djvu | 530b524647441f109327b0c602c1154cc290a3ac030513c5b8faf328fa5aa0a5

Analysis

max time kernel
150s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
02-10-2022 05:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

530b524647441f109327b0c602c1154cc290a3ac030513c5b8faf328fa5aa0a5.exe
Size

147KB
MD5

005bfff21d283023a0bcdf3906eec7f2
SHA1

e0410f89adbbeb175acd37501c53a43f8054ff04
SHA256

530b524647441f109327b0c602c1154cc290a3ac030513c5b8faf328fa5aa0a5
SHA512

8913c787f5c4dc24dc7766bd56f18201ba01135af938a44e264bab71a031bee5f14cd48d878a63be9cbbd19210d86e259cf165e73f3030ea3857511f272295cd
SSDEEP

3072:UVgtAs1vRwIcv3q7kWWLc7qYXj6vbQ22e3loD31t:tAs4VGJW4qYXj6v32e3+D31

Score

10^/10

djvu smokeloader backdoor collection discovery persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

djvu

http://winnlinne.com/lancer/get.php

Attributes

extension
.ofww
offline_id
xkNzhkB1wvgoDI7Uo0HPNLY3qCuwoFpP7nlhlut1
payload_url
http://rgyui.top/dl/build2.exe
http://winnlinne.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-EWKSsSJiVn Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0569Jhyjd

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4632-346-0x0000000002200000-0x000000000231B000-memory.dmp	family_djvu
behavioral1/memory/100332-362-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/100332-433-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2452-147-0x0000000000720000-0x0000000000729000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 5 IoCs

Processes:

322C.exe3A3B.exe4BD0.exe322C.exeerifteh

pid process

4632 322C.exe
3700 3A3B.exe
19368 4BD0.exe
100332 322C.exe
100624 erifteh
Deletes itself 1 IoCs

Processes:

pid process

2968
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

83776 regsvr32.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

100776 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4632	322C.exe
3700	3A3B.exe
19368	4BD0.exe
100332	322C.exe
100624	erifteh

pid	process
2968

pid	process
83776	regsvr32.exe

pid	process
100776	icacls.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

322C.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\2fe3c1fa-59da-4305-a5ec-ca9ab0935cbd\\322C.exe\" --AutoStart"	322C.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 api.2ip.ua
13 api.2ip.ua
Suspicious use of SetThreadContext 1 IoCs

Processes:

322C.exe

description pid process target process

PID 4632 set thread context of 100332 4632 322C.exe 322C.exe

flow	ioc
12	api.2ip.ua
13	api.2ip.ua

description	pid	process	target process
PID 4632 set thread context of 100332	4632	322C.exe	322C.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

erifteh530b524647441f109327b0c602c1154cc290a3ac030513c5b8faf328fa5aa0a5.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	erifteh
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	erifteh
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	530b524647441f109327b0c602c1154cc290a3ac030513c5b8faf328fa5aa0a5.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	530b524647441f109327b0c602c1154cc290a3ac030513c5b8faf328fa5aa0a5.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	530b524647441f109327b0c602c1154cc290a3ac030513c5b8faf328fa5aa0a5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	erifteh

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

530b524647441f109327b0c602c1154cc290a3ac030513c5b8faf328fa5aa0a5.exe

pid	process
2452	530b524647441f109327b0c602c1154cc290a3ac030513c5b8faf328fa5aa0a5.exe
2452	530b524647441f109327b0c602c1154cc290a3ac030513c5b8faf328fa5aa0a5.exe
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2968
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

530b524647441f109327b0c602c1154cc290a3ac030513c5b8faf328fa5aa0a5.exeerifteh

pid process

2452 530b524647441f109327b0c602c1154cc290a3ac030513c5b8faf328fa5aa0a5.exe
2968
2968
2968
2968
100624 erifteh

