raccoon | 9f0c6ca016ddc2dba64ee16b0c9b68e98f85299d09cf455decc9f0550b1b1a77

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
04-08-2022 15:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f0c6ca016ddc2dba64ee16b0c9b68e98f85299d09cf455decc9f0550b1b1a77.exe
Size

340KB
MD5

827c533e6030bf67b53460a3bf20813f
SHA1

46a5f78f7e79cd5f39ae76c925bc9ada1243be08
SHA256

9f0c6ca016ddc2dba64ee16b0c9b68e98f85299d09cf455decc9f0550b1b1a77
SHA512

57b45d28994722620d5496a0f267060345d385358dabf7bace2337f8975940d6dc39ea6bf5c677943176f55dc536b7c2bb1013671fa3909235b1bf53e9e07f7f

Score

10^/10

raccoon socelars 9ff0d3252fc925e8866300fd0964f332 discovery persistence spyware stealer vmprotect

Malware Config

Extracted

Family

socelars

https://hueduy.s3.eu-west-1.amazonaws.com/dkfjrg725/

Extracted

Family

raccoon

Botnet

9ff0d3252fc925e8866300fd0964f332

http://51.195.166.176

rc4.plain

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	4616	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3604	4616	rundll32.exe

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1576-189-0x0000000000970000-0x000000000143E000-memory.dmp	family_raccoon
behavioral1/memory/1576-191-0x0000000000970000-0x000000000143E000-memory.dmp	family_raccoon
behavioral1/memory/1576-198-0x0000000000970000-0x000000000143E000-memory.dmp	family_raccoon
behavioral1/memory/1576-225-0x0000000000970000-0x000000000143E000-memory.dmp	family_raccoon
behavioral1/memory/1576-228-0x0000000000970000-0x000000000143E000-memory.dmp	family_raccoon

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\mp3studios_51.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\mp3studios_51.exe	family_socelars

Downloads MZ/PE file

Executes dropped EXE 17 IoCs

Processes:

70AD.exe8157.exe8919.exe8919.exe98E8.exeBCEC.exeCB93.exeCB93.exebuaeacdmoek.exeznLyAjp.exemp3studios_51.exeChiamando.exe.pif70AE.exe8F33.exe9C06.exeChiamando.exe.pifBE25.exe

pid	process
4820	70AD.exe
2328	8157.exe
4784	8919.exe
4612	8919.exe
1284	98E8.exe
4856	BCEC.exe
1408	CB93.exe
2376	CB93.exe
1576	buaeacdmoek.exe
1352	znLyAjp.exe
4308	mp3studios_51.exe
5004	Chiamando.exe.pif
2360	70AE.exe
796	8F33.exe
4948	9C06.exe
2112	Chiamando.exe.pif
2764	BE25.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\98E8.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\98E8.exe	vmprotect
behavioral1/memory/1284-159-0x0000000140000000-0x000000014068C000-memory.dmp	vmprotect
behavioral1/memory/796-233-0x0000000140000000-0x000000014068C000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8919.exeCB93.exeBCEC.exebuaeacdmoek.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	8919.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	CB93.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	BCEC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	buaeacdmoek.exe

Loads dropped DLL 12 IoCs

Processes:

regsvr32.exerundll32.exerundll32.exebuaeacdmoek.exeChiamando.exe.pif

pid	process
3612	regsvr32.exe
5024	rundll32.exe
2504	rundll32.exe
1576	buaeacdmoek.exe
1576	buaeacdmoek.exe
1576	buaeacdmoek.exe
5004	Chiamando.exe.pif
5004	Chiamando.exe.pif
5004	Chiamando.exe.pif
5004	Chiamando.exe.pif
5004	Chiamando.exe.pif
5004	Chiamando.exe.pif

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

znLyAjp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	znLyAjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	znLyAjp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

81 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

buaeacdmoek.exe

pid process

1576 buaeacdmoek.exe
1576 buaeacdmoek.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Chiamando.exe.pif

description pid process target process

PID 5004 set thread context of 2112 5004 Chiamando.exe.pif Chiamando.exe.pif

flow	ioc
81	ip-api.com

pid	process
1576	buaeacdmoek.exe
1576	buaeacdmoek.exe

description	pid	process	target process
PID 5004 set thread context of 2112	5004	Chiamando.exe.pif	Chiamando.exe.pif

Drops file in Program Files directory 19 IoCs

Processes:

mp3studios_51.exe70AE.exe

description	ioc	process
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png	mp3studios_51.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js	mp3studios_51.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js	mp3studios_51.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	70AE.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json	70AE.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html	mp3studios_51.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json	mp3studios_51.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js	70AE.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	mp3studios_51.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js	mp3studios_51.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	mp3studios_51.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html	70AE.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js	70AE.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js	mp3studios_51.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js	mp3studios_51.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png	70AE.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js	70AE.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js	70AE.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js	70AE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4896	1284	WerFault.exe	98E8.exe
2996	5024	WerFault.exe	rundll32.exe
1792	2504	WerFault.exe	rundll32.exe
5024	796	WerFault.exe	8F33.exe
364	3300	WerFault.exe	explorer.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

9f0c6ca016ddc2dba64ee16b0c9b68e98f85299d09cf455decc9f0550b1b1a77.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9f0c6ca016ddc2dba64ee16b0c9b68e98f85299d09cf455decc9f0550b1b1a77.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9f0c6ca016ddc2dba64ee16b0c9b68e98f85299d09cf455decc9f0550b1b1a77.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9f0c6ca016ddc2dba64ee16b0c9b68e98f85299d09cf455decc9f0550b1b1a77.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

4720 tasklist.exe

pid	process
4720	tasklist.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1576 taskkill.exe
4672 taskkill.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

