amadey | b03621290fa3291de14fb80c3f8ca5f35f94c90f662f5f4af53d69e3176e3057

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
15-11-2022 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b03621290fa3291de14fb80c3f8ca5f35f94c90f662f5f4af53d69e3176e3057.exe
Size

173KB
MD5

c87dcd21b0dcb51699a4735ac76ad3de
SHA1

87d3d0a8aca200fc85ac9646b710141a4098932b
SHA256

b03621290fa3291de14fb80c3f8ca5f35f94c90f662f5f4af53d69e3176e3057
SHA512

bba293557550219edcb37d8fc88d366ff53164e6018beb20f4ecc4f72cc58afae0e8573449602b48a89db916b7643dd9b30d5767c37dcf0d8893cd57f9dfa8e8
SSDEEP

3072:C0lrFhKhmLqTNZZ/DRoz6bisK6XCE/gUumfWTa/7Oj:n7LqTNZF0AisKOVPA

Score

10^/10

amadey dcrat redline smokeloader xmrig rozena1114 backdoor collection discovery infostealer miner persistence rat spyware stealer trojan

Malware Config

Extracted

Family

redline

185.215.113.69:15544

Attributes

auth_value
9ed095938f02f2c8053c2ab30dea2c4e

Extracted

Family

redline

Botnet

rozena1114

jalocliche.xyz:81

chardhesha.xyz:81

Attributes

auth_value
9fefd743a3b62bcd7c3e17a70fbdb3a8

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

DcRat 14 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeb03621290fa3291de14fb80c3f8ca5f35f94c90f662f5f4af53d69e3176e3057.exeschtasks.exeschtasks.exe

pid	process
412	schtasks.exe
4864	schtasks.exe
3744	schtasks.exe
1112	schtasks.exe
4540	schtasks.exe
1220	schtasks.exe
4156	schtasks.exe
4140	schtasks.exe
3932	schtasks.exe
3964	schtasks.exe
2560	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b03621290fa3291de14fb80c3f8ca5f35f94c90f662f5f4af53d69e3176e3057.exe
4500	schtasks.exe
4592	schtasks.exe

Detect Amadey credential stealer module 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll	amadey_cred_module
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll	amadey_cred_module

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2796-133-0x0000000000730000-0x0000000000739000-memory.dmp	family_smokeloader

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4492-180-0x00000000013A0000-0x00000000013C8000-memory.dmp	family_redline
behavioral2/memory/3488-246-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

183 1364 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 10 IoCs

Processes:

E4E6.exeEB11.exeEF39.exerovwer.exeAF.exerovwer.exeSystem.exedllhost.exerovwer.exewinlogson.exe

pid process

2248 E4E6.exe
4548 EB11.exe
1168 EF39.exe
2320 rovwer.exe
744 AF.exe
4692 rovwer.exe
4920 System.exe
1156 dllhost.exe
4008 rovwer.exe
3148 winlogson.exe

flow	pid	process
183	1364	rundll32.exe

pid	process
2248	E4E6.exe
4548	EB11.exe
1168	EF39.exe
2320	rovwer.exe
744	AF.exe
4692	rovwer.exe
4920	System.exe
1156	dllhost.exe
4008	rovwer.exe
3148	winlogson.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EF39.exerovwer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	EF39.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	rovwer.exe

Loads dropped DLL 3 IoCs

Processes:

EB11.exerundll32.exe

pid process

4548 EB11.exe
4548 EB11.exe
1364 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
4548	EB11.exe
4548	EB11.exe
1364	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe / file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	dllhost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 2 IoCs

Processes:

AF.exeEB11.exe

description pid process target process

PID 744 set thread context of 4492 744 AF.exe vbc.exe
PID 4548 set thread context of 3488 4548 EB11.exe ngentask.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 744 set thread context of 4492	744	AF.exe	vbc.exe
PID 4548 set thread context of 3488	4548	EB11.exe	ngentask.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3932	1168	WerFault.exe	EF39.exe
2756	2248	WerFault.exe	E4E6.exe
3208	4692	WerFault.exe	rovwer.exe
4308	4008	WerFault.exe	rovwer.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b03621290fa3291de14fb80c3f8ca5f35f94c90f662f5f4af53d69e3176e3057.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b03621290fa3291de14fb80c3f8ca5f35f94c90f662f5f4af53d69e3176e3057.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b03621290fa3291de14fb80c3f8ca5f35f94c90f662f5f4af53d69e3176e3057.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b03621290fa3291de14fb80c3f8ca5f35f94c90f662f5f4af53d69e3176e3057.exe

