blacknet | fa098da5c908e9ef45a25971e2a90a78673d241a6e9c67d1e4166a026ceefb12

Analysis

max time kernel
79s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2022 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

183KB
MD5

8611fcd3c059993ae37c038f0682507a
SHA1

82a2f78e8594faff95889690b93fb37ed96ad242
SHA256

fa098da5c908e9ef45a25971e2a90a78673d241a6e9c67d1e4166a026ceefb12
SHA512

0586abd3654a75e709382bef587af6ed92c1f5ec5a75e7d581b0e3279395475de36b9541d6c6cb952168391c0c1285c46f72f63e96cd71944f9be4d83bc3e061
SSDEEP

3072:5pKvfIGP7fLv7LFVxtkfx5bjviLMdGB8zvufPpy7iyCDgUZiYVcCkoftuGTJ:5poTDfz7LvxtkLvgMdQImf4W42J4c

Score

10^/10

blacknet djvu redline smokeloader mario23_10 backdoor collection discovery infostealer persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

djvu

http://fresherlights.com/lancer/get.php

Attributes

extension
.bozq
offline_id
oHp5e4SJxdFtxfvKYmeX06F4C5cn0EcsF5Ak9Wt1
payload_url
http://uaery.top/dl/build2.exe
http://fresherlights.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-dyi5UcwIT9 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@fishmail.top Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0597Jhyjd

rsa_pubkey.plain

Extracted

Family

redline

Botnet

mario23_10

167.235.252.160:10642

Attributes

auth_value
eca57cfb5172f71dc45986763bb98942

Extracted

Family

blacknet

Attributes

antivm
false
elevate_uac
false
install_name
splitter
start_name
startup
false
usb_spread
false

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/93092-244-0x0000000000400000-0x0000000000426000-memory.dmp	family_blacknet
behavioral2/memory/50404-263-0x00000000048B0000-0x00000000048D2000-memory.dmp	family_blacknet

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/93092-244-0x0000000000400000-0x0000000000426000-memory.dmp	disable_win_def
behavioral2/memory/50404-263-0x00000000048B0000-0x00000000048D2000-memory.dmp	disable_win_def

Detected Djvu ransomware 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3900-152-0x0000000002330000-0x000000000244B000-memory.dmp	family_djvu
behavioral2/memory/39088-165-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/39088-167-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/39088-168-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/39088-169-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/39088-198-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/92364-205-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/92364-206-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/92364-212-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/92364-235-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/504-133-0x00000000006F0000-0x00000000006F9000-memory.dmp	family_smokeloader
behavioral2/memory/504-136-0x00000000006F0000-0x00000000006F9000-memory.dmp	family_smokeloader
behavioral2/memory/4676-162-0x0000000000690000-0x0000000000699000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/92100-185-0x0000000000400000-0x0000000000460000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

3652.exe373D.exe38E4.exe3B95.exe373D.exe373D.exe373D.exebuild2.exebuild2.exebuild3.exeF978.exeF978.exe

pid	process
988	3652.exe
3900	373D.exe
4512	38E4.exe
4676	3B95.exe
39088	373D.exe
92260	373D.exe
92364	373D.exe
92548	build2.exe
92596	build2.exe
92644	build3.exe
93048	F978.exe
93092	F978.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

373D.exe373D.exebuild2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	373D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	373D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	build2.exe

Loads dropped DLL 4 IoCs

Processes:

regsvr32.exebuild2.exe

pid process

12852 regsvr32.exe
92596 build2.exe
92596 build2.exe
92596 build2.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

84916 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
12852	regsvr32.exe
92596	build2.exe
92596	build2.exe
92596	build2.exe

pid	process
84916	icacls.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

373D.exeF978.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ed00d6cd-3867-424c-ab2d-5fd89e4b0542\\373D.exe\" --AutoStart"	373D.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d3f5d9b2bed7d09a6a916e85527c9d53 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\F978.exe"	F978.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d3f5d9b2bed7d09a6a916e85527c9d53 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\MyClient\\WindowsRework.exe"	F978.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

29 api.2ip.ua
30 api.2ip.ua
46 api.2ip.ua

flow	ioc
29	api.2ip.ua
30	api.2ip.ua
46	api.2ip.ua

Suspicious use of SetThreadContext 5 IoCs

Processes:

373D.exe38E4.exe373D.exebuild2.exeF978.exe

description	pid	process	target process
PID 3900 set thread context of 39088	3900	373D.exe	373D.exe
PID 4512 set thread context of 92100	4512	38E4.exe	AppLaunch.exe
PID 92260 set thread context of 92364	92260	373D.exe	373D.exe
PID 92548 set thread context of 92596	92548	build2.exe	build2.exe
PID 93048 set thread context of 93092	93048	F978.exe	F978.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

92200 4512 WerFault.exe 38E4.exe
92892 988 WerFault.exe 3652.exe

pid	pid_target	process	target process
92200	4512	WerFault.exe	38E4.exe
92892	988	WerFault.exe	3652.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3B95.exefile.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3B95.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3B95.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3B95.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

build2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

92672 schtasks.exe
2480 schtasks.exe
2280 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