3592 PING.EXE
4516 PING.EXE

pid	process
1576	taskkill.exe
4672	taskkill.exe

pid	process
3592	PING.EXE
4516	PING.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	76	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	89	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9f0c6ca016ddc2dba64ee16b0c9b68e98f85299d09cf455decc9f0550b1b1a77.exe

pid	process
1612	9f0c6ca016ddc2dba64ee16b0c9b68e98f85299d09cf455decc9f0550b1b1a77.exe
1612	9f0c6ca016ddc2dba64ee16b0c9b68e98f85299d09cf455decc9f0550b1b1a77.exe
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3020
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

9f0c6ca016ddc2dba64ee16b0c9b68e98f85299d09cf455decc9f0550b1b1a77.exe

pid process

1612 9f0c6ca016ddc2dba64ee16b0c9b68e98f85299d09cf455decc9f0550b1b1a77.exe
3020
3020
3020
3020
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

chrome.exechrome.exe

pid process

2688 chrome.exe
2688 chrome.exe
2688 chrome.exe
2688 chrome.exe
2688 chrome.exe
1516 chrome.exe
1516 chrome.exe
1516 chrome.exe
1516 chrome.exe

pid	process
3020

pid	process
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

mp3studios_51.exe

description	pid	process
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeCreateTokenPrivilege	4308	mp3studios_51.exe
Token: SeAssignPrimaryTokenPrivilege	4308	mp3studios_51.exe
Token: SeLockMemoryPrivilege	4308	mp3studios_51.exe
Token: SeIncreaseQuotaPrivilege	4308	mp3studios_51.exe
Token: SeMachineAccountPrivilege	4308	mp3studios_51.exe
Token: SeTcbPrivilege	4308	mp3studios_51.exe
Token: SeSecurityPrivilege	4308	mp3studios_51.exe
Token: SeTakeOwnershipPrivilege	4308	mp3studios_51.exe
Token: SeLoadDriverPrivilege	4308	mp3studios_51.exe
Token: SeSystemProfilePrivilege	4308	mp3studios_51.exe
Token: SeSystemtimePrivilege	4308	mp3studios_51.exe
Token: SeProfSingleProcessPrivilege	4308	mp3studios_51.exe
Token: SeIncBasePriorityPrivilege	4308	mp3studios_51.exe
Token: SeCreatePagefilePrivilege	4308	mp3studios_51.exe

Suspicious use of FindShellTrayWindow 60 IoCs

Processes:

Chiamando.exe.pifchrome.exechrome.exe

pid	process
5004	Chiamando.exe.pif
3020
3020
5004	Chiamando.exe.pif
5004	Chiamando.exe.pif
3020
3020
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
3020
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe

Suspicious use of SendNotifyMessage 51 IoCs

Processes:

Chiamando.exe.pifchrome.exechrome.exe

pid	process
5004	Chiamando.exe.pif
5004	Chiamando.exe.pif
5004	Chiamando.exe.pif
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
2688	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

pid process

3020

pid	process
3020

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exe8919.exerundll32.exeCB93.exeBCEC.exeznLyAjp.execmd.exerundll32.exemp3studios_51.execmd.execmd.exe

description	pid	process	target process
PID 3020 wrote to memory of 4464	3020		regsvr32.exe
PID 3020 wrote to memory of 4464	3020		regsvr32.exe
PID 4464 wrote to memory of 3612	4464	regsvr32.exe	regsvr32.exe
PID 4464 wrote to memory of 3612	4464	regsvr32.exe	regsvr32.exe
PID 4464 wrote to memory of 3612	4464	regsvr32.exe	regsvr32.exe
PID 3020 wrote to memory of 4820	3020		70AD.exe
PID 3020 wrote to memory of 4820	3020		70AD.exe
PID 3020 wrote to memory of 4820	3020		70AD.exe
PID 3020 wrote to memory of 2328	3020		8157.exe
PID 3020 wrote to memory of 2328	3020		8157.exe
PID 3020 wrote to memory of 2328	3020		8157.exe
PID 3020 wrote to memory of 4784	3020		8919.exe
PID 3020 wrote to memory of 4784	3020		8919.exe
PID 3020 wrote to memory of 4784	3020		8919.exe
PID 4784 wrote to memory of 4612	4784	8919.exe	8919.exe
PID 4784 wrote to memory of 4612	4784	8919.exe	8919.exe
PID 4784 wrote to memory of 4612	4784	8919.exe	8919.exe
PID 3020 wrote to memory of 1284	3020		98E8.exe
PID 3020 wrote to memory of 1284	3020		98E8.exe
PID 4884 wrote to memory of 5024	4884	rundll32.exe	rundll32.exe
PID 4884 wrote to memory of 5024	4884	rundll32.exe	rundll32.exe
PID 4884 wrote to memory of 5024	4884	rundll32.exe	rundll32.exe
PID 3020 wrote to memory of 4856	3020		BCEC.exe
PID 3020 wrote to memory of 4856	3020		BCEC.exe
PID 3020 wrote to memory of 4856	3020		BCEC.exe
PID 3020 wrote to memory of 1408	3020		CB93.exe
PID 3020 wrote to memory of 1408	3020		CB93.exe
PID 3020 wrote to memory of 1408	3020		CB93.exe
PID 1408 wrote to memory of 2376	1408	CB93.exe	CB93.exe
PID 1408 wrote to memory of 2376	1408	CB93.exe	CB93.exe
PID 1408 wrote to memory of 2376	1408	CB93.exe	CB93.exe
PID 4856 wrote to memory of 1576	4856	BCEC.exe	buaeacdmoek.exe
PID 4856 wrote to memory of 1576	4856	BCEC.exe	buaeacdmoek.exe
PID 4856 wrote to memory of 1576	4856	BCEC.exe	buaeacdmoek.exe
PID 4856 wrote to memory of 1352	4856	BCEC.exe	znLyAjp.exe
PID 4856 wrote to memory of 1352	4856	BCEC.exe	znLyAjp.exe
PID 4856 wrote to memory of 1352	4856	BCEC.exe	znLyAjp.exe
PID 4856 wrote to memory of 4308	4856	BCEC.exe	mp3studios_51.exe
PID 4856 wrote to memory of 4308	4856	BCEC.exe	mp3studios_51.exe
PID 4856 wrote to memory of 4308	4856	BCEC.exe	mp3studios_51.exe
PID 1352 wrote to memory of 4984	1352	znLyAjp.exe	fc.exe
PID 1352 wrote to memory of 4984	1352	znLyAjp.exe	fc.exe
PID 1352 wrote to memory of 4984	1352	znLyAjp.exe	fc.exe
PID 1352 wrote to memory of 3952	1352	znLyAjp.exe	cmd.exe
PID 1352 wrote to memory of 3952	1352	znLyAjp.exe	cmd.exe
PID 1352 wrote to memory of 3952	1352	znLyAjp.exe	cmd.exe
PID 3952 wrote to memory of 3800	3952	cmd.exe	cmd.exe
PID 3952 wrote to memory of 3800	3952	cmd.exe	cmd.exe
PID 3952 wrote to memory of 3800	3952	cmd.exe	cmd.exe
PID 3604 wrote to memory of 2504	3604	rundll32.exe	rundll32.exe
PID 3604 wrote to memory of 2504	3604	rundll32.exe	rundll32.exe
PID 3604 wrote to memory of 2504	3604	rundll32.exe	rundll32.exe
PID 4308 wrote to memory of 3452	4308	mp3studios_51.exe	cmd.exe
PID 4308 wrote to memory of 3452	4308	mp3studios_51.exe	cmd.exe
PID 4308 wrote to memory of 3452	4308	mp3studios_51.exe	cmd.exe
PID 3452 wrote to memory of 4672	3452	cmd.exe	taskkill.exe
PID 3452 wrote to memory of 4672	3452	cmd.exe	taskkill.exe
PID 3452 wrote to memory of 4672	3452	cmd.exe	taskkill.exe
PID 3800 wrote to memory of 4720	3800	cmd.exe	tasklist.exe
PID 3800 wrote to memory of 4720	3800	cmd.exe	tasklist.exe
PID 3800 wrote to memory of 4720	3800	cmd.exe	tasklist.exe
PID 3800 wrote to memory of 1596	3800	cmd.exe	find.exe
PID 3800 wrote to memory of 1596	3800	cmd.exe	find.exe
PID 3800 wrote to memory of 1596	3800	cmd.exe	find.exe

