blacknet | fa098da5c908e9ef45a25971e2a90a78673d241a6e9c67d1e4166a026ceefb12

Analysis

max time kernel
100s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2022 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

183KB
MD5

8611fcd3c059993ae37c038f0682507a
SHA1

82a2f78e8594faff95889690b93fb37ed96ad242
SHA256

fa098da5c908e9ef45a25971e2a90a78673d241a6e9c67d1e4166a026ceefb12
SHA512

0586abd3654a75e709382bef587af6ed92c1f5ec5a75e7d581b0e3279395475de36b9541d6c6cb952168391c0c1285c46f72f63e96cd71944f9be4d83bc3e061
SSDEEP

3072:5pKvfIGP7fLv7LFVxtkfx5bjviLMdGB8zvufPpy7iyCDgUZiYVcCkoftuGTJ:5poTDfz7LvxtkLvgMdQImf4W42J4c

Score

10^/10

blacknet djvu redline smokeloader mario23_10 backdoor collection discovery infostealer persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

djvu

http://fresherlights.com/lancer/get.php

Attributes

extension
.bozq
offline_id
oHp5e4SJxdFtxfvKYmeX06F4C5cn0EcsF5Ak9Wt1
payload_url
http://uaery.top/dl/build2.exe
http://fresherlights.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-dyi5UcwIT9 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@fishmail.top Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0597Jhyjd

rsa_pubkey.plain

Extracted

Family

redline

Botnet

mario23_10

167.235.252.160:10642

Attributes

auth_value
eca57cfb5172f71dc45986763bb98942

Extracted

Family

blacknet

Attributes

antivm
false
elevate_uac
false
install_name
splitter
start_name
startup
false
usb_spread
false

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/78176-246-0x0000000000400000-0x0000000000426000-memory.dmp	family_blacknet
behavioral2/memory/28912-249-0x0000000004A00000-0x0000000004A22000-memory.dmp	family_blacknet

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/78176-246-0x0000000000400000-0x0000000000426000-memory.dmp	disable_win_def
behavioral2/memory/28912-249-0x0000000004A00000-0x0000000004A22000-memory.dmp	disable_win_def

Detected Djvu ransomware 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4676-150-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4676-154-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1060-153-0x0000000002350000-0x000000000246B000-memory.dmp	family_djvu
behavioral2/memory/4676-156-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4676-147-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4676-195-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/78244-201-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/78244-202-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/78244-207-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/78244-233-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4540-133-0x00000000006D0000-0x00000000006D9000-memory.dmp	family_smokeloader
behavioral2/memory/10908-171-0x00000000006F0000-0x00000000006F9000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/67236-181-0x0000000000400000-0x0000000000460000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Executes dropped EXE 16 IoCs

Processes:

D9DA.exeDB62.exeDD76.exeDB62.exeDFF8.exeDB62.exeDB62.exebuild2.exebuild2.exebuild3.exemstsca.exeEF08.exeEF08.exeWindowsRework.exesvchosts.exeWindowsRework.exe

pid	process
4220	D9DA.exe
1060	DB62.exe
2592	DD76.exe
4676	DB62.exe
10908	DFF8.exe
78072	DB62.exe
78244	DB62.exe
78444	build2.exe
78524	build2.exe
78588	build3.exe
77964	mstsca.exe
28912	EF08.exe
78176	EF08.exe
1868	WindowsRework.exe
3980	svchosts.exe
1908	WindowsRework.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DB62.exeDB62.exebuild2.exeEF08.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	DB62.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	DB62.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	build2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	EF08.exe

Loads dropped DLL 4 IoCs

Processes:

regsvr32.exebuild2.exe

pid process

38048 regsvr32.exe
78524 build2.exe
78524 build2.exe
78524 build2.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

77856 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
38048	regsvr32.exe
78524	build2.exe
78524	build2.exe
78524	build2.exe

pid	process
77856	icacls.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

DB62.exeEF08.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d550db81-d30f-468e-a03d-1b71b9d9f679\\DB62.exe\" --AutoStart"	DB62.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d3f5d9b2bed7d09a6a916e85527c9d53 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EF08.exe"	EF08.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d3f5d9b2bed7d09a6a916e85527c9d53 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\MyClient\\WindowsRework.exe"	EF08.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

26 api.2ip.ua
27 api.2ip.ua
45 api.2ip.ua

flow	ioc
26	api.2ip.ua
27	api.2ip.ua
45	api.2ip.ua

Suspicious use of SetThreadContext 6 IoCs

Processes:

DB62.exeDD76.exeDB62.exebuild2.exeEF08.exeWindowsRework.exe

description	pid	process	target process
PID 1060 set thread context of 4676	1060	DB62.exe	DB62.exe
PID 2592 set thread context of 67236	2592	DD76.exe	AppLaunch.exe
PID 78072 set thread context of 78244	78072	DB62.exe	DB62.exe
PID 78444 set thread context of 78524	78444	build2.exe	build2.exe
PID 28912 set thread context of 78176	28912	EF08.exe	EF08.exe
PID 1868 set thread context of 1908	1868	WindowsRework.exe	WindowsRework.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