Creates scheduled task(s) 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3744	schtasks.exe
1112	schtasks.exe
4540	schtasks.exe
4592	schtasks.exe
3932	schtasks.exe
2560	schtasks.exe
412	schtasks.exe
4864	schtasks.exe
1220	schtasks.exe
3964	schtasks.exe
4500	schtasks.exe
4156	schtasks.exe
4140	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b03621290fa3291de14fb80c3f8ca5f35f94c90f662f5f4af53d69e3176e3057.exe

pid	process
2796	b03621290fa3291de14fb80c3f8ca5f35f94c90f662f5f4af53d69e3176e3057.exe
2796	b03621290fa3291de14fb80c3f8ca5f35f94c90f662f5f4af53d69e3176e3057.exe
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2416
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

660

pid	process
2416

pid	process
660

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

b03621290fa3291de14fb80c3f8ca5f35f94c90f662f5f4af53d69e3176e3057.exe

pid	process
2796	b03621290fa3291de14fb80c3f8ca5f35f94c90f662f5f4af53d69e3176e3057.exe
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416

Suspicious use of AdjustPrivilegeToken 57 IoCs

Processes:

E4E6.exevbc.exeSystem.exepowershell.exepowershell.exepowershell.exedllhost.exewinlogson.exe

description	pid	process
Token: SeDebugPrivilege	2248	E4E6.exe
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeDebugPrivilege	4492	vbc.exe
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeDebugPrivilege	4920	System.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	1156	dllhost.exe
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeLockMemoryPrivilege	3148	winlogson.exe
Token: SeLockMemoryPrivilege	3148	winlogson.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winlogson.exe

pid process

3148 winlogson.exe

pid	process
3148	winlogson.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EF39.exerovwer.execmd.exeAF.exe

description	pid	process	target process
PID 2416 wrote to memory of 2248	2416		E4E6.exe
PID 2416 wrote to memory of 2248	2416		E4E6.exe
PID 2416 wrote to memory of 2248	2416		E4E6.exe
PID 2416 wrote to memory of 4548	2416		EB11.exe
PID 2416 wrote to memory of 4548	2416		EB11.exe
PID 2416 wrote to memory of 4548	2416		EB11.exe
PID 2416 wrote to memory of 1168	2416		EF39.exe
PID 2416 wrote to memory of 1168	2416		EF39.exe
PID 2416 wrote to memory of 1168	2416		EF39.exe
PID 1168 wrote to memory of 2320	1168	EF39.exe	rovwer.exe
PID 1168 wrote to memory of 2320	1168	EF39.exe	rovwer.exe
PID 1168 wrote to memory of 2320	1168	EF39.exe	rovwer.exe
PID 2320 wrote to memory of 2560	2320	rovwer.exe	schtasks.exe
PID 2320 wrote to memory of 2560	2320	rovwer.exe	schtasks.exe
PID 2320 wrote to memory of 2560	2320	rovwer.exe	schtasks.exe
PID 2320 wrote to memory of 3724	2320	rovwer.exe	cmd.exe
PID 2320 wrote to memory of 3724	2320	rovwer.exe	cmd.exe
PID 2320 wrote to memory of 3724	2320	rovwer.exe	cmd.exe
PID 3724 wrote to memory of 4964	3724	cmd.exe	cmd.exe
PID 3724 wrote to memory of 4964	3724	cmd.exe	cmd.exe
PID 3724 wrote to memory of 4964	3724	cmd.exe	cmd.exe
PID 3724 wrote to memory of 1220	3724	cmd.exe	cacls.exe
PID 3724 wrote to memory of 1220	3724	cmd.exe	cacls.exe
PID 3724 wrote to memory of 1220	3724	cmd.exe	cacls.exe
PID 3724 wrote to memory of 2840	3724	cmd.exe	cacls.exe
PID 3724 wrote to memory of 2840	3724	cmd.exe	cacls.exe
PID 3724 wrote to memory of 2840	3724	cmd.exe	cacls.exe
PID 3724 wrote to memory of 4244	3724	cmd.exe	cmd.exe
PID 3724 wrote to memory of 4244	3724	cmd.exe	cmd.exe
PID 3724 wrote to memory of 4244	3724	cmd.exe	cmd.exe
PID 3724 wrote to memory of 1404	3724	cmd.exe	cacls.exe
PID 3724 wrote to memory of 1404	3724	cmd.exe	cacls.exe
PID 3724 wrote to memory of 1404	3724	cmd.exe	cacls.exe
PID 3724 wrote to memory of 1616	3724	cmd.exe	cacls.exe
PID 3724 wrote to memory of 1616	3724	cmd.exe	cacls.exe
PID 3724 wrote to memory of 1616	3724	cmd.exe	cacls.exe
PID 2416 wrote to memory of 744	2416		AF.exe
PID 2416 wrote to memory of 744	2416		AF.exe
PID 2416 wrote to memory of 744	2416		AF.exe
PID 2416 wrote to memory of 3968	2416		explorer.exe
PID 2416 wrote to memory of 3968	2416		explorer.exe
PID 2416 wrote to memory of 3968	2416		explorer.exe
PID 2416 wrote to memory of 3968	2416		explorer.exe
PID 744 wrote to memory of 4492	744	AF.exe	vbc.exe
PID 744 wrote to memory of 4492	744	AF.exe	vbc.exe
PID 744 wrote to memory of 4492	744	AF.exe	vbc.exe
PID 744 wrote to memory of 4492	744	AF.exe	vbc.exe
PID 744 wrote to memory of 4492	744	AF.exe	vbc.exe
PID 2416 wrote to memory of 4936	2416		explorer.exe
PID 2416 wrote to memory of 4936	2416		explorer.exe
PID 2416 wrote to memory of 4936	2416		explorer.exe
PID 2416 wrote to memory of 3692	2416		explorer.exe
PID 2416 wrote to memory of 3692	2416		explorer.exe
PID 2416 wrote to memory of 3692	2416		explorer.exe
PID 2416 wrote to memory of 3692	2416		explorer.exe
PID 2416 wrote to memory of 2796	2416		explorer.exe
PID 2416 wrote to memory of 2796	2416		explorer.exe
PID 2416 wrote to memory of 2796	2416		explorer.exe
PID 2416 wrote to memory of 3812	2416		explorer.exe
PID 2416 wrote to memory of 3812	2416		explorer.exe
PID 2416 wrote to memory of 3812	2416		explorer.exe
PID 2416 wrote to memory of 3812	2416		explorer.exe
PID 2416 wrote to memory of 1368	2416		explorer.exe
PID 2416 wrote to memory of 1368	2416		explorer.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\b03621290fa3291de14fb80c3f8ca5f35f94c90f662f5f4af53d69e3176e3057.exe
"C:\Users\Admin\AppData\Local\Temp\b03621290fa3291de14fb80c3f8ca5f35f94c90f662f5f4af53d69e3176e3057.exe"
1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2796

