amadey | d2df1d3734da45f8cab30f98313db9604c4f91ec2241964a8df8f6bf215779e0

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
15-11-2022 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2df1d3734da45f8cab30f98313db9604c4f91ec2241964a8df8f6bf215779e0.exe
Size

184KB
MD5

a40c5326642dcaefe755f0654bdca87a
SHA1

32e75b198ddc9957a54f69412796990e4f786428
SHA256

d2df1d3734da45f8cab30f98313db9604c4f91ec2241964a8df8f6bf215779e0
SHA512

fee90a7dd0521b69da3f6983bde47cf03c5e1990356a9103974e51dd94be77016dea3b5b25c8948f56d368e87622f0a9b8a19bdbe528b1a1d34a47af486b40b6
SSDEEP

1536:Fg0UBd/IKvOKb9FPEyqe5RWUsSJilA90IvmdgqM4TmvDE/uDlB42t23ZOwHuIPvf:FgvVqe51syzoFCD5HTtK0IPhzwBER

Score

10^/10

amadey djvu redline smokeloader vidar 517 mario23_10 rozena1114 backdoor collection discovery infostealer persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

djvu

http://fresherlights.com/lancer/get.php

Attributes

extension
.fate
offline_id
5IRhyFuF3rXlXBvF6jAWjHEAnAb432icDCcvZyt1
payload_url
http://uaery.top/dl/build2.exe
http://fresherlights.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-4wOUlYSwGo Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0603Jhyjd

rsa_pubkey.plain

Extracted

Family

redline

Botnet

mario23_10

167.235.252.160:10642

Attributes

auth_value
eca57cfb5172f71dc45986763bb98942

Extracted

Family

vidar

Version

55.7

Botnet

517

https://t.me/deadftx

https://www.ultimate-guitar.com/u/smbfupkuhrgc1

Attributes

profile_id
517

Extracted

Family

redline

Botnet

rozena1114

jalocliche.xyz:81

chardhesha.xyz:81

Attributes

auth_value
9fefd743a3b62bcd7c3e17a70fbdb3a8

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll	amadey_cred_module
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll	amadey_cred_module

Detected Djvu ransomware 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2372-169-0x0000000002540000-0x000000000265B000-memory.dmp	family_djvu
behavioral1/memory/1832-174-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1832-176-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1832-171-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1832-178-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1832-200-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3564-209-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3564-211-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3564-216-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3564-263-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4076-133-0x0000000000830000-0x0000000000839000-memory.dmp	family_smokeloader
behavioral1/memory/1728-156-0x0000000000610000-0x0000000000619000-memory.dmp	family_smokeloader
behavioral1/memory/3760-165-0x00000000006E0000-0x00000000006E9000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2452-189-0x0000000000400000-0x0000000000460000-memory.dmp	family_redline
behavioral1/memory/3796-342-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

149 2696 rundll32.exe
171 2696 rundll32.exe
181 4444 rundll32.exe
Downloads MZ/PE file

flow	pid	process
149	2696	rundll32.exe
171	2696	rundll32.exe
181	4444	rundll32.exe

Executes dropped EXE 19 IoCs

Processes:

3ECF.exe4076.exe4171.exe4412.exe4664.exe48C7.exe3ECF.exe3ECF.exe3ECF.exebuild2.exebuild3.exebuild2.exemstsca.exeB3F5.exeB742.exeBA31.exerovwer.exeCD9B.exerovwer.exe

pid	process
2372	3ECF.exe
1728	4076.exe
4068	4171.exe
3760	4412.exe
1104	4664.exe
1144	48C7.exe
1832	3ECF.exe
4136	3ECF.exe
3564	3ECF.exe
3136	build2.exe
3196	build3.exe
3056	build2.exe
448	mstsca.exe
4288	B3F5.exe
3112	B742.exe
4636	BA31.exe
2040	rovwer.exe
724	CD9B.exe
808	rovwer.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BA31.exerovwer.exe3ECF.exe3ECF.exebuild2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	BA31.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	rovwer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	3ECF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	3ECF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	build2.exe

Loads dropped DLL 7 IoCs

Processes:

regsvr32.exebuild2.exerundll32.exeB742.exerundll32.exe

pid process

2456 regsvr32.exe
3056 build2.exe
3056 build2.exe
2696 rundll32.exe
2696 rundll32.exe
3112 B742.exe
4444 rundll32.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

2888 icacls.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2456	regsvr32.exe
3056	build2.exe
3056	build2.exe
2696	rundll32.exe
2696	rundll32.exe
3112	B742.exe
4444	rundll32.exe

pid	process
2888	icacls.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

explorer.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3ECF.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6156297a-4331-410d-a61a-18f0462535eb\\3ECF.exe\" --AutoStart"	3ECF.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

47 api.2ip.ua
28 api.2ip.ua
29 api.2ip.ua

flow	ioc
47	api.2ip.ua
28	api.2ip.ua
29	api.2ip.ua

Suspicious use of SetThreadContext 6 IoCs

Processes:

3ECF.exe48C7.exe3ECF.exebuild2.exeB742.exerundll32.exe

description	pid	process	target process
PID 2372 set thread context of 1832	2372	3ECF.exe	3ECF.exe
PID 1144 set thread context of 2452	1144	48C7.exe	vbc.exe
PID 4136 set thread context of 3564	4136	3ECF.exe	3ECF.exe
PID 3136 set thread context of 3056	3136	build2.exe	build2.exe
PID 3112 set thread context of 3796	3112	B742.exe	ngentask.exe
PID 2696 set thread context of 5100	2696	rundll32.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4852	3760	WerFault.exe	4412.exe
2368	4068	WerFault.exe	4171.exe
4652	4636	WerFault.exe	BA31.exe
1512	724	WerFault.exe	CD9B.exe
4080	4288	WerFault.exe	B3F5.exe
256	808	WerFault.exe	rovwer.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d2df1d3734da45f8cab30f98313db9604c4f91ec2241964a8df8f6bf215779e0.exe4076.exe4664.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d2df1d3734da45f8cab30f98313db9604c4f91ec2241964a8df8f6bf215779e0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4076.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4076.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4076.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d2df1d3734da45f8cab30f98313db9604c4f91ec2241964a8df8f6bf215779e0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4664.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4664.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4664.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d2df1d3734da45f8cab30f98313db9604c4f91ec2241964a8df8f6bf215779e0.exe

