danabot | ec3406a0384fdb6ee028dd252d9c023dc6e26867162aabe3adcf63482c89efe6

Analysis

max time kernel
150s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/10/2022, 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec3406a0384fdb6ee028dd252d9c023dc6e26867162aabe3adcf63482c89efe6.exe
Size

256KB
MD5

d45fa028f9141e8b0fe96fddba13a32a
SHA1

bf326d0329004cefa76bfba25e1dc1f4e6c0c0b2
SHA256

ec3406a0384fdb6ee028dd252d9c023dc6e26867162aabe3adcf63482c89efe6
SHA512

db9ddaa63dd476a502db47fdd219cbf464c48e948430a59475044e7736dcd84a52e543d23413ed10275b6de24e2547cf2d408eee2cec506ebf64d0f70163ffe0
SSDEEP

3072:PXVFAbCILiSnyOUVjfc8Rmo8L7C9KkOme9OcScJ1y1bF4u7:/LaRLtvUVjfczAxvUccJ1y1x4g

Score

10^/10

danabot smokeloader vidar 937 backdoor banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

49.0.50.0:57

51.0.52.0:0

53.0.54.0:1200

55.0.56.0:65535

Attributes

embedded_hash
569235DCA8F16ED8310BBACCB674F896
type
loader

Extracted

Family

vidar

Version

55.2

Botnet

937

https://t.me/slivetalks

https://c.im/@xinibin420

Attributes

profile_id
937

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

resource	yara_rule
behavioral1/memory/4828-133-0x00000000001F0000-0x00000000001F9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Blocklisted process makes network request 1 IoCs

flow	pid	Process
93	5036	rundll32.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Executes dropped EXE 4 IoCs

pid	Process
2304	CB.exe
4912	A23C.exe
1800	19299745477717757255.exe
1424	Cert.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	A23C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	19299745477717757255.exe

Loads dropped DLL 3 IoCs

pid	Process
4912	A23C.exe
4912	A23C.exe
4912	A23C.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2304 set thread context of 5036	2304	CB.exe	129

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\chrome.exe	Cert.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 10 IoCs

pid	pid_target	Process	procid_target
4648	4912	WerFault.exe	94
3020	2304	WerFault.exe	89
604	2304	WerFault.exe	89
1872	2304	WerFault.exe	89
1496	2304	WerFault.exe	89
3316	2304	WerFault.exe	89
4312	2304	WerFault.exe	89
4584	2304	WerFault.exe	89
3096	2304	WerFault.exe	89
3516	2304	WerFault.exe	89

Checks SCSI registry key(s) 3 TTPs 39 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ec3406a0384fdb6ee028dd252d9c023dc6e26867162aabe3adcf63482c89efe6.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ec3406a0384fdb6ee028dd252d9c023dc6e26867162aabe3adcf63482c89efe6.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ec3406a0384fdb6ee028dd252d9c023dc6e26867162aabe3adcf63482c89efe6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe

Checks processor information in registry 2 TTPs 46 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	CB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	CB.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	A23C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	CB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	CB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CB.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	CB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	CB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	CB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	CB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	CB.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	CB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	CB.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CB.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	CB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	CB.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	A23C.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CB.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
3580	timeout.exe
3940	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4956	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Toolbar	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Process not Found