93028 timeout.exe
2248 timeout.exe

pid	process
92672	schtasks.exe
2480	schtasks.exe
2280	schtasks.exe

pid	process
93028	timeout.exe
2248	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
504	file.exe
504	file.exe
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3068
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

file.exe3B95.exe

pid process

504 file.exe
3068
3068
3068
3068
4676 3B95.exe

pid	process
3068

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

3652.exeAppLaunch.exeF978.exe

description	pid	process
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeDebugPrivilege	988	3652.exe
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeDebugPrivilege	92100	AppLaunch.exe
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeDebugPrivilege	93092	F978.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exe373D.exe373D.exe38E4.exe373D.exe373D.exebuild2.exe

description	pid	process	target process
PID 3068 wrote to memory of 988	3068		3652.exe
PID 3068 wrote to memory of 988	3068		3652.exe
PID 3068 wrote to memory of 988	3068		3652.exe
PID 3068 wrote to memory of 3900	3068		373D.exe
PID 3068 wrote to memory of 3900	3068		373D.exe
PID 3068 wrote to memory of 3900	3068		373D.exe
PID 3068 wrote to memory of 4512	3068		38E4.exe
PID 3068 wrote to memory of 4512	3068		38E4.exe
PID 3068 wrote to memory of 4512	3068		38E4.exe
PID 3068 wrote to memory of 4676	3068		3B95.exe
PID 3068 wrote to memory of 4676	3068		3B95.exe
PID 3068 wrote to memory of 4676	3068		3B95.exe
PID 3068 wrote to memory of 7228	3068		regsvr32.exe
PID 3068 wrote to memory of 7228	3068		regsvr32.exe
PID 3068 wrote to memory of 10536	3068		explorer.exe
PID 3068 wrote to memory of 10536	3068		explorer.exe
PID 3068 wrote to memory of 10536	3068		explorer.exe
PID 3068 wrote to memory of 10536	3068		explorer.exe
PID 7228 wrote to memory of 12852	7228	regsvr32.exe	regsvr32.exe
PID 7228 wrote to memory of 12852	7228	regsvr32.exe	regsvr32.exe
PID 7228 wrote to memory of 12852	7228	regsvr32.exe	regsvr32.exe
PID 3068 wrote to memory of 19716	3068		explorer.exe
PID 3068 wrote to memory of 19716	3068		explorer.exe
PID 3068 wrote to memory of 19716	3068		explorer.exe
PID 3900 wrote to memory of 39088	3900	373D.exe	373D.exe
PID 3900 wrote to memory of 39088	3900	373D.exe	373D.exe
PID 3900 wrote to memory of 39088	3900	373D.exe	373D.exe
PID 3900 wrote to memory of 39088	3900	373D.exe	373D.exe
PID 3900 wrote to memory of 39088	3900	373D.exe	373D.exe
PID 3900 wrote to memory of 39088	3900	373D.exe	373D.exe
PID 3900 wrote to memory of 39088	3900	373D.exe	373D.exe
PID 3900 wrote to memory of 39088	3900	373D.exe	373D.exe
PID 3900 wrote to memory of 39088	3900	373D.exe	373D.exe
PID 3900 wrote to memory of 39088	3900	373D.exe	373D.exe
PID 39088 wrote to memory of 84916	39088	373D.exe	icacls.exe
PID 39088 wrote to memory of 84916	39088	373D.exe	icacls.exe
PID 39088 wrote to memory of 84916	39088	373D.exe	icacls.exe
PID 4512 wrote to memory of 92100	4512	38E4.exe	AppLaunch.exe
PID 4512 wrote to memory of 92100	4512	38E4.exe	AppLaunch.exe
PID 4512 wrote to memory of 92100	4512	38E4.exe	AppLaunch.exe
PID 4512 wrote to memory of 92100	4512	38E4.exe	AppLaunch.exe
PID 4512 wrote to memory of 92100	4512	38E4.exe	AppLaunch.exe
PID 39088 wrote to memory of 92260	39088	373D.exe	373D.exe
PID 39088 wrote to memory of 92260	39088	373D.exe	373D.exe
PID 39088 wrote to memory of 92260	39088	373D.exe	373D.exe
PID 92260 wrote to memory of 92364	92260	373D.exe	373D.exe
PID 92260 wrote to memory of 92364	92260	373D.exe	373D.exe
PID 92260 wrote to memory of 92364	92260	373D.exe	373D.exe
PID 92260 wrote to memory of 92364	92260	373D.exe	373D.exe
PID 92260 wrote to memory of 92364	92260	373D.exe	373D.exe
PID 92260 wrote to memory of 92364	92260	373D.exe	373D.exe
PID 92260 wrote to memory of 92364	92260	373D.exe	373D.exe
PID 92260 wrote to memory of 92364	92260	373D.exe	373D.exe
PID 92260 wrote to memory of 92364	92260	373D.exe	373D.exe
PID 92260 wrote to memory of 92364	92260	373D.exe	373D.exe
PID 92364 wrote to memory of 92548	92364	373D.exe	build2.exe
PID 92364 wrote to memory of 92548	92364	373D.exe	build2.exe
PID 92364 wrote to memory of 92548	92364	373D.exe	build2.exe
PID 92548 wrote to memory of 92596	92548	build2.exe	build2.exe
PID 92548 wrote to memory of 92596	92548	build2.exe	build2.exe
PID 92548 wrote to memory of 92596	92548	build2.exe	build2.exe
PID 92548 wrote to memory of 92596	92548	build2.exe	build2.exe
PID 92548 wrote to memory of 92596	92548	build2.exe	build2.exe
PID 92548 wrote to memory of 92596	92548	build2.exe	build2.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:504

C:\Users\Admin\AppData\Local\Temp\3652.exe
C:\Users\Admin\AppData\Local\Temp\3652.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1268
2⤵
- Program crash
PID:92892

C:\Users\Admin\AppData\Local\Temp\373D.exe
C:\Users\Admin\AppData\Local\Temp\373D.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3900

C:\Users\Admin\AppData\Local\Temp\373D.exe
C:\Users\Admin\AppData\Local\Temp\373D.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:39088

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\ed00d6cd-3867-424c-ab2d-5fd89e4b0542" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:84916

C:\Users\Admin\AppData\Local\Temp\373D.exe
"C:\Users\Admin\AppData\Local\Temp\373D.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:92260

C:\Users\Admin\AppData\Local\Temp\373D.exe
"C:\Users\Admin\AppData\Local\Temp\373D.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:92364

C:\Users\Admin\AppData\Local\93d7915d-6473-4040-a8ff-b800b9bb7431\build2.exe
"C:\Users\Admin\AppData\Local\93d7915d-6473-4040-a8ff-b800b9bb7431\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:92548