Checks processor information in registry 2 TTPs 20 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exebuild2.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2152 schtasks.exe
380 schtasks.exe
2076 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1088 timeout.exe

pid	process
2152	schtasks.exe
380	schtasks.exe
2076	schtasks.exe

pid	process
1088	timeout.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000006f557940100054656d7000003a0009000400efbe0c551d9c6f5580402e0000000000000000000000000000000000000000000000000084290201540065006d007000000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2704

pid	process
2704

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d2df1d3734da45f8cab30f98313db9604c4f91ec2241964a8df8f6bf215779e0.exe

pid	process
4076	d2df1d3734da45f8cab30f98313db9604c4f91ec2241964a8df8f6bf215779e0.exe
4076	d2df1d3734da45f8cab30f98313db9604c4f91ec2241964a8df8f6bf215779e0.exe
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2704

pid	process
2704

Suspicious behavior: MapViewOfSection 25 IoCs

Processes:

d2df1d3734da45f8cab30f98313db9604c4f91ec2241964a8df8f6bf215779e0.exe4076.exe4664.exe

pid	process
4076	d2df1d3734da45f8cab30f98313db9604c4f91ec2241964a8df8f6bf215779e0.exe
2704
2704
2704
2704
1728	4076.exe
1104	4664.exe
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vbc.exeB3F5.exe

description	pid	process
Token: SeShutdownPrivilege	2704
Token: SeCreatePagefilePrivilege	2704
Token: SeShutdownPrivilege	2704
Token: SeCreatePagefilePrivilege	2704
Token: SeShutdownPrivilege	2704
Token: SeCreatePagefilePrivilege	2704
Token: SeShutdownPrivilege	2704
Token: SeCreatePagefilePrivilege	2704
Token: SeShutdownPrivilege	2704
Token: SeCreatePagefilePrivilege	2704
Token: SeShutdownPrivilege	2704
Token: SeCreatePagefilePrivilege	2704
Token: SeShutdownPrivilege	2704
Token: SeCreatePagefilePrivilege	2704
Token: SeShutdownPrivilege	2704
Token: SeCreatePagefilePrivilege	2704
Token: SeShutdownPrivilege	2704
Token: SeCreatePagefilePrivilege	2704
Token: SeShutdownPrivilege	2704
Token: SeCreatePagefilePrivilege	2704
Token: SeShutdownPrivilege	2704
Token: SeCreatePagefilePrivilege	2704
Token: SeDebugPrivilege	2452	vbc.exe
Token: SeShutdownPrivilege	2704
Token: SeCreatePagefilePrivilege	2704
Token: SeDebugPrivilege	4288	B3F5.exe
Token: SeShutdownPrivilege	2704
Token: SeCreatePagefilePrivilege	2704
Token: SeShutdownPrivilege	2704
Token: SeCreatePagefilePrivilege	2704
Token: SeShutdownPrivilege	2704
Token: SeCreatePagefilePrivilege	2704
Token: SeShutdownPrivilege	2704
Token: SeCreatePagefilePrivilege	2704
Token: SeShutdownPrivilege	2704
Token: SeCreatePagefilePrivilege	2704
Token: SeShutdownPrivilege	2704
Token: SeCreatePagefilePrivilege	2704
Token: SeShutdownPrivilege	2704
Token: SeCreatePagefilePrivilege	2704
Token: SeShutdownPrivilege	2704
Token: SeCreatePagefilePrivilege	2704
Token: SeShutdownPrivilege	2704
Token: SeCreatePagefilePrivilege	2704
Token: SeShutdownPrivilege	2704
Token: SeCreatePagefilePrivilege	2704
Token: SeShutdownPrivilege	2704
Token: SeCreatePagefilePrivilege	2704
Token: SeShutdownPrivilege	2704
Token: SeCreatePagefilePrivilege	2704
Token: SeShutdownPrivilege	2704
Token: SeCreatePagefilePrivilege	2704
Token: SeShutdownPrivilege	2704
Token: SeCreatePagefilePrivilege	2704
Token: SeShutdownPrivilege	2704
Token: SeCreatePagefilePrivilege	2704
Token: SeShutdownPrivilege	2704
Token: SeCreatePagefilePrivilege	2704
Token: SeShutdownPrivilege	2704
Token: SeCreatePagefilePrivilege	2704
Token: SeShutdownPrivilege	2704
Token: SeCreatePagefilePrivilege	2704
Token: SeShutdownPrivilege	2704
Token: SeCreatePagefilePrivilege	2704

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

5100 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2704
2704

pid	process
5100	rundll32.exe

pid	process
2704
2704

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exe3ECF.exe3ECF.exe48C7.exe3ECF.exe3ECF.exe

description	pid	process	target process
PID 2704 wrote to memory of 4164	2704		regsvr32.exe
PID 2704 wrote to memory of 4164	2704		regsvr32.exe
PID 4164 wrote to memory of 2456	4164	regsvr32.exe	regsvr32.exe
PID 4164 wrote to memory of 2456	4164	regsvr32.exe	regsvr32.exe
PID 4164 wrote to memory of 2456	4164	regsvr32.exe	regsvr32.exe
PID 2704 wrote to memory of 2372	2704		3ECF.exe
PID 2704 wrote to memory of 2372	2704		3ECF.exe
PID 2704 wrote to memory of 2372	2704		3ECF.exe
PID 2704 wrote to memory of 1728	2704		4076.exe
PID 2704 wrote to memory of 1728	2704		4076.exe
PID 2704 wrote to memory of 1728	2704		4076.exe
PID 2704 wrote to memory of 4068	2704		4171.exe
PID 2704 wrote to memory of 4068	2704		4171.exe
PID 2704 wrote to memory of 4068	2704		4171.exe
PID 2704 wrote to memory of 3760	2704		4412.exe
PID 2704 wrote to memory of 3760	2704		4412.exe
PID 2704 wrote to memory of 3760	2704		4412.exe
PID 2704 wrote to memory of 1104	2704		4664.exe
PID 2704 wrote to memory of 1104	2704		4664.exe
PID 2704 wrote to memory of 1104	2704		4664.exe
PID 2704 wrote to memory of 1144	2704		48C7.exe
PID 2704 wrote to memory of 1144	2704		48C7.exe
PID 2704 wrote to memory of 1144	2704		48C7.exe
PID 2704 wrote to memory of 2376	2704		explorer.exe
PID 2704 wrote to memory of 2376	2704		explorer.exe
PID 2704 wrote to memory of 2376	2704		explorer.exe
PID 2704 wrote to memory of 2376	2704		explorer.exe
PID 2704 wrote to memory of 3256	2704		explorer.exe
PID 2704 wrote to memory of 3256	2704		explorer.exe
PID 2704 wrote to memory of 3256	2704		explorer.exe
PID 2372 wrote to memory of 1832	2372	3ECF.exe	3ECF.exe
PID 2372 wrote to memory of 1832	2372	3ECF.exe	3ECF.exe
PID 2372 wrote to memory of 1832	2372	3ECF.exe	3ECF.exe
PID 2372 wrote to memory of 1832	2372	3ECF.exe	3ECF.exe
PID 2372 wrote to memory of 1832	2372	3ECF.exe	3ECF.exe
PID 2372 wrote to memory of 1832	2372	3ECF.exe	3ECF.exe
PID 2372 wrote to memory of 1832	2372	3ECF.exe	3ECF.exe
PID 2372 wrote to memory of 1832	2372	3ECF.exe	3ECF.exe
PID 2372 wrote to memory of 1832	2372	3ECF.exe	3ECF.exe
PID 2372 wrote to memory of 1832	2372	3ECF.exe	3ECF.exe
PID 1832 wrote to memory of 2888	1832	3ECF.exe	icacls.exe
PID 1832 wrote to memory of 2888	1832	3ECF.exe	icacls.exe
PID 1832 wrote to memory of 2888	1832	3ECF.exe	icacls.exe
PID 1144 wrote to memory of 2452	1144	48C7.exe	vbc.exe
PID 1144 wrote to memory of 2452	1144	48C7.exe	vbc.exe
PID 1144 wrote to memory of 2452	1144	48C7.exe	vbc.exe
PID 1144 wrote to memory of 2452	1144	48C7.exe	vbc.exe
PID 1144 wrote to memory of 2452	1144	48C7.exe	vbc.exe
PID 1832 wrote to memory of 4136	1832	3ECF.exe	3ECF.exe
PID 1832 wrote to memory of 4136	1832	3ECF.exe	3ECF.exe
PID 1832 wrote to memory of 4136	1832	3ECF.exe	3ECF.exe
PID 4136 wrote to memory of 3564	4136	3ECF.exe	3ECF.exe
PID 4136 wrote to memory of 3564	4136	3ECF.exe	3ECF.exe
PID 4136 wrote to memory of 3564	4136	3ECF.exe	3ECF.exe
PID 4136 wrote to memory of 3564	4136	3ECF.exe	3ECF.exe
PID 4136 wrote to memory of 3564	4136	3ECF.exe	3ECF.exe
PID 4136 wrote to memory of 3564	4136	3ECF.exe	3ECF.exe
PID 4136 wrote to memory of 3564	4136	3ECF.exe	3ECF.exe
PID 4136 wrote to memory of 3564	4136	3ECF.exe	3ECF.exe
PID 4136 wrote to memory of 3564	4136	3ECF.exe	3ECF.exe
PID 4136 wrote to memory of 3564	4136	3ECF.exe	3ECF.exe
PID 3564 wrote to memory of 3136	3564	3ECF.exe	build2.exe
PID 3564 wrote to memory of 3136	3564	3ECF.exe	build2.exe
PID 3564 wrote to memory of 3136	3564	3ECF.exe	build2.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\d2df1d3734da45f8cab30f98313db9604c4f91ec2241964a8df8f6bf215779e0.exe
"C:\Users\Admin\AppData\Local\Temp\d2df1d3734da45f8cab30f98313db9604c4f91ec2241964a8df8f6bf215779e0.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4076

