blacknet | 9a6c2d66166996817c6559638cf166178f579790aa0990558998c7d284fb9348

Analysis

max time kernel
57s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
16-11-2022 05:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a6c2d66166996817c6559638cf166178f579790aa0990558998c7d284fb9348.exe
Size

233KB
MD5

5ca4d167e4df2aca3495c6651d5333ff
SHA1

387ec9692dc951d1c9c1cee6e089fc83a2d36a72
SHA256

9a6c2d66166996817c6559638cf166178f579790aa0990558998c7d284fb9348
SHA512

b24a12199564b756c07d0cbb109d1d69486fc9fcdbb333ccacab149b17db5746e25cea1d275f41d12c1473c53054aad7423c5c8055f09a7a557ecbb39cbb13be
SSDEEP

3072:/AXOkO0MlLMUwencKzYaS1/CEBOlXpL96BnntE35w1yTr5cBnpdNwkunP8CZ:/0xWlLMKncVB1yx8G361gr5AnpPwkuU

Score

10^/10

blacknet djvu redline smokeloader vidar 517 mario23_10 round3 backdoor collection discovery infostealer persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

djvu

http://fresherlights.com/lancer/get.php

Attributes

extension
.fate
offline_id
5IRhyFuF3rXlXBvF6jAWjHEAnAb432icDCcvZyt1
payload_url
http://uaery.top/dl/build2.exe
http://fresherlights.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-4wOUlYSwGo Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@fishmail.top Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0603Jhyjd

rsa_pubkey.plain

Extracted

Family

redline

Botnet

mario23_10

167.235.252.160:10642

Attributes

auth_value
eca57cfb5172f71dc45986763bb98942

Extracted

Family

vidar

Version

55.7

Botnet

517

https://t.me/deadftx

https://www.ultimate-guitar.com/u/smbfupkuhrgc1

Attributes

profile_id
517

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

Round3

http://zee.zight.ru

Mutex

BN[d396d077ee81b07d64cc8bbff27bbccb]

Attributes

antivm
true
elevate_uac
false
install_name
GPUpdate.exe
splitter
|BN|
start_name
e162b1333458a713bc6916cc8ac4110c
startup
false
usb_spread
false

aes.plain

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4560-291-0x0000000000570000-0x0000000000592000-memory.dmp	family_blacknet

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/4560-291-0x0000000000570000-0x0000000000592000-memory.dmp	disable_win_def

Detected Djvu ransomware 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3756-164-0x0000000002400000-0x000000000251B000-memory.dmp	family_djvu
behavioral1/memory/4624-171-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4624-168-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4624-165-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4624-177-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4624-191-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2852-200-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2852-202-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2852-203-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2852-262-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2284-133-0x0000000000AD0000-0x0000000000AD9000-memory.dmp	family_smokeloader
behavioral1/memory/260-169-0x00000000006A0000-0x00000000006A9000-memory.dmp	family_smokeloader
behavioral1/memory/3948-179-0x00000000006E0000-0x00000000006E9000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/584-205-0x0000000000400000-0x0000000000460000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 15 IoCs

Processes:

21F0.exe232A.exe24B1.exe288B.exe2B2C.exe2E0B.exe21F0.exe21F0.exe21F0.exebuild2.exebuild3.exebuild2.exemstsca.exe9F06.exeA3CA.exe

pid	process
3756	21F0.exe
2360	232A.exe
260	24B1.exe
3508	288B.exe
3948	2B2C.exe
2160	2E0B.exe
4624	21F0.exe
2324	21F0.exe
2852	21F0.exe
4988	build2.exe
4764	build3.exe
4848	build2.exe
4484	mstsca.exe
3520	9F06.exe
2492	A3CA.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

21F0.exe21F0.exebuild2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	21F0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	21F0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	build2.exe

Loads dropped DLL 4 IoCs

Processes:

regsvr32.exebuild2.exe

pid process

948 regsvr32.exe
948 regsvr32.exe
4848 build2.exe
4848 build2.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

5096 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
948	regsvr32.exe
948	regsvr32.exe
4848	build2.exe
4848	build2.exe

pid	process
5096	icacls.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

21F0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\125d9ff6-f4b1-41b2-816e-8dd1b9782f9b\\21F0.exe\" --AutoStart"	21F0.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