C:\Users\Admin\AppData\Local\Temp\E4E6.exe
C:\Users\Admin\AppData\Local\Temp\E4E6.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 1264
2⤵
- Program crash
PID:2756

C:\Users\Admin\AppData\Local\Temp\EB11.exe
C:\Users\Admin\AppData\Local\Temp\EB11.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:4548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
2⤵
PID:1564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
2⤵
PID:4268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
2⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\EF39.exe
C:\Users\Admin\AppData\Local\Temp\EF39.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1168

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F
3⤵
- DcRat
- Creates scheduled task(s)
PID:2560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:4964

C:\Windows\SysWOW64\cacls.exe
CACLS "rovwer.exe" /P "Admin:N"
4⤵
PID:1220

C:\Windows\SysWOW64\cacls.exe
CACLS "rovwer.exe" /P "Admin:R" /E
4⤵
PID:2840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:4244

C:\Windows\SysWOW64\cacls.exe
CACLS "..\99e342142d" /P "Admin:N"
4⤵
PID:1404

C:\Windows\SysWOW64\cacls.exe
CACLS "..\99e342142d" /P "Admin:R" /E
4⤵
PID:1616

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- outlook_win_path
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 1136
2⤵
- Program crash
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1168 -ip 1168
1⤵
PID:2392

C:\Users\Admin\AppData\Local\Temp\AF.exe
C:\Users\Admin\AppData\Local\Temp\AF.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Users\Admin\AppData\Local\Temp\System.exe
"C:\Users\Admin\AppData\Local\Temp\System.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
4⤵
PID:4088

C:\Windows\SysWOW64\chcp.com
chcp 1251
5⤵
PID:5076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\ProgramData\Dllhost\dllhost.exe
"C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:4272

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- DcRat
- Creates scheduled task(s)
PID:4500

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:3124

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- DcRat
- Creates scheduled task(s)
PID:4864

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:1276

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- DcRat
- Creates scheduled task(s)
PID:412

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:3584

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- DcRat
- Creates scheduled task(s)
PID:1112

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:3440

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- DcRat
- Creates scheduled task(s)
PID:4156

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:3160

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- DcRat
- Creates scheduled task(s)
PID:3744

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:2708

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- DcRat
- Creates scheduled task(s)
PID:4140

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:4848

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- DcRat
- Creates scheduled task(s)
PID:4540

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk8349" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:640

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk8349" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- DcRat
- Creates scheduled task(s)
PID:4592

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk2155" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:4344

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk2155" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- DcRat
- Creates scheduled task(s)
PID:3932

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk6296" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:4696

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk6296" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- DcRat
- Creates scheduled task(s)
PID:1220

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk7308" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:1924

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk7308" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- DcRat
- Creates scheduled task(s)
PID:3964

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
5⤵
PID:4656

C:\Windows\SysWOW64\chcp.com
chcp 1251
6⤵
PID:2644

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
5⤵
PID:1072

C:\Windows\SysWOW64\chcp.com
chcp 1251
6⤵
PID:3212

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe -c config.json
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3148

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3968

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4936

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3692

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2796

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3812

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1368

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3476

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4408

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
1⤵
- Executes dropped EXE
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 416
2⤵
- Program crash
PID:3208

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2248 -ip 2248
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4692 -ip 4692
1⤵
PID:3388