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3DE4.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4164

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\3DE4.dll
2⤵
- Loads dropped DLL
PID:2456

C:\Users\Admin\AppData\Local\Temp\3ECF.exe
C:\Users\Admin\AppData\Local\Temp\3ECF.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2372

C:\Users\Admin\AppData\Local\Temp\3ECF.exe
C:\Users\Admin\AppData\Local\Temp\3ECF.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\6156297a-4331-410d-a61a-18f0462535eb" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:2888

C:\Users\Admin\AppData\Local\Temp\3ECF.exe
"C:\Users\Admin\AppData\Local\Temp\3ECF.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4136

C:\Users\Admin\AppData\Local\Temp\3ECF.exe
"C:\Users\Admin\AppData\Local\Temp\3ECF.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3564

C:\Users\Admin\AppData\Local\7e520158-9341-4351-bb78-7c640736886f\build2.exe
"C:\Users\Admin\AppData\Local\7e520158-9341-4351-bb78-7c640736886f\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3136

C:\Users\Admin\AppData\Local\7e520158-9341-4351-bb78-7c640736886f\build2.exe
"C:\Users\Admin\AppData\Local\7e520158-9341-4351-bb78-7c640736886f\build2.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
PID:3056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\7e520158-9341-4351-bb78-7c640736886f\build2.exe" & exit
7⤵
PID:3168

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:1088

C:\Users\Admin\AppData\Local\7e520158-9341-4351-bb78-7c640736886f\build3.exe
"C:\Users\Admin\AppData\Local\7e520158-9341-4351-bb78-7c640736886f\build3.exe"
5⤵
- Executes dropped EXE
PID:3196

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
6⤵
- Creates scheduled task(s)
PID:2152

C:\Users\Admin\AppData\Local\Temp\4076.exe
C:\Users\Admin\AppData\Local\Temp\4076.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1728

C:\Users\Admin\AppData\Local\Temp\4171.exe
C:\Users\Admin\AppData\Local\Temp\4171.exe
1⤵
- Executes dropped EXE
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 340
2⤵
- Program crash
PID:2368

C:\Users\Admin\AppData\Local\Temp\4412.exe
C:\Users\Admin\AppData\Local\Temp\4412.exe
1⤵
- Executes dropped EXE
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 340
2⤵
- Program crash
PID:4852

C:\Users\Admin\AppData\Local\Temp\4664.exe
C:\Users\Admin\AppData\Local\Temp\4664.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1104

C:\Users\Admin\AppData\Local\Temp\48C7.exe
C:\Users\Admin\AppData\Local\Temp\48C7.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3760 -ip 3760
1⤵
PID:2424

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4068 -ip 4068
1⤵
PID:4468

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:448

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
2⤵
- Creates scheduled task(s)
PID:380

C:\Users\Admin\AppData\Local\Temp\B3F5.exe
C:\Users\Admin\AppData\Local\Temp\B3F5.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 1220
2⤵
- Program crash
PID:4080

C:\Users\Admin\AppData\Local\Temp\B742.exe
C:\Users\Admin\AppData\Local\Temp\B742.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:3112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
2⤵
PID:4428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
2⤵
PID:3796

C:\Users\Admin\AppData\Local\Temp\BA31.exe
C:\Users\Admin\AppData\Local\Temp\BA31.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:4636

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
PID:2040

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F
3⤵
- Creates scheduled task(s)
PID:2076

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit
3⤵
PID:1508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:2336

C:\Windows\SysWOW64\cacls.exe
CACLS "rovwer.exe" /P "Admin:N"
4⤵
PID:3600

C:\Windows\SysWOW64\cacls.exe
CACLS "rovwer.exe" /P "Admin:R" /E
4⤵
PID:4832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:1248

C:\Windows\SysWOW64\cacls.exe
CACLS "..\99e342142d" /P "Admin:N"
4⤵
PID:2308

C:\Windows\SysWOW64\cacls.exe
CACLS "..\99e342142d" /P "Admin:R" /E
4⤵
PID:2588

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- outlook_win_path
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 1144
2⤵
- Program crash
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4636 -ip 4636
1⤵
PID:4588

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4856

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4232

C:\Users\Admin\AppData\Local\Temp\CD9B.exe
C:\Users\Admin\AppData\Local\Temp\CD9B.exe
1⤵
- Executes dropped EXE
PID:724