C:\Users\Admin\AppData\Local\93d7915d-6473-4040-a8ff-b800b9bb7431\build2.exe
"C:\Users\Admin\AppData\Local\93d7915d-6473-4040-a8ff-b800b9bb7431\build2.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
PID:92596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\93d7915d-6473-4040-a8ff-b800b9bb7431\build2.exe" & exit
7⤵
PID:92968

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:93028

C:\Users\Admin\AppData\Local\93d7915d-6473-4040-a8ff-b800b9bb7431\build3.exe
"C:\Users\Admin\AppData\Local\93d7915d-6473-4040-a8ff-b800b9bb7431\build3.exe"
5⤵
- Executes dropped EXE
PID:92644

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
6⤵
- Creates scheduled task(s)
PID:92672

C:\Users\Admin\AppData\Local\Temp\38E4.exe
C:\Users\Admin\AppData\Local\Temp\38E4.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:92100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 88612
2⤵
- Program crash
PID:92200

C:\Users\Admin\AppData\Local\Temp\3B95.exe
C:\Users\Admin\AppData\Local\Temp\3B95.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4676

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3EB3.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:7228

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\3EB3.dll
2⤵
- Loads dropped DLL
PID:12852

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:10536

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:19716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4512 -ip 4512
1⤵
PID:56380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 988 -ip 988
1⤵
PID:92872

C:\Users\Admin\AppData\Local\Temp\F978.exe
C:\Users\Admin\AppData\Local\Temp\F978.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:93048

C:\Users\Admin\AppData\Local\Temp\F978.exe
C:\Users\Admin\AppData\Local\Temp\F978.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:93092

C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsRework.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsRework.exe"
3⤵
PID:50404

C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsRework.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsRework.exe"
4⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\svchosts.exe
"C:\Users\Admin\AppData\Local\Temp\svchosts.exe"
3⤵
PID:3820

C:\Users\Admin\AppData\Local\Temp\48A3.exe
C:\Users\Admin\AppData\Local\Temp\48A3.exe
1⤵
PID:4900

C:\Users\Admin\AppData\Local\Temp\5BFD.exe
C:\Users\Admin\AppData\Local\Temp\5BFD.exe
1⤵
PID:2472

C:\Users\Admin\AppData\Roaming\CsEKSsCbCSUHsBFKUscCEESFBsSFkFUHCCUBfbUSAHShSSfKSchFBse.exe
"C:\Users\Admin\AppData\Roaming\CsEKSsCbCSUHsBFKUscCEESFBsSFkFUHCCUBfbUSAHShSSfKSchFBse.exe"
2⤵
PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6A6D.tmp.bat""
3⤵
PID:4524

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:2248

C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe
"C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
4⤵
PID:4328

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
5⤵
PID:1052

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
6⤵
- Creates scheduled task(s)
PID:2480

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:2008

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
2⤵
- Creates scheduled task(s)
PID:2280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe
Filesize
837KB

MD5
b71f097937ef3e6a757cda055babb005

SHA1
3fb167b8608824592d1707614cce46cfc643dd44

SHA256
917f533b13b2bac659f4a16d03ea4e1b30ee535c57c132b4d4f784fbd2c2a482

SHA512
d0fca6ef77597c68d8bbf671f4929764146be1dbeae2c6f66783be2922df09e9a7b983c603a295c1056b12f6cddf6e22eadea99bfc104266e4dae75b829b43aa

Download Submit
C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe
Filesize
837KB

MD5
b71f097937ef3e6a757cda055babb005

SHA1
3fb167b8608824592d1707614cce46cfc643dd44

SHA256
917f533b13b2bac659f4a16d03ea4e1b30ee535c57c132b4d4f784fbd2c2a482

SHA512
d0fca6ef77597c68d8bbf671f4929764146be1dbeae2c6f66783be2922df09e9a7b983c603a295c1056b12f6cddf6e22eadea99bfc104266e4dae75b829b43aa

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\sqlite3.dll
Filesize
1.1MB

MD5
1f44d4d3087c2b202cf9c90ee9d04b0f

SHA1
106a3ebc9e39ab6ddb3ff987efb6527c956f192d

SHA256
4841020c8bd06b08fde6e44cbe2e2ab33439e1c8368e936ec5b00dc0584f7260

SHA512
b614c72a3c1ce681ebffa628e29aa50275cc80ca9267380960c5198ea4d0a3f2df6cfb7275491d220bad72f14fc94e6656501e9a061d102fb11e00cfda2beb45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
bf72e427cb37a9eea765a22bd913f4a9

SHA1
65472f30a9b5e73ab656b220200c08d80aa102f5

SHA256
0bb3634c75731c7e50568ec1b894ce832b3a3b42990909c2bb6230c34756b1cc

SHA512
681d5f0ef428c2dcb175ac1f4f1c6f944401fbee2eb5932973e47ab05f9a9c55fbbfa8dd6a57ec623cc6c759a743f4c532195eaf9561e6b1e536e7181bf9d140

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
38bc9052d67fb7ff388671b512e76cb2

SHA1
097e30ab48d6130317a71cd53bd998c662d79171

SHA256
427acbd4b71e76709af64c7e94e63649ef51518d632afa3d24f06e5aebf95b9b

SHA512
a440c0983bbd454d421458d3203688b119bd56d7942fb6839868e183dcf9a838516aaa05295bf818149c39ce65509297ff8608241f62f82f289c35b17cc2043e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
ad60a0412146543517c09563f17c4ef6

SHA1
ba3fc20a0efb989d50f8fa5a5a175f67bca815b7

SHA256
af9773d72e96f1a50de9c2b520fec254901fb4df75e0493e14083daf4fe76e90

SHA512
a2b49292bcf91497d37785e1b2fd70ccc5e4808ed63ad57110705520d197575e08ebd189fb7ea203a7aaf0f5672f4d4cdc436a7c2c07647ec451cadd57ebca5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
0f6493a6e9ec549e0d9445fa4a22e9dc