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
1⤵
- Executes dropped EXE
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 416
2⤵
- Program crash
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4008 -ip 4008
1⤵
PID:3428

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe
Filesize
60KB

MD5
9a4febef8d60ba3a7039d023231c6dec

SHA1
2b94634c21c98db8a77d3ceef4a57ea8009afd50

SHA256
efc5f8d9cf611f8f8857840f49a111bac24b16966fc69a17f3757cbcf7f3bbe0

SHA512
bfe7dca34d63289b56288dc6171b58951c3ef27c90e316ca5ce6da812a6a887b30c9967fff59067b23d68fe02d6ff746037c9b2563077f092f2a2abade3cea62

Download Submit
C:\ProgramData\Dllhost\dllhost.exe
Filesize
60KB

MD5
9a4febef8d60ba3a7039d023231c6dec

SHA1
2b94634c21c98db8a77d3ceef4a57ea8009afd50

SHA256
efc5f8d9cf611f8f8857840f49a111bac24b16966fc69a17f3757cbcf7f3bbe0

SHA512
bfe7dca34d63289b56288dc6171b58951c3ef27c90e316ca5ce6da812a6a887b30c9967fff59067b23d68fe02d6ff746037c9b2563077f092f2a2abade3cea62

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
5.1MB

MD5
2a0d26b8b02bb2d17994d2a9a38d61db

SHA1
889a9cb0a044c1f675e63ea6ea065a8cf914e2ab

SHA256
3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1

SHA512
07245fb329b5fc9b68e1e88a52b7ab464bafd45442193e4b61cf6788ec0e10cdec2cfa2f59f49fe4a3f8a78a205d62ec0701a3b82a5e8f4257016821fee524ee

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
5.1MB

MD5
2a0d26b8b02bb2d17994d2a9a38d61db

SHA1
889a9cb0a044c1f675e63ea6ea065a8cf914e2ab

SHA256
3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1

SHA512
07245fb329b5fc9b68e1e88a52b7ab464bafd45442193e4b61cf6788ec0e10cdec2cfa2f59f49fe4a3f8a78a205d62ec0701a3b82a5e8f4257016821fee524ee

Download Submit
C:\ProgramData\SystemFiles\config.json
Filesize
312B

MD5
d2331fa006f1bead56d37e9ad1a3c8b5

SHA1
bcb2435656dee2237cabf0ed0c47a323911f9ee2

SHA256
d3ca0a24fa743b85949bda09ee7341526df31dd43512b14bee5ba79a9042abc0

SHA512
3c0594b256245d6a8fd37d9d546a02419c6103c30b9d99b32aeae808d873037aed9d91ecd211d5bc00faf78cfd2df1bd59d36e76e0acd5e4519b151de2a3e6ab

Download Submit
C:\ProgramData\SystemFiles\sys_rh.bin
Filesize
1KB

MD5
deef78846d9e76fbe7db17a879f1d21b

SHA1
c38ca7ac4b322ccbd169866f27110f4306ee4d9c

SHA256
ea0822964c4fcd8f07975703f362c09e20a29fcb2ba3dc9ea97b3f001fb738a4

SHA512
b96d811d98f6293808de909788d1c111a43b9aa99004aea155d2810c7f4a06137a472e5381937ae9b016376bc346e2eaf18e34557271ce21384baba165f38f0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
aba1673a903ee6f3f26251ab57430a35

SHA1
9234995a56671a7c51d163a3415feb89bb70dc24

SHA256
12ba1b564949435fe5b0544b8c7fbdd32f6bacac64887dd2c0d059cac8f7a12f

SHA512
c905616f6f7d2fe67bb95980dea3eb82269953a7d166bb2eda1248b6db4543cdcf12398a06081126f60642bf9ace6d11e2795cb6603da6eb7b364e6ff7c52a26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
f9fd106cb80fe2bce51afa86ed5bb95b

SHA1
5e754ed00e9c5e7d97fa31395e98bde8d2dd575b

SHA256
2d47c367634d9e6ce350cfdd0fa816b7dbfd4db651d3ad895bfd701e041c3f18

SHA512
136c3fde317ce96fdeebe9f2c4a97278abdb96b8cdfb06360f46e1c6e35e644209d2ea17d1819cdac30e5e87f55b17a2be2193959b3954ce30463aad017570f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
242KB

MD5
19617bdb19b1aeb574c718a27abc3c31

SHA1
369cd7c11f56a89d0f97e4cefdbe02d7120e0b25

SHA256
ec1c329fd6890269a1b97f2684d00923a2c251c564f92795c446ca02c9cebf07

SHA512
b5664d14bfedab6d536a37d9cc3f83059e2aaa566505514674c8c21cac86dd21b5125e136d75580ff8a11e10bf37eada8a4c0e29040545e13066cb66c0c8a753