C:\Users\Admin\AppData\Local\Temp\9f0c6ca016ddc2dba64ee16b0c9b68e98f85299d09cf455decc9f0550b1b1a77.exe
"C:\Users\Admin\AppData\Local\Temp\9f0c6ca016ddc2dba64ee16b0c9b68e98f85299d09cf455decc9f0550b1b1a77.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1612

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\67E2.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\67E2.dll
2⤵
- Loads dropped DLL
PID:3612

C:\Users\Admin\AppData\Local\Temp\70AD.exe
C:\Users\Admin\AppData\Local\Temp\70AD.exe
1⤵
- Executes dropped EXE
PID:4820

C:\Users\Admin\AppData\Local\Temp\8157.exe
C:\Users\Admin\AppData\Local\Temp\8157.exe
1⤵
- Executes dropped EXE
PID:2328

C:\Users\Admin\AppData\Local\Temp\8919.exe
C:\Users\Admin\AppData\Local\Temp\8919.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4784

C:\Users\Admin\AppData\Local\Temp\8919.exe
"C:\Users\Admin\AppData\Local\Temp\8919.exe" -hq
2⤵
- Executes dropped EXE
PID:4612

C:\Users\Admin\AppData\Local\Temp\98E8.exe
C:\Users\Admin\AppData\Local\Temp\98E8.exe
1⤵
- Executes dropped EXE
PID:1284

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1284 -s 708
2⤵
- Program crash
PID:4896

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 1284 -ip 1284
1⤵
PID:2520

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4884

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
- Loads dropped DLL
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 608
3⤵
- Program crash
PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5024 -ip 5024
1⤵
PID:3088

C:\Users\Admin\AppData\Local\Temp\BCEC.exe
C:\Users\Admin\AppData\Local\Temp\BCEC.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4856

C:\Users\Admin\AppData\Local\Temp\buaeacdmoek.exe
"C:\Users\Admin\AppData\Local\Temp\buaeacdmoek.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1576

C:\Users\Admin\AppData\Local\Temp\znLyAjp.exe
"C:\Users\Admin\AppData\Local\Temp\znLyAjp.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\fc.exe
fc
3⤵
PID:4984

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Bel.xls & ping -n 5 localhost
3⤵
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
- Suspicious use of WriteProcessMemory
PID:3800

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
5⤵
- Enumerates processes with tasklist
PID:4720

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
5⤵
PID:1596

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^phBHUZBJCXhpvtzymmPzZMfWZWQaqxSnGoozLPuRzxxDWWWaBxCbsMVvXFHXopIitOChWZxJzYZEaMZeZnQGSciUhLvyooIlMjmizIcCqStzMdrkFEYKaefJHIqkDfBlfPSuhSIdegFqsN$" Pel.xls
5⤵
PID:4804

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Chiamando.exe.pif
Chiamando.exe.pif H
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5004

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Chiamando.exe.pif
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Chiamando.exe.pif
6⤵
- Executes dropped EXE
PID:2112

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
5⤵
- Runs ping.exe
PID:3592

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
4⤵
- Runs ping.exe
PID:4516

C:\Users\Admin\AppData\Local\Temp\mp3studios_51.exe
"C:\Users\Admin\AppData\Local\Temp\mp3studios_51.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4308