SHA1
91683fde940d5c50a8dffe7fb8a2c175b798f98e

SHA256
abf59015bfbf3f79099bd541e7aad24b0be818ee6b0c4bcfa7470bafc6f55d4f

SHA512
d4679451c4afb037cea4af9d3271f6cc2578e5691042cc930a54d983d0c8be0f6b6c9a773150dc49c57f329977652a2dc03f1310cebc597a26f535bf1d3c24be

Download Submit
C:\Users\Admin\AppData\Local\93d7915d-6473-4040-a8ff-b800b9bb7431\build2.exe
Filesize
323KB

MD5
efcd4db108fc262b0fba4f82692bfdf1

SHA1
5cc11f23b251c802e2e5497cc40d5702853e4f16

SHA256
1aacaadce5954ff321f06df9cf1785902ef0b1806599b8b0aa477ae211ff2976

SHA512
6c6cfe51f2686d26477934efe52a861c5a7bbd1baa4edac087c49058bca51d43b5be1214e22761ae63e98cd3e78c8aef51571835ac8e009cdc70c56439f2d15e

Download Submit
C:\Users\Admin\AppData\Local\93d7915d-6473-4040-a8ff-b800b9bb7431\build2.exe
Filesize
323KB

MD5
efcd4db108fc262b0fba4f82692bfdf1

SHA1
5cc11f23b251c802e2e5497cc40d5702853e4f16

SHA256
1aacaadce5954ff321f06df9cf1785902ef0b1806599b8b0aa477ae211ff2976

SHA512
6c6cfe51f2686d26477934efe52a861c5a7bbd1baa4edac087c49058bca51d43b5be1214e22761ae63e98cd3e78c8aef51571835ac8e009cdc70c56439f2d15e

Download Submit
C:\Users\Admin\AppData\Local\93d7915d-6473-4040-a8ff-b800b9bb7431\build2.exe
Filesize
323KB

MD5
efcd4db108fc262b0fba4f82692bfdf1

SHA1
5cc11f23b251c802e2e5497cc40d5702853e4f16

SHA256
1aacaadce5954ff321f06df9cf1785902ef0b1806599b8b0aa477ae211ff2976

SHA512
6c6cfe51f2686d26477934efe52a861c5a7bbd1baa4edac087c49058bca51d43b5be1214e22761ae63e98cd3e78c8aef51571835ac8e009cdc70c56439f2d15e

Download Submit
C:\Users\Admin\AppData\Local\93d7915d-6473-4040-a8ff-b800b9bb7431\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\93d7915d-6473-4040-a8ff-b800b9bb7431\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\F978.exe.log
Filesize
20B

MD5
b3ac9d09e3a47d5fd00c37e075a70ecb

SHA1
ad14e6d0e07b00bd10d77a06d68841b20675680b

SHA256
7a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432

SHA512
09b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\WindowsRework.exe.log
Filesize
20B

MD5
b3ac9d09e3a47d5fd00c37e075a70ecb

SHA1
ad14e6d0e07b00bd10d77a06d68841b20675680b

SHA256
7a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432

SHA512
09b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316

Download Submit
C:\Users\Admin\AppData\Local\Temp\3652.exe
Filesize
403KB

MD5
20fc27e56aeb4d8031e8952f5c367565

SHA1
23d1e5f43cf5ffcc1b23bdc0dbc82e2ca2c82f8d

SHA256
74529df015f3ac14d2a4f9744c8945bdb3998707ac66f47fd20fbb62ed126716

SHA512
e0b6ff5ce7fcac646b03c6458a91655aea4d6850010d3501aa1e788add16b4d63b57643ec78fe91e4344d19b75ba63cc7995ef0dfdc2b6b3a62dba181f0f7348

Download Submit
C:\Users\Admin\AppData\Local\Temp\3652.exe
Filesize
403KB

MD5
20fc27e56aeb4d8031e8952f5c367565

SHA1
23d1e5f43cf5ffcc1b23bdc0dbc82e2ca2c82f8d

SHA256
74529df015f3ac14d2a4f9744c8945bdb3998707ac66f47fd20fbb62ed126716

SHA512
e0b6ff5ce7fcac646b03c6458a91655aea4d6850010d3501aa1e788add16b4d63b57643ec78fe91e4344d19b75ba63cc7995ef0dfdc2b6b3a62dba181f0f7348

Download Submit
C:\Users\Admin\AppData\Local\Temp\373D.exe
Filesize
729KB

MD5
4128acbedee976974a7f0c08272c33bc

SHA1
26e291a00f439a1c435e0b7c62c8357d87a879dd

SHA256
9a7527a421f977efc383e32c88ec073669f96d2d7381a1d8e36ec80a5a06da02

SHA512
1209c4d20a788b1b006b0d117cf0e194db65c38865ea2f6a4441e19993a207c367a45827f94ee6c743dfd7b4044185934f8d4eb79bfff9cb5c3f3446a4bcb16a

Download Submit
C:\Users\Admin\AppData\Local\Temp\373D.exe
Filesize
729KB

MD5
4128acbedee976974a7f0c08272c33bc

SHA1
26e291a00f439a1c435e0b7c62c8357d87a879dd

SHA256
9a7527a421f977efc383e32c88ec073669f96d2d7381a1d8e36ec80a5a06da02

SHA512
1209c4d20a788b1b006b0d117cf0e194db65c38865ea2f6a4441e19993a207c367a45827f94ee6c743dfd7b4044185934f8d4eb79bfff9cb5c3f3446a4bcb16a

Download Submit
C:\Users\Admin\AppData\Local\Temp\373D.exe
Filesize
729KB

MD5
4128acbedee976974a7f0c08272c33bc

SHA1
26e291a00f439a1c435e0b7c62c8357d87a879dd

SHA256
9a7527a421f977efc383e32c88ec073669f96d2d7381a1d8e36ec80a5a06da02

SHA512
1209c4d20a788b1b006b0d117cf0e194db65c38865ea2f6a4441e19993a207c367a45827f94ee6c743dfd7b4044185934f8d4eb79bfff9cb5c3f3446a4bcb16a