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
242KB

MD5
19617bdb19b1aeb574c718a27abc3c31

SHA1
369cd7c11f56a89d0f97e4cefdbe02d7120e0b25

SHA256
ec1c329fd6890269a1b97f2684d00923a2c251c564f92795c446ca02c9cebf07

SHA512
b5664d14bfedab6d536a37d9cc3f83059e2aaa566505514674c8c21cac86dd21b5125e136d75580ff8a11e10bf37eada8a4c0e29040545e13066cb66c0c8a753

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
242KB

MD5
19617bdb19b1aeb574c718a27abc3c31

SHA1
369cd7c11f56a89d0f97e4cefdbe02d7120e0b25

SHA256
ec1c329fd6890269a1b97f2684d00923a2c251c564f92795c446ca02c9cebf07

SHA512
b5664d14bfedab6d536a37d9cc3f83059e2aaa566505514674c8c21cac86dd21b5125e136d75580ff8a11e10bf37eada8a4c0e29040545e13066cb66c0c8a753

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
242KB

MD5
19617bdb19b1aeb574c718a27abc3c31

SHA1
369cd7c11f56a89d0f97e4cefdbe02d7120e0b25

SHA256
ec1c329fd6890269a1b97f2684d00923a2c251c564f92795c446ca02c9cebf07

SHA512
b5664d14bfedab6d536a37d9cc3f83059e2aaa566505514674c8c21cac86dd21b5125e136d75580ff8a11e10bf37eada8a4c0e29040545e13066cb66c0c8a753

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF.exe
Filesize
217KB

MD5
026a3f832f10eeca25bd46d9575f29c7

SHA1
ef72d1785eddcc143e6fcedcacca8e6164f3de8e

SHA256
54354b50e25cf77d0fac9e628d59de7c2f0dcce15128b0c526b09ddaac6fb220

SHA512
3c8f07dd25f6400e5265ac25b21b4fa45610b6ab9237010251bbb205ac1b62249ded6411916d689a06276162f989049e8a60937251c20536274920b1d9c4af46

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF.exe
Filesize
217KB

MD5
026a3f832f10eeca25bd46d9575f29c7

SHA1
ef72d1785eddcc143e6fcedcacca8e6164f3de8e

SHA256
54354b50e25cf77d0fac9e628d59de7c2f0dcce15128b0c526b09ddaac6fb220

SHA512
3c8f07dd25f6400e5265ac25b21b4fa45610b6ab9237010251bbb205ac1b62249ded6411916d689a06276162f989049e8a60937251c20536274920b1d9c4af46

Download Submit
C:\Users\Admin\AppData\Local\Temp\E4E6.exe
Filesize
323KB

MD5
1d416404d5a3423202e65c81eadc2f22

SHA1
ef2c4cfb9d67e4534ea1fd93e86b88d4b900fe0c

SHA256
583d50b7f8d18c45b1e55a57e480b2f129214e59e5c3a08080ce24967bd89579

SHA512
4ebc527f90cfe0f35528e24ed57e3d021f656b5fa806fcc7a85e535ddc15431b594419d5143387e29d7b49ae17df5f4cd15bdbab95241822dbbcadbb9c588e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\E4E6.exe
Filesize
323KB

MD5
1d416404d5a3423202e65c81eadc2f22

SHA1
ef2c4cfb9d67e4534ea1fd93e86b88d4b900fe0c

SHA256
583d50b7f8d18c45b1e55a57e480b2f129214e59e5c3a08080ce24967bd89579

SHA512
4ebc527f90cfe0f35528e24ed57e3d021f656b5fa806fcc7a85e535ddc15431b594419d5143387e29d7b49ae17df5f4cd15bdbab95241822dbbcadbb9c588e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB11.exe
Filesize
1.1MB

MD5
5e7c07b9aa0668fa2971747bb4fade1e

SHA1
7fae544f73f2a8fb7a340a20ec47f76370fbd487

SHA256
431a1c4ceae3411f5476eed27fc30ebd55138afb4c4e9dac3db9d4b8addbb361

SHA512
5c9c65c99f0c8a5aaa2beac1a0c4304a1cb2ea808eeb6bbe11c2852d6e9fbad8bb68faa5f778848dade617e1c5ee1fb9dae566d7a064b05fdaa30a03019b868f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB11.exe
Filesize
1.1MB

MD5
5e7c07b9aa0668fa2971747bb4fade1e

SHA1
7fae544f73f2a8fb7a340a20ec47f76370fbd487

SHA256
431a1c4ceae3411f5476eed27fc30ebd55138afb4c4e9dac3db9d4b8addbb361

SHA512
5c9c65c99f0c8a5aaa2beac1a0c4304a1cb2ea808eeb6bbe11c2852d6e9fbad8bb68faa5f778848dade617e1c5ee1fb9dae566d7a064b05fdaa30a03019b868f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EF39.exe
Filesize
242KB