Modifies registry class 21 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	CB.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
376	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4828	ec3406a0384fdb6ee028dd252d9c023dc6e26867162aabe3adcf63482c89efe6.exe
4828	ec3406a0384fdb6ee028dd252d9c023dc6e26867162aabe3adcf63482c89efe6.exe
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found
376	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
376	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4828	ec3406a0384fdb6ee028dd252d9c023dc6e26867162aabe3adcf63482c89efe6.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4188	svchost.exe
Token: SeShutdownPrivilege	4188	svchost.exe
Token: SeCreatePagefilePrivilege	4188	svchost.exe
Token: SeShutdownPrivilege	376	Process not Found
Token: SeCreatePagefilePrivilege	376	Process not Found
Token: SeShutdownPrivilege	376	Process not Found
Token: SeCreatePagefilePrivilege	376	Process not Found
Token: SeShutdownPrivilege	376	Process not Found
Token: SeCreatePagefilePrivilege	376	Process not Found
Token: SeShutdownPrivilege	376	Process not Found
Token: SeCreatePagefilePrivilege	376	Process not Found
Token: SeShutdownPrivilege	376	Process not Found
Token: SeCreatePagefilePrivilege	376	Process not Found
Token: SeShutdownPrivilege	376	Process not Found
Token: SeCreatePagefilePrivilege	376	Process not Found
Token: SeShutdownPrivilege	376	Process not Found
Token: SeCreatePagefilePrivilege	376	Process not Found
Token: SeShutdownPrivilege	376	Process not Found
Token: SeCreatePagefilePrivilege	376	Process not Found
Token: SeShutdownPrivilege	376	Process not Found
Token: SeCreatePagefilePrivilege	376	Process not Found
Token: SeShutdownPrivilege	376	Process not Found
Token: SeCreatePagefilePrivilege	376	Process not Found
Token: SeShutdownPrivilege	376	Process not Found
Token: SeCreatePagefilePrivilege	376	Process not Found
Token: SeShutdownPrivilege	376	Process not Found
Token: SeCreatePagefilePrivilege	376	Process not Found
Token: SeShutdownPrivilege	376	Process not Found
Token: SeCreatePagefilePrivilege	376	Process not Found
Token: SeDebugPrivilege	4956	taskkill.exe
Token: SeShutdownPrivilege	376	Process not Found
Token: SeCreatePagefilePrivilege	376	Process not Found
Token: SeShutdownPrivilege	376	Process not Found
Token: SeCreatePagefilePrivilege	376	Process not Found
Token: SeShutdownPrivilege	376	Process not Found
Token: SeCreatePagefilePrivilege	376	Process not Found
Token: SeDebugPrivilege	1424	Cert.exe
Token: SeShutdownPrivilege	376	Process not Found
Token: SeCreatePagefilePrivilege	376	Process not Found
Token: SeShutdownPrivilege	376	Process not Found
Token: SeCreatePagefilePrivilege	376	Process not Found
Token: SeShutdownPrivilege	376	Process not Found
Token: SeCreatePagefilePrivilege	376	Process not Found
Token: SeShutdownPrivilege	376	Process not Found
Token: SeCreatePagefilePrivilege	376	Process not Found
Token: SeShutdownPrivilege	376	Process not Found
Token: SeCreatePagefilePrivilege	376	Process not Found
Token: SeShutdownPrivilege	376	Process not Found
Token: SeCreatePagefilePrivilege	376	Process not Found
Token: SeShutdownPrivilege	376	Process not Found
Token: SeCreatePagefilePrivilege	376	Process not Found
Token: SeShutdownPrivilege	376	Process not Found
Token: SeCreatePagefilePrivilege	376	Process not Found
Token: SeShutdownPrivilege	376	Process not Found
Token: SeCreatePagefilePrivilege	376	Process not Found
Token: SeShutdownPrivilege	376	Process not Found
Token: SeCreatePagefilePrivilege	376	Process not Found
Token: SeShutdownPrivilege	376	Process not Found
Token: SeCreatePagefilePrivilege	376	Process not Found
Token: SeShutdownPrivilege	376	Process not Found
Token: SeCreatePagefilePrivilege	376	Process not Found
Token: SeShutdownPrivilege	376	Process not Found
Token: SeCreatePagefilePrivilege	376	Process not Found
Token: SeShutdownPrivilege	376	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1800	19299745477717757255.exe
5036	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1524	OpenWith.exe
376	Process not Found
376	Process not Found

