baebdbf736e84f062679dfa1859f51f1b11ef570d96602c78820484921aa68c77874175c2bb8f439135a46ce99c

Download Submit
\sessionbroker\refdll.exe

Filesize
2.2MB

MD5
7df85f5215c5a11c4e2ad007bd5b1571

SHA1
4ff16210bf5fab2f6fab85e6472c551d70fee692

SHA256
d9381960ff3975d9e76a8d1ba5642c2ab7abc16a7e8ec1aedca3d88c15175541

SHA512
df09df54155cdf36b0cda46e985cc24342c2427e61e52ca9e590791e3dc46753584ad2926994ee9db6ae68908b83af191856db82623e354cba32358c9b512b62

Download Submit
memory/1000-121-0x00000000008D0000-0x00000000008D8000-memory.dmp

Filesize
32KB

Download
memory/1492-114-0x0000000000730000-0x0000000000746000-memory.dmp

Filesize
88KB

Download
memory/1492-111-0x000000001B750000-0x000000001BAA2000-memory.dmp

Filesize
3.3MB

Download
memory/1492-115-0x000000001AE00000-0x000000001AE7C000-memory.dmp

Filesize
496KB

Download
memory/1492-113-0x000000001AF00000-0x000000001AF90000-memory.dmp

Filesize
576KB

Download
memory/1492-112-0x000000001A970000-0x000000001A9C4000-memory.dmp

Filesize
336KB

Download
memory/1492-103-0x0000000000C10000-0x0000000000E42000-memory.dmp

Filesize
2.2MB

Download
memory/1504-90-0x0000000000050000-0x0000000000058000-memory.dmp

Filesize
32KB

Download
memory/1616-97-0x000007FEF4CB0000-0x000007FEF56D3000-memory.dmp

Filesize
10.1MB

Download
memory/1708-54-0x00000000758D1000-0x00000000758D3000-memory.dmp

Filesize
8KB

Download
memory/1736-58-0x000007FEFBE51000-0x000007FEFBE53000-memory.dmp

Filesize
8KB

Download
memory/2152-129-0x0000000001050000-0x0000000001058000-memory.dmp

Filesize
32KB

Download
memory/2292-137-0x0000000000E90000-0x0000000000E98000-memory.dmp

Filesize
32KB

Download