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Hefurhy.dll,start
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
PID:2696

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 16327
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 724 -s 524
2⤵
- Program crash
PID:1512

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3544

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2264

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1328

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 724 -ip 724
1⤵
PID:1072

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2668

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1688

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4288 -ip 4288
1⤵
PID:3920

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
1⤵
- Executes dropped EXE
PID:808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 216
2⤵
- Program crash
PID:256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 808 -ip 808
1⤵
PID:4472

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1404

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
b00f59ce59a95f5fe629aff007e982fa

SHA1
8eb54eb49c540b80dba22e0a863f8122b48df410

SHA256
d3559d4f89073b9bd7764d42e0fd258f78d98b5344af368056696f5fb6a87c46

SHA512
6317a36087f2166e5a77a5761d7ad662c76b2989840af4e89e8a93845c8c7f47e6a26341be77db39ca687aacb5e50ad3730a5ee4b6d76669637b676a31b0efb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
8245d5e076774cc6f63bf77f4650bf3b

SHA1
2efdf2d5967e180eb13f9633094b617e4e1a8656

SHA256
b4247c5d4cedfc5c553005c58ea254e62b12ced6a28a183fcc3823e4d1cfbc53

SHA512
a2eb33bdb4f996bb67508b8add8f042bf26223f427caefa1ef1388cdecd6f15eecbc197d88a59e64f1a0f7e8a14983ab96bbe6463f2cadf39e6637679f34ad54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
9e5fef485ec0e5b8cc936c1c6cc08a1b

SHA1
925bcbd3f79b35249663e9b5b8407191e62c5c60

SHA256
35ab8901c3fa69ccf03be4432a2f3aacd5dcd731d6ed4be823a8d1bae6cd0491

SHA512
ec5d080a1864544f367ea3678e877d8ad247cfb7bc4ab6b37d3bbecd4c9d93e906eede6d9e2fcf72ceb3672bd798eff3ff11d3137161ecb66f6185ab2322187b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
7919e401971d66ae294477bd0b2fe6f6

SHA1
1b018b328fedf67d59c0e9972098806b6b980aee

SHA256
8b47aac5f50ff63585e01fcba8f525707bec9edaf45b4ca4217f47cb22d54dcb

SHA512
5946c56af5ec159f291c0218025252ad119f9e22eedc04e8e713e730c343399203c3408145efe090fc1732097f3a3f2a0ca45065cb54acfced6c92f2bcce7e06

Download Submit
C:\Users\Admin\AppData\Local\6156297a-4331-410d-a61a-18f0462535eb\3ECF.exe
Filesize
801KB

MD5
f499ee4717f26ed348a1c7b2ce14d809

SHA1
a032d944136eec161ecc5c2e3eb913055738ea3f

SHA256
c7b5306ec09e65428900e7acf48a574516387d496cabe49d8e19baf2245f4984

SHA512
160e6675540285a6ab142756d52bc946278d5185ea00216e4c2b85abd007787cb528633b187bad346db7ddf009cb97a0d80df44c20f3d779ac12d50ce8274216

Download Submit
C:\Users\Admin\AppData\Local\7e520158-9341-4351-bb78-7c640736886f\build2.exe
Filesize
388KB

MD5
8b401fc82a41458872b2e5345600f46f

SHA1
61bcf479e850a0cacc646529a3ec919968379a75

SHA256
2631ab16a328fb1e677dfffbebe122cf9b96540df841edcac6a5a20bd54d6214

SHA512
ee5652cfba1b32bd9baff0ce09d5396a38b44e4b8443d49c0fcbce897399704a05fc202aae19d3090f9164ff45bfa342cbab666a5cd13f0bd5e86d066e4a14bd

Download Submit
C:\Users\Admin\AppData\Local\7e520158-9341-4351-bb78-7c640736886f\build2.exe
Filesize
388KB

MD5
8b401fc82a41458872b2e5345600f46f

SHA1
61bcf479e850a0cacc646529a3ec919968379a75

SHA256
2631ab16a328fb1e677dfffbebe122cf9b96540df841edcac6a5a20bd54d6214

SHA512
ee5652cfba1b32bd9baff0ce09d5396a38b44e4b8443d49c0fcbce897399704a05fc202aae19d3090f9164ff45bfa342cbab666a5cd13f0bd5e86d066e4a14bd

Download Submit
C:\Users\Admin\AppData\Local\7e520158-9341-4351-bb78-7c640736886f\build2.exe
Filesize
388KB

MD5
8b401fc82a41458872b2e5345600f46f

SHA1
61bcf479e850a0cacc646529a3ec919968379a75

SHA256
2631ab16a328fb1e677dfffbebe122cf9b96540df841edcac6a5a20bd54d6214

SHA512
ee5652cfba1b32bd9baff0ce09d5396a38b44e4b8443d49c0fcbce897399704a05fc202aae19d3090f9164ff45bfa342cbab666a5cd13f0bd5e86d066e4a14bd

Download Submit
C:\Users\Admin\AppData\Local\7e520158-9341-4351-bb78-7c640736886f\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\7e520158-9341-4351-bb78-7c640736886f\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3DE4.dll
Filesize
2.4MB

MD5
0b2be34be0e0b244ec3d5d88512dd881

SHA1
4eae839ef8307766a57b0d1ccef3748000bc3612

SHA256
650c166ed7a20cd2d68cf96725625063c413f4b9028f63a975d6a62e0beaa8db

SHA512
89cf6a7c8391144daeafd79c8894567ef980ee4ca99d09f3b2e49150dbc6455aadcd94fd8a2abf1c8fe2c893fa30f1a126230ea3ac06e214d50105c19a708e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\3DE4.dll
Filesize
2.4MB

MD5
0b2be34be0e0b244ec3d5d88512dd881

SHA1
4eae839ef8307766a57b0d1ccef3748000bc3612

SHA256
650c166ed7a20cd2d68cf96725625063c413f4b9028f63a975d6a62e0beaa8db

SHA512
89cf6a7c8391144daeafd79c8894567ef980ee4ca99d09f3b2e49150dbc6455aadcd94fd8a2abf1c8fe2c893fa30f1a126230ea3ac06e214d50105c19a708e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ECF.exe
Filesize
801KB

MD5
f499ee4717f26ed348a1c7b2ce14d809

SHA1
a032d944136eec161ecc5c2e3eb913055738ea3f

SHA256
c7b5306ec09e65428900e7acf48a574516387d496cabe49d8e19baf2245f4984

SHA512
160e6675540285a6ab142756d52bc946278d5185ea00216e4c2b85abd007787cb528633b187bad346db7ddf009cb97a0d80df44c20f3d779ac12d50ce8274216

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ECF.exe
Filesize
801KB

MD5
f499ee4717f26ed348a1c7b2ce14d809

SHA1
a032d944136eec161ecc5c2e3eb913055738ea3f

SHA256
c7b5306ec09e65428900e7acf48a574516387d496cabe49d8e19baf2245f4984

SHA512
160e6675540285a6ab142756d52bc946278d5185ea00216e4c2b85abd007787cb528633b187bad346db7ddf009cb97a0d80df44c20f3d779ac12d50ce8274216