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 376 wrote to memory of 2304	376	Process not Found	89
PID 376 wrote to memory of 2304	376	Process not Found	89
PID 376 wrote to memory of 2304	376	Process not Found	89
PID 2304 wrote to memory of 3740	2304	CB.exe	90
PID 2304 wrote to memory of 3740	2304	CB.exe	90
PID 2304 wrote to memory of 3740	2304	CB.exe	90
PID 376 wrote to memory of 4912	376	Process not Found	94
PID 376 wrote to memory of 4912	376	Process not Found	94
PID 376 wrote to memory of 4912	376	Process not Found	94
PID 4912 wrote to memory of 1800	4912	A23C.exe	95
PID 4912 wrote to memory of 1800	4912	A23C.exe	95
PID 4912 wrote to memory of 1800	4912	A23C.exe	95
PID 4912 wrote to memory of 544	4912	A23C.exe	97
PID 4912 wrote to memory of 544	4912	A23C.exe	97
PID 4912 wrote to memory of 544	4912	A23C.exe	97
PID 1800 wrote to memory of 4128	1800	19299745477717757255.exe	98
PID 1800 wrote to memory of 4128	1800	19299745477717757255.exe	98
PID 1800 wrote to memory of 4128	1800	19299745477717757255.exe	98
PID 544 wrote to memory of 3580	544	cmd.exe	103
PID 544 wrote to memory of 3580	544	cmd.exe	103
PID 544 wrote to memory of 3580	544	cmd.exe	103
PID 4128 wrote to memory of 4956	4128	cmd.exe	104
PID 4128 wrote to memory of 4956	4128	cmd.exe	104
PID 4128 wrote to memory of 4956	4128	cmd.exe	104
PID 4128 wrote to memory of 3940	4128	cmd.exe	106
PID 4128 wrote to memory of 3940	4128	cmd.exe	106
PID 4128 wrote to memory of 3940	4128	cmd.exe	106
PID 1800 wrote to memory of 1424	1800	19299745477717757255.exe	107
PID 1800 wrote to memory of 1424	1800	19299745477717757255.exe	107
PID 1800 wrote to memory of 1424	1800	19299745477717757255.exe	107
PID 2304 wrote to memory of 5036	2304	CB.exe	129
PID 2304 wrote to memory of 5036	2304	CB.exe	129
PID 2304 wrote to memory of 5036	2304	CB.exe	129
PID 2304 wrote to memory of 5036	2304	CB.exe	129

C:\Users\Admin\AppData\Local\Temp\ec3406a0384fdb6ee028dd252d9c023dc6e26867162aabe3adcf63482c89efe6.exe
"C:\Users\Admin\AppData\Local\Temp\ec3406a0384fdb6ee028dd252d9c023dc6e26867162aabe3adcf63482c89efe6.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4828

C:\Users\Admin\AppData\Local\Temp\CB.exe
C:\Users\Admin\AppData\Local\Temp\CB.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\SysWOW64\agentactivationruntimestarter.exe
  C:\Windows\system32\agentactivationruntimestarter.exe
  2⤵
  PID:3740
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 652
  2⤵
  - Program crash
  PID:3020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1048
  2⤵
  - Program crash
  PID:604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1056
  2⤵
  - Program crash
  PID:1872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1132
  2⤵
  - Program crash
  PID:1496
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1120
  2⤵
  - Program crash
  PID:3316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1112
  2⤵
  - Program crash
  PID:4312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1136
  2⤵
  - Program crash
  PID:4584
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1036
  2⤵
  - Program crash
  PID:3096
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1428
  2⤵
  - Program crash
  PID:3516
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2⤵
  - Blocklisted process makes network request
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  PID:5036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x464
1⤵
PID:600

C:\Users\Admin\AppData\Local\Temp\A23C.exe
C:\Users\Admin\AppData\Local\Temp\A23C.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4912
- C:\ProgramData\19299745477717757255.exe
  "C:\ProgramData\19299745477717757255.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FilesH.bat" "
    3⤵
    - Drops file in Drivers directory
    - Suspicious use of WriteProcessMemory
    PID:4128
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Steam.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4956
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:3940
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cert.exe
    "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cert.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1424
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\A23C.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:3580
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1956
  2⤵
  - Program crash
  PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4912 -ip 4912
1⤵
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2304 -ip 2304
1⤵
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2304 -ip 2304
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2304 -ip 2304
1⤵
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2304 -ip 2304
1⤵
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2304 -ip 2304
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2304 -ip 2304
1⤵
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2304 -ip 2304
1⤵
PID:4676

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2304 -ip 2304
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2304 -ip 2304
1⤵
PID:4712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\19299745477717757255.exe

Filesize
389KB

MD5
5ec52400b61c5b586e24a85fa0a2318f

SHA1
579d8cfcf508c81e6e45e47186f33221d47563f3

SHA256
26f22547e17e37af41e6fca415a9fffb43c951c8c3d7129b1d4f8f358cf24ccd

SHA512
b7482d0d97b195a868fe77a882aa2b2d3009c908474dc8a66cc04325d7d3617732d5ac2e7fba8f7255d7cb283c114bbf276cddb336a6a30698b507b6181bba3b