Download Submit
C:\Users\Admin\AppData\Local\Temp\373D.exe
Filesize
729KB

MD5
4128acbedee976974a7f0c08272c33bc

SHA1
26e291a00f439a1c435e0b7c62c8357d87a879dd

SHA256
9a7527a421f977efc383e32c88ec073669f96d2d7381a1d8e36ec80a5a06da02

SHA512
1209c4d20a788b1b006b0d117cf0e194db65c38865ea2f6a4441e19993a207c367a45827f94ee6c743dfd7b4044185934f8d4eb79bfff9cb5c3f3446a4bcb16a

Download Submit
C:\Users\Admin\AppData\Local\Temp\373D.exe
Filesize
729KB

MD5
4128acbedee976974a7f0c08272c33bc

SHA1
26e291a00f439a1c435e0b7c62c8357d87a879dd

SHA256
9a7527a421f977efc383e32c88ec073669f96d2d7381a1d8e36ec80a5a06da02

SHA512
1209c4d20a788b1b006b0d117cf0e194db65c38865ea2f6a4441e19993a207c367a45827f94ee6c743dfd7b4044185934f8d4eb79bfff9cb5c3f3446a4bcb16a

Download Submit
C:\Users\Admin\AppData\Local\Temp\38E4.exe
Filesize
569KB

MD5
db7f539c00d09631bccd44e890646024

SHA1
f33beb0c8c6b280516a7777357eb11e886af34db

SHA256
c8dcf8b8201a431cff06cb065b931ebc15ffb12de14ccb9bcd989104155e715c

SHA512
c4b4531accd9e38d7f71e15e75a498277f99ef6f8ab3817651292cc0cc4441acb7993a11f0ea5848f9fa09a015c3c487993fa29bf98cf2566c4987561e71c36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\38E4.exe
Filesize
569KB

MD5
db7f539c00d09631bccd44e890646024

SHA1
f33beb0c8c6b280516a7777357eb11e886af34db

SHA256
c8dcf8b8201a431cff06cb065b931ebc15ffb12de14ccb9bcd989104155e715c

SHA512
c4b4531accd9e38d7f71e15e75a498277f99ef6f8ab3817651292cc0cc4441acb7993a11f0ea5848f9fa09a015c3c487993fa29bf98cf2566c4987561e71c36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B95.exe
Filesize
181KB

MD5
a580716c85ddeb8ec54931c0ad936681

SHA1
50a6d64889c3192dbf111cd0d24d46d1cf735177

SHA256
7315ab3fbe785acb4ad597e8a3e00f494dd17aeeb7bb2b0753efb770162054c1

SHA512
9960b9ec8d3819603f83d6a6743b51ed34676a3129d02fcc34179132ddc11358de6602834d95821631cc5682b4a5aaa7dfb1c550d3bb165e35c353484ed76229

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B95.exe
Filesize
181KB

MD5
a580716c85ddeb8ec54931c0ad936681

SHA1
50a6d64889c3192dbf111cd0d24d46d1cf735177

SHA256
7315ab3fbe785acb4ad597e8a3e00f494dd17aeeb7bb2b0753efb770162054c1

SHA512
9960b9ec8d3819603f83d6a6743b51ed34676a3129d02fcc34179132ddc11358de6602834d95821631cc5682b4a5aaa7dfb1c550d3bb165e35c353484ed76229

Download Submit
C:\Users\Admin\AppData\Local\Temp\3EB3.dll
Filesize
1.5MB

MD5
8e4a0c607db16c345cfbafbfdc54e75c

SHA1
dea1effd2eb667de38eec154d17f89cc7646231d

SHA256
fee01d5648c40e808abd9672ddb4d70c15df0edfcc6a61afbcbc690cceba6045

SHA512
c998c14cae8d99bb41f7b8d006fd29705ec98cf639a28a7d5bedb0248e8a4f1cb9e96f31d51e29bcf4eebc4ff0b367150887e4e516c9d1937555b24fd879f13f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3EB3.dll
Filesize
1.5MB

MD5
8e4a0c607db16c345cfbafbfdc54e75c

SHA1
dea1effd2eb667de38eec154d17f89cc7646231d

SHA256
fee01d5648c40e808abd9672ddb4d70c15df0edfcc6a61afbcbc690cceba6045

SHA512
c998c14cae8d99bb41f7b8d006fd29705ec98cf639a28a7d5bedb0248e8a4f1cb9e96f31d51e29bcf4eebc4ff0b367150887e4e516c9d1937555b24fd879f13f

Download Submit
C:\Users\Admin\AppData\Local\Temp\48A3.exe
Filesize
703KB

MD5
4e06f9d0f3dd453df7137f20073c05d8

SHA1
7a273b77ae896a9cd6f5c53a0bda33dc45556732

SHA256
ff28f2cb4c45ad87829c0bdc731d524e90af663ea569fc9e71254d2873dbaaef

SHA512
0356ff96ebf119520e642899a7d2b773914abccab642372749a68d56dd0ebc73c8a55d17ad7ef5bad532ebe3788586bc24264d61d74e241266f94f6f43d9c364

Download Submit
C:\Users\Admin\AppData\Local\Temp\48A3.exe
Filesize
703KB

MD5
4e06f9d0f3dd453df7137f20073c05d8

SHA1
7a273b77ae896a9cd6f5c53a0bda33dc45556732

SHA256
ff28f2cb4c45ad87829c0bdc731d524e90af663ea569fc9e71254d2873dbaaef

SHA512
0356ff96ebf119520e642899a7d2b773914abccab642372749a68d56dd0ebc73c8a55d17ad7ef5bad532ebe3788586bc24264d61d74e241266f94f6f43d9c364