77996 2592 WerFault.exe DD76.exe
78792 4220 WerFault.exe D9DA.exe

pid	pid_target	process	target process
77996	2592	WerFault.exe	DD76.exe
78792	4220	WerFault.exe	D9DA.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

file.exeDFF8.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DFF8.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DFF8.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DFF8.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

build2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

78616 schtasks.exe
64372 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

77852 timeout.exe

pid	process
78616	schtasks.exe
64372	schtasks.exe

pid	process
77852	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
4540	file.exe
4540	file.exe
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676
676

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

676
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

file.exeDFF8.exe

pid process

4540 file.exe
676
676
676
676
10908 DFF8.exe

pid	process
676

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

D9DA.exeAppLaunch.exeEF08.exe

description	pid	process
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeDebugPrivilege	4220	D9DA.exe
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeDebugPrivilege	67236	AppLaunch.exe
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676
Token: SeDebugPrivilege	78176	EF08.exe
Token: SeShutdownPrivilege	676
Token: SeCreatePagefilePrivilege	676

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

DB62.exeregsvr32.exeDD76.exeDB62.exeDB62.exeDB62.exebuild2.exe

description	pid	process	target process
PID 676 wrote to memory of 4220	676		D9DA.exe
PID 676 wrote to memory of 4220	676		D9DA.exe
PID 676 wrote to memory of 4220	676		D9DA.exe
PID 676 wrote to memory of 1060	676		DB62.exe
PID 676 wrote to memory of 1060	676		DB62.exe
PID 676 wrote to memory of 1060	676		DB62.exe
PID 676 wrote to memory of 2592	676		DD76.exe
PID 676 wrote to memory of 2592	676		DD76.exe
PID 676 wrote to memory of 2592	676		DD76.exe
PID 1060 wrote to memory of 4676	1060	DB62.exe	DB62.exe
PID 1060 wrote to memory of 4676	1060	DB62.exe	DB62.exe
PID 1060 wrote to memory of 4676	1060	DB62.exe	DB62.exe
PID 1060 wrote to memory of 4676	1060	DB62.exe	DB62.exe
PID 1060 wrote to memory of 4676	1060	DB62.exe	DB62.exe
PID 1060 wrote to memory of 4676	1060	DB62.exe	DB62.exe
PID 1060 wrote to memory of 4676	1060	DB62.exe	DB62.exe
PID 1060 wrote to memory of 4676	1060	DB62.exe	DB62.exe
PID 1060 wrote to memory of 4676	1060	DB62.exe	DB62.exe
PID 1060 wrote to memory of 4676	1060	DB62.exe	DB62.exe
PID 676 wrote to memory of 10908	676		DFF8.exe
PID 676 wrote to memory of 10908	676		DFF8.exe
PID 676 wrote to memory of 10908	676		DFF8.exe
PID 676 wrote to memory of 30860	676		regsvr32.exe
PID 676 wrote to memory of 30860	676		regsvr32.exe
PID 676 wrote to memory of 38040	676		explorer.exe
PID 676 wrote to memory of 38040	676		explorer.exe
PID 676 wrote to memory of 38040	676		explorer.exe
PID 30860 wrote to memory of 38048	30860	regsvr32.exe	regsvr32.exe
PID 30860 wrote to memory of 38048	30860	regsvr32.exe	regsvr32.exe
PID 30860 wrote to memory of 38048	30860	regsvr32.exe	regsvr32.exe
PID 676 wrote to memory of 38040	676		explorer.exe
PID 676 wrote to memory of 50964	676		explorer.exe
PID 676 wrote to memory of 50964	676		explorer.exe
PID 676 wrote to memory of 50964	676		explorer.exe
PID 2592 wrote to memory of 67236	2592	DD76.exe	AppLaunch.exe
PID 2592 wrote to memory of 67236	2592	DD76.exe	AppLaunch.exe
PID 2592 wrote to memory of 67236	2592	DD76.exe	AppLaunch.exe
PID 2592 wrote to memory of 67236	2592	DD76.exe	AppLaunch.exe
PID 4676 wrote to memory of 77856	4676	DB62.exe	icacls.exe
PID 4676 wrote to memory of 77856	4676	DB62.exe	icacls.exe
PID 4676 wrote to memory of 77856	4676	DB62.exe	icacls.exe
PID 2592 wrote to memory of 67236	2592	DD76.exe	AppLaunch.exe
PID 4676 wrote to memory of 78072	4676	DB62.exe	DB62.exe
PID 4676 wrote to memory of 78072	4676	DB62.exe	DB62.exe
PID 4676 wrote to memory of 78072	4676	DB62.exe	DB62.exe
PID 78072 wrote to memory of 78244	78072	DB62.exe	DB62.exe
PID 78072 wrote to memory of 78244	78072	DB62.exe	DB62.exe
PID 78072 wrote to memory of 78244	78072	DB62.exe	DB62.exe
PID 78072 wrote to memory of 78244	78072	DB62.exe	DB62.exe
PID 78072 wrote to memory of 78244	78072	DB62.exe	DB62.exe
PID 78072 wrote to memory of 78244	78072	DB62.exe	DB62.exe
PID 78072 wrote to memory of 78244	78072	DB62.exe	DB62.exe
PID 78072 wrote to memory of 78244	78072	DB62.exe	DB62.exe
PID 78072 wrote to memory of 78244	78072	DB62.exe	DB62.exe
PID 78072 wrote to memory of 78244	78072	DB62.exe	DB62.exe
PID 78244 wrote to memory of 78444	78244	DB62.exe	build2.exe
PID 78244 wrote to memory of 78444	78244	DB62.exe	build2.exe
PID 78244 wrote to memory of 78444	78244	DB62.exe	build2.exe
PID 78444 wrote to memory of 78524	78444	build2.exe	build2.exe
PID 78444 wrote to memory of 78524	78444	build2.exe	build2.exe
PID 78444 wrote to memory of 78524	78444	build2.exe	build2.exe
PID 78444 wrote to memory of 78524	78444	build2.exe	build2.exe
PID 78444 wrote to memory of 78524	78444	build2.exe	build2.exe
PID 78444 wrote to memory of 78524	78444	build2.exe	build2.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4540