pid	process
2968

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exeWMIC.exe

description	pid	process
Token: SeShutdownPrivilege	2968
Token: SeCreatePagefilePrivilege	2968
Token: SeShutdownPrivilege	2968
Token: SeCreatePagefilePrivilege	2968
Token: SeShutdownPrivilege	2968
Token: SeCreatePagefilePrivilege	2968
Token: SeShutdownPrivilege	2968
Token: SeCreatePagefilePrivilege	2968
Token: SeShutdownPrivilege	2968
Token: SeCreatePagefilePrivilege	2968
Token: SeShutdownPrivilege	2968
Token: SeCreatePagefilePrivilege	2968
Token: SeIncreaseQuotaPrivilege	404	wmic.exe
Token: SeSecurityPrivilege	404	wmic.exe
Token: SeTakeOwnershipPrivilege	404	wmic.exe
Token: SeLoadDriverPrivilege	404	wmic.exe
Token: SeSystemProfilePrivilege	404	wmic.exe
Token: SeSystemtimePrivilege	404	wmic.exe
Token: SeProfSingleProcessPrivilege	404	wmic.exe
Token: SeIncBasePriorityPrivilege	404	wmic.exe
Token: SeCreatePagefilePrivilege	404	wmic.exe
Token: SeBackupPrivilege	404	wmic.exe
Token: SeRestorePrivilege	404	wmic.exe
Token: SeShutdownPrivilege	404	wmic.exe
Token: SeDebugPrivilege	404	wmic.exe
Token: SeSystemEnvironmentPrivilege	404	wmic.exe
Token: SeRemoteShutdownPrivilege	404	wmic.exe
Token: SeUndockPrivilege	404	wmic.exe
Token: SeManageVolumePrivilege	404	wmic.exe
Token: 33	404	wmic.exe
Token: 34	404	wmic.exe
Token: 35	404	wmic.exe
Token: 36	404	wmic.exe
Token: SeIncreaseQuotaPrivilege	404	wmic.exe
Token: SeSecurityPrivilege	404	wmic.exe
Token: SeTakeOwnershipPrivilege	404	wmic.exe
Token: SeLoadDriverPrivilege	404	wmic.exe
Token: SeSystemProfilePrivilege	404	wmic.exe
Token: SeSystemtimePrivilege	404	wmic.exe
Token: SeProfSingleProcessPrivilege	404	wmic.exe
Token: SeIncBasePriorityPrivilege	404	wmic.exe
Token: SeCreatePagefilePrivilege	404	wmic.exe
Token: SeBackupPrivilege	404	wmic.exe
Token: SeRestorePrivilege	404	wmic.exe
Token: SeShutdownPrivilege	404	wmic.exe
Token: SeDebugPrivilege	404	wmic.exe
Token: SeSystemEnvironmentPrivilege	404	wmic.exe
Token: SeRemoteShutdownPrivilege	404	wmic.exe
Token: SeUndockPrivilege	404	wmic.exe
Token: SeManageVolumePrivilege	404	wmic.exe
Token: 33	404	wmic.exe
Token: 34	404	wmic.exe
Token: 35	404	wmic.exe
Token: 36	404	wmic.exe
Token: SeShutdownPrivilege	2968
Token: SeCreatePagefilePrivilege	2968
Token: SeIncreaseQuotaPrivilege	100924	WMIC.exe
Token: SeSecurityPrivilege	100924	WMIC.exe
Token: SeTakeOwnershipPrivilege	100924	WMIC.exe
Token: SeLoadDriverPrivilege	100924	WMIC.exe
Token: SeSystemProfilePrivilege	100924	WMIC.exe
Token: SeSystemtimePrivilege	100924	WMIC.exe
Token: SeProfSingleProcessPrivilege	100924	WMIC.exe
Token: SeIncBasePriorityPrivilege	100924	WMIC.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

