snakekeylogger | e6da15aedc54f4b4faa8df84038a7172eb010fcaa4caeb3008e7fd371597f973

Analysis

max time kernel
157s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220722-en
resource tags

arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2022 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3-FRQ MOQ 001 08 2022PDT.exe
Size

1.2MB
MD5

105c2d0f5e8b8202ff79c97392855544
SHA1

d14307bfae983cde57dad14172d3a65258e9ba4e
SHA256

e6da15aedc54f4b4faa8df84038a7172eb010fcaa4caeb3008e7fd371597f973
SHA512

6072430cce7bc853e392f3f8ec63ba715e246b0ea36905df0523e9f0f61de3d06707cb56d1a86437c1ac047d874bab8b2fde58049e5fd9aaf0b56be9af063be5

Score

10^/10

snakekeylogger warzonerat collection evasion infostealer keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

warzonerat

toomuchego.ydns.eu:5200

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 11 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1140-140-0x0000000000400000-0x00000000004AF000-memory.dmp	family_snakekeylogger
behavioral2/memory/1140-141-0x0000000000400000-0x00000000004AF000-memory.dmp	family_snakekeylogger
behavioral2/memory/1140-142-0x0000000000400000-0x00000000004AF000-memory.dmp	family_snakekeylogger
behavioral2/memory/1140-143-0x0000000000400000-0x00000000004AF000-memory.dmp	family_snakekeylogger
C:\Users\Admin\AppData\Local\Temp\EGGMM.EXE	family_snakekeylogger
C:\Users\Admin\AppData\Local\Temp\EGGMM.EXE	family_snakekeylogger
C:\Users\Admin\AppData\Local\Temp\WXS.EXE	family_snakekeylogger
C:\Users\Admin\AppData\Local\Temp\WXS.EXE	family_snakekeylogger
behavioral2/memory/256-150-0x0000000000E60000-0x0000000000E86000-memory.dmp	family_snakekeylogger
behavioral2/memory/1140-151-0x0000000000400000-0x00000000004AF000-memory.dmp	family_snakekeylogger
C:\Users\Admin\AppData\Local\Temp\EGGMM.EXE	family_snakekeylogger

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

GUM.EXE

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" GUM.EXE
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Windows security bypass 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

GUM.EXE

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" GUM.EXE
Executes dropped EXE 6 IoCs

Processes:

EGGMM.EXEWXS.EXEEGGMM.EXEGUM.EXEWALL PAPER.EXEimages.exe

pid process

256 EGGMM.EXE
1820 WXS.EXE
4488 EGGMM.EXE
5048 GUM.EXE
3108 WALL PAPER.EXE
3764 images.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	GUM.EXE

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	GUM.EXE

pid	process
256	EGGMM.EXE
1820	WXS.EXE
4488	EGGMM.EXE
5048	GUM.EXE
3108	WALL PAPER.EXE
3764	images.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3-FRQ MOQ 001 08 2022PDT.exeWXS.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	3-FRQ MOQ 001 08 2022PDT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	WXS.EXE

Loads dropped DLL 6 IoCs

Processes:

images.exe

pid process

3764 images.exe
3764 images.exe
3764 images.exe
3764 images.exe
3764 images.exe
3764 images.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

GUM.EXE

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" GUM.EXE

pid	process
3764	images.exe
3764	images.exe
3764	images.exe
3764	images.exe
3764	images.exe
3764	images.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	GUM.EXE

Accesses Microsoft Outlook profiles 1 TTPs 8 IoCs

collection

Email Collection

T1114

Processes:

EGGMM.EXEimages.exeEGGMM.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EGGMM.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	images.exe
Key opened	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	images.exe
Key opened	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EGGMM.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EGGMM.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EGGMM.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EGGMM.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EGGMM.EXE

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

GUM.EXE

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" GUM.EXE
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