C:\Users\Admin\AppData\Local\Temp\D9DA.exe
C:\Users\Admin\AppData\Local\Temp\D9DA.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 1552
2⤵
- Program crash
PID:78792

C:\Users\Admin\AppData\Local\Temp\DB62.exe
C:\Users\Admin\AppData\Local\Temp\DB62.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1060

C:\Users\Admin\AppData\Local\Temp\DB62.exe
C:\Users\Admin\AppData\Local\Temp\DB62.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\d550db81-d30f-468e-a03d-1b71b9d9f679" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:77856

C:\Users\Admin\AppData\Local\Temp\DB62.exe
"C:\Users\Admin\AppData\Local\Temp\DB62.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:78072

C:\Users\Admin\AppData\Local\Temp\DB62.exe
"C:\Users\Admin\AppData\Local\Temp\DB62.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:78244

C:\Users\Admin\AppData\Local\87a26459-c9ee-4ba1-9432-29dced72f86d\build2.exe
"C:\Users\Admin\AppData\Local\87a26459-c9ee-4ba1-9432-29dced72f86d\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:78444

C:\Users\Admin\AppData\Local\87a26459-c9ee-4ba1-9432-29dced72f86d\build2.exe
"C:\Users\Admin\AppData\Local\87a26459-c9ee-4ba1-9432-29dced72f86d\build2.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
PID:78524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\87a26459-c9ee-4ba1-9432-29dced72f86d\build2.exe" & exit
7⤵
PID:78844

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:77852

C:\Users\Admin\AppData\Local\87a26459-c9ee-4ba1-9432-29dced72f86d\build3.exe
"C:\Users\Admin\AppData\Local\87a26459-c9ee-4ba1-9432-29dced72f86d\build3.exe"
5⤵
- Executes dropped EXE
PID:78588

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
6⤵
- Creates scheduled task(s)
PID:78616

C:\Users\Admin\AppData\Local\Temp\DD76.exe
C:\Users\Admin\AppData\Local\Temp\DD76.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:67236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 74412
2⤵
- Program crash
PID:77996

C:\Users\Admin\AppData\Local\Temp\DFF8.exe
C:\Users\Admin\AppData\Local\Temp\DFF8.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:10908

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\E4CB.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:30860

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\E4CB.dll
2⤵
- Loads dropped DLL
PID:38048

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:38040

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:50964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2592 -ip 2592
1⤵
PID:77948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4220 -ip 4220
1⤵
PID:78772

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:77964

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
2⤵
- Creates scheduled task(s)
PID:64372

C:\Users\Admin\AppData\Local\Temp\EF08.exe
C:\Users\Admin\AppData\Local\Temp\EF08.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:28912

C:\Users\Admin\AppData\Local\Temp\EF08.exe
C:\Users\Admin\AppData\Local\Temp\EF08.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:78176

C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsRework.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsRework.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1868

C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsRework.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsRework.exe"
4⤵
- Executes dropped EXE
PID:1908

C:\Users\Admin\AppData\Local\Temp\svchosts.exe
"C:\Users\Admin\AppData\Local\Temp\svchosts.exe"
3⤵
- Executes dropped EXE
PID:3980

C:\Users\Admin\AppData\Local\Temp\BD37.exe
C:\Users\Admin\AppData\Local\Temp\BD37.exe
1⤵
PID:3916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\sqlite3.dll
Filesize
1.1MB

MD5
1f44d4d3087c2b202cf9c90ee9d04b0f

SHA1
106a3ebc9e39ab6ddb3ff987efb6527c956f192d

SHA256
4841020c8bd06b08fde6e44cbe2e2ab33439e1c8368e936ec5b00dc0584f7260

SHA512
b614c72a3c1ce681ebffa628e29aa50275cc80ca9267380960c5198ea4d0a3f2df6cfb7275491d220bad72f14fc94e6656501e9a061d102fb11e00cfda2beb45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
bf72e427cb37a9eea765a22bd913f4a9

SHA1
65472f30a9b5e73ab656b220200c08d80aa102f5

SHA256
0bb3634c75731c7e50568ec1b894ce832b3a3b42990909c2bb6230c34756b1cc

SHA512
681d5f0ef428c2dcb175ac1f4f1c6f944401fbee2eb5932973e47ab05f9a9c55fbbfa8dd6a57ec623cc6c759a743f4c532195eaf9561e6b1e536e7181bf9d140

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
38bc9052d67fb7ff388671b512e76cb2