regsvr32.exe3A3B.exe322C.exe4BD0.exe322C.execmd.execmd.exe

description	pid	process	target process
PID 2968 wrote to memory of 4632	2968		322C.exe
PID 2968 wrote to memory of 4632	2968		322C.exe
PID 2968 wrote to memory of 4632	2968		322C.exe
PID 2968 wrote to memory of 3700	2968		3A3B.exe
PID 2968 wrote to memory of 3700	2968		3A3B.exe
PID 2968 wrote to memory of 3700	2968		3A3B.exe
PID 2968 wrote to memory of 19368	2968		4BD0.exe
PID 2968 wrote to memory of 19368	2968		4BD0.exe
PID 2968 wrote to memory of 19368	2968		4BD0.exe
PID 2968 wrote to memory of 47036	2968		regsvr32.exe
PID 2968 wrote to memory of 47036	2968		regsvr32.exe
PID 2968 wrote to memory of 60804	2968		explorer.exe
PID 2968 wrote to memory of 60804	2968		explorer.exe
PID 2968 wrote to memory of 60804	2968		explorer.exe
PID 2968 wrote to memory of 60804	2968		explorer.exe
PID 47036 wrote to memory of 83776	47036	regsvr32.exe	regsvr32.exe
PID 47036 wrote to memory of 83776	47036	regsvr32.exe	regsvr32.exe
PID 47036 wrote to memory of 83776	47036	regsvr32.exe	regsvr32.exe
PID 2968 wrote to memory of 93472	2968		explorer.exe
PID 2968 wrote to memory of 93472	2968		explorer.exe
PID 2968 wrote to memory of 93472	2968		explorer.exe
PID 3700 wrote to memory of 100304	3700	3A3B.exe	AppLaunch.exe
PID 3700 wrote to memory of 100304	3700	3A3B.exe	AppLaunch.exe
PID 3700 wrote to memory of 100304	3700	3A3B.exe	AppLaunch.exe
PID 3700 wrote to memory of 100304	3700	3A3B.exe	AppLaunch.exe
PID 4632 wrote to memory of 100332	4632	322C.exe	322C.exe
PID 4632 wrote to memory of 100332	4632	322C.exe	322C.exe
PID 4632 wrote to memory of 100332	4632	322C.exe	322C.exe
PID 4632 wrote to memory of 100332	4632	322C.exe	322C.exe
PID 4632 wrote to memory of 100332	4632	322C.exe	322C.exe
PID 4632 wrote to memory of 100332	4632	322C.exe	322C.exe
PID 4632 wrote to memory of 100332	4632	322C.exe	322C.exe
PID 4632 wrote to memory of 100332	4632	322C.exe	322C.exe
PID 4632 wrote to memory of 100332	4632	322C.exe	322C.exe
PID 4632 wrote to memory of 100332	4632	322C.exe	322C.exe
PID 19368 wrote to memory of 404	19368	4BD0.exe	wmic.exe
PID 19368 wrote to memory of 404	19368	4BD0.exe	wmic.exe
PID 19368 wrote to memory of 404	19368	4BD0.exe	wmic.exe
PID 100332 wrote to memory of 100776	100332	322C.exe	icacls.exe
PID 100332 wrote to memory of 100776	100332	322C.exe	icacls.exe
PID 100332 wrote to memory of 100776	100332	322C.exe	icacls.exe
PID 19368 wrote to memory of 100856	19368	4BD0.exe	cmd.exe
PID 19368 wrote to memory of 100856	19368	4BD0.exe	cmd.exe
PID 19368 wrote to memory of 100856	19368	4BD0.exe	cmd.exe
PID 100856 wrote to memory of 100924	100856	cmd.exe	WMIC.exe
PID 100856 wrote to memory of 100924	100856	cmd.exe	WMIC.exe
PID 100856 wrote to memory of 100924	100856	cmd.exe	WMIC.exe
PID 19368 wrote to memory of 101260	19368	4BD0.exe	cmd.exe
PID 19368 wrote to memory of 101260	19368	4BD0.exe	cmd.exe
PID 19368 wrote to memory of 101260	19368	4BD0.exe	cmd.exe
PID 101260 wrote to memory of 101324	101260	cmd.exe	WMIC.exe
PID 101260 wrote to memory of 101324	101260	cmd.exe	WMIC.exe
PID 101260 wrote to memory of 101324	101260	cmd.exe	WMIC.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\530b524647441f109327b0c602c1154cc290a3ac030513c5b8faf328fa5aa0a5.exe
"C:\Users\Admin\AppData\Local\Temp\530b524647441f109327b0c602c1154cc290a3ac030513c5b8faf328fa5aa0a5.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2452

C:\Users\Admin\AppData\Local\Temp\322C.exe
C:\Users\Admin\AppData\Local\Temp\322C.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4632

C:\Users\Admin\AppData\Local\Temp\322C.exe
C:\Users\Admin\AppData\Local\Temp\322C.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:100332

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\2fe3c1fa-59da-4305-a5ec-ca9ab0935cbd" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:100776

C:\Users\Admin\AppData\Local\Temp\3A3B.exe
C:\Users\Admin\AppData\Local\Temp\3A3B.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:100304

C:\Users\Admin\AppData\Local\Temp\4BD0.exe
C:\Users\Admin\AppData\Local\Temp\4BD0.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:19368

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:404

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:100856

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:100924

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:101260

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
3⤵
PID:101324

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\51EC.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:47036

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\51EC.dll
2⤵
- Loads dropped DLL
PID:83776

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:60804

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:93472

C:\Users\Admin\AppData\Roaming\erifteh
C:\Users\Admin\AppData\Roaming\erifteh
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:100624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\322C.exe
Filesize
804KB

MD5
882a96452e0073218ab82ebc8844281b

SHA1
e36ad67193b1e3175290d68284eea511d5bb2a17

SHA256
398688e1e89e802326e6867bd0c3197f10de218371d70a61cff39dd9a80a8a60

SHA512
e5d798d6c2a4dd7207307fdd9133ae2fb5c758c37da7cdc35a435c2288141a847b04d3546cf1e965eeeca5849b8ac8bb3b7a58b56ece83d9ba1e3b3b9315f482