MD5
19617bdb19b1aeb574c718a27abc3c31

SHA1
369cd7c11f56a89d0f97e4cefdbe02d7120e0b25

SHA256
ec1c329fd6890269a1b97f2684d00923a2c251c564f92795c446ca02c9cebf07

SHA512
b5664d14bfedab6d536a37d9cc3f83059e2aaa566505514674c8c21cac86dd21b5125e136d75580ff8a11e10bf37eada8a4c0e29040545e13066cb66c0c8a753

Download Submit
C:\Users\Admin\AppData\Local\Temp\EF39.exe
Filesize
242KB

MD5
19617bdb19b1aeb574c718a27abc3c31

SHA1
369cd7c11f56a89d0f97e4cefdbe02d7120e0b25

SHA256
ec1c329fd6890269a1b97f2684d00923a2c251c564f92795c446ca02c9cebf07

SHA512
b5664d14bfedab6d536a37d9cc3f83059e2aaa566505514674c8c21cac86dd21b5125e136d75580ff8a11e10bf37eada8a4c0e29040545e13066cb66c0c8a753

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.exe
Filesize
56KB

MD5
cabd16d0692837cbbe6da0bcc3d84ebc

SHA1
29d428754879c181be0ac0139a7ff764f0ad31b2

SHA256
2a2aa00b1a5540347dd1cfddb5c41eadfd1b25cca087f0d96594c5669ea53a7e

SHA512
80493d57bb9596882f0e02fdfbda892b6e820876cae31d04dc1e594162d5824f7e12abe85d676d605052cce8e04ecadd0b0eafbd59d97807a12186158064d8e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.exe
Filesize
56KB

MD5
cabd16d0692837cbbe6da0bcc3d84ebc

SHA1
29d428754879c181be0ac0139a7ff764f0ad31b2

SHA256
2a2aa00b1a5540347dd1cfddb5c41eadfd1b25cca087f0d96594c5669ea53a7e

SHA512
80493d57bb9596882f0e02fdfbda892b6e820876cae31d04dc1e594162d5824f7e12abe85d676d605052cce8e04ecadd0b0eafbd59d97807a12186158064d8e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\advapi32.dll
Filesize
1.1MB

MD5
486536825ff5e3219a8702319e064907

SHA1
34f7f9211e2fd9c166fb36ed1d4121ebd427bebd

SHA256
6ab2023a2bd76692a694a812bf86c341696810c61666586c09a343832f05dc01

SHA512
f77404db724b9f8e93d84f2f9f0cee10b05638bda4445facbfd262eca52f073e285c10f153133fc35f9a426eb84e87e8e0b320f2815b2405ca3ada7ac2fded4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\advapi32.dll
Filesize
1.1MB

MD5
486536825ff5e3219a8702319e064907

SHA1
34f7f9211e2fd9c166fb36ed1d4121ebd427bebd

SHA256
6ab2023a2bd76692a694a812bf86c341696810c61666586c09a343832f05dc01

SHA512
f77404db724b9f8e93d84f2f9f0cee10b05638bda4445facbfd262eca52f073e285c10f153133fc35f9a426eb84e87e8e0b320f2815b2405ca3ada7ac2fded4c

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
126KB

MD5
507e9dc7b9c42f535b6df96d79179835

SHA1
acf41fb549750023115f060071aa5ca8c33f249e

SHA256
3b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af

SHA512
70907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
126KB

MD5
507e9dc7b9c42f535b6df96d79179835

SHA1
acf41fb549750023115f060071aa5ca8c33f249e

SHA256
3b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af

SHA512
70907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302

Download Submit
memory/412-289-0x0000000000000000-mapping.dmp

Download
memory/640-283-0x0000000000000000-mapping.dmp

Download
memory/744-175-0x0000000000000000-mapping.dmp

Download
memory/1072-309-0x0000000000000000-mapping.dmp

Download
memory/1112-291-0x0000000000000000-mapping.dmp

Download
memory/1156-271-0x0000000000000000-mapping.dmp

Download
memory/1168-156-0x0000000000869000-0x0000000000888000-memory.dmp

Filesize
124KB

Download
memory/1168-158-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/1168-167-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/1168-166-0x0000000000869000-0x0000000000888000-memory.dmp