SHA1
097e30ab48d6130317a71cd53bd998c662d79171

SHA256
427acbd4b71e76709af64c7e94e63649ef51518d632afa3d24f06e5aebf95b9b

SHA512
a440c0983bbd454d421458d3203688b119bd56d7942fb6839868e183dcf9a838516aaa05295bf818149c39ce65509297ff8608241f62f82f289c35b17cc2043e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
376eec09b27274e466edc960bf306f01

SHA1
3b21b8bdd77434cf202924d6d2e6197dbee62e81

SHA256
eeb656d136e2d69a9976171001d3d0dc3f54c30a2774275a8dd51c8b4ba7ae41

SHA512
2235d8a80da32441ab8875d982bfac0130e11759133bdc8a0f0bb86a5a06631a5cda2e4ef28db7d6ac566c26be88360233296828280e54e008d650667c56b44a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
af7b27ba22adefac2cff3b8c2914b27c

SHA1
eceeeb9a3526d6286419a9cea9700d072ff86dbb

SHA256
f9d0a66b5d50a496c9491bd9e568d4a3d6b90c4be015e08dfee1451b7aae7e64

SHA512
a2a239afe41bdc4a8682b14b17ea4789b49083e6681fc073d51953c7e4f77bcae0c14a162d849e85793199c71d7c71cf0af37d24f7e8ea75165fdfac2d9b8d5d

Download Submit
C:\Users\Admin\AppData\Local\87a26459-c9ee-4ba1-9432-29dced72f86d\build2.exe
Filesize
323KB

MD5
efcd4db108fc262b0fba4f82692bfdf1

SHA1
5cc11f23b251c802e2e5497cc40d5702853e4f16

SHA256
1aacaadce5954ff321f06df9cf1785902ef0b1806599b8b0aa477ae211ff2976

SHA512
6c6cfe51f2686d26477934efe52a861c5a7bbd1baa4edac087c49058bca51d43b5be1214e22761ae63e98cd3e78c8aef51571835ac8e009cdc70c56439f2d15e

Download Submit
C:\Users\Admin\AppData\Local\87a26459-c9ee-4ba1-9432-29dced72f86d\build2.exe
Filesize
323KB

MD5
efcd4db108fc262b0fba4f82692bfdf1

SHA1
5cc11f23b251c802e2e5497cc40d5702853e4f16

SHA256
1aacaadce5954ff321f06df9cf1785902ef0b1806599b8b0aa477ae211ff2976

SHA512
6c6cfe51f2686d26477934efe52a861c5a7bbd1baa4edac087c49058bca51d43b5be1214e22761ae63e98cd3e78c8aef51571835ac8e009cdc70c56439f2d15e

Download Submit
C:\Users\Admin\AppData\Local\87a26459-c9ee-4ba1-9432-29dced72f86d\build2.exe
Filesize
323KB

MD5
efcd4db108fc262b0fba4f82692bfdf1

SHA1
5cc11f23b251c802e2e5497cc40d5702853e4f16

SHA256
1aacaadce5954ff321f06df9cf1785902ef0b1806599b8b0aa477ae211ff2976

SHA512
6c6cfe51f2686d26477934efe52a861c5a7bbd1baa4edac087c49058bca51d43b5be1214e22761ae63e98cd3e78c8aef51571835ac8e009cdc70c56439f2d15e

Download Submit
C:\Users\Admin\AppData\Local\87a26459-c9ee-4ba1-9432-29dced72f86d\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\87a26459-c9ee-4ba1-9432-29dced72f86d\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\EF08.exe.log
Filesize
20B

MD5
b3ac9d09e3a47d5fd00c37e075a70ecb

SHA1
ad14e6d0e07b00bd10d77a06d68841b20675680b

SHA256
7a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432

SHA512
09b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316

Download Submit
C:\Users\Admin\AppData\Local\Temp\BD37.exe
Filesize
703KB

MD5
4e06f9d0f3dd453df7137f20073c05d8

SHA1
7a273b77ae896a9cd6f5c53a0bda33dc45556732

SHA256
ff28f2cb4c45ad87829c0bdc731d524e90af663ea569fc9e71254d2873dbaaef

SHA512
0356ff96ebf119520e642899a7d2b773914abccab642372749a68d56dd0ebc73c8a55d17ad7ef5bad532ebe3788586bc24264d61d74e241266f94f6f43d9c364

Download Submit
C:\Users\Admin\AppData\Local\Temp\BD37.exe
Filesize
703KB

MD5
4e06f9d0f3dd453df7137f20073c05d8

SHA1
7a273b77ae896a9cd6f5c53a0bda33dc45556732

SHA256
ff28f2cb4c45ad87829c0bdc731d524e90af663ea569fc9e71254d2873dbaaef

SHA512
0356ff96ebf119520e642899a7d2b773914abccab642372749a68d56dd0ebc73c8a55d17ad7ef5bad532ebe3788586bc24264d61d74e241266f94f6f43d9c364

Download Submit
C:\Users\Admin\AppData\Local\Temp\D9DA.exe
Filesize
403KB

MD5
20fc27e56aeb4d8031e8952f5c367565

SHA1
23d1e5f43cf5ffcc1b23bdc0dbc82e2ca2c82f8d

SHA256
74529df015f3ac14d2a4f9744c8945bdb3998707ac66f47fd20fbb62ed126716

SHA512
e0b6ff5ce7fcac646b03c6458a91655aea4d6850010d3501aa1e788add16b4d63b57643ec78fe91e4344d19b75ba63cc7995ef0dfdc2b6b3a62dba181f0f7348