Download Submit
C:\Users\Admin\AppData\Local\Temp\322C.exe
Filesize
804KB

MD5
882a96452e0073218ab82ebc8844281b

SHA1
e36ad67193b1e3175290d68284eea511d5bb2a17

SHA256
398688e1e89e802326e6867bd0c3197f10de218371d70a61cff39dd9a80a8a60

SHA512
e5d798d6c2a4dd7207307fdd9133ae2fb5c758c37da7cdc35a435c2288141a847b04d3546cf1e965eeeca5849b8ac8bb3b7a58b56ece83d9ba1e3b3b9315f482

Download Submit
C:\Users\Admin\AppData\Local\Temp\322C.exe
Filesize
804KB

MD5
882a96452e0073218ab82ebc8844281b

SHA1
e36ad67193b1e3175290d68284eea511d5bb2a17

SHA256
398688e1e89e802326e6867bd0c3197f10de218371d70a61cff39dd9a80a8a60

SHA512
e5d798d6c2a4dd7207307fdd9133ae2fb5c758c37da7cdc35a435c2288141a847b04d3546cf1e965eeeca5849b8ac8bb3b7a58b56ece83d9ba1e3b3b9315f482

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A3B.exe
Filesize
2.5MB

MD5
99ea18707cb7f61e6bf3786fbcde6e1a

SHA1
c09027e682f02dde830c7a46b7b0abd9f77d494f

SHA256
8a4bbf48c2a52917b43037f21d752f9c951f6f79610f5760bb4dd528bfaa9026

SHA512
8e3cb87e10a294eb7deb576380b8cf08af52a4c37a31bbd4c913ba93acd6b5f7dcd1d71784ef815606fa3c1c0b807f9ccf0b95780a3eda0735134dc6d9fdb0a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A3B.exe
Filesize
2.5MB

MD5
99ea18707cb7f61e6bf3786fbcde6e1a

SHA1
c09027e682f02dde830c7a46b7b0abd9f77d494f

SHA256
8a4bbf48c2a52917b43037f21d752f9c951f6f79610f5760bb4dd528bfaa9026

SHA512
8e3cb87e10a294eb7deb576380b8cf08af52a4c37a31bbd4c913ba93acd6b5f7dcd1d71784ef815606fa3c1c0b807f9ccf0b95780a3eda0735134dc6d9fdb0a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4BD0.exe
Filesize
4.3MB

MD5
2d15abcdb5de415d9c0207dec739b0c5

SHA1
bf55ab060271af30c0cfb4957456f1fb3855cf81

SHA256
d9afb8bbca758ba120b6c1c51e45168d08ce6c4af8506139c7530ee2f094ca57

SHA512
c1da3a0126add57548f3551c0ab59daa37dd87ebee05c2b9f1dedac855890fc617991239562d6749fc97520b080c8af412d0a293bdba6dffd62a9e1e150d5a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\4BD0.exe
Filesize
4.3MB

MD5
2d15abcdb5de415d9c0207dec739b0c5

SHA1
bf55ab060271af30c0cfb4957456f1fb3855cf81

SHA256
d9afb8bbca758ba120b6c1c51e45168d08ce6c4af8506139c7530ee2f094ca57

SHA512
c1da3a0126add57548f3551c0ab59daa37dd87ebee05c2b9f1dedac855890fc617991239562d6749fc97520b080c8af412d0a293bdba6dffd62a9e1e150d5a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\51EC.dll
Filesize
1.5MB

MD5
f00bd800ac435d01168b059946ef9deb

SHA1
d64cbf43577e896943e0f88fffb8c737e98dd552

SHA256
82d8404a410a769d3730385dc35157dd452475d3a846fc7780d6589e39a7cffb

SHA512
188f75b2566f9a670e05d7a55f988e8bd1f1422a93f70127bd9681642f72ccbefe7b56d04da76476393f6ab151c12f8c08ba7d6622bcd8d2fa4cebb019ece612

Download Submit
C:\Users\Admin\AppData\Roaming\erifteh
Filesize
147KB

MD5
005bfff21d283023a0bcdf3906eec7f2

SHA1
e0410f89adbbeb175acd37501c53a43f8054ff04

SHA256
530b524647441f109327b0c602c1154cc290a3ac030513c5b8faf328fa5aa0a5

SHA512
8913c787f5c4dc24dc7766bd56f18201ba01135af938a44e264bab71a031bee5f14cd48d878a63be9cbbd19210d86e259cf165e73f3030ea3857511f272295cd