25 api.2ip.ua
26 api.2ip.ua
40 api.2ip.ua

flow	ioc
25	api.2ip.ua
26	api.2ip.ua
40	api.2ip.ua

Suspicious use of SetThreadContext 4 IoCs

Processes:

21F0.exe21F0.exe2E0B.exebuild2.exe

description	pid	process	target process
PID 3756 set thread context of 4624	3756	21F0.exe	21F0.exe
PID 2324 set thread context of 2852	2324	21F0.exe	21F0.exe
PID 2160 set thread context of 584	2160	2E0B.exe	vbc.exe
PID 4988 set thread context of 4848	4988	build2.exe	build2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

3700 3948 WerFault.exe 2B2C.exe
3212 2360 WerFault.exe 232A.exe
2420 3508 WerFault.exe 288B.exe
3708 2160 WerFault.exe 2E0B.exe

pid	pid_target	process	target process
3700	3948	WerFault.exe	2B2C.exe
3212	2360	WerFault.exe	232A.exe
2420	3508	WerFault.exe	288B.exe
3708	2160	WerFault.exe	2E0B.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

9a6c2d66166996817c6559638cf166178f579790aa0990558998c7d284fb9348.exe24B1.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9a6c2d66166996817c6559638cf166178f579790aa0990558998c7d284fb9348.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	24B1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	24B1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	24B1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9a6c2d66166996817c6559638cf166178f579790aa0990558998c7d284fb9348.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9a6c2d66166996817c6559638cf166178f579790aa0990558998c7d284fb9348.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

build2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1028 schtasks.exe
4188 schtasks.exe
4544 schtasks.exe
3568 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3952 timeout.exe

pid	process
1028	schtasks.exe
4188	schtasks.exe
4544	schtasks.exe
3568	schtasks.exe

pid	process
3952	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9a6c2d66166996817c6559638cf166178f579790aa0990558998c7d284fb9348.exe

pid	process
2284	9a6c2d66166996817c6559638cf166178f579790aa0990558998c7d284fb9348.exe
2284	9a6c2d66166996817c6559638cf166178f579790aa0990558998c7d284fb9348.exe
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2724
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

9a6c2d66166996817c6559638cf166178f579790aa0990558998c7d284fb9348.exe24B1.exe

pid process

2284 9a6c2d66166996817c6559638cf166178f579790aa0990558998c7d284fb9348.exe
2724
2724
2724
2724
260 24B1.exe

pid	process
2724

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

vbc.exe9F06.exe

description	pid	process
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeDebugPrivilege	584	vbc.exe
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeDebugPrivilege	3520	9F06.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exe21F0.exe21F0.exe21F0.exe2E0B.exe21F0.exe