Download Submit
C:\Users\Admin\AppData\Local\Temp\D9DA.exe
Filesize
403KB

MD5
20fc27e56aeb4d8031e8952f5c367565

SHA1
23d1e5f43cf5ffcc1b23bdc0dbc82e2ca2c82f8d

SHA256
74529df015f3ac14d2a4f9744c8945bdb3998707ac66f47fd20fbb62ed126716

SHA512
e0b6ff5ce7fcac646b03c6458a91655aea4d6850010d3501aa1e788add16b4d63b57643ec78fe91e4344d19b75ba63cc7995ef0dfdc2b6b3a62dba181f0f7348

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB62.exe
Filesize
729KB

MD5
4128acbedee976974a7f0c08272c33bc

SHA1
26e291a00f439a1c435e0b7c62c8357d87a879dd

SHA256
9a7527a421f977efc383e32c88ec073669f96d2d7381a1d8e36ec80a5a06da02

SHA512
1209c4d20a788b1b006b0d117cf0e194db65c38865ea2f6a4441e19993a207c367a45827f94ee6c743dfd7b4044185934f8d4eb79bfff9cb5c3f3446a4bcb16a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB62.exe
Filesize
729KB

MD5
4128acbedee976974a7f0c08272c33bc

SHA1
26e291a00f439a1c435e0b7c62c8357d87a879dd

SHA256
9a7527a421f977efc383e32c88ec073669f96d2d7381a1d8e36ec80a5a06da02

SHA512
1209c4d20a788b1b006b0d117cf0e194db65c38865ea2f6a4441e19993a207c367a45827f94ee6c743dfd7b4044185934f8d4eb79bfff9cb5c3f3446a4bcb16a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB62.exe
Filesize
729KB

MD5
4128acbedee976974a7f0c08272c33bc

SHA1
26e291a00f439a1c435e0b7c62c8357d87a879dd

SHA256
9a7527a421f977efc383e32c88ec073669f96d2d7381a1d8e36ec80a5a06da02

SHA512
1209c4d20a788b1b006b0d117cf0e194db65c38865ea2f6a4441e19993a207c367a45827f94ee6c743dfd7b4044185934f8d4eb79bfff9cb5c3f3446a4bcb16a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB62.exe
Filesize
729KB

MD5
4128acbedee976974a7f0c08272c33bc

SHA1
26e291a00f439a1c435e0b7c62c8357d87a879dd

SHA256
9a7527a421f977efc383e32c88ec073669f96d2d7381a1d8e36ec80a5a06da02

SHA512
1209c4d20a788b1b006b0d117cf0e194db65c38865ea2f6a4441e19993a207c367a45827f94ee6c743dfd7b4044185934f8d4eb79bfff9cb5c3f3446a4bcb16a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB62.exe
Filesize
729KB

MD5
4128acbedee976974a7f0c08272c33bc

SHA1
26e291a00f439a1c435e0b7c62c8357d87a879dd

SHA256
9a7527a421f977efc383e32c88ec073669f96d2d7381a1d8e36ec80a5a06da02

SHA512
1209c4d20a788b1b006b0d117cf0e194db65c38865ea2f6a4441e19993a207c367a45827f94ee6c743dfd7b4044185934f8d4eb79bfff9cb5c3f3446a4bcb16a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DD76.exe
Filesize
569KB

MD5
db7f539c00d09631bccd44e890646024

SHA1
f33beb0c8c6b280516a7777357eb11e886af34db

SHA256
c8dcf8b8201a431cff06cb065b931ebc15ffb12de14ccb9bcd989104155e715c

SHA512
c4b4531accd9e38d7f71e15e75a498277f99ef6f8ab3817651292cc0cc4441acb7993a11f0ea5848f9fa09a015c3c487993fa29bf98cf2566c4987561e71c36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DD76.exe
Filesize
569KB

MD5
db7f539c00d09631bccd44e890646024

SHA1
f33beb0c8c6b280516a7777357eb11e886af34db

SHA256
c8dcf8b8201a431cff06cb065b931ebc15ffb12de14ccb9bcd989104155e715c

SHA512
c4b4531accd9e38d7f71e15e75a498277f99ef6f8ab3817651292cc0cc4441acb7993a11f0ea5848f9fa09a015c3c487993fa29bf98cf2566c4987561e71c36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DFF8.exe
Filesize
181KB

MD5
a580716c85ddeb8ec54931c0ad936681

SHA1
50a6d64889c3192dbf111cd0d24d46d1cf735177

SHA256
7315ab3fbe785acb4ad597e8a3e00f494dd17aeeb7bb2b0753efb770162054c1

SHA512
9960b9ec8d3819603f83d6a6743b51ed34676a3129d02fcc34179132ddc11358de6602834d95821631cc5682b4a5aaa7dfb1c550d3bb165e35c353484ed76229