Download Submit
C:\ProgramData\19299745477717757255.exe

Filesize
389KB

MD5
5ec52400b61c5b586e24a85fa0a2318f

SHA1
579d8cfcf508c81e6e45e47186f33221d47563f3

SHA256
26f22547e17e37af41e6fca415a9fffb43c951c8c3d7129b1d4f8f358cf24ccd

SHA512
b7482d0d97b195a868fe77a882aa2b2d3009c908474dc8a66cc04325d7d3617732d5ac2e7fba8f7255d7cb283c114bbf276cddb336a6a30698b507b6181bba3b

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\sqlite3.dll

Filesize
1.1MB

MD5
1f44d4d3087c2b202cf9c90ee9d04b0f

SHA1
106a3ebc9e39ab6ddb3ff987efb6527c956f192d

SHA256
4841020c8bd06b08fde6e44cbe2e2ab33439e1c8368e936ec5b00dc0584f7260

SHA512
b614c72a3c1ce681ebffa628e29aa50275cc80ca9267380960c5198ea4d0a3f2df6cfb7275491d220bad72f14fc94e6656501e9a061d102fb11e00cfda2beb45

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cert.exe

Filesize
275KB

MD5
119ee6d6dcfa21f32dd9db95b365f256

SHA1
42d7f74eab4682928b03e577e2f5b9e6a2d95356

SHA256
ca128762eff2a68d3c319bd81574e423c79f59b1e445646ebe83b9c2135c5146

SHA512
cb4b8a2f037f1e0ab6a06094895ce9afffaaa428142c63259fa4d899ea53e06c581f5379156bb5f5c577daec8ed8d3e4e315d504771176f2c1a9fb8904a54b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cert.exe

Filesize
275KB

MD5
119ee6d6dcfa21f32dd9db95b365f256

SHA1
42d7f74eab4682928b03e577e2f5b9e6a2d95356

SHA256
ca128762eff2a68d3c319bd81574e423c79f59b1e445646ebe83b9c2135c5146

SHA512
cb4b8a2f037f1e0ab6a06094895ce9afffaaa428142c63259fa4d899ea53e06c581f5379156bb5f5c577daec8ed8d3e4e315d504771176f2c1a9fb8904a54b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\FilesH.bat

Filesize
475B

MD5
979e62632d7fcd1c5f022d524dac901a

SHA1
0335075559e0e2b3d095920eae545a635fb1f61e

SHA256
6f90b594a016a0814d30cbb0aa665ebede4b710927efd5ef96ec518088b1e553

SHA512
dad192359ffc7f42d832b0e841553b9342293705db0adefa19edf6c47953bb61a0787cf2f7e0022ee52c5fab3571af7c2167e25ca93903c33693f825c07b961d

Download Submit
C:\Users\Admin\AppData\Local\Temp\A23C.exe

Filesize
343KB

MD5
ba97a8ba982684ffd26140b002fcf5f6

SHA1
8d0b982e8e9aaf3a84e3b17ebc910d26d341b1f7

SHA256
a3282df5188935d442674443e22d2f8bc5d5390a778b386a675d2a66a619d47b

SHA512
27823fba4a49841df28e5cd99dc68d9a258213cafade5aacaabac60461bdc273751aba808c7008374b3c7861664c7b1b301556c9b2e5ada8bf6c435e05a5ea8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\A23C.exe

Filesize
343KB

MD5
ba97a8ba982684ffd26140b002fcf5f6

SHA1
8d0b982e8e9aaf3a84e3b17ebc910d26d341b1f7

SHA256
a3282df5188935d442674443e22d2f8bc5d5390a778b386a675d2a66a619d47b

SHA512
27823fba4a49841df28e5cd99dc68d9a258213cafade5aacaabac60461bdc273751aba808c7008374b3c7861664c7b1b301556c9b2e5ada8bf6c435e05a5ea8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log

Filesize
1KB

MD5
f100bb8b2cb884eaeb980fec005fda2a

SHA1
35b381fb5f67e27d337a9be9a9a80f99a62ade7b

SHA256
ab5bbad92eb5b118a83152c34f7d011cd7ebd55e0774e7649b5bd6084c6bb807

SHA512
f199706af09ab1ec2fd2e1a23055f1d898271bb27ef067b992dece2677e74854023188a7c7c2f8836e7f64854b0bc6b190684b300f0da973d8bd96c3497346b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CB.exe

Filesize
8.4MB

MD5
f918ede92fd01b0f8d9370b98c7c63bc

SHA1
89c0440dfaa5ce9506a3151c1a9e94ef0dbc374a

SHA256
f8d1cf7824eeada220b0557cfcd4ad773fe08d54a42f74befdfb7fb379eecca8

SHA512
37de27f2194498a7bef0ccc7a5580001c8af21fb1fdabab131b8af26576e574ab23ea08da341d69ff2529303e39227c755db99f8957db4dbeaec9a906c963053