Filesize
124KB

Download
memory/1168-149-0x0000000000000000-mapping.dmp

Download
memory/1168-157-0x0000000000800000-0x000000000083E000-memory.dmp

Filesize
248KB

Download
memory/1220-297-0x0000000000000000-mapping.dmp

Download
memory/1220-165-0x0000000000000000-mapping.dmp

Download
memory/1224-268-0x0000000000000000-mapping.dmp

Download
memory/1276-277-0x0000000000000000-mapping.dmp

Download
memory/1364-302-0x0000000000000000-mapping.dmp

Download
memory/1368-203-0x0000000000000000-mapping.dmp

Download
memory/1368-207-0x0000000000790000-0x0000000000799000-memory.dmp

Filesize
36KB

Download
memory/1368-206-0x00000000007A0000-0x00000000007A5000-memory.dmp

Filesize
20KB

Download
memory/1404-170-0x0000000000000000-mapping.dmp

Download
memory/1564-233-0x0000000000000000-mapping.dmp

Download
memory/1600-264-0x0000000000000000-mapping.dmp

Download
memory/1616-171-0x0000000000000000-mapping.dmp

Download
memory/1924-286-0x0000000000000000-mapping.dmp

Download
memory/2248-140-0x0000000004D40000-0x00000000052E4000-memory.dmp

Filesize
5.6MB

Download
memory/2248-137-0x0000000000000000-mapping.dmp

Download
memory/2248-154-0x0000000005540000-0x0000000005552000-memory.dmp

Filesize
72KB

Download
memory/2248-191-0x0000000005E80000-0x0000000005EE6000-memory.dmp

Filesize
408KB

Download
memory/2248-152-0x00000000055E0000-0x0000000005BF8000-memory.dmp

Filesize
6.1MB

Download
memory/2248-155-0x0000000005560000-0x000000000559C000-memory.dmp

Filesize
240KB

Download
memory/2248-216-0x0000000000769000-0x000000000079A000-memory.dmp

Filesize
196KB

Download
memory/2248-145-0x00000000052F0000-0x0000000005382000-memory.dmp

Filesize
584KB

Download
memory/2248-153-0x0000000005410000-0x000000000551A000-memory.dmp

Filesize
1.0MB

Download
memory/2248-147-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/2248-198-0x0000000007500000-0x00000000076C2000-memory.dmp

Filesize
1.8MB

Download
memory/2248-199-0x00000000076E0000-0x0000000007C0C000-memory.dmp

Filesize
5.2MB

Download
memory/2248-200-0x0000000000769000-0x000000000079A000-memory.dmp

Filesize
196KB

Download
memory/2248-144-0x0000000000769000-0x000000000079A000-memory.dmp

Filesize
196KB

Download
memory/2248-146-0x0000000000700000-0x000000000073E000-memory.dmp

Filesize
248KB

Download
memory/2248-217-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/2320-174-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/2320-173-0x0000000000858000-0x0000000000877000-memory.dmp

Filesize
124KB

Download
memory/2320-159-0x0000000000000000-mapping.dmp

Download
memory/2320-219-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/2320-218-0x0000000000858000-0x0000000000877000-memory.dmp

Filesize
124KB

Download
memory/2328-238-0x0000000000000000-mapping.dmp

Download
memory/2328-239-0x0000000002460000-0x0000000002496000-memory.dmp

Filesize
216KB

Download
memory/2328-240-0x0000000004BF0000-0x0000000005218000-memory.dmp

Filesize
6.2MB

Download
memory/2328-241-0x00000000052A0000-0x00000000052C2000-memory.dmp

Filesize
136KB

Download
memory/2328-242-0x0000000005370000-0x00000000053D6000-memory.dmp

Filesize
408KB

Download
memory/2560-162-0x0000000000000000-mapping.dmp

Download
memory/2644-301-0x0000000000000000-mapping.dmp

Download
memory/2708-281-0x0000000000000000-mapping.dmp

Download
memory/2796-132-0x0000000000838000-0x0000000000849000-memory.dmp

Filesize
68KB

Download
memory/2796-194-0x0000000000000000-mapping.dmp

Download
memory/2796-133-0x0000000000730000-0x0000000000739000-memory.dmp

Filesize
36KB

Download
memory/2796-134-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2796-136-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2796-135-0x0000000000838000-0x0000000000849000-memory.dmp

Filesize
68KB

Download
memory/2796-234-0x0000000000EE0000-0x0000000000EE6000-memory.dmp

Filesize
24KB

Download
memory/2796-196-0x0000000000ED0000-0x0000000000EDC000-memory.dmp

Filesize
48KB

Download
memory/2796-195-0x0000000000EE0000-0x0000000000EE6000-memory.dmp

Filesize
24KB

Download
memory/2840-168-0x0000000000000000-mapping.dmp

Download
memory/3124-276-0x0000000000000000-mapping.dmp

Download
memory/3148-311-0x0000000000000000-mapping.dmp

Download
memory/3148-314-0x000002C214E10000-0x000002C214E30000-memory.dmp

Filesize
128KB

Download
memory/3160-280-0x0000000000000000-mapping.dmp

Download
memory/3212-310-0x0000000000000000-mapping.dmp

Download
memory/3440-278-0x0000000000000000-mapping.dmp

Download
memory/3476-208-0x00000000010E0000-0x00000000010EB000-memory.dmp

Filesize
44KB

Download
memory/3476-210-0x00000000010F0000-0x00000000010F6000-memory.dmp

Filesize
24KB

Download
memory/3476-247-0x00000000010F0000-0x00000000010F6000-memory.dmp

Filesize
24KB

Download
memory/3476-205-0x0000000000000000-mapping.dmp

Download
memory/3488-243-0x0000000000000000-mapping.dmp

Download
memory/3488-244-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3488-246-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3584-279-0x0000000000000000-mapping.dmp