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3452

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
PID:4672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc5364f50,0x7ffdc5364f60,0x7ffdc5364f70
4⤵
PID:4068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1664,4225521239157486270,16200150353318653306,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1672 /prefetch:2
4⤵
PID:2768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1664,4225521239157486270,16200150353318653306,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1876 /prefetch:8
4⤵
PID:2912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1664,4225521239157486270,16200150353318653306,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2280 /prefetch:8
4⤵
PID:4868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,4225521239157486270,16200150353318653306,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:1
4⤵
PID:1204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,4225521239157486270,16200150353318653306,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
4⤵
PID:2220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,4225521239157486270,16200150353318653306,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
4⤵
PID:4420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,4225521239157486270,16200150353318653306,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
4⤵
PID:1380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,4225521239157486270,16200150353318653306,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4672 /prefetch:8
4⤵
PID:2760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,4225521239157486270,16200150353318653306,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5084 /prefetch:8
4⤵
PID:3616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,4225521239157486270,16200150353318653306,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5260 /prefetch:8
4⤵
PID:3608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,4225521239157486270,16200150353318653306,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 /prefetch:8
4⤵
PID:4312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,4225521239157486270,16200150353318653306,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5724 /prefetch:8
4⤵
PID:4632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,4225521239157486270,16200150353318653306,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:8
4⤵
PID:2388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,4225521239157486270,16200150353318653306,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5740 /prefetch:8
4⤵
PID:3044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,4225521239157486270,16200150353318653306,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5748 /prefetch:8
4⤵
PID:3520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,4225521239157486270,16200150353318653306,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4708 /prefetch:8
4⤵
PID:4392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,4225521239157486270,16200150353318653306,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
4⤵
PID:4004

C:\Users\Admin\AppData\Local\Temp\CB93.exe
C:\Users\Admin\AppData\Local\Temp\CB93.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1408

C:\Users\Admin\AppData\Local\Temp\CB93.exe
"C:\Users\Admin\AppData\Local\Temp\CB93.exe" -hq
2⤵
- Executes dropped EXE
PID:2376

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
- Loads dropped DLL
PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 600
3⤵
- Program crash
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2504 -ip 2504
1⤵
PID:4928

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\70AE.exe
C:\Users\Admin\AppData\Local\Temp\70AE.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2360

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
PID:2756

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
PID:1576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc5364f50,0x7ffdc5364f60,0x7ffdc5364f70
3⤵
PID:4712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1800,5130161579861868071,4453392548298780388,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 /prefetch:8
3⤵
PID:3168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1800,5130161579861868071,4453392548298780388,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2820 /prefetch:1
3⤵
PID:4992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1800,5130161579861868071,4453392548298780388,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2832 /prefetch:1
3⤵
PID:2900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1800,5130161579861868071,4453392548298780388,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1860 /prefetch:8
3⤵
PID:2468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1800,5130161579861868071,4453392548298780388,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1812 /prefetch:2
3⤵
PID:376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1800,5130161579861868071,4453392548298780388,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
3⤵
PID:3384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1800,5130161579861868071,4453392548298780388,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1
3⤵
PID:3920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1800,5130161579861868071,4453392548298780388,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4740 /prefetch:8
3⤵
PID:4428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1800,5130161579861868071,4453392548298780388,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4984 /prefetch:8
3⤵
PID:4468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1800,5130161579861868071,4453392548298780388,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4692 /prefetch:8
3⤵
PID:4112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1800,5130161579861868071,4453392548298780388,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 /prefetch:8
3⤵
PID:2912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1800,5130161579861868071,4453392548298780388,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 /prefetch:8
3⤵
PID:2184

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\8F33.exe
C:\Users\Admin\AppData\Local\Temp\8F33.exe
1⤵
- Executes dropped EXE
PID:796

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 796 -s 928
2⤵
- Program crash
PID:5024

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 796 -ip 796
1⤵
PID:2812

C:\Users\Admin\AppData\Local\Temp\9C06.exe
C:\Users\Admin\AppData\Local\Temp\9C06.exe
1⤵
- Executes dropped EXE
PID:4948

C:\Users\Admin\AppData\Local\Temp\BE25.exe
C:\Users\Admin\AppData\Local\Temp\BE25.exe
1⤵
- Executes dropped EXE
PID:2764

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 872
2⤵
- Program crash
PID:364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 3300 -ip 3300
1⤵
PID:4284

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:8

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html
Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png
Filesize
6KB

MD5
c8d8c174df68910527edabe6b5278f06

SHA1
8ac53b3605fea693b59027b9b471202d150f266f

SHA256
9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5

SHA512
d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js
Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js
Filesize
19KB

MD5
286278df39ffe54ddd48cf6ab1683686

SHA1
6a560bc3751af8befa966160f4ca4b070b12fd2a

SHA256
31b0e811045d0cf1809d2049233f00a108a73cbdbceb0caae67faa198e8ab6d3

SHA512
4712fdfe2ad8c66fa57a270fedb6fb30ff110345788967859334be7d0a551e0edd8f4554a2a53792da9f9936ea146dfe4db7bfb2b0e47db0a945e4b9e4e3e2d2

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js
Filesize
3KB

MD5
f79618c53614380c5fdc545699afe890

SHA1
7804a4621cd9405b6def471f3ebedb07fb17e90a

SHA256
f3f30c5c271f80b0a3a329b11d8e72eb404d0c0dc9c66fa162ca97ccaa1e963c

SHA512
c4e0c4df6ac92351591859a7c4358b3dcd342e00051bf561e68e3fcc2c94fdd8d14bd0a042d88dca33f6c7e952938786378d804f56e84b4eab99e2a5fee96a4c

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js
Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js
Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js
Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json
Filesize
1KB