Download Submit
C:\Users\Admin\AppData\Local\Temp\CB.exe

Filesize
8.4MB

MD5
f918ede92fd01b0f8d9370b98c7c63bc

SHA1
89c0440dfaa5ce9506a3151c1a9e94ef0dbc374a

SHA256
f8d1cf7824eeada220b0557cfcd4ad773fe08d54a42f74befdfb7fb379eecca8

SHA512
37de27f2194498a7bef0ccc7a5580001c8af21fb1fdabab131b8af26576e574ab23ea08da341d69ff2529303e39227c755db99f8957db4dbeaec9a906c963053

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20220812_191749306.html

Filesize
94KB

MD5
da6b45af25ddc7d9a34a5a425b253bb2

SHA1
b94cc8311d176c735ef39586086ba5293808c3a9

SHA256
fe6525b8436cfb0df02ae2cd7e7054bd706b3fa6f68ba4ded69308ed0bbfc350

SHA512
6a56d232768ad1f999bea5c61c58561e870c26c5de539d73e84984c0a806093251d060a359c55de71f46442f0752e96f6375ac8d8a79d7f957486c1e0e4c6e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Syhidsduo.tmp

Filesize
3.3MB

MD5
13d0ff809f24a408728fd6fe00241020

SHA1
fde8484da982eceb86cf6959460ffc4ce33271a9

SHA256
db9190e9eb5298547a3d266f298ec1e7ede0426841da9512f2827f1e7c027520

SHA512
38dd1c523eb9f5aa1c3da0e95f4064f22fc191ce8cea20803c5f60fcbc40d83f5c3545529863ca18f4e65b3ea7a8eddc247ae0db11c6ffa70af560998611e768

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMKNGOMU-20220812-1924.log

Filesize
56KB

MD5
942061e415bb8ead9b5a5218d5c14343

SHA1
6017ef310882921100fa81965ff75e420200507d

SHA256
1226acee43898580e53859127ed657800319973cb60df51155e5c8a7ce45e895

SHA512
b0a93f95992a6389ba9913d8ca29aaba421f25aea2463244468f3279185f88dddd3db4ecc9d58e4c73ac9901465548df24150978f3bc8a943376a176f605cddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct168.tmp

Filesize
62KB

MD5
7185e716980842db27c3b3a88e1fe804

SHA1
e4615379cd4797629b4cc3da157f4d4a5412fb2b

SHA256
094754a618b102b7ad0800dd4c9c02c882cf2d1e7996ba864f422fa4312427e1

SHA512
dea331907f5f1de407ca07e24be7ad808fa43a0eef2d1b5009721f937ab2a8f77832e332d5ac3d9662e5b02ecaabbec0f4228af279fa6562be4dccb6c829246c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct1F1D.tmp

Filesize
62KB

MD5
7185e716980842db27c3b3a88e1fe804

SHA1
e4615379cd4797629b4cc3da157f4d4a5412fb2b

SHA256
094754a618b102b7ad0800dd4c9c02c882cf2d1e7996ba864f422fa4312427e1

SHA512
dea331907f5f1de407ca07e24be7ad808fa43a0eef2d1b5009721f937ab2a8f77832e332d5ac3d9662e5b02ecaabbec0f4228af279fa6562be4dccb6c829246c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct5D7C.tmp

Filesize
62KB

MD5
7185e716980842db27c3b3a88e1fe804

SHA1
e4615379cd4797629b4cc3da157f4d4a5412fb2b

SHA256
094754a618b102b7ad0800dd4c9c02c882cf2d1e7996ba864f422fa4312427e1

SHA512
dea331907f5f1de407ca07e24be7ad808fa43a0eef2d1b5009721f937ab2a8f77832e332d5ac3d9662e5b02ecaabbec0f4228af279fa6562be4dccb6c829246c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
697B

MD5
97135e1ef652cacbca26f832ec7c2ee2

SHA1
b2691d8e35a78fa4bbf86a480638da8f48b169aa

SHA256
3b113453a1a98b0d6b6e07bd35eca1f0a1992f2c2d69ab22c80ae54d194bc9dd

SHA512
fd3180cac2443538ea32868fe5169148554923cae0e296a0863c46dfa5326495b8dc75a0b0fb52639149f38c01cd569b340db9956ba96159c825124cb23633a5