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ECF.exe
Filesize
801KB

MD5
f499ee4717f26ed348a1c7b2ce14d809

SHA1
a032d944136eec161ecc5c2e3eb913055738ea3f

SHA256
c7b5306ec09e65428900e7acf48a574516387d496cabe49d8e19baf2245f4984

SHA512
160e6675540285a6ab142756d52bc946278d5185ea00216e4c2b85abd007787cb528633b187bad346db7ddf009cb97a0d80df44c20f3d779ac12d50ce8274216

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ECF.exe
Filesize
801KB

MD5
f499ee4717f26ed348a1c7b2ce14d809

SHA1
a032d944136eec161ecc5c2e3eb913055738ea3f

SHA256
c7b5306ec09e65428900e7acf48a574516387d496cabe49d8e19baf2245f4984

SHA512
160e6675540285a6ab142756d52bc946278d5185ea00216e4c2b85abd007787cb528633b187bad346db7ddf009cb97a0d80df44c20f3d779ac12d50ce8274216

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ECF.exe
Filesize
801KB

MD5
f499ee4717f26ed348a1c7b2ce14d809

SHA1
a032d944136eec161ecc5c2e3eb913055738ea3f

SHA256
c7b5306ec09e65428900e7acf48a574516387d496cabe49d8e19baf2245f4984

SHA512
160e6675540285a6ab142756d52bc946278d5185ea00216e4c2b85abd007787cb528633b187bad346db7ddf009cb97a0d80df44c20f3d779ac12d50ce8274216

Download Submit
C:\Users\Admin\AppData\Local\Temp\4076.exe
Filesize
184KB

MD5
8b4940a4e3999442c81612530df72f45

SHA1
d40181310b12d9232f72aacdae905c3555d06c47

SHA256
bbc55bcfb3e19090c52ad195c6b9c548a3467674dd719a40e4a504b84e293f7d

SHA512
157a5e49627da2d1bb75d9ba789ae69950ef70e55352638c49ad5a96eca81d215ce291d8bfc4636c2820f69afd1a8557f15e2415571aa9aa1c992274c8eb8e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4076.exe
Filesize
184KB

MD5
8b4940a4e3999442c81612530df72f45

SHA1
d40181310b12d9232f72aacdae905c3555d06c47

SHA256
bbc55bcfb3e19090c52ad195c6b9c548a3467674dd719a40e4a504b84e293f7d

SHA512
157a5e49627da2d1bb75d9ba789ae69950ef70e55352638c49ad5a96eca81d215ce291d8bfc4636c2820f69afd1a8557f15e2415571aa9aa1c992274c8eb8e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4171.exe
Filesize
300KB

MD5
af635919dd56aa9284968c33a2791ec2

SHA1
69432aa6fd6a0c87cf45364ca23eca3b222697e3

SHA256
1f21061deb8e8f15b9cef07d3e180dc2286e6da0f862a7b8394bb90fd6ffffbd

SHA512
04df87f0544d6df997045e4e9897ff0db9d563a3381ded4cca877f3c879395b1a99e00bf783804a756651e49ee3bd75d3d675aa56fb52e09302be601a0438b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4171.exe
Filesize
300KB

MD5
af635919dd56aa9284968c33a2791ec2

SHA1
69432aa6fd6a0c87cf45364ca23eca3b222697e3

SHA256
1f21061deb8e8f15b9cef07d3e180dc2286e6da0f862a7b8394bb90fd6ffffbd

SHA512
04df87f0544d6df997045e4e9897ff0db9d563a3381ded4cca877f3c879395b1a99e00bf783804a756651e49ee3bd75d3d675aa56fb52e09302be601a0438b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4412.exe
Filesize
183KB

MD5
ac7aa8e209ef921b311b20e3f929cd92

SHA1
23a3cb835ade16bc8417d411380fc5b3c952f60d

SHA256
f566496db220c4746c696c0796d9055e3dda90ea0d5eaeb81837f81a9557a0b8

SHA512
457a87e5dd9fb8f0715517ad042f569357250bc4adf812c4e536d5a3c9542ba357e70815e5dd09ba995842d597d4bd3c8cd56d9648e59daa22e77a4c4c83819e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4412.exe
Filesize
183KB

MD5
ac7aa8e209ef921b311b20e3f929cd92

SHA1
23a3cb835ade16bc8417d411380fc5b3c952f60d

SHA256
f566496db220c4746c696c0796d9055e3dda90ea0d5eaeb81837f81a9557a0b8

SHA512
457a87e5dd9fb8f0715517ad042f569357250bc4adf812c4e536d5a3c9542ba357e70815e5dd09ba995842d597d4bd3c8cd56d9648e59daa22e77a4c4c83819e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4664.exe
Filesize
308KB

MD5
f298d7d30544c0919a947633647c05c7

SHA1
515c28a649f221ff84aeff33432e93bf4c4d72cd

SHA256
be2145311dd98963363b01295b62a810ab1e37f18e9556c8cafba1e9f32787fe

SHA512
2c4799ef04aad9c149b08a3fc5d1c86d96da4f147a8cff6f8d291a532f17e3416ab7a81648d2891d4abd981503b3f3b55f2928ea17c9b30e8e313cf8282d970b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4664.exe
Filesize
308KB

MD5
f298d7d30544c0919a947633647c05c7

SHA1
515c28a649f221ff84aeff33432e93bf4c4d72cd

SHA256
be2145311dd98963363b01295b62a810ab1e37f18e9556c8cafba1e9f32787fe

SHA512
2c4799ef04aad9c149b08a3fc5d1c86d96da4f147a8cff6f8d291a532f17e3416ab7a81648d2891d4abd981503b3f3b55f2928ea17c9b30e8e313cf8282d970b

Download Submit
C:\Users\Admin\AppData\Local\Temp\48C7.exe
Filesize
444KB

MD5
a5b82c255a572484fd4d1804bfade913

SHA1
d8f8fbbe752f4da43d145f91514c520a10226a25

SHA256
8a1cacf8902a75f42457be995b57eaf0ed9528e7e71a3eb42c68a1f6d5b05c46

SHA512
db99745560a4dd467785771fdbe1209e0d9209b86c3c90b690555f72956135fe7fab0413f11f20930e8f1e786d9bc3881007ad6a9b0b774ec0d30162689cc6f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\48C7.exe
Filesize
444KB

MD5
a5b82c255a572484fd4d1804bfade913

SHA1
d8f8fbbe752f4da43d145f91514c520a10226a25

SHA256
8a1cacf8902a75f42457be995b57eaf0ed9528e7e71a3eb42c68a1f6d5b05c46

SHA512
db99745560a4dd467785771fdbe1209e0d9209b86c3c90b690555f72956135fe7fab0413f11f20930e8f1e786d9bc3881007ad6a9b0b774ec0d30162689cc6f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
242KB