Download Submit
C:\Users\Admin\AppData\Local\Temp\DFF8.exe
Filesize
181KB

MD5
a580716c85ddeb8ec54931c0ad936681

SHA1
50a6d64889c3192dbf111cd0d24d46d1cf735177

SHA256
7315ab3fbe785acb4ad597e8a3e00f494dd17aeeb7bb2b0753efb770162054c1

SHA512
9960b9ec8d3819603f83d6a6743b51ed34676a3129d02fcc34179132ddc11358de6602834d95821631cc5682b4a5aaa7dfb1c550d3bb165e35c353484ed76229

Download Submit
C:\Users\Admin\AppData\Local\Temp\E4CB.dll
Filesize
1.5MB

MD5
8e4a0c607db16c345cfbafbfdc54e75c

SHA1
dea1effd2eb667de38eec154d17f89cc7646231d

SHA256
fee01d5648c40e808abd9672ddb4d70c15df0edfcc6a61afbcbc690cceba6045

SHA512
c998c14cae8d99bb41f7b8d006fd29705ec98cf639a28a7d5bedb0248e8a4f1cb9e96f31d51e29bcf4eebc4ff0b367150887e4e516c9d1937555b24fd879f13f

Download Submit
C:\Users\Admin\AppData\Local\Temp\E4CB.dll
Filesize
1.5MB

MD5
8e4a0c607db16c345cfbafbfdc54e75c

SHA1
dea1effd2eb667de38eec154d17f89cc7646231d

SHA256
fee01d5648c40e808abd9672ddb4d70c15df0edfcc6a61afbcbc690cceba6045

SHA512
c998c14cae8d99bb41f7b8d006fd29705ec98cf639a28a7d5bedb0248e8a4f1cb9e96f31d51e29bcf4eebc4ff0b367150887e4e516c9d1937555b24fd879f13f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EF08.exe
Filesize
185KB

MD5
ce9fbdc93576a35bc2d232a48ed54366

SHA1
9fc9f4c0125b50572e631a8a1d51ebfd594d3335

SHA256
6dd503b0dcfb6aceafee5e02e3df1882d33a6abce7a0127c615354f2e0b788d9

SHA512
d501cde2cfcb04ae851aaa0ae7934b13a6ab64f6866cc0bfb1f9ee3c65f3fe9e48948a40c1494cfdcc00cce75398c1240dec4be7dde31cb961a4250bd8635543

Download Submit
C:\Users\Admin\AppData\Local\Temp\EF08.exe
Filesize
185KB

MD5
ce9fbdc93576a35bc2d232a48ed54366

SHA1
9fc9f4c0125b50572e631a8a1d51ebfd594d3335

SHA256
6dd503b0dcfb6aceafee5e02e3df1882d33a6abce7a0127c615354f2e0b788d9

SHA512
d501cde2cfcb04ae851aaa0ae7934b13a6ab64f6866cc0bfb1f9ee3c65f3fe9e48948a40c1494cfdcc00cce75398c1240dec4be7dde31cb961a4250bd8635543

Download Submit
C:\Users\Admin\AppData\Local\Temp\EF08.exe
Filesize
185KB

MD5
ce9fbdc93576a35bc2d232a48ed54366

SHA1
9fc9f4c0125b50572e631a8a1d51ebfd594d3335

SHA256
6dd503b0dcfb6aceafee5e02e3df1882d33a6abce7a0127c615354f2e0b788d9

SHA512
d501cde2cfcb04ae851aaa0ae7934b13a6ab64f6866cc0bfb1f9ee3c65f3fe9e48948a40c1494cfdcc00cce75398c1240dec4be7dde31cb961a4250bd8635543

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchosts.exe
Filesize
18KB

MD5
d133d370c3858c9811e70f95d554d2c6

SHA1
bb09b1253ce571a49b76951283883a3499588295

SHA256
87a1711030512dd414bcbab0659a2b51c0c16505bd8a068a282a1cc2c9fdf93b

SHA512
db4d41fca43e496b2b0d8d47d936a9ce204e3b6c4c669a8a9810362776a977b5337359b843fcd1d20004455d2c91f9790b3accb5352f4e55ec53c7e5d359d778

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchosts.exe
Filesize
18KB

MD5
d133d370c3858c9811e70f95d554d2c6

SHA1
bb09b1253ce571a49b76951283883a3499588295

SHA256
87a1711030512dd414bcbab0659a2b51c0c16505bd8a068a282a1cc2c9fdf93b

SHA512
db4d41fca43e496b2b0d8d47d936a9ce204e3b6c4c669a8a9810362776a977b5337359b843fcd1d20004455d2c91f9790b3accb5352f4e55ec53c7e5d359d778

Download Submit
C:\Users\Admin\AppData\Local\d550db81-d30f-468e-a03d-1b71b9d9f679\DB62.exe
Filesize
729KB

MD5
4128acbedee976974a7f0c08272c33bc

SHA1
26e291a00f439a1c435e0b7c62c8357d87a879dd

SHA256
9a7527a421f977efc383e32c88ec073669f96d2d7381a1d8e36ec80a5a06da02

SHA512
1209c4d20a788b1b006b0d117cf0e194db65c38865ea2f6a4441e19993a207c367a45827f94ee6c743dfd7b4044185934f8d4eb79bfff9cb5c3f3446a4bcb16a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsRework.exe
Filesize
185KB