40 checkip.dyndns.org

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	GUM.EXE

flow	ioc
40	checkip.dyndns.org

Program crash 29 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3428	4992	WerFault.exe	iexplore.exe
1680	1476	WerFault.exe	iexplore.exe
1228	3176	WerFault.exe	iexplore.exe
2220	5112	WerFault.exe	iexplore.exe
5004	2768	WerFault.exe	iexplore.exe
2944	4972	WerFault.exe	iexplore.exe
4576	3616	WerFault.exe	iexplore.exe
3768	3372	WerFault.exe	iexplore.exe
3088	2928	WerFault.exe	iexplore.exe
4996	3672	WerFault.exe	iexplore.exe
868	3068	WerFault.exe	iexplore.exe
3132	3872	WerFault.exe	iexplore.exe
5104	3660	WerFault.exe	iexplore.exe
2164	616	WerFault.exe	iexplore.exe
384	3792	WerFault.exe	iexplore.exe
3368	2200	WerFault.exe	iexplore.exe
4576	3736	WerFault.exe	iexplore.exe
4996	2032	WerFault.exe	iexplore.exe
3720	3168	WerFault.exe	iexplore.exe
4160	2560	WerFault.exe	iexplore.exe
2204	4576	WerFault.exe	iexplore.exe
3536	1540	WerFault.exe	iexplore.exe
1684	2780	WerFault.exe	iexplore.exe
3132	5004	WerFault.exe	iexplore.exe
3476	2820	WerFault.exe	iexplore.exe
4952	2128	WerFault.exe	iexplore.exe
4204	868	WerFault.exe	iexplore.exe
768	384	WerFault.exe	iexplore.exe
5040	2612	WerFault.exe	iexplore.exe

Suspicious use of SetThreadContext 30 IoCs

Processes:

3-FRQ MOQ 001 08 2022PDT.exeGUM.EXE

description	pid	process	target process
PID 1124 set thread context of 1140	1124	3-FRQ MOQ 001 08 2022PDT.exe	3-FRQ MOQ 001 08 2022PDT.exe
PID 5048 set thread context of 4992	5048	GUM.EXE	iexplore.exe
PID 5048 set thread context of 1476	5048	GUM.EXE	iexplore.exe
PID 5048 set thread context of 3176	5048	GUM.EXE	iexplore.exe
PID 5048 set thread context of 5112	5048	GUM.EXE	iexplore.exe
PID 5048 set thread context of 2768	5048	GUM.EXE	iexplore.exe
PID 5048 set thread context of 4972	5048	GUM.EXE	iexplore.exe
PID 5048 set thread context of 3616	5048	GUM.EXE	iexplore.exe
PID 5048 set thread context of 3372	5048	GUM.EXE	iexplore.exe
PID 5048 set thread context of 2928	5048	GUM.EXE	iexplore.exe
PID 5048 set thread context of 3672	5048	GUM.EXE	iexplore.exe
PID 5048 set thread context of 3068	5048	GUM.EXE	iexplore.exe
PID 5048 set thread context of 3872	5048	GUM.EXE	iexplore.exe
PID 5048 set thread context of 3660	5048	GUM.EXE	iexplore.exe
PID 5048 set thread context of 616	5048	GUM.EXE	iexplore.exe
PID 5048 set thread context of 3792	5048	GUM.EXE	iexplore.exe
PID 5048 set thread context of 2200	5048	GUM.EXE	iexplore.exe
PID 5048 set thread context of 3736	5048	GUM.EXE	iexplore.exe
PID 5048 set thread context of 2032	5048	GUM.EXE	iexplore.exe
PID 5048 set thread context of 3168	5048	GUM.EXE	iexplore.exe
PID 5048 set thread context of 2560	5048	GUM.EXE	iexplore.exe
PID 5048 set thread context of 4576	5048	GUM.EXE	iexplore.exe
PID 5048 set thread context of 1540	5048	GUM.EXE	iexplore.exe
PID 5048 set thread context of 2780	5048	GUM.EXE	iexplore.exe
PID 5048 set thread context of 5004	5048	GUM.EXE	iexplore.exe
PID 5048 set thread context of 2820	5048	GUM.EXE	iexplore.exe
PID 5048 set thread context of 2128	5048	GUM.EXE	iexplore.exe
PID 5048 set thread context of 868	5048	GUM.EXE	iexplore.exe
PID 5048 set thread context of 384	5048	GUM.EXE	iexplore.exe
PID 5048 set thread context of 2612	5048	GUM.EXE	iexplore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3-FRQ MOQ 001 08 2022PDT.exeEGGMM.EXEEGGMM.EXEGUM.EXE