MD5
a12b477f3a02a42eeae121a8ce166030

SHA1
31a368c8958fd1a8f8f18058b3e2133d0f55ba8a

SHA256
5618e1e649535b53a235907afb1e279d3143a8d93c63afcdfe75978d6aa1cc6c

SHA512
6fcb63813bb21c0dd60be6b5b3686c40a9f6e690cfa180443b1e9f771b9c2afaef20990c0c62c091b0344c64c84b58c19dcd4edbe0b40bb326c467b40df33374

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
242KB

MD5
a12b477f3a02a42eeae121a8ce166030

SHA1
31a368c8958fd1a8f8f18058b3e2133d0f55ba8a

SHA256
5618e1e649535b53a235907afb1e279d3143a8d93c63afcdfe75978d6aa1cc6c

SHA512
6fcb63813bb21c0dd60be6b5b3686c40a9f6e690cfa180443b1e9f771b9c2afaef20990c0c62c091b0344c64c84b58c19dcd4edbe0b40bb326c467b40df33374

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
242KB

MD5
a12b477f3a02a42eeae121a8ce166030

SHA1
31a368c8958fd1a8f8f18058b3e2133d0f55ba8a

SHA256
5618e1e649535b53a235907afb1e279d3143a8d93c63afcdfe75978d6aa1cc6c

SHA512
6fcb63813bb21c0dd60be6b5b3686c40a9f6e690cfa180443b1e9f771b9c2afaef20990c0c62c091b0344c64c84b58c19dcd4edbe0b40bb326c467b40df33374

Download Submit
C:\Users\Admin\AppData\Local\Temp\B3F5.exe
Filesize
321KB

MD5
a71363fba6c7f3f5158c0c562b026d72

SHA1
735639a2785c9d074ee23fb25716acd1b145268a

SHA256
cf7ac9403e1a5930c0903675c9b63dffe9a0c361b06355dc81722766d085358d

SHA512
520bdb785f142d863a5f803d26636e2d61da7ccb5bd8d3e629a38a82cdd4a050894b0bd67a56a72515c4d65a03bd90d15dd1709d6b92997292ceb37576b20b28

Download Submit
C:\Users\Admin\AppData\Local\Temp\B3F5.exe
Filesize
321KB

MD5
a71363fba6c7f3f5158c0c562b026d72

SHA1
735639a2785c9d074ee23fb25716acd1b145268a

SHA256
cf7ac9403e1a5930c0903675c9b63dffe9a0c361b06355dc81722766d085358d

SHA512
520bdb785f142d863a5f803d26636e2d61da7ccb5bd8d3e629a38a82cdd4a050894b0bd67a56a72515c4d65a03bd90d15dd1709d6b92997292ceb37576b20b28

Download Submit
C:\Users\Admin\AppData\Local\Temp\B742.exe
Filesize
1.1MB

MD5
5e7c07b9aa0668fa2971747bb4fade1e

SHA1
7fae544f73f2a8fb7a340a20ec47f76370fbd487

SHA256
431a1c4ceae3411f5476eed27fc30ebd55138afb4c4e9dac3db9d4b8addbb361

SHA512
5c9c65c99f0c8a5aaa2beac1a0c4304a1cb2ea808eeb6bbe11c2852d6e9fbad8bb68faa5f778848dade617e1c5ee1fb9dae566d7a064b05fdaa30a03019b868f

Download Submit
C:\Users\Admin\AppData\Local\Temp\B742.exe
Filesize
1.1MB

MD5
5e7c07b9aa0668fa2971747bb4fade1e

SHA1
7fae544f73f2a8fb7a340a20ec47f76370fbd487

SHA256
431a1c4ceae3411f5476eed27fc30ebd55138afb4c4e9dac3db9d4b8addbb361

SHA512
5c9c65c99f0c8a5aaa2beac1a0c4304a1cb2ea808eeb6bbe11c2852d6e9fbad8bb68faa5f778848dade617e1c5ee1fb9dae566d7a064b05fdaa30a03019b868f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA31.exe
Filesize
242KB

MD5
a12b477f3a02a42eeae121a8ce166030

SHA1
31a368c8958fd1a8f8f18058b3e2133d0f55ba8a

SHA256
5618e1e649535b53a235907afb1e279d3143a8d93c63afcdfe75978d6aa1cc6c

SHA512
6fcb63813bb21c0dd60be6b5b3686c40a9f6e690cfa180443b1e9f771b9c2afaef20990c0c62c091b0344c64c84b58c19dcd4edbe0b40bb326c467b40df33374

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA31.exe
Filesize
242KB

MD5
a12b477f3a02a42eeae121a8ce166030

SHA1
31a368c8958fd1a8f8f18058b3e2133d0f55ba8a

SHA256
5618e1e649535b53a235907afb1e279d3143a8d93c63afcdfe75978d6aa1cc6c

SHA512
6fcb63813bb21c0dd60be6b5b3686c40a9f6e690cfa180443b1e9f771b9c2afaef20990c0c62c091b0344c64c84b58c19dcd4edbe0b40bb326c467b40df33374

Download Submit
C:\Users\Admin\AppData\Local\Temp\CD9B.exe
Filesize
2.9MB

MD5
c81e5980e431ad89ef52a285187e7d14

SHA1
c847f6b2f68bfe4ec8e3fd3cd588b6ab5fb3ed8e

SHA256
90f7621cd8c17c54249af1b0f3ab1dd74ae9862baeecf31481129324a2a45118

SHA512
863fb28d4477a3a68d414077f6bd5560182e36d016b7ca9853cefbe5076e1b7b28c23f6f86dfa3367d1eeb9009a74797ec9e26fefca9bb69f6bfd88409ec9f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CD9B.exe
Filesize
2.9MB

MD5
c81e5980e431ad89ef52a285187e7d14

SHA1
c847f6b2f68bfe4ec8e3fd3cd588b6ab5fb3ed8e

SHA256
90f7621cd8c17c54249af1b0f3ab1dd74ae9862baeecf31481129324a2a45118

SHA512
863fb28d4477a3a68d414077f6bd5560182e36d016b7ca9853cefbe5076e1b7b28c23f6f86dfa3367d1eeb9009a74797ec9e26fefca9bb69f6bfd88409ec9f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hefurhy.dll
Filesize
4.3MB

MD5
cef603b490efa9f11dd0b8c57ec97792

SHA1
2155a67b22774ec7885af9492f828b38510bdb92

SHA256
bf3e9fc2c055d319fb1a1a2a5af8b56534cce3ea9d9b874e34e9771aa40077bd

SHA512
f0b0bca8996c0e72cdeb9c7b2b50f58de104e8f311a3d6ffd53c998bd294df1ab902cc5d46d702e844482c0ec96c7b33e16e53e77577b9be4dc2edb68ba78e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hefurhy.dll
Filesize
4.3MB