MD5
6da6b303170ccfdca9d9e75abbfb59f3

SHA1
1a8070080f50a303f73eba253ba49c1e6d400df6

SHA256
66f5620e3bfe4692b14f62baad60e3269327327565ff8b2438e98ce8ed021333

SHA512
872957b63e8a0d10791877e5d204022c08c8e8101807d7ebe6fd537d812ad09e14d8555ccf53dc00525a22c02773aa45b8fa643c05247fb0ce6012382855a89a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
9b8ca681db253b427e4a360c483f9912

SHA1
afd10a20df6d26283767484b2f193e168964614a

SHA256
15efe98830caa155865f7bfe9e1785de497c95fc3be03611dface96ae09a85f0

SHA512
1fc71a45621f75437ecc2ad75f104987be3405abd517b552f561f012a34215046848805938753ddb13649195d4f67b1a44e1e9cecf6b8031468fb44c4f0ea019

Download Submit
C:\Users\Admin\AppData\LocalLow\mozglue.dll
Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
C:\Users\Admin\AppData\LocalLow\nss3.dll
Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
C:\Users\Admin\AppData\LocalLow\sqlite3.dll
Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
1092abd23850e15e95d1209d9e3338b7

SHA1
fdb0cbe7705efeb513348fcda7f02d44836b4b0c

SHA256
bd9dc959f66679e4d28a507846d3e53eaa9111c4e33d0615e51688d0ee55f80e

SHA512
6e5c96cec727a4596764e24f565f19b0564f1d97ebd0579b60beb11015d4780d35d2a8d7c2b92687f1a0b40f770606549a17bdeb1876dfe9b3fa71a7b8ce6992

Download Submit
C:\Users\Admin\AppData\Local\Temp\67E2.dll
Filesize
1.6MB

MD5
5b0579107c97e240a56d84920dacb561

SHA1
13e4dd52630bf51045dc9a6d758611762de3ea56

SHA256
8d50a4fdce0519907f0839158f5d76134b03a09bf5b7d5a26aab456ed3126022

SHA512
16264e7527e7d0a9ba9b59eb9ef97f46186746a8eec19a7e72761f456b8f148e62b4c657841f720fb5dfd9c1ce6adebcd383985e0d2074c5369c79a7d0778eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\67E2.dll
Filesize
1.6MB

MD5
5b0579107c97e240a56d84920dacb561

SHA1
13e4dd52630bf51045dc9a6d758611762de3ea56

SHA256
8d50a4fdce0519907f0839158f5d76134b03a09bf5b7d5a26aab456ed3126022

SHA512
16264e7527e7d0a9ba9b59eb9ef97f46186746a8eec19a7e72761f456b8f148e62b4c657841f720fb5dfd9c1ce6adebcd383985e0d2074c5369c79a7d0778eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\70AD.exe
Filesize
1.0MB

MD5
0260760e44605dd3402d72d749206bbf

SHA1
82a7c00647ad5bd78aac2a38b389f908b6cdb40b

SHA256
3860806ef4272970c3456bdeb0b3d199a5beb9c916bc3833e09a0357b891de1a

SHA512
fe93ae186bd80adf64d51e4900040160704775e82060cac26a72eced4bcd48b9e7bcffd692741160264b1de52018894a51e170eb56544828e965ae7b35320856

Download Submit
C:\Users\Admin\AppData\Local\Temp\70AD.exe
Filesize
1.0MB

MD5
0260760e44605dd3402d72d749206bbf

SHA1
82a7c00647ad5bd78aac2a38b389f908b6cdb40b

SHA256
3860806ef4272970c3456bdeb0b3d199a5beb9c916bc3833e09a0357b891de1a

SHA512
fe93ae186bd80adf64d51e4900040160704775e82060cac26a72eced4bcd48b9e7bcffd692741160264b1de52018894a51e170eb56544828e965ae7b35320856

Download Submit
C:\Users\Admin\AppData\Local\Temp\8157.exe
Filesize
1.1MB

MD5
fd2ec40096b9580b8b1c59b764b5f4b2

SHA1
9db220d90f9317636846f16ef2e7b9f52068848f

SHA256
c169ae33c22593003f30c37ab4cf59172b762ea1674df82e000bad6f49f24fd8

SHA512
12d371fa2775eb25f6a738c7de2c0550685f4946f2014eb48004fd7efcdb0a7c82eab5530d9130622ddbd9a226323e85a7ebab6ec6264fab677731dfab051b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\8157.exe
Filesize
1.1MB

MD5
fd2ec40096b9580b8b1c59b764b5f4b2

SHA1
9db220d90f9317636846f16ef2e7b9f52068848f

SHA256
c169ae33c22593003f30c37ab4cf59172b762ea1674df82e000bad6f49f24fd8

SHA512
12d371fa2775eb25f6a738c7de2c0550685f4946f2014eb48004fd7efcdb0a7c82eab5530d9130622ddbd9a226323e85a7ebab6ec6264fab677731dfab051b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\8919.exe
Filesize
76KB

MD5
91c1e8f4da22bda4a24dd23066e0d8b4

SHA1
6bfcb55cc76d8b06962dc47aec445499fcbc3621

SHA256
5ac72de7f6ad06775c3a616d1e14185b1eba82e1f03790a647c05e7289663cb5

SHA512
e1fde55633bc42812216ce3b38fbf70248ef4fae76766821c8434f9b336ccdec20f1d71cf227e74c79c952cac0a87d9e4f783dede872a89b1a5a3f5829f681ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\8919.exe
Filesize
76KB

MD5
91c1e8f4da22bda4a24dd23066e0d8b4

SHA1
6bfcb55cc76d8b06962dc47aec445499fcbc3621

SHA256
5ac72de7f6ad06775c3a616d1e14185b1eba82e1f03790a647c05e7289663cb5

SHA512
e1fde55633bc42812216ce3b38fbf70248ef4fae76766821c8434f9b336ccdec20f1d71cf227e74c79c952cac0a87d9e4f783dede872a89b1a5a3f5829f681ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\8919.exe
Filesize
76KB