Download Submit
C:\Users\Admin\AppData\Local\Temp\5BFD.exe
Filesize
1.1MB

MD5
532f80cb0ccfd2fcad21bca6044b2ff7

SHA1
47d26fb23e4192469fff7693922ef239cea1d5cf

SHA256
44673c9ea35c6aa5fcb5481674afe921ae12a2f8f485d38c0ffc0accb0f406de

SHA512
d4cc16c884f8ce0792e578ac548d2a3f1fc794bfb83276e8329877bb07067997651405625a4a39993848beea8a46308f2ca6f01ca6b3ca41e9b4c87885e7ebb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5BFD.exe
Filesize
1.1MB

MD5
532f80cb0ccfd2fcad21bca6044b2ff7

SHA1
47d26fb23e4192469fff7693922ef239cea1d5cf

SHA256
44673c9ea35c6aa5fcb5481674afe921ae12a2f8f485d38c0ffc0accb0f406de

SHA512
d4cc16c884f8ce0792e578ac548d2a3f1fc794bfb83276e8329877bb07067997651405625a4a39993848beea8a46308f2ca6f01ca6b3ca41e9b4c87885e7ebb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\F978.exe
Filesize
185KB

MD5
ce9fbdc93576a35bc2d232a48ed54366

SHA1
9fc9f4c0125b50572e631a8a1d51ebfd594d3335

SHA256
6dd503b0dcfb6aceafee5e02e3df1882d33a6abce7a0127c615354f2e0b788d9

SHA512
d501cde2cfcb04ae851aaa0ae7934b13a6ab64f6866cc0bfb1f9ee3c65f3fe9e48948a40c1494cfdcc00cce75398c1240dec4be7dde31cb961a4250bd8635543

Download Submit
C:\Users\Admin\AppData\Local\Temp\F978.exe
Filesize
185KB

MD5
ce9fbdc93576a35bc2d232a48ed54366

SHA1
9fc9f4c0125b50572e631a8a1d51ebfd594d3335

SHA256
6dd503b0dcfb6aceafee5e02e3df1882d33a6abce7a0127c615354f2e0b788d9

SHA512
d501cde2cfcb04ae851aaa0ae7934b13a6ab64f6866cc0bfb1f9ee3c65f3fe9e48948a40c1494cfdcc00cce75398c1240dec4be7dde31cb961a4250bd8635543

Download Submit
C:\Users\Admin\AppData\Local\Temp\F978.exe
Filesize
185KB

MD5
ce9fbdc93576a35bc2d232a48ed54366

SHA1
9fc9f4c0125b50572e631a8a1d51ebfd594d3335

SHA256
6dd503b0dcfb6aceafee5e02e3df1882d33a6abce7a0127c615354f2e0b788d9

SHA512
d501cde2cfcb04ae851aaa0ae7934b13a6ab64f6866cc0bfb1f9ee3c65f3fe9e48948a40c1494cfdcc00cce75398c1240dec4be7dde31cb961a4250bd8635543

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchosts.exe
Filesize
18KB

MD5
d133d370c3858c9811e70f95d554d2c6

SHA1
bb09b1253ce571a49b76951283883a3499588295

SHA256
87a1711030512dd414bcbab0659a2b51c0c16505bd8a068a282a1cc2c9fdf93b

SHA512
db4d41fca43e496b2b0d8d47d936a9ce204e3b6c4c669a8a9810362776a977b5337359b843fcd1d20004455d2c91f9790b3accb5352f4e55ec53c7e5d359d778

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchosts.exe
Filesize
18KB

MD5
d133d370c3858c9811e70f95d554d2c6

SHA1
bb09b1253ce571a49b76951283883a3499588295

SHA256
87a1711030512dd414bcbab0659a2b51c0c16505bd8a068a282a1cc2c9fdf93b

SHA512
db4d41fca43e496b2b0d8d47d936a9ce204e3b6c4c669a8a9810362776a977b5337359b843fcd1d20004455d2c91f9790b3accb5352f4e55ec53c7e5d359d778

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6A6D.tmp.bat
Filesize
153B

MD5
546b6325076c65a8e4c6ca5493a923b3

SHA1
1707cb778bb42161171ed88bf6695ec80d13ed15

SHA256
a1686354dd3e2e62f42f227933c0892f11b0d55eb2dc4e2d661d9c8a340d35fe

SHA512
3b815063343409ec427bde3b035a573d275e40b6d47245c1f914f4e871731933dccab137e78e0d6687414fdb9da39c3b64ae35f0912da3d1ab79059daa7c60b5

Download Submit
C:\Users\Admin\AppData\Local\ed00d6cd-3867-424c-ab2d-5fd89e4b0542\373D.exe
Filesize
729KB

MD5
4128acbedee976974a7f0c08272c33bc

SHA1
26e291a00f439a1c435e0b7c62c8357d87a879dd

SHA256
9a7527a421f977efc383e32c88ec073669f96d2d7381a1d8e36ec80a5a06da02

SHA512
1209c4d20a788b1b006b0d117cf0e194db65c38865ea2f6a4441e19993a207c367a45827f94ee6c743dfd7b4044185934f8d4eb79bfff9cb5c3f3446a4bcb16a

Download Submit
C:\Users\Admin\AppData\Roaming\CsEKSsCbCSUHsBFKUscCEESFBsSFkFUHCCUBfbUSAHShSSfKSchFBse.exe
Filesize
837KB

MD5
b71f097937ef3e6a757cda055babb005

SHA1
3fb167b8608824592d1707614cce46cfc643dd44

SHA256
917f533b13b2bac659f4a16d03ea4e1b30ee535c57c132b4d4f784fbd2c2a482

SHA512
d0fca6ef77597c68d8bbf671f4929764146be1dbeae2c6f66783be2922df09e9a7b983c603a295c1056b12f6cddf6e22eadea99bfc104266e4dae75b829b43aa

Download Submit
C:\Users\Admin\AppData\Roaming\CsEKSsCbCSUHsBFKUscCEESFBsSFkFUHCCUBfbUSAHShSSfKSchFBse.exe
Filesize
837KB