pid	process
1124	3-FRQ MOQ 001 08 2022PDT.exe
1124	3-FRQ MOQ 001 08 2022PDT.exe
1124	3-FRQ MOQ 001 08 2022PDT.exe
1124	3-FRQ MOQ 001 08 2022PDT.exe
256	EGGMM.EXE
4488	EGGMM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE
5048	GUM.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

3-FRQ MOQ 001 08 2022PDT.exeEGGMM.EXEEGGMM.EXE

description pid process

Token: SeDebugPrivilege 1124 3-FRQ MOQ 001 08 2022PDT.exe
Token: SeDebugPrivilege 256 EGGMM.EXE
Token: SeDebugPrivilege 4488 EGGMM.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

GUM.EXEimages.exe

pid process

5048 GUM.EXE
3764 images.exe

description	pid	process
Token: SeDebugPrivilege	1124	3-FRQ MOQ 001 08 2022PDT.exe
Token: SeDebugPrivilege	256	EGGMM.EXE
Token: SeDebugPrivilege	4488	EGGMM.EXE

pid	process
5048	GUM.EXE
3764	images.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3-FRQ MOQ 001 08 2022PDT.exe3-FRQ MOQ 001 08 2022PDT.exeWXS.EXEGUM.EXEWALL PAPER.EXEcmd.exeimages.exe