MD5
91c1e8f4da22bda4a24dd23066e0d8b4

SHA1
6bfcb55cc76d8b06962dc47aec445499fcbc3621

SHA256
5ac72de7f6ad06775c3a616d1e14185b1eba82e1f03790a647c05e7289663cb5

SHA512
e1fde55633bc42812216ce3b38fbf70248ef4fae76766821c8434f9b336ccdec20f1d71cf227e74c79c952cac0a87d9e4f783dede872a89b1a5a3f5829f681ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\98E8.exe
Filesize
3.7MB

MD5
ba1b640cafc93dafb0f78aedfee3b146

SHA1
c44971948fc7745fdd72ec7493c485633d0a7e91

SHA256
4d39e940c908fafd2d1384f0aa398e54e5305424ed3b6fe5ed7121c5e22cc72b

SHA512
45ffecec7c204ffc628e1b6aaed94f221fbfd17f91d906b8fa3608c1f160dd9a407590e302ecae487bc73ba0a1229934c1c7ae1ada47d9f9c147e9622909baf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\98E8.exe
Filesize
3.7MB

MD5
ba1b640cafc93dafb0f78aedfee3b146

SHA1
c44971948fc7745fdd72ec7493c485633d0a7e91

SHA256
4d39e940c908fafd2d1384f0aa398e54e5305424ed3b6fe5ed7121c5e22cc72b

SHA512
45ffecec7c204ffc628e1b6aaed94f221fbfd17f91d906b8fa3608c1f160dd9a407590e302ecae487bc73ba0a1229934c1c7ae1ada47d9f9c147e9622909baf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\BCEC.exe
Filesize
9.6MB

MD5
fd17d0406345aa0821765da404b18c5f

SHA1
1ee12945b125bce9c163fa0be61b3b24683d0f3d

SHA256
8d7bb4d07a4e3cefbc54f70aa7b783433f3c527ac0f4a03c1d84a4f7ba0a8e2e

SHA512
46b4fbf2f99d91c93cdacd1f7e67f5c96c2adf5a8298670a527809ae758c4f22a27bab4136daa6561fa794760b2af1d400a6437b1a4a66bfcd90c43dfb7f4e1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BCEC.exe
Filesize
9.6MB

MD5
fd17d0406345aa0821765da404b18c5f

SHA1
1ee12945b125bce9c163fa0be61b3b24683d0f3d

SHA256
8d7bb4d07a4e3cefbc54f70aa7b783433f3c527ac0f4a03c1d84a4f7ba0a8e2e

SHA512
46b4fbf2f99d91c93cdacd1f7e67f5c96c2adf5a8298670a527809ae758c4f22a27bab4136daa6561fa794760b2af1d400a6437b1a4a66bfcd90c43dfb7f4e1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CB93.exe
Filesize
76KB

MD5
91c1e8f4da22bda4a24dd23066e0d8b4

SHA1
6bfcb55cc76d8b06962dc47aec445499fcbc3621

SHA256
5ac72de7f6ad06775c3a616d1e14185b1eba82e1f03790a647c05e7289663cb5

SHA512
e1fde55633bc42812216ce3b38fbf70248ef4fae76766821c8434f9b336ccdec20f1d71cf227e74c79c952cac0a87d9e4f783dede872a89b1a5a3f5829f681ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\CB93.exe
Filesize
76KB

MD5
91c1e8f4da22bda4a24dd23066e0d8b4

SHA1
6bfcb55cc76d8b06962dc47aec445499fcbc3621

SHA256
5ac72de7f6ad06775c3a616d1e14185b1eba82e1f03790a647c05e7289663cb5

SHA512
e1fde55633bc42812216ce3b38fbf70248ef4fae76766821c8434f9b336ccdec20f1d71cf227e74c79c952cac0a87d9e4f783dede872a89b1a5a3f5829f681ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\CB93.exe
Filesize
76KB

MD5
91c1e8f4da22bda4a24dd23066e0d8b4

SHA1
6bfcb55cc76d8b06962dc47aec445499fcbc3621

SHA256
5ac72de7f6ad06775c3a616d1e14185b1eba82e1f03790a647c05e7289663cb5

SHA512
e1fde55633bc42812216ce3b38fbf70248ef4fae76766821c8434f9b336ccdec20f1d71cf227e74c79c952cac0a87d9e4f783dede872a89b1a5a3f5829f681ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bel.xls
Filesize
9KB

MD5
3c7abc6e86cd6353d3f9231fe948dfad

SHA1
d783c9b9cae3b30a37bf901e11af7bc92067406d

SHA256
129b585eff2b904fd4c464904583162d281483d88f8177f84c643fd359cd6929

SHA512
5a5a5c5e98d09689285994a74bc4ed40e973f2a09f06d67e3ddd3f7ef38c2a508f31cf250af154ecbefdfc1bf9f43f1b7021fd0cc674c3414102d7901029d035

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Chiamando.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Chiamando.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pel.xls
Filesize
924KB

MD5
1f7e72e83c4e2450a1c180ebfe26e1a9

SHA1
ce31fd11fff9361bf2edf8041a987a3dbd7fc21c

SHA256
6c153dfe5472be6e231658d40324301421d0b402494021f2ef32f92caf50eb51

SHA512
ef357503699134788925db8685ef7c84e90b09b00b55bd4f21ad4745ef5fabec61d2a096d00064b2704c5b1cecf79818d083fc86bbc48fbb616f82c51fdd3f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sgomento.xls
Filesize
1.1MB

MD5
54387b9aaa708f58c31dc227810c1e3e

SHA1
7575d973b492f6ad48185a6cb35dc06ba5529a8d

SHA256
404700ec34e975502cb3e68d87f3b661e0d94af974fe9d12a8b48a8c34e60873

SHA512
cacc9b03f4b976fac2bc51aa4b76c2697c2d8a9dfdf946e635f476c78950bbf037dc0a9824a5300966c3948a15d437207da17dc0b7cda6be5e07c5d6bc275ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\buaeacdmoek.exe
Filesize
7.0MB