MD5
b71f097937ef3e6a757cda055babb005

SHA1
3fb167b8608824592d1707614cce46cfc643dd44

SHA256
917f533b13b2bac659f4a16d03ea4e1b30ee535c57c132b4d4f784fbd2c2a482

SHA512
d0fca6ef77597c68d8bbf671f4929764146be1dbeae2c6f66783be2922df09e9a7b983c603a295c1056b12f6cddf6e22eadea99bfc104266e4dae75b829b43aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsRework.exe
Filesize
185KB

MD5
ce9fbdc93576a35bc2d232a48ed54366

SHA1
9fc9f4c0125b50572e631a8a1d51ebfd594d3335

SHA256
6dd503b0dcfb6aceafee5e02e3df1882d33a6abce7a0127c615354f2e0b788d9

SHA512
d501cde2cfcb04ae851aaa0ae7934b13a6ab64f6866cc0bfb1f9ee3c65f3fe9e48948a40c1494cfdcc00cce75398c1240dec4be7dde31cb961a4250bd8635543

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsRework.exe
Filesize
185KB

MD5
ce9fbdc93576a35bc2d232a48ed54366

SHA1
9fc9f4c0125b50572e631a8a1d51ebfd594d3335

SHA256
6dd503b0dcfb6aceafee5e02e3df1882d33a6abce7a0127c615354f2e0b788d9

SHA512
d501cde2cfcb04ae851aaa0ae7934b13a6ab64f6866cc0bfb1f9ee3c65f3fe9e48948a40c1494cfdcc00cce75398c1240dec4be7dde31cb961a4250bd8635543

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsRework.exe
Filesize
185KB

MD5
ce9fbdc93576a35bc2d232a48ed54366

SHA1
9fc9f4c0125b50572e631a8a1d51ebfd594d3335

SHA256
6dd503b0dcfb6aceafee5e02e3df1882d33a6abce7a0127c615354f2e0b788d9

SHA512
d501cde2cfcb04ae851aaa0ae7934b13a6ab64f6866cc0bfb1f9ee3c65f3fe9e48948a40c1494cfdcc00cce75398c1240dec4be7dde31cb961a4250bd8635543

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
memory/504-132-0x00000000007CD000-0x00000000007DE000-memory.dmp

Filesize
68KB

Download
memory/504-133-0x00000000006F0000-0x00000000006F9000-memory.dmp

Filesize
36KB

Download
memory/504-137-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/504-136-0x00000000006F0000-0x00000000006F9000-memory.dmp

Filesize
36KB

Download
memory/504-135-0x00000000007CD000-0x00000000007DE000-memory.dmp

Filesize
68KB

Download
memory/504-134-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/988-178-0x0000000004880000-0x00000000048BE000-memory.dmp

Filesize
248KB

Download
memory/988-182-0x0000000007C10000-0x0000000007C4C000-memory.dmp

Filesize
240KB

Download
memory/988-233-0x0000000000400000-0x0000000002C53000-memory.dmp

Filesize
40.3MB

Download
memory/988-177-0x0000000002DF9000-0x0000000002E2A000-memory.dmp

Filesize
196KB

Download
memory/988-180-0x0000000007AC0000-0x0000000007BCA000-memory.dmp

Filesize
1.0MB

Download
memory/988-179-0x0000000007CA0000-0x00000000082B8000-memory.dmp

Filesize
6.1MB

Download
memory/988-138-0x0000000000000000-mapping.dmp

Download
memory/988-181-0x0000000007BF0000-0x0000000007C02000-memory.dmp

Filesize
72KB

Download
memory/988-173-0x0000000000400000-0x0000000002C53000-memory.dmp

Filesize
40.3MB

Download
memory/988-199-0x0000000000400000-0x0000000002C53000-memory.dmp

Filesize
40.3MB

Download
memory/988-200-0x0000000002DF9000-0x0000000002E2A000-memory.dmp

Filesize
196KB

Download
memory/988-207-0x0000000008530000-0x0000000008596000-memory.dmp

Filesize
408KB

Download
memory/988-176-0x0000000007930000-0x00000000079C2000-memory.dmp

Filesize
584KB

Download
memory/988-175-0x0000000007380000-0x0000000007924000-memory.dmp

Filesize
5.6MB

Download
memory/988-234-0x0000000002DF9000-0x0000000002E2A000-memory.dmp

Filesize
196KB

Download
memory/1052-297-0x0000000000000000-mapping.dmp

Download
memory/2248-292-0x0000000000000000-mapping.dmp

Download
memory/2280-307-0x0000000000000000-mapping.dmp

Download
memory/2472-278-0x0000000000000000-mapping.dmp

Download
memory/2472-287-0x00007FFFEB410000-0x00007FFFEBED1000-memory.dmp

Filesize
10.8MB

Download
memory/2472-281-0x00000000003E0000-0x0000000000500000-memory.dmp

Filesize
1.1MB

Download
memory/2472-282-0x00007FFFEB410000-0x00007FFFEBED1000-memory.dmp

Filesize
10.8MB

Download
memory/2480-298-0x0000000000000000-mapping.dmp

Download
memory/3820-255-0x0000000000000000-mapping.dmp

Download
memory/3820-259-0x00007FFFEBEE0000-0x00007FFFEC916000-memory.dmp

Filesize
10.2MB

Download
memory/3900-150-0x000000000229B000-0x000000000232C000-memory.dmp

Filesize
580KB

Download
memory/3900-152-0x0000000002330000-0x000000000244B000-memory.dmp

Filesize
1.1MB

Download
memory/3900-141-0x0000000000000000-mapping.dmp

Download
memory/4328-293-0x0000000000000000-mapping.dmp

Download
memory/4512-144-0x0000000000000000-mapping.dmp

Download
memory/4524-289-0x0000000000000000-mapping.dmp

Download
memory/4560-283-0x0000000000000000-mapping.dmp

Download
memory/4560-286-0x00000000002D0000-0x00000000003A6000-memory.dmp

Filesize
856KB

Download
memory/4564-264-0x0000000000000000-mapping.dmp

Download
memory/4564-270-0x00000000736A0000-0x0000000073C51000-memory.dmp

Filesize
5.7MB

Download
memory/4564-277-0x00000000736A0000-0x0000000073C51000-memory.dmp

Filesize
5.7MB

Download
memory/4676-147-0x0000000000000000-mapping.dmp

Download
memory/4676-174-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/4676-161-0x00000000008CD000-0x00000000008DD000-memory.dmp