MD5
ce9fbdc93576a35bc2d232a48ed54366

SHA1
9fc9f4c0125b50572e631a8a1d51ebfd594d3335

SHA256
6dd503b0dcfb6aceafee5e02e3df1882d33a6abce7a0127c615354f2e0b788d9

SHA512
d501cde2cfcb04ae851aaa0ae7934b13a6ab64f6866cc0bfb1f9ee3c65f3fe9e48948a40c1494cfdcc00cce75398c1240dec4be7dde31cb961a4250bd8635543

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsRework.exe
Filesize
185KB

MD5
ce9fbdc93576a35bc2d232a48ed54366

SHA1
9fc9f4c0125b50572e631a8a1d51ebfd594d3335

SHA256
6dd503b0dcfb6aceafee5e02e3df1882d33a6abce7a0127c615354f2e0b788d9

SHA512
d501cde2cfcb04ae851aaa0ae7934b13a6ab64f6866cc0bfb1f9ee3c65f3fe9e48948a40c1494cfdcc00cce75398c1240dec4be7dde31cb961a4250bd8635543

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsRework.exe
Filesize
185KB

MD5
ce9fbdc93576a35bc2d232a48ed54366

SHA1
9fc9f4c0125b50572e631a8a1d51ebfd594d3335

SHA256
6dd503b0dcfb6aceafee5e02e3df1882d33a6abce7a0127c615354f2e0b788d9

SHA512
d501cde2cfcb04ae851aaa0ae7934b13a6ab64f6866cc0bfb1f9ee3c65f3fe9e48948a40c1494cfdcc00cce75398c1240dec4be7dde31cb961a4250bd8635543

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
memory/1060-155-0x000000000216D000-0x00000000021FE000-memory.dmp

Filesize
580KB

Download
memory/1060-139-0x0000000000000000-mapping.dmp

Download
memory/1060-144-0x000000000216D000-0x00000000021FE000-memory.dmp

Filesize
580KB

Download
memory/1060-153-0x0000000002350000-0x000000000246B000-memory.dmp

Filesize
1.1MB

Download
memory/1868-253-0x0000000000000000-mapping.dmp

Download
memory/1868-267-0x00000000006B4000-0x00000000006C2000-memory.dmp

Filesize
56KB

Download
memory/1868-266-0x0000000073950000-0x0000000073F01000-memory.dmp

Filesize
5.7MB

Download
memory/1868-262-0x00000000006B4000-0x00000000006C2000-memory.dmp

Filesize
56KB

Download
memory/1868-259-0x0000000073950000-0x0000000073F01000-memory.dmp

Filesize
5.7MB

Download
memory/1908-269-0x0000000073950000-0x0000000073F01000-memory.dmp

Filesize
5.7MB

Download
memory/1908-272-0x00000000099A4000-0x00000000099A7000-memory.dmp

Filesize
12KB

Download
memory/1908-270-0x0000000000489000-0x000000000048F000-memory.dmp

Filesize
24KB

Download
memory/1908-274-0x0000000073950000-0x0000000073F01000-memory.dmp

Filesize
5.7MB

Download
memory/1908-263-0x0000000000000000-mapping.dmp

Download
memory/1908-271-0x00000000099A0000-0x00000000099A4000-memory.dmp

Filesize
16KB

Download
memory/2592-142-0x0000000000000000-mapping.dmp

Download
memory/3916-280-0x0000000000000000-mapping.dmp

Download
memory/3980-268-0x00007FFA0E850000-0x00007FFA0F286000-memory.dmp

Filesize
10.2MB

Download
memory/3980-258-0x0000000000000000-mapping.dmp

Download
memory/4220-176-0x0000000007AD0000-0x0000000007B0C000-memory.dmp

Filesize
240KB

Download
memory/4220-165-0x0000000000400000-0x0000000002C53000-memory.dmp

Filesize
40.3MB

Download
memory/4220-227-0x0000000002F79000-0x0000000002FAA000-memory.dmp

Filesize
196KB

Download
memory/4220-231-0x0000000002F79000-0x0000000002FAA000-memory.dmp

Filesize
196KB

Download
memory/4220-175-0x0000000007AB0000-0x0000000007AC2000-memory.dmp

Filesize
72KB

Download
memory/4220-174-0x0000000007980000-0x0000000007A8A000-memory.dmp

Filesize
1.0MB

Download
memory/4220-173-0x0000000007B60000-0x0000000008178000-memory.dmp

Filesize
6.1MB

Download
memory/4220-221-0x0000000000400000-0x0000000002C53000-memory.dmp

Filesize
40.3MB

Download
memory/4220-213-0x0000000008E00000-0x000000000932C000-memory.dmp

Filesize
5.2MB

Download
memory/4220-166-0x00000000071F0000-0x0000000007794000-memory.dmp

Filesize
5.6MB

Download
memory/4220-167-0x0000000007820000-0x00000000078B2000-memory.dmp

Filesize
584KB

Download
memory/4220-232-0x0000000000400000-0x0000000002C53000-memory.dmp

Filesize
40.3MB

Download
memory/4220-208-0x00000000083F0000-0x0000000008456000-memory.dmp

Filesize
408KB

Download
memory/4220-161-0x0000000002F79000-0x0000000002FAA000-memory.dmp

Filesize
196KB

Download
memory/4220-162-0x0000000002EC0000-0x0000000002EFE000-memory.dmp

Filesize
248KB

Download
memory/4220-136-0x0000000000000000-mapping.dmp

Download
memory/4220-212-0x0000000008C30000-0x0000000008DF2000-memory.dmp

Filesize
1.8MB

Download
memory/4540-135-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/4540-132-0x000000000082D000-0x000000000083E000-memory.dmp