MD5
c1094dc49b34caa6d96b4c31e9e27e26

SHA1
c7883434ddcf7f21760f67e5bbc1f28aca1e7236

SHA256
249d2b563329d815e7ea451f6c60e17652d2a00f3fd235d0f5ac187b7077e611

SHA512
662adec87a208078d1b73c7fb5e929ddfa537161da467f0537ef4747d548072733beb6e0414dae56471fc88a86cedd4122b31d7e41e7b8638960db2e27a9813f

Download Submit
C:\Users\Admin\AppData\Local\Temp\buaeacdmoek.exe
Filesize
7.0MB

MD5
c1094dc49b34caa6d96b4c31e9e27e26

SHA1
c7883434ddcf7f21760f67e5bbc1f28aca1e7236

SHA256
249d2b563329d815e7ea451f6c60e17652d2a00f3fd235d0f5ac187b7077e611

SHA512
662adec87a208078d1b73c7fb5e929ddfa537161da467f0537ef4747d548072733beb6e0414dae56471fc88a86cedd4122b31d7e41e7b8638960db2e27a9813f

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat
Filesize
557KB

MD5
720ec3d97f3cd9e1dc34b7ad51451892

SHA1
8c417926a14a0cd2d268d088658022f49e3dda4b

SHA256
6c05e113ed295140f979f4a8864eac92e119e013e74e6ed3d849a66217e34c6a

SHA512
0d681247d1f7f5932779da58d59de2dd0e01e904acc8702bea93676f029b2dd0745b961f833d49ef4a6af712a3a3ba51364533741cd605d39442fe2993279dee

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat
Filesize
557KB

MD5
720ec3d97f3cd9e1dc34b7ad51451892

SHA1
8c417926a14a0cd2d268d088658022f49e3dda4b

SHA256
6c05e113ed295140f979f4a8864eac92e119e013e74e6ed3d849a66217e34c6a

SHA512
0d681247d1f7f5932779da58d59de2dd0e01e904acc8702bea93676f029b2dd0745b961f833d49ef4a6af712a3a3ba51364533741cd605d39442fe2993279dee

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
8defa1d8ec654dc658423940185a576a

SHA1
dd35cf0908cd5edbf189737686c3e33e4267d8b8

SHA256
94ce3e910e9bfd474528848e8c2b2968925fce018674cef64f225b09f25eba4a

SHA512
d110348773a84dffcd2f39f98e4019c6638129fefa3ed90de4a10ed4db3b03171a81d2e87b269ac97cffadfd17f9ef701f2e4952ae61c5703eac2d68273e0328

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
8defa1d8ec654dc658423940185a576a

SHA1
dd35cf0908cd5edbf189737686c3e33e4267d8b8

SHA256
94ce3e910e9bfd474528848e8c2b2968925fce018674cef64f225b09f25eba4a

SHA512
d110348773a84dffcd2f39f98e4019c6638129fefa3ed90de4a10ed4db3b03171a81d2e87b269ac97cffadfd17f9ef701f2e4952ae61c5703eac2d68273e0328

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
8defa1d8ec654dc658423940185a576a

SHA1
dd35cf0908cd5edbf189737686c3e33e4267d8b8

SHA256
94ce3e910e9bfd474528848e8c2b2968925fce018674cef64f225b09f25eba4a

SHA512
d110348773a84dffcd2f39f98e4019c6638129fefa3ed90de4a10ed4db3b03171a81d2e87b269ac97cffadfd17f9ef701f2e4952ae61c5703eac2d68273e0328

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
8defa1d8ec654dc658423940185a576a

SHA1
dd35cf0908cd5edbf189737686c3e33e4267d8b8

SHA256
94ce3e910e9bfd474528848e8c2b2968925fce018674cef64f225b09f25eba4a

SHA512
d110348773a84dffcd2f39f98e4019c6638129fefa3ed90de4a10ed4db3b03171a81d2e87b269ac97cffadfd17f9ef701f2e4952ae61c5703eac2d68273e0328

Download Submit
C:\Users\Admin\AppData\Local\Temp\mp3studios_51.exe
Filesize
1.4MB

MD5
c521a65d11dca76a0ac886f15e0ba15b

SHA1
56154763cc5c5073682c583ee86e99bb2dec14d2

SHA256
43fe43a7462d892ae08bfdb50dc07249796bf90631a4975ea75738291b484f13

SHA512
77f7fcb92f1cec4f0de7fc2d5cc226db66f73aebbfd1b65e869e5bb57a1a0995160ecb5c00a0aae2d2993d0a9b3d445bbc8889fefce36f8942feb7198889b486

Download Submit
C:\Users\Admin\AppData\Local\Temp\mp3studios_51.exe
Filesize
1.4MB

MD5
c521a65d11dca76a0ac886f15e0ba15b

SHA1
56154763cc5c5073682c583ee86e99bb2dec14d2

SHA256
43fe43a7462d892ae08bfdb50dc07249796bf90631a4975ea75738291b484f13

SHA512
77f7fcb92f1cec4f0de7fc2d5cc226db66f73aebbfd1b65e869e5bb57a1a0995160ecb5c00a0aae2d2993d0a9b3d445bbc8889fefce36f8942feb7198889b486

Download Submit
C:\Users\Admin\AppData\Local\Temp\znLyAjp.exe
Filesize
981KB

MD5
949d021b13c25170d83986aa22869926

SHA1
4662f1ed7e5e37f9d716ddc915b6b8603e31ca7b

SHA256
8b54f808618be321efc042286e61403307f264da1af129bbeaa140efb73f0605

SHA512
d553894db214e7e0010c859061457aee49c79d77e4867840aefb210356f8165968a62f54237b09c3756b67d886c11ced6cf2ecaac44c826021745eb39270e1aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\znLyAjp.exe
Filesize
981KB