MD5
cef603b490efa9f11dd0b8c57ec97792

SHA1
2155a67b22774ec7885af9492f828b38510bdb92

SHA256
bf3e9fc2c055d319fb1a1a2a5af8b56534cce3ea9d9b874e34e9771aa40077bd

SHA512
f0b0bca8996c0e72cdeb9c7b2b50f58de104e8f311a3d6ffd53c998bd294df1ab902cc5d46d702e844482c0ec96c7b33e16e53e77577b9be4dc2edb68ba78e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hefurhy.dll
Filesize
4.3MB

MD5
cef603b490efa9f11dd0b8c57ec97792

SHA1
2155a67b22774ec7885af9492f828b38510bdb92

SHA256
bf3e9fc2c055d319fb1a1a2a5af8b56534cce3ea9d9b874e34e9771aa40077bd

SHA512
f0b0bca8996c0e72cdeb9c7b2b50f58de104e8f311a3d6ffd53c998bd294df1ab902cc5d46d702e844482c0ec96c7b33e16e53e77577b9be4dc2edb68ba78e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\advapi32.dll
Filesize
1.1MB

MD5
486536825ff5e3219a8702319e064907

SHA1
34f7f9211e2fd9c166fb36ed1d4121ebd427bebd

SHA256
6ab2023a2bd76692a694a812bf86c341696810c61666586c09a343832f05dc01

SHA512
f77404db724b9f8e93d84f2f9f0cee10b05638bda4445facbfd262eca52f073e285c10f153133fc35f9a426eb84e87e8e0b320f2815b2405ca3ada7ac2fded4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\advapi32.dll
Filesize
1.1MB

MD5
486536825ff5e3219a8702319e064907

SHA1
34f7f9211e2fd9c166fb36ed1d4121ebd427bebd

SHA256
6ab2023a2bd76692a694a812bf86c341696810c61666586c09a343832f05dc01

SHA512
f77404db724b9f8e93d84f2f9f0cee10b05638bda4445facbfd262eca52f073e285c10f153133fc35f9a426eb84e87e8e0b320f2815b2405ca3ada7ac2fded4c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
126KB

MD5
507e9dc7b9c42f535b6df96d79179835

SHA1
acf41fb549750023115f060071aa5ca8c33f249e

SHA256
3b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af

SHA512
70907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
126KB

MD5
507e9dc7b9c42f535b6df96d79179835

SHA1
acf41fb549750023115f060071aa5ca8c33f249e

SHA256
3b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af

SHA512
70907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302

Download Submit
memory/380-255-0x0000000000000000-mapping.dmp

Download
memory/724-295-0x0000000000000000-mapping.dmp

Download
memory/724-308-0x00000000027D0000-0x0000000002AD1000-memory.dmp

Filesize
3.0MB

Download
memory/724-311-0x0000000000400000-0x0000000000846000-memory.dmp

Filesize
4.3MB

Download
memory/724-310-0x00000000024FD000-0x00000000027C0000-memory.dmp

Filesize
2.8MB

Download
memory/1088-262-0x0000000000000000-mapping.dmp

Download
memory/1104-185-0x0000000000400000-0x0000000000850000-memory.dmp

Filesize
4.3MB

Download
memory/1104-183-0x0000000000A43000-0x0000000000A59000-memory.dmp

Filesize
88KB

Download
memory/1104-204-0x0000000000400000-0x0000000000850000-memory.dmp

Filesize
4.3MB

Download
memory/1104-152-0x0000000000000000-mapping.dmp

Download
memory/1144-157-0x0000000000000000-mapping.dmp

Download
memory/1248-291-0x0000000000000000-mapping.dmp

Download
memory/1328-312-0x0000000001200000-0x0000000001222000-memory.dmp

Filesize
136KB

Download
memory/1328-309-0x0000000000000000-mapping.dmp

Download
memory/1508-287-0x0000000000000000-mapping.dmp

Download
memory/1624-314-0x0000000000000000-mapping.dmp

Download
memory/1688-325-0x0000000000000000-mapping.dmp

Download
memory/1728-155-0x0000000000749000-0x000000000075A000-memory.dmp

Filesize
68KB

Download
memory/1728-142-0x0000000000000000-mapping.dmp

Download
memory/1728-158-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1728-156-0x0000000000610000-0x0000000000619000-memory.dmp

Filesize
36KB

Download
memory/1728-181-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1832-176-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1832-200-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1832-178-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1832-171-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1832-174-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1832-168-0x0000000000000000-mapping.dmp

Download
memory/2040-284-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/2040-277-0x0000000000000000-mapping.dmp

Download
memory/2040-283-0x00000000007E8000-0x0000000000807000-memory.dmp

Filesize
124KB

Download
memory/2076-285-0x0000000000000000-mapping.dmp

Download
memory/2152-223-0x0000000000000000-mapping.dmp

Download
memory/2264-307-0x0000000000CB0000-0x0000000000CBC000-memory.dmp

Filesize
48KB

Download
memory/2264-302-0x0000000000000000-mapping.dmp

Download
memory/2264-306-0x0000000000CC0000-0x0000000000CC6000-memory.dmp

Filesize
24KB

Download
memory/2308-299-0x0000000000000000-mapping.dmp

Download
memory/2336-288-0x0000000000000000-mapping.dmp

Download
memory/2372-175-0x0000000000950000-0x00000000009E2000-memory.dmp

Filesize
584KB

Download
memory/2372-169-0x0000000002540000-0x000000000265B000-memory.dmp

Filesize
1.1MB

Download
memory/2372-139-0x0000000000000000-mapping.dmp

Download
memory/2376-177-0x0000000000470000-0x00000000004E5000-memory.dmp

Filesize
468KB

Download
memory/2376-160-0x0000000000000000-mapping.dmp

Download
memory/2376-170-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2376-184-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2452-258-0x0000000006790000-0x0000000006952000-memory.dmp

Filesize
1.8MB

Download
memory/2452-202-0x00000000055A0000-0x00000000056AA000-memory.dmp

Filesize
1.0MB

Download
memory/2452-251-0x0000000006B70000-0x0000000007114000-memory.dmp

Filesize
5.6MB

Download
memory/2452-205-0x0000000005440000-0x000000000547C000-memory.dmp

Filesize
240KB

Download
memory/2452-253-0x0000000005A00000-0x0000000005A66000-memory.dmp

Filesize
408KB

Download
memory/2452-189-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2452-203-0x00000000053E0000-0x00000000053F2000-memory.dmp