description	pid	process	target process
PID 1124 wrote to memory of 616	1124	3-FRQ MOQ 001 08 2022PDT.exe	3-FRQ MOQ 001 08 2022PDT.exe
PID 1124 wrote to memory of 616	1124	3-FRQ MOQ 001 08 2022PDT.exe	3-FRQ MOQ 001 08 2022PDT.exe
PID 1124 wrote to memory of 616	1124	3-FRQ MOQ 001 08 2022PDT.exe	3-FRQ MOQ 001 08 2022PDT.exe
PID 1124 wrote to memory of 1072	1124	3-FRQ MOQ 001 08 2022PDT.exe	3-FRQ MOQ 001 08 2022PDT.exe
PID 1124 wrote to memory of 1072	1124	3-FRQ MOQ 001 08 2022PDT.exe	3-FRQ MOQ 001 08 2022PDT.exe
PID 1124 wrote to memory of 1072	1124	3-FRQ MOQ 001 08 2022PDT.exe	3-FRQ MOQ 001 08 2022PDT.exe
PID 1124 wrote to memory of 1140	1124	3-FRQ MOQ 001 08 2022PDT.exe	3-FRQ MOQ 001 08 2022PDT.exe
PID 1124 wrote to memory of 1140	1124	3-FRQ MOQ 001 08 2022PDT.exe	3-FRQ MOQ 001 08 2022PDT.exe
PID 1124 wrote to memory of 1140	1124	3-FRQ MOQ 001 08 2022PDT.exe	3-FRQ MOQ 001 08 2022PDT.exe
PID 1124 wrote to memory of 1140	1124	3-FRQ MOQ 001 08 2022PDT.exe	3-FRQ MOQ 001 08 2022PDT.exe
PID 1124 wrote to memory of 1140	1124	3-FRQ MOQ 001 08 2022PDT.exe	3-FRQ MOQ 001 08 2022PDT.exe
PID 1124 wrote to memory of 1140	1124	3-FRQ MOQ 001 08 2022PDT.exe	3-FRQ MOQ 001 08 2022PDT.exe
PID 1124 wrote to memory of 1140	1124	3-FRQ MOQ 001 08 2022PDT.exe	3-FRQ MOQ 001 08 2022PDT.exe
PID 1124 wrote to memory of 1140	1124	3-FRQ MOQ 001 08 2022PDT.exe	3-FRQ MOQ 001 08 2022PDT.exe
PID 1124 wrote to memory of 1140	1124	3-FRQ MOQ 001 08 2022PDT.exe	3-FRQ MOQ 001 08 2022PDT.exe
PID 1124 wrote to memory of 1140	1124	3-FRQ MOQ 001 08 2022PDT.exe	3-FRQ MOQ 001 08 2022PDT.exe
PID 1140 wrote to memory of 256	1140	3-FRQ MOQ 001 08 2022PDT.exe	EGGMM.EXE
PID 1140 wrote to memory of 256	1140	3-FRQ MOQ 001 08 2022PDT.exe	EGGMM.EXE
PID 1140 wrote to memory of 256	1140	3-FRQ MOQ 001 08 2022PDT.exe	EGGMM.EXE
PID 1140 wrote to memory of 1820	1140	3-FRQ MOQ 001 08 2022PDT.exe	WXS.EXE
PID 1140 wrote to memory of 1820	1140	3-FRQ MOQ 001 08 2022PDT.exe	WXS.EXE
PID 1140 wrote to memory of 1820	1140	3-FRQ MOQ 001 08 2022PDT.exe	WXS.EXE
PID 1820 wrote to memory of 4488	1820	WXS.EXE	EGGMM.EXE
PID 1820 wrote to memory of 4488	1820	WXS.EXE	EGGMM.EXE
PID 1820 wrote to memory of 4488	1820	WXS.EXE	EGGMM.EXE
PID 1820 wrote to memory of 5048	1820	WXS.EXE	GUM.EXE
PID 1820 wrote to memory of 5048	1820	WXS.EXE	GUM.EXE
PID 1820 wrote to memory of 5048	1820	WXS.EXE	GUM.EXE
PID 1820 wrote to memory of 3108	1820	WXS.EXE	WALL PAPER.EXE
PID 1820 wrote to memory of 3108	1820	WXS.EXE	WALL PAPER.EXE
PID 1820 wrote to memory of 3108	1820	WXS.EXE	WALL PAPER.EXE
PID 5048 wrote to memory of 4992	5048	GUM.EXE	iexplore.exe
PID 5048 wrote to memory of 4992	5048	GUM.EXE	iexplore.exe
PID 5048 wrote to memory of 4992	5048	GUM.EXE	iexplore.exe
PID 5048 wrote to memory of 4992	5048	GUM.EXE	iexplore.exe
PID 5048 wrote to memory of 4992	5048	GUM.EXE	iexplore.exe
PID 5048 wrote to memory of 4992	5048	GUM.EXE	iexplore.exe
PID 5048 wrote to memory of 4992	5048	GUM.EXE	iexplore.exe
PID 5048 wrote to memory of 4992	5048	GUM.EXE	iexplore.exe
PID 3108 wrote to memory of 2876	3108	WALL PAPER.EXE	cmd.exe
PID 3108 wrote to memory of 2876	3108	WALL PAPER.EXE	cmd.exe
PID 3108 wrote to memory of 2876	3108	WALL PAPER.EXE	cmd.exe
PID 3108 wrote to memory of 3764	3108	WALL PAPER.EXE	images.exe
PID 3108 wrote to memory of 3764	3108	WALL PAPER.EXE	images.exe
PID 3108 wrote to memory of 3764	3108	WALL PAPER.EXE	images.exe
PID 2876 wrote to memory of 3932	2876	cmd.exe	reg.exe
PID 2876 wrote to memory of 3932	2876	cmd.exe	reg.exe
PID 2876 wrote to memory of 3932	2876	cmd.exe	reg.exe
PID 5048 wrote to memory of 1476	5048	GUM.EXE	iexplore.exe
PID 5048 wrote to memory of 1476	5048	GUM.EXE	iexplore.exe
PID 5048 wrote to memory of 1476	5048	GUM.EXE	iexplore.exe
PID 5048 wrote to memory of 1476	5048	GUM.EXE	iexplore.exe
PID 5048 wrote to memory of 1476	5048	GUM.EXE	iexplore.exe
PID 5048 wrote to memory of 1476	5048	GUM.EXE	iexplore.exe
PID 5048 wrote to memory of 1476	5048	GUM.EXE	iexplore.exe
PID 5048 wrote to memory of 1476	5048	GUM.EXE	iexplore.exe
PID 3764 wrote to memory of 3152	3764	images.exe	cmd.exe
PID 3764 wrote to memory of 3152	3764	images.exe	cmd.exe
PID 3764 wrote to memory of 3152	3764	images.exe	cmd.exe
PID 3764 wrote to memory of 3152	3764	images.exe	cmd.exe
PID 3764 wrote to memory of 3152	3764	images.exe	cmd.exe
PID 5048 wrote to memory of 3176	5048	GUM.EXE	iexplore.exe
PID 5048 wrote to memory of 3176	5048	GUM.EXE	iexplore.exe
PID 5048 wrote to memory of 3176	5048	GUM.EXE	iexplore.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