MD5
949d021b13c25170d83986aa22869926

SHA1
4662f1ed7e5e37f9d716ddc915b6b8603e31ca7b

SHA256
8b54f808618be321efc042286e61403307f264da1af129bbeaa140efb73f0605

SHA512
d553894db214e7e0010c859061457aee49c79d77e4867840aefb210356f8165968a62f54237b09c3756b67d886c11ced6cf2ecaac44c826021745eb39270e1aa

Download Submit
\??\pipe\crashpad_2688_SPPZEMGYWQAZEQSZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/8-250-0x0000000000100000-0x000000000010C000-memory.dmp

Filesize
48KB

Download
memory/8-249-0x0000000000000000-mapping.dmp

Download
memory/796-233-0x0000000140000000-0x000000014068C000-memory.dmp

Filesize
6.5MB

Download
memory/796-232-0x0000000000000000-mapping.dmp

Download
memory/1284-159-0x0000000140000000-0x000000014068C000-memory.dmp

Filesize
6.5MB

Download
memory/1284-156-0x0000000000000000-mapping.dmp

Download
memory/1352-180-0x0000000000000000-mapping.dmp

Download
memory/1408-172-0x0000000000000000-mapping.dmp

Download
memory/1576-225-0x0000000000970000-0x000000000143E000-memory.dmp

Filesize
10.8MB

Download
memory/1576-228-0x0000000000970000-0x000000000143E000-memory.dmp

Filesize
10.8MB

Download
memory/1576-198-0x0000000000970000-0x000000000143E000-memory.dmp

Filesize
10.8MB

Download
memory/1576-191-0x0000000000970000-0x000000000143E000-memory.dmp

Filesize
10.8MB

Download
memory/1576-231-0x0000000000000000-mapping.dmp

Download
memory/1576-177-0x0000000000000000-mapping.dmp

Download
memory/1576-189-0x0000000000970000-0x000000000143E000-memory.dmp

Filesize
10.8MB

Download
memory/1596-205-0x0000000000000000-mapping.dmp

Download
memory/1612-132-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1612-131-0x00000000021B0000-0x00000000021B9000-memory.dmp

Filesize
36KB

Download
memory/1612-130-0x00000000005AE000-0x00000000005BF000-memory.dmp

Filesize
68KB

Download
memory/1612-133-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2112-243-0x0000000002FE0000-0x0000000002FE9000-memory.dmp

Filesize
36KB

Download
memory/2112-237-0x0000000000000000-mapping.dmp

Download
memory/2112-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2112-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2112-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2112-244-0x0000000003010000-0x000000000301D000-memory.dmp

Filesize
52KB

Download
memory/2328-143-0x0000000000000000-mapping.dmp

Download
memory/2360-229-0x0000000000000000-mapping.dmp

Download
memory/2376-175-0x0000000000000000-mapping.dmp

Download
memory/2504-195-0x0000000000000000-mapping.dmp

Download
memory/2756-230-0x0000000000000000-mapping.dmp

Download
memory/2764-245-0x0000000000000000-mapping.dmp

Download
memory/3300-251-0x0000000000C00000-0x0000000000C6B000-memory.dmp

Filesize
428KB

Download
memory/3300-248-0x0000000000C00000-0x0000000000C6B000-memory.dmp

Filesize
428KB

Download
memory/3300-247-0x0000000000C70000-0x0000000000CE4000-memory.dmp

Filesize
464KB

Download
memory/3300-246-0x0000000000000000-mapping.dmp

Download
memory/3452-199-0x0000000000000000-mapping.dmp

Download
memory/3592-211-0x0000000000000000-mapping.dmp

Download
memory/3612-142-0x00000000044A0000-0x0000000004593000-memory.dmp

Filesize
972KB

Download
memory/3612-151-0x0000000002C30000-0x0000000002CE2000-memory.dmp

Filesize
712KB

Download
memory/3612-155-0x00000000044A0000-0x0000000004593000-memory.dmp

Filesize
972KB

Download
memory/3612-149-0x0000000002B60000-0x0000000002C29000-memory.dmp

Filesize
804KB

Download
memory/3612-136-0x0000000000000000-mapping.dmp

Download
memory/3612-141-0x0000000004280000-0x00000000043A5000-memory.dmp

Filesize
1.1MB

Download
memory/3800-193-0x0000000000000000-mapping.dmp

Download
memory/3952-188-0x0000000000000000-mapping.dmp

Download
memory/4308-183-0x0000000000000000-mapping.dmp

Download
memory/4464-134-0x0000000000000000-mapping.dmp

Download
memory/4516-224-0x0000000000000000-mapping.dmp

Download
memory/4612-150-0x0000000000000000-mapping.dmp

Download
memory/4672-200-0x0000000000000000-mapping.dmp

Download
memory/4720-204-0x0000000000000000-mapping.dmp

Download
memory/4784-146-0x0000000000000000-mapping.dmp

Download
memory/4804-206-0x0000000000000000-mapping.dmp

Download
memory/4820-138-0x0000000000000000-mapping.dmp

Download
memory/4856-186-0x0000000007C60000-0x0000000007CF2000-memory.dmp

Filesize
584KB

Download
memory/4856-171-0x0000000005F90000-0x0000000006534000-memory.dmp

Filesize
5.6MB

Download
memory/4856-170-0x0000000000710000-0x00000000010A6000-memory.dmp

Filesize
9.6MB

Download
memory/4856-167-0x0000000000000000-mapping.dmp

Download
memory/4948-238-0x0000000000000000-mapping.dmp

Download
memory/4984-187-0x0000000000000000-mapping.dmp

Download
memory/5004-209-0x0000000000000000-mapping.dmp

Download
memory/5024-164-0x0000000000000000-mapping.dmp

Download