Filesize
64KB

Download
memory/4676-162-0x0000000000690000-0x0000000000699000-memory.dmp

Filesize
36KB

Download
memory/4676-163-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/4900-273-0x0000000000000000-mapping.dmp

Download
memory/7228-151-0x0000000000000000-mapping.dmp

Download
memory/10536-159-0x0000000001000000-0x0000000001075000-memory.dmp

Filesize
468KB

Download
memory/10536-160-0x0000000000D40000-0x0000000000DAB000-memory.dmp

Filesize
428KB

Download
memory/10536-172-0x0000000000D40000-0x0000000000DAB000-memory.dmp

Filesize
428KB

Download
memory/10536-153-0x0000000000000000-mapping.dmp

Download
memory/12852-195-0x00000000030C0000-0x00000000031B4000-memory.dmp

Filesize
976KB

Download
memory/12852-192-0x0000000003290000-0x0000000003345000-memory.dmp

Filesize
724KB

Download
memory/12852-191-0x0000000003290000-0x0000000003345000-memory.dmp

Filesize
724KB

Download
memory/12852-190-0x00000000031C0000-0x0000000003287000-memory.dmp

Filesize
796KB

Download
memory/12852-171-0x00000000030C0000-0x00000000031B4000-memory.dmp

Filesize
976KB

Download
memory/12852-170-0x0000000002EC0000-0x0000000002FB4000-memory.dmp

Filesize
976KB

Download
memory/12852-155-0x0000000000000000-mapping.dmp

Download
memory/19716-157-0x0000000000000000-mapping.dmp

Download
memory/19716-158-0x0000000000A30000-0x0000000000A3C000-memory.dmp

Filesize
48KB

Download
memory/39088-169-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/39088-164-0x0000000000000000-mapping.dmp

Download
memory/39088-165-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/39088-167-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/39088-168-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/39088-198-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/50404-258-0x00000000736A0000-0x0000000073C51000-memory.dmp

Filesize
5.7MB

Download
memory/50404-262-0x00000000006F5000-0x0000000000703000-memory.dmp

Filesize
56KB

Download
memory/50404-251-0x0000000000000000-mapping.dmp

Download
memory/50404-269-0x00000000006F5000-0x0000000000703000-memory.dmp

Filesize
56KB

Download
memory/50404-268-0x00000000736A0000-0x0000000073C51000-memory.dmp

Filesize
5.7MB

Download
memory/50404-263-0x00000000048B0000-0x00000000048D2000-memory.dmp

Filesize
136KB

Download
memory/50404-260-0x00000000006F5000-0x0000000000703000-memory.dmp

Filesize
56KB

Download
memory/84916-183-0x0000000000000000-mapping.dmp

Download
memory/92100-184-0x0000000000000000-mapping.dmp

Download
memory/92100-185-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/92100-229-0x0000000007670000-0x0000000007B9C000-memory.dmp

Filesize
5.2MB

Download
memory/92100-228-0x00000000063B0000-0x0000000006572000-memory.dmp

Filesize
1.8MB

Download
memory/92260-202-0x0000000002323000-0x00000000023B4000-memory.dmp

Filesize
580KB

Download
memory/92260-196-0x0000000000000000-mapping.dmp

Download
memory/92364-206-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/92364-201-0x0000000000000000-mapping.dmp

Download
memory/92364-212-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/92364-205-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/92364-235-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/92548-213-0x0000000000000000-mapping.dmp

Download
memory/92548-221-0x00000000006E8000-0x0000000000715000-memory.dmp

Filesize
180KB

Download
memory/92548-222-0x00000000021E0000-0x0000000002239000-memory.dmp

Filesize
356KB

Download
memory/92596-216-0x0000000000000000-mapping.dmp

Download
memory/92596-220-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/92596-219-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/92596-237-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/92596-217-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/92596-223-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/92644-224-0x0000000000000000-mapping.dmp

Download
memory/92672-227-0x0000000000000000-mapping.dmp

Download
memory/92968-236-0x0000000000000000-mapping.dmp

Download
memory/93028-238-0x0000000000000000-mapping.dmp

Download
memory/93048-246-0x0000000000673000-0x0000000000681000-memory.dmp

Filesize
56KB

Download
memory/93048-239-0x0000000000000000-mapping.dmp

Download
memory/93048-242-0x0000000000673000-0x0000000000681000-memory.dmp

Filesize
56KB

Download
memory/93048-248-0x0000000002470000-0x00000000024B3000-memory.dmp

Filesize
268KB

Download
memory/93048-249-0x00000000736A0000-0x0000000073C51000-memory.dmp

Filesize
5.7MB

Download
memory/93092-276-0x000000000A870000-0x000000000A874000-memory.dmp

Filesize
16KB

Download
memory/93092-252-0x0000000000BD9000-0x0000000000BDF000-memory.dmp

Filesize
24KB

Download
memory/93092-271-0x00000000736A0000-0x0000000073C51000-memory.dmp

Filesize
5.7MB

Download
memory/93092-243-0x0000000000000000-mapping.dmp

Download
memory/93092-244-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/93092-272-0x0000000000BD9000-0x0000000000BDF000-memory.dmp

Filesize
24KB

Download
memory/93092-261-0x000000000A870000-0x000000000A874000-memory.dmp

Filesize
16KB

Download
memory/93092-250-0x00000000736A0000-0x0000000073C51000-memory.dmp

Filesize
5.7MB

Download