Filesize
72KB

Download
memory/2452-188-0x0000000000000000-mapping.dmp

Download
memory/2452-242-0x0000000005790000-0x0000000005822000-memory.dmp

Filesize
584KB

Download
memory/2452-201-0x0000000005AB0000-0x00000000060C8000-memory.dmp

Filesize
6.1MB

Download
memory/2452-259-0x0000000008D40000-0x000000000926C000-memory.dmp

Filesize
5.2MB

Download
memory/2456-162-0x0000000002C50000-0x0000000002E19000-memory.dmp

Filesize
1.8MB

Download
memory/2456-192-0x00000000031A0000-0x0000000003253000-memory.dmp

Filesize
716KB

Download
memory/2456-190-0x00000000031A0000-0x0000000003253000-memory.dmp

Filesize
716KB

Download
memory/2456-138-0x0000000000000000-mapping.dmp

Download
memory/2456-182-0x00000000030D0000-0x0000000003197000-memory.dmp

Filesize
796KB

Download
memory/2456-163-0x0000000002F70000-0x00000000030C2000-memory.dmp

Filesize
1.3MB

Download
memory/2456-197-0x0000000002F70000-0x00000000030C2000-memory.dmp

Filesize
1.3MB

Download
memory/2588-303-0x0000000000000000-mapping.dmp

Download
memory/2668-323-0x0000000000000000-mapping.dmp

Download
memory/2696-315-0x0000000000000000-mapping.dmp

Download
memory/2696-322-0x0000000002050000-0x00000000024A1000-memory.dmp

Filesize
4.3MB

Download
memory/2696-361-0x00000000030D0000-0x0000000003C5C000-memory.dmp

Filesize
11.5MB

Download
memory/2696-365-0x0000000003D20000-0x0000000003E60000-memory.dmp

Filesize
1.2MB

Download
memory/2696-372-0x0000000003D20000-0x0000000003E60000-memory.dmp

Filesize
1.2MB

Download
memory/2696-370-0x0000000003D20000-0x0000000003E60000-memory.dmp

Filesize
1.2MB

Download
memory/2696-364-0x0000000003D20000-0x0000000003E60000-memory.dmp

Filesize
1.2MB

Download
memory/2696-369-0x0000000003D20000-0x0000000003E60000-memory.dmp

Filesize
1.2MB

Download
memory/2696-371-0x0000000003D20000-0x0000000003E60000-memory.dmp

Filesize
1.2MB

Download
memory/2696-362-0x00000000030D0000-0x0000000003C5C000-memory.dmp

Filesize
11.5MB

Download
memory/2888-186-0x0000000000000000-mapping.dmp

Download
memory/3056-227-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3056-229-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3056-231-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3056-261-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3056-224-0x0000000000000000-mapping.dmp

Download
memory/3056-232-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3056-225-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3112-267-0x0000000000000000-mapping.dmp

Download
memory/3112-324-0x000000000FC20000-0x000000000FD9F000-memory.dmp

Filesize
1.5MB

Download
memory/3112-270-0x000000000266F000-0x0000000002B7D000-memory.dmp

Filesize
5.1MB

Download
memory/3136-217-0x0000000000000000-mapping.dmp

Download
memory/3136-228-0x00000000009F2000-0x0000000000A1E000-memory.dmp

Filesize
176KB

Download
memory/3136-230-0x0000000000B20000-0x0000000000B6B000-memory.dmp

Filesize
300KB

Download
memory/3168-260-0x0000000000000000-mapping.dmp

Download
memory/3196-220-0x0000000000000000-mapping.dmp

Download
memory/3256-172-0x0000000000BE0000-0x0000000000BEC000-memory.dmp

Filesize
48KB

Download
memory/3256-166-0x0000000000000000-mapping.dmp

Download
memory/3544-300-0x0000000000000000-mapping.dmp

Download
memory/3544-305-0x00000000003B0000-0x00000000003B9000-memory.dmp

Filesize
36KB

Download
memory/3544-304-0x00000000003C0000-0x00000000003C5000-memory.dmp

Filesize
20KB

Download
memory/3564-211-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3564-206-0x0000000000000000-mapping.dmp

Download
memory/3564-209-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3564-263-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3564-216-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3600-289-0x0000000000000000-mapping.dmp

Download
memory/3660-333-0x0000000000000000-mapping.dmp

Download
memory/3760-149-0x0000000000000000-mapping.dmp

Download
memory/3760-164-0x0000000000839000-0x000000000084A000-memory.dmp

Filesize
68KB

Download
memory/3760-167-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3760-165-0x00000000006E0000-0x00000000006E9000-memory.dmp

Filesize
36KB

Download
memory/3796-339-0x0000000000000000-mapping.dmp

Download
memory/3796-342-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3796-340-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4068-179-0x00000000009D3000-0x00000000009E8000-memory.dmp

Filesize
84KB

Download
memory/4068-146-0x0000000000000000-mapping.dmp

Download
memory/4068-180-0x0000000000400000-0x000000000084E000-memory.dmp

Filesize
4.3MB

Download
memory/4076-133-0x0000000000830000-0x0000000000839000-memory.dmp

Filesize
36KB

Download
memory/4076-134-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/4076-135-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/4076-132-0x0000000000868000-0x0000000000879000-memory.dmp

Filesize
68KB

Download
memory/4136-198-0x0000000000000000-mapping.dmp

Download
memory/4136-210-0x00000000008DE000-0x0000000000970000-memory.dmp

Filesize
584KB

Download
memory/4164-136-0x0000000000000000-mapping.dmp

Download
memory/4232-301-0x0000000000AA0000-0x0000000000AA9000-memory.dmp

Filesize
36KB

Download
memory/4232-292-0x0000000000000000-mapping.dmp

Download
memory/4232-296-0x0000000000A90000-0x0000000000A9F000-memory.dmp

Filesize
60KB

Download
memory/4288-271-0x00000000006F0000-0x000000000072E000-memory.dmp

Filesize
248KB

Download
memory/4288-264-0x0000000000000000-mapping.dmp

Download
memory/4288-276-0x0000000000859000-0x000000000088A000-memory.dmp

Filesize
196KB

Download
memory/4288-272-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/4428-338-0x0000000000000000-mapping.dmp

Download
memory/4444-379-0x0000000000000000-mapping.dmp

Download
memory/4636-282-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/4636-281-0x0000000000640000-0x000000000067E000-memory.dmp

Filesize
248KB

Download
memory/4636-280-0x0000000000709000-0x0000000000728000-memory.dmp

Filesize
124KB

Download
memory/4636-273-0x0000000000000000-mapping.dmp

Download
memory/4832-290-0x0000000000000000-mapping.dmp

Download
memory/4856-286-0x0000000000000000-mapping.dmp

Download
memory/4856-294-0x0000000000D30000-0x0000000000D3B000-memory.dmp

Filesize
44KB

Download
memory/4856-293-0x0000000000D40000-0x0000000000D47000-memory.dmp

Filesize
28KB

Download
memory/5100-373-0x00007FF7CF9B6890-mapping.dmp

Download
memory/5100-374-0x0000023463F20000-0x0000023464060000-memory.dmp

Filesize
1.2MB

Download
memory/5100-375-0x0000023463F20000-0x0000023464060000-memory.dmp

Filesize
1.2MB

Download