Filesize
68KB

Download
memory/4540-134-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/4540-133-0x00000000006D0000-0x00000000006D9000-memory.dmp

Filesize
36KB

Download
memory/4676-150-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4676-195-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4676-146-0x0000000000000000-mapping.dmp

Download
memory/4676-154-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4676-156-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4676-147-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/10908-148-0x0000000000000000-mapping.dmp

Download
memory/10908-171-0x00000000006F0000-0x00000000006F9000-memory.dmp

Filesize
36KB

Download
memory/10908-172-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/10908-177-0x000000000078D000-0x000000000079D000-memory.dmp

Filesize
64KB

Download
memory/10908-189-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/28912-243-0x0000000073950000-0x0000000073F01000-memory.dmp

Filesize
5.7MB

Download
memory/28912-240-0x0000000000000000-mapping.dmp

Download
memory/28912-251-0x0000000073950000-0x0000000073F01000-memory.dmp

Filesize
5.7MB

Download
memory/28912-249-0x0000000004A00000-0x0000000004A22000-memory.dmp

Filesize
136KB

Download
memory/28912-248-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/30860-157-0x0000000000000000-mapping.dmp

Download
memory/38040-168-0x0000000000A00000-0x0000000000A75000-memory.dmp

Filesize
468KB

Download
memory/38040-160-0x0000000000000000-mapping.dmp

Download
memory/38040-169-0x0000000000790000-0x00000000007FB000-memory.dmp

Filesize
428KB

Download
memory/38048-190-0x0000000003200000-0x00000000032B5000-memory.dmp

Filesize
724KB

Download
memory/38048-196-0x0000000003030000-0x0000000003124000-memory.dmp

Filesize
976KB

Download
memory/38048-178-0x0000000002E30000-0x0000000002F24000-memory.dmp

Filesize
976KB

Download
memory/38048-159-0x0000000000000000-mapping.dmp

Download
memory/38048-179-0x0000000003030000-0x0000000003124000-memory.dmp

Filesize
976KB

Download
memory/38048-191-0x0000000003200000-0x00000000032B5000-memory.dmp

Filesize
724KB

Download
memory/38048-188-0x0000000003130000-0x00000000031F7000-memory.dmp

Filesize
796KB

Download
memory/50964-170-0x0000000000F20000-0x0000000000F2C000-memory.dmp

Filesize
48KB

Download
memory/50964-164-0x0000000000000000-mapping.dmp

Download
memory/64372-239-0x0000000000000000-mapping.dmp

Download
memory/67236-181-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/67236-180-0x0000000000000000-mapping.dmp

Download
memory/77852-236-0x0000000000000000-mapping.dmp

Download
memory/77856-185-0x0000000000000000-mapping.dmp

Download
memory/78072-198-0x00000000008AF000-0x0000000000940000-memory.dmp

Filesize
580KB

Download
memory/78072-192-0x0000000000000000-mapping.dmp

Download
memory/78176-256-0x0000000000A39000-0x0000000000A3F000-memory.dmp

Filesize
24KB

Download
memory/78176-273-0x0000000073950000-0x0000000073F01000-memory.dmp

Filesize
5.7MB

Download
memory/78176-279-0x000000000A4F4000-0x000000000A4F7000-memory.dmp

Filesize
12KB

Download
memory/78176-278-0x000000000A4F0000-0x000000000A4F4000-memory.dmp

Filesize
16KB

Download
memory/78176-257-0x000000000A4F0000-0x000000000A4F4000-memory.dmp

Filesize
16KB

Download
memory/78176-277-0x0000000000A39000-0x0000000000A3F000-memory.dmp

Filesize
24KB

Download
memory/78176-252-0x0000000073950000-0x0000000073F01000-memory.dmp

Filesize
5.7MB

Download
memory/78176-276-0x0000000073950000-0x0000000073F01000-memory.dmp

Filesize
5.7MB

Download
memory/78176-275-0x000000000A4F4000-0x000000000A4F7000-memory.dmp

Filesize
12KB

Download
memory/78176-246-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/78176-245-0x0000000000000000-mapping.dmp

Download
memory/78244-233-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/78244-197-0x0000000000000000-mapping.dmp

Download
memory/78244-201-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/78244-202-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/78244-207-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/78444-220-0x0000000000750000-0x00000000007A9000-memory.dmp

Filesize
356KB

Download
memory/78444-209-0x0000000000000000-mapping.dmp

Download
memory/78444-218-0x0000000000848000-0x0000000000875000-memory.dmp

Filesize
180KB

Download
memory/78524-235-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/78524-214-0x0000000000000000-mapping.dmp

Download
memory/78524-222-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/78524-219-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/78524-215-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/78524-217-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/78588-223-0x0000000000000000-mapping.dmp

Download
memory/78616-226-0x0000000000000000-mapping.dmp

Download
memory/78844-234-0x0000000000000000-mapping.dmp

Download