GUM.EXE

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" GUM.EXE

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	GUM.EXE

outlook_office_path 1 IoCs

Processes:

images.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	images.exe

outlook_win_path 1 IoCs

Processes:

images.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	images.exe

C:\Users\Admin\AppData\Local\Temp\3-FRQ MOQ 001 08 2022PDT.exe
"C:\Users\Admin\AppData\Local\Temp\3-FRQ MOQ 001 08 2022PDT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124

C:\Users\Admin\AppData\Local\Temp\3-FRQ MOQ 001 08 2022PDT.exe
"{path}"
2⤵
PID:616

C:\Users\Admin\AppData\Local\Temp\3-FRQ MOQ 001 08 2022PDT.exe
"{path}"
2⤵
PID:1072

C:\Users\Admin\AppData\Local\Temp\3-FRQ MOQ 001 08 2022PDT.exe
"{path}"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1140

C:\Users\Admin\AppData\Local\Temp\EGGMM.EXE
"C:\Users\Admin\AppData\Local\Temp\EGGMM.EXE"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:256

C:\Users\Admin\AppData\Local\Temp\WXS.EXE
"C:\Users\Admin\AppData\Local\Temp\WXS.EXE"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1820

C:\Users\Admin\AppData\Local\Temp\EGGMM.EXE
"C:\Users\Admin\AppData\Local\Temp\EGGMM.EXE"
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Users\Admin\AppData\Local\Temp\GUM.EXE
"C:\Users\Admin\AppData\Local\Temp\GUM.EXE"
4⤵
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5048

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\GUM.EXE
5⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 84
6⤵
- Program crash
PID:3428

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\GUM.EXE
5⤵
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 84
6⤵
- Program crash
PID:1680

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\GUM.EXE
5⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 84
6⤵
- Program crash
PID:1228

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\GUM.EXE
5⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 84
6⤵
- Program crash
PID:2220

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\GUM.EXE
5⤵
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 84
6⤵
- Program crash
PID:5004

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\GUM.EXE
5⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 84
6⤵
- Program crash
PID:2944

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\GUM.EXE
5⤵
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 84
6⤵
- Program crash
PID:4576

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\GUM.EXE
5⤵
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 84
6⤵
- Program crash
PID:3768

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\GUM.EXE
5⤵
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 84
6⤵
- Program crash
PID:3088

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\GUM.EXE
5⤵
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 84
6⤵
- Program crash
PID:4996

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\GUM.EXE
5⤵
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 84
6⤵
- Program crash
PID:868

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\GUM.EXE
5⤵
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 84
6⤵
- Program crash
PID:3132

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\GUM.EXE
5⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 84
6⤵
- Program crash
PID:5104

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\GUM.EXE
5⤵
PID:616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 616 -s 84
6⤵
- Program crash
PID:2164

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\GUM.EXE
5⤵
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 84
6⤵
- Program crash
PID:384

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\GUM.EXE
5⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 84
6⤵
- Program crash
PID:3368

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\GUM.EXE
5⤵
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 84
6⤵
- Program crash
PID:4576

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\GUM.EXE
5⤵
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 84
6⤵
- Program crash
PID:4996

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\GUM.EXE
5⤵
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 84
6⤵
- Program crash
PID:3720