Download
memory/3692-190-0x0000000000000000-mapping.dmp

Download
memory/3692-232-0x00000000010C0000-0x00000000010C5000-memory.dmp

Filesize
20KB

Download
memory/3692-192-0x00000000010C0000-0x00000000010C5000-memory.dmp

Filesize
20KB

Download
memory/3692-193-0x00000000010B0000-0x00000000010B9000-memory.dmp

Filesize
36KB

Download
memory/3724-163-0x0000000000000000-mapping.dmp

Download
memory/3744-292-0x0000000000000000-mapping.dmp

Download
memory/3812-202-0x0000000001000000-0x0000000001022000-memory.dmp

Filesize
136KB

Download
memory/3812-197-0x0000000000000000-mapping.dmp

Download
memory/3812-204-0x0000000000DD0000-0x0000000000DF7000-memory.dmp

Filesize
156KB

Download
memory/3932-296-0x0000000000000000-mapping.dmp

Download
memory/3964-298-0x0000000000000000-mapping.dmp

Download
memory/3968-224-0x0000000000C80000-0x0000000000C87000-memory.dmp

Filesize
28KB

Download
memory/3968-178-0x0000000000000000-mapping.dmp

Download
memory/3968-186-0x0000000000C70000-0x0000000000C7B000-memory.dmp

Filesize
44KB

Download
memory/3968-185-0x0000000000C80000-0x0000000000C87000-memory.dmp

Filesize
28KB

Download
memory/4088-236-0x0000000000000000-mapping.dmp

Download
memory/4140-293-0x0000000000000000-mapping.dmp

Download
memory/4156-290-0x0000000000000000-mapping.dmp

Download
memory/4244-169-0x0000000000000000-mapping.dmp

Download
memory/4268-235-0x0000000000000000-mapping.dmp

Download
memory/4272-275-0x0000000000000000-mapping.dmp

Download
memory/4344-284-0x0000000000000000-mapping.dmp

Download
memory/4408-209-0x0000000000000000-mapping.dmp

Download
memory/4408-214-0x0000000000B40000-0x0000000000B47000-memory.dmp

Filesize
28KB

Download
memory/4408-211-0x0000000000B30000-0x0000000000B3D000-memory.dmp

Filesize
52KB

Download
memory/4492-179-0x0000000000000000-mapping.dmp

Download
memory/4492-180-0x00000000013A0000-0x00000000013C8000-memory.dmp

Filesize
160KB

Download
memory/4500-288-0x0000000000000000-mapping.dmp

Download
memory/4540-294-0x0000000000000000-mapping.dmp

Download
memory/4548-201-0x00000000025B7000-0x0000000002AC5000-memory.dmp

Filesize
5.1MB

Download
memory/4548-148-0x00000000025B7000-0x0000000002AC5000-memory.dmp

Filesize
5.1MB

Download
memory/4548-172-0x0000000002BD4000-0x0000000002CD2000-memory.dmp

Filesize
1016KB

Download
memory/4548-223-0x000000000CF00000-0x000000000D07F000-memory.dmp

Filesize
1.5MB

Download
memory/4548-141-0x0000000000000000-mapping.dmp

Download
memory/4548-225-0x000000000CF00000-0x000000000D07F000-memory.dmp

Filesize
1.5MB

Download
memory/4556-213-0x0000000000000000-mapping.dmp

Download
memory/4556-215-0x0000000000C30000-0x0000000000C3B000-memory.dmp

Filesize
44KB

Download
memory/4556-220-0x0000000000C40000-0x0000000000C48000-memory.dmp

Filesize
32KB

Download
memory/4592-295-0x0000000000000000-mapping.dmp

Download
memory/4656-300-0x0000000000000000-mapping.dmp

Download
memory/4692-222-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/4692-221-0x000000000063C000-0x000000000065B000-memory.dmp

Filesize
124KB

Download
memory/4696-285-0x0000000000000000-mapping.dmp

Download
memory/4848-282-0x0000000000000000-mapping.dmp

Download
memory/4864-287-0x0000000000000000-mapping.dmp

Download
memory/4920-230-0x00000000008A0000-0x00000000008B4000-memory.dmp

Filesize
80KB

Download
memory/4920-231-0x0000000005170000-0x000000000517A000-memory.dmp

Filesize
40KB

Download
memory/4920-227-0x0000000000000000-mapping.dmp

Download
memory/4936-187-0x0000000000000000-mapping.dmp

Download
memory/4936-226-0x0000000000940000-0x0000000000949000-memory.dmp

Filesize
36KB

Download
memory/4936-189-0x0000000000930000-0x000000000093F000-memory.dmp

Filesize
60KB

Download
memory/4936-188-0x0000000000940000-0x0000000000949000-memory.dmp

Filesize
36KB

Download
memory/4964-164-0x0000000000000000-mapping.dmp

Download
memory/5076-237-0x0000000000000000-mapping.dmp

Download