Download Submit
memory/1424-167-0x0000000000FB0000-0x0000000000FFA000-memory.dmp

Filesize
296KB

Download
memory/1424-168-0x0000000006D20000-0x0000000006D42000-memory.dmp

Filesize
136KB

Download
memory/2304-180-0x0000000007F00000-0x0000000008040000-memory.dmp

Filesize
1.2MB

Download
memory/2304-178-0x0000000007F00000-0x0000000008040000-memory.dmp

Filesize
1.2MB

Download
memory/2304-198-0x00000000072A0000-0x0000000007D52000-memory.dmp

Filesize
10.7MB

Download
memory/2304-140-0x0000000003908000-0x0000000004143000-memory.dmp

Filesize
8.2MB

Download
memory/2304-141-0x00000000058F0000-0x00000000062C6000-memory.dmp

Filesize
9.8MB

Download
memory/2304-142-0x0000000000400000-0x0000000003455000-memory.dmp

Filesize
48.3MB

Download
memory/2304-184-0x0000000000400000-0x0000000003455000-memory.dmp

Filesize
48.3MB

Download
memory/2304-181-0x0000000007F00000-0x0000000008040000-memory.dmp

Filesize
1.2MB

Download
memory/2304-179-0x00000000072A0000-0x0000000007D52000-memory.dmp

Filesize
10.7MB

Download
memory/2304-177-0x0000000007F00000-0x0000000008040000-memory.dmp

Filesize
1.2MB

Download
memory/2304-143-0x0000000000400000-0x0000000003455000-memory.dmp

Filesize
48.3MB

Download
memory/2304-169-0x0000000000400000-0x0000000003455000-memory.dmp

Filesize
48.3MB

Download
memory/2304-170-0x0000000000400000-0x0000000003455000-memory.dmp

Filesize
48.3MB

Download
memory/2304-171-0x00000000072A0000-0x0000000007D52000-memory.dmp

Filesize
10.7MB

Download
memory/2304-172-0x00000000072A0000-0x0000000007D52000-memory.dmp

Filesize
10.7MB

Download
memory/2304-173-0x0000000007F00000-0x0000000008040000-memory.dmp

Filesize
1.2MB

Download
memory/2304-174-0x0000000007F00000-0x0000000008040000-memory.dmp

Filesize
1.2MB

Download
memory/2304-175-0x0000000007F00000-0x0000000008040000-memory.dmp

Filesize
1.2MB

Download
memory/2304-176-0x0000000007F00000-0x0000000008040000-memory.dmp

Filesize
1.2MB

Download
memory/4828-132-0x0000000002C72000-0x0000000002C88000-memory.dmp

Filesize
88KB

Download
memory/4828-133-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/4828-134-0x0000000000400000-0x0000000002C2E000-memory.dmp

Filesize
40.2MB

Download
memory/4828-135-0x0000000000400000-0x0000000002C2E000-memory.dmp

Filesize
40.2MB

Download
memory/4912-147-0x0000000002C93000-0x0000000002CBF000-memory.dmp

Filesize
176KB

Download
memory/4912-148-0x00000000048A0000-0x00000000048E9000-memory.dmp

Filesize
292KB

Download
memory/4912-149-0x0000000000400000-0x0000000002C44000-memory.dmp

Filesize
40.3MB

Download
memory/4912-162-0x0000000002C93000-0x0000000002CBF000-memory.dmp

Filesize
176KB

Download
memory/4912-166-0x0000000000400000-0x0000000002C44000-memory.dmp

Filesize
40.3MB

Download
memory/5036-189-0x00000000034C0000-0x0000000003F72000-memory.dmp

Filesize
10.7MB

Download
memory/5036-185-0x0000000001080000-0x0000000001A12000-memory.dmp

Filesize
9.6MB

Download
memory/5036-187-0x00000000041D0000-0x0000000004310000-memory.dmp

Filesize
1.2MB

Download
memory/5036-186-0x00000000041D0000-0x0000000004310000-memory.dmp

Filesize
1.2MB

Download
memory/5036-197-0x00000000034C0000-0x0000000003F72000-memory.dmp

Filesize
10.7MB

Download
memory/5036-183-0x00000000034C0000-0x0000000003F72000-memory.dmp

Filesize
10.7MB

Download