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\GUM.EXE
5⤵
PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 84
6⤵
- Program crash
PID:4160

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\GUM.EXE
5⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 12
6⤵
- Program crash
PID:2204

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\GUM.EXE
5⤵
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 84
6⤵
- Program crash
PID:3536

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\GUM.EXE
5⤵
PID:2780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 84
6⤵
- Program crash
PID:1684

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\GUM.EXE
5⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 84
6⤵
- Program crash
PID:3132

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\GUM.EXE
5⤵
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 84
6⤵
- Program crash
PID:3476

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\GUM.EXE
5⤵
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 84
6⤵
- Program crash
PID:4952

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\GUM.EXE
5⤵
PID:868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 84
6⤵
- Program crash
PID:4204

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\GUM.EXE
5⤵
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 84
6⤵
- Program crash
PID:768

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\GUM.EXE
5⤵
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 84
6⤵
- Program crash
PID:5040

C:\Users\Admin\AppData\Local\Temp\WALL PAPER.EXE
"C:\Users\Admin\AppData\Local\Temp\WALL PAPER.EXE"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
6⤵
PID:3932

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
6⤵
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4992 -ip 4992
1⤵
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1476 -ip 1476
1⤵
PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3176 -ip 3176
1⤵
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5112 -ip 5112
1⤵
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2768 -ip 2768
1⤵
PID:380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4972 -ip 4972
1⤵
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3616 -ip 3616
1⤵
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3372 -ip 3372
1⤵
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2928 -ip 2928
1⤵
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3672 -ip 3672
1⤵
PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3068 -ip 3068
1⤵
PID:816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3872 -ip 3872
1⤵
PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3660 -ip 3660
1⤵
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 616 -ip 616
1⤵
PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3792 -ip 3792
1⤵
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2200 -ip 2200
1⤵
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3736 -ip 3736
1⤵
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2032 -ip 2032
1⤵
PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3168 -ip 3168
1⤵
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 2560 -ip 2560
1⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 4576 -ip 4576
1⤵
PID:908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 1540 -ip 1540
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 2780 -ip 2780
1⤵
PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 5004 -ip 5004
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 2820 -ip 2820
1⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 2128 -ip 2128
1⤵
PID:1124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 868 -ip 868
1⤵
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 384 -ip 384
1⤵
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 2612 -ip 2612
1⤵
PID:400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe
Filesize
152KB

MD5
d934bc77b8157ece0a3bbec1527cee9b

SHA1
841017a8d48040f1e0d593608c2506007ea9f997

SHA256
c6e161181e3f246471f546f84655f3de28e86860db5c449293a56efc17024aac

SHA512
5b3bfd6b2f2a7d7a70cd4d40b1fe74b7fc3945dc485f86d46230d19af050d91bc39d68494b9836bf8ebbd3151b3651c753d49d7072e85295e67be8dcc0043fc8

Download Submit
C:\ProgramData\images.exe
Filesize
152KB

MD5
d934bc77b8157ece0a3bbec1527cee9b

SHA1
841017a8d48040f1e0d593608c2506007ea9f997

SHA256
c6e161181e3f246471f546f84655f3de28e86860db5c449293a56efc17024aac

SHA512
5b3bfd6b2f2a7d7a70cd4d40b1fe74b7fc3945dc485f86d46230d19af050d91bc39d68494b9836bf8ebbd3151b3651c753d49d7072e85295e67be8dcc0043fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EGGMM.EXE
Filesize
126KB

MD5
350dfc66657d2d9b2231bf8bfe33497b

SHA1
0fb28b28c416d21f1db2d54355e89fa8ec3e3324

SHA256
a2bb808321745ce0239b5a84c78a801644d903ce8a6ab87193337aaf2d01fc31

SHA512
635132ff935ea13048839d2c535d5abbae53c77d332df7c7628dbbb5db94ffc3b5be7820bb116da94433d6c814b5b4b6811bcc32b22cae3adffb086664e010e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EGGMM.EXE
Filesize
126KB