Download Submit
C:\Users\Admin\AppData\Roaming\erifteh
Filesize
147KB

MD5
005bfff21d283023a0bcdf3906eec7f2

SHA1
e0410f89adbbeb175acd37501c53a43f8054ff04

SHA256
530b524647441f109327b0c602c1154cc290a3ac030513c5b8faf328fa5aa0a5

SHA512
8913c787f5c4dc24dc7766bd56f18201ba01135af938a44e264bab71a031bee5f14cd48d878a63be9cbbd19210d86e259cf165e73f3030ea3857511f272295cd

Download Submit
\Users\Admin\AppData\Local\Temp\51EC.dll
Filesize
1.5MB

MD5
f00bd800ac435d01168b059946ef9deb

SHA1
d64cbf43577e896943e0f88fffb8c737e98dd552

SHA256
82d8404a410a769d3730385dc35157dd452475d3a846fc7780d6589e39a7cffb

SHA512
188f75b2566f9a670e05d7a55f988e8bd1f1422a93f70127bd9681642f72ccbefe7b56d04da76476393f6ab151c12f8c08ba7d6622bcd8d2fa4cebb019ece612

Download Submit
memory/404-426-0x0000000000000000-mapping.dmp

Download
memory/2452-134-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-156-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-121-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-135-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-136-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-137-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-138-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-139-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-140-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-142-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-143-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-144-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-145-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-146-0x0000000000590000-0x000000000063E000-memory.dmp

Filesize
696KB

Download
memory/2452-147-0x0000000000720000-0x0000000000729000-memory.dmp

Filesize
36KB

Download
memory/2452-148-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/2452-149-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-150-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-151-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-152-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-153-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-154-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-155-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-133-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-157-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-158-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/2452-132-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-131-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-130-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-129-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-128-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-127-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-126-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-125-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-124-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-123-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-122-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2452-120-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/3700-194-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/3700-192-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/3700-193-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/3700-184-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/3700-185-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/3700-187-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/3700-189-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/3700-180-0x0000000000000000-mapping.dmp

Download
memory/4632-173-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4632-169-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4632-181-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4632-183-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4632-179-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4632-186-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4632-188-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4632-190-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4632-177-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4632-176-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4632-175-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4632-174-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4632-172-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4632-171-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4632-170-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4632-164-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4632-163-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4632-167-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4632-166-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4632-162-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4632-346-0x0000000002200000-0x000000000231B000-memory.dmp

Filesize
1.1MB

Download
memory/4632-165-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4632-159-0x0000000000000000-mapping.dmp

Download
memory/4632-161-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4632-178-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4632-345-0x00000000020A0000-0x0000000002141000-memory.dmp

Filesize
644KB

Download
memory/19368-205-0x0000000000000000-mapping.dmp

Download
memory/47036-221-0x0000000000000000-mapping.dmp

Download
memory/60804-461-0x0000000000A90000-0x0000000000AFB000-memory.dmp

Filesize
428KB

Download
memory/60804-229-0x0000000000000000-mapping.dmp

Download
memory/60804-387-0x0000000000A90000-0x0000000000AFB000-memory.dmp

Filesize
428KB

Download
memory/60804-369-0x0000000000B00000-0x0000000000B75000-memory.dmp

Filesize
468KB

Download
memory/83776-494-0x0000000005260000-0x000000000536E000-memory.dmp

Filesize
1.1MB

Download
memory/83776-234-0x0000000000000000-mapping.dmp

Download
memory/83776-565-0x0000000005260000-0x000000000536E000-memory.dmp

Filesize
1.1MB

Download
memory/83776-493-0x0000000005030000-0x0000000005143000-memory.dmp

Filesize
1.1MB

Download
memory/93472-270-0x0000000001000000-0x0000000001007000-memory.dmp

Filesize
28KB

Download
memory/93472-273-0x0000000000DF0000-0x0000000000DFC000-memory.dmp

Filesize
48KB

Download
memory/93472-243-0x0000000000000000-mapping.dmp

Download
memory/100332-362-0x0000000000424141-mapping.dmp

Download
memory/100332-433-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/100624-721-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/100624-720-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/100624-719-0x0000000000779000-0x000000000078A000-memory.dmp

Filesize
68KB

Download
memory/100776-510-0x0000000000000000-mapping.dmp

Download
memory/100856-528-0x0000000000000000-mapping.dmp

Download
memory/100924-535-0x0000000000000000-mapping.dmp

Download
memory/101260-609-0x0000000000000000-mapping.dmp

Download
memory/101324-615-0x0000000000000000-mapping.dmp

Download