MD5
350dfc66657d2d9b2231bf8bfe33497b

SHA1
0fb28b28c416d21f1db2d54355e89fa8ec3e3324

SHA256
a2bb808321745ce0239b5a84c78a801644d903ce8a6ab87193337aaf2d01fc31

SHA512
635132ff935ea13048839d2c535d5abbae53c77d332df7c7628dbbb5db94ffc3b5be7820bb116da94433d6c814b5b4b6811bcc32b22cae3adffb086664e010e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EGGMM.EXE
Filesize
126KB

MD5
350dfc66657d2d9b2231bf8bfe33497b

SHA1
0fb28b28c416d21f1db2d54355e89fa8ec3e3324

SHA256
a2bb808321745ce0239b5a84c78a801644d903ce8a6ab87193337aaf2d01fc31

SHA512
635132ff935ea13048839d2c535d5abbae53c77d332df7c7628dbbb5db94ffc3b5be7820bb116da94433d6c814b5b4b6811bcc32b22cae3adffb086664e010e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM.EXE
Filesize
172KB

MD5
81912e3dd162ce7c96114a84d0d58b29

SHA1
2def8b1c48c9e550f57c9dab915c5232a7113d57

SHA256
f91cf396d6cc0e3803aa25fd0770e9a252196ae616e032e4880668c8ded74dc0

SHA512
893b3c4483d0a307cad24c73fce27bc4e02438439fc5b07d596146bdb92767e53e60642ff6264ce80891b10c0a7f2a3f5b397560a47ee6e1244d6e5e9a80f341

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM.EXE
Filesize
172KB

MD5
81912e3dd162ce7c96114a84d0d58b29

SHA1
2def8b1c48c9e550f57c9dab915c5232a7113d57

SHA256
f91cf396d6cc0e3803aa25fd0770e9a252196ae616e032e4880668c8ded74dc0

SHA512
893b3c4483d0a307cad24c73fce27bc4e02438439fc5b07d596146bdb92767e53e60642ff6264ce80891b10c0a7f2a3f5b397560a47ee6e1244d6e5e9a80f341

Download Submit
C:\Users\Admin\AppData\Local\Temp\WALL PAPER.EXE
Filesize
152KB

MD5
d934bc77b8157ece0a3bbec1527cee9b

SHA1
841017a8d48040f1e0d593608c2506007ea9f997

SHA256
c6e161181e3f246471f546f84655f3de28e86860db5c449293a56efc17024aac

SHA512
5b3bfd6b2f2a7d7a70cd4d40b1fe74b7fc3945dc485f86d46230d19af050d91bc39d68494b9836bf8ebbd3151b3651c753d49d7072e85295e67be8dcc0043fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WALL PAPER.EXE
Filesize
152KB

MD5
d934bc77b8157ece0a3bbec1527cee9b

SHA1
841017a8d48040f1e0d593608c2506007ea9f997

SHA256
c6e161181e3f246471f546f84655f3de28e86860db5c449293a56efc17024aac

SHA512
5b3bfd6b2f2a7d7a70cd4d40b1fe74b7fc3945dc485f86d46230d19af050d91bc39d68494b9836bf8ebbd3151b3651c753d49d7072e85295e67be8dcc0043fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXS.EXE
Filesize
503KB

MD5
f801b47ec91f5f75b0f5804506665b14

SHA1
6ca1c47f85abaed4a3cc414b6200360ca658b2c5

SHA256
62ae48d339e52a1b5be82e703025f2be10d6025f97fd784d40f2781d6ee886ec

SHA512
1e3910895b9bbd23d4adf174683f83ce8b000dba606034bfb2bfaa18ffbf2293ebc4eb47bdebda46d2f326f74c963be005ddb440aa2449a21918c40a8d974322

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXS.EXE
Filesize
503KB

MD5
f801b47ec91f5f75b0f5804506665b14

SHA1
6ca1c47f85abaed4a3cc414b6200360ca658b2c5

SHA256
62ae48d339e52a1b5be82e703025f2be10d6025f97fd784d40f2781d6ee886ec

SHA512
1e3910895b9bbd23d4adf174683f83ce8b000dba606034bfb2bfaa18ffbf2293ebc4eb47bdebda46d2f326f74c963be005ddb440aa2449a21918c40a8d974322

Download Submit
C:\Users\Admin\AppData\Local\Temp\freebl3.dll
Filesize
326KB

MD5
ef12ab9d0b231b8f898067b2114b1bc0

SHA1
6d90f27b2105945f9bb77039e8b892070a5f9442

SHA256
2b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7

SHA512
2aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozglue.dll
Filesize
133KB

MD5
75f8cc548cabf0cc800c25047e4d3124

SHA1
602676768f9faecd35b48c38a0632781dfbde10c

SHA256
fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0

SHA512
ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f

Download Submit
C:\Users\Admin\AppData\Local\Temp\msvcp140.dll
Filesize
429KB

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss3.dll
Filesize
1.2MB

MD5
d7858e8449004e21b01d468e9fd04b82

SHA1
9524352071ede21c167e7e4f106e9526dc23ef4e

SHA256
78758bf7f3b3b5e3477e38354acd32d787bc1286c8bd9b873471b9c195e638db

SHA512
1e2c981e6c0ca36c60c6e9cae9548b866d5c524df837095b30d618d9c322def7134c20de820105400dd1b58076b66d90274f67773ac6ba914f611b419babb440

Download Submit
C:\Users\Admin\AppData\Local\Temp\softokn3.dll
Filesize
141KB

MD5
471c983513694ac3002590345f2be0da

SHA1
6612b9af4ff6830fa9b7d4193078434ef72f775b

SHA256
bb3ff746471116c6ad0339fa0522aa2a44a787e33a29c7b27649a054ecd4d00f

SHA512
a9b0fb923bc3b567e933de10b141a3e9213640e3d790b4c4d753cf220d55593ae8026102909969ba6bfc22da3b2fcd01e30a9f5a74bd14a0fdec9beaf0fb1410

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcruntime140.dll
Filesize
81KB

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
memory/256-144-0x0000000000000000-mapping.dmp

Download
memory/256-162-0x0000000006A50000-0x0000000006C12000-memory.dmp

Filesize
1.8MB

Download
memory/256-150-0x0000000000E60000-0x0000000000E86000-memory.dmp

Filesize
152KB

Download
memory/616-137-0x0000000000000000-mapping.dmp

Download
memory/1072-138-0x0000000000000000-mapping.dmp

Download
memory/1124-133-0x0000000007DB0000-0x0000000008354000-memory.dmp

Filesize
5.6MB

Download
memory/1124-134-0x00000000078E0000-0x0000000007972000-memory.dmp

Filesize
584KB

Download
memory/1124-135-0x0000000007980000-0x0000000007A1C000-memory.dmp

Filesize
624KB

Download
memory/1124-136-0x00000000078B0000-0x00000000078BA000-memory.dmp

Filesize
40KB

Download
memory/1124-132-0x0000000000900000-0x0000000000A3C000-memory.dmp

Filesize
1.2MB

Download
memory/1140-142-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1140-141-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1140-139-0x0000000000000000-mapping.dmp

Download
memory/1140-143-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1140-151-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1140-140-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1820-147-0x0000000000000000-mapping.dmp

Download
memory/2876-163-0x0000000000000000-mapping.dmp

Download
memory/3108-157-0x0000000000000000-mapping.dmp

Download
memory/3152-168-0x0000000000000000-mapping.dmp

Download
memory/3152-169-0x0000000001400000-0x0000000001401000-memory.dmp

Filesize
4KB

Download
memory/3764-171-0x00000000040B0000-0x0000000004134000-memory.dmp

Filesize
528KB

Download
memory/3764-170-0x0000000003BB0000-0x0000000003D50000-memory.dmp

Filesize
1.6MB

Download
memory/3764-164-0x0000000000000000-mapping.dmp

Download
memory/3932-167-0x0000000000000000-mapping.dmp

Download
memory/4488-152-0x0000000000000000-mapping.dmp

Download
memory/5048-154-0x0000000000000000-mapping.dmp

Download