description	pid	process	target process
PID 2724 wrote to memory of 740	2724		regsvr32.exe
PID 2724 wrote to memory of 740	2724		regsvr32.exe
PID 2724 wrote to memory of 3756	2724		21F0.exe
PID 2724 wrote to memory of 3756	2724		21F0.exe
PID 2724 wrote to memory of 3756	2724		21F0.exe
PID 740 wrote to memory of 948	740	regsvr32.exe	regsvr32.exe
PID 740 wrote to memory of 948	740	regsvr32.exe	regsvr32.exe
PID 740 wrote to memory of 948	740	regsvr32.exe	regsvr32.exe
PID 2724 wrote to memory of 2360	2724		232A.exe
PID 2724 wrote to memory of 2360	2724		232A.exe
PID 2724 wrote to memory of 2360	2724		232A.exe
PID 2724 wrote to memory of 260	2724		24B1.exe
PID 2724 wrote to memory of 260	2724		24B1.exe
PID 2724 wrote to memory of 260	2724		24B1.exe
PID 2724 wrote to memory of 3508	2724		288B.exe
PID 2724 wrote to memory of 3508	2724		288B.exe
PID 2724 wrote to memory of 3508	2724		288B.exe
PID 2724 wrote to memory of 3948	2724		2B2C.exe
PID 2724 wrote to memory of 3948	2724		2B2C.exe
PID 2724 wrote to memory of 3948	2724		2B2C.exe
PID 2724 wrote to memory of 2160	2724		2E0B.exe
PID 2724 wrote to memory of 2160	2724		2E0B.exe
PID 2724 wrote to memory of 2160	2724		2E0B.exe
PID 2724 wrote to memory of 4488	2724		explorer.exe
PID 2724 wrote to memory of 4488	2724		explorer.exe
PID 2724 wrote to memory of 4488	2724		explorer.exe
PID 2724 wrote to memory of 4488	2724		explorer.exe
PID 3756 wrote to memory of 4624	3756	21F0.exe	21F0.exe
PID 3756 wrote to memory of 4624	3756	21F0.exe	21F0.exe
PID 3756 wrote to memory of 4624	3756	21F0.exe	21F0.exe
PID 3756 wrote to memory of 4624	3756	21F0.exe	21F0.exe
PID 3756 wrote to memory of 4624	3756	21F0.exe	21F0.exe
PID 3756 wrote to memory of 4624	3756	21F0.exe	21F0.exe
PID 3756 wrote to memory of 4624	3756	21F0.exe	21F0.exe
PID 3756 wrote to memory of 4624	3756	21F0.exe	21F0.exe
PID 3756 wrote to memory of 4624	3756	21F0.exe	21F0.exe
PID 3756 wrote to memory of 4624	3756	21F0.exe	21F0.exe
PID 2724 wrote to memory of 3548	2724		explorer.exe
PID 2724 wrote to memory of 3548	2724		explorer.exe
PID 2724 wrote to memory of 3548	2724		explorer.exe
PID 4624 wrote to memory of 5096	4624	21F0.exe	icacls.exe
PID 4624 wrote to memory of 5096	4624	21F0.exe	icacls.exe
PID 4624 wrote to memory of 5096	4624	21F0.exe	icacls.exe
PID 4624 wrote to memory of 2324	4624	21F0.exe	21F0.exe
PID 4624 wrote to memory of 2324	4624	21F0.exe	21F0.exe
PID 4624 wrote to memory of 2324	4624	21F0.exe	21F0.exe
PID 2324 wrote to memory of 2852	2324	21F0.exe	21F0.exe
PID 2324 wrote to memory of 2852	2324	21F0.exe	21F0.exe
PID 2324 wrote to memory of 2852	2324	21F0.exe	21F0.exe
PID 2324 wrote to memory of 2852	2324	21F0.exe	21F0.exe
PID 2324 wrote to memory of 2852	2324	21F0.exe	21F0.exe
PID 2324 wrote to memory of 2852	2324	21F0.exe	21F0.exe
PID 2324 wrote to memory of 2852	2324	21F0.exe	21F0.exe
PID 2324 wrote to memory of 2852	2324	21F0.exe	21F0.exe
PID 2324 wrote to memory of 2852	2324	21F0.exe	21F0.exe
PID 2324 wrote to memory of 2852	2324	21F0.exe	21F0.exe
PID 2160 wrote to memory of 584	2160	2E0B.exe	vbc.exe
PID 2160 wrote to memory of 584	2160	2E0B.exe	vbc.exe
PID 2160 wrote to memory of 584	2160	2E0B.exe	vbc.exe
PID 2160 wrote to memory of 584	2160	2E0B.exe	vbc.exe
PID 2160 wrote to memory of 584	2160	2E0B.exe	vbc.exe
PID 2852 wrote to memory of 4988	2852	21F0.exe	build2.exe
PID 2852 wrote to memory of 4988	2852	21F0.exe	build2.exe
PID 2852 wrote to memory of 4988	2852	21F0.exe	build2.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\9a6c2d66166996817c6559638cf166178f579790aa0990558998c7d284fb9348.exe
"C:\Users\Admin\AppData\Local\Temp\9a6c2d66166996817c6559638cf166178f579790aa0990558998c7d284fb9348.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2284

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2143.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\2143.dll
2⤵
- Loads dropped DLL
PID:948

C:\Users\Admin\AppData\Local\Temp\21F0.exe
C:\Users\Admin\AppData\Local\Temp\21F0.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3756

C:\Users\Admin\AppData\Local\Temp\21F0.exe
C:\Users\Admin\AppData\Local\Temp\21F0.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4624

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\125d9ff6-f4b1-41b2-816e-8dd1b9782f9b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:5096

C:\Users\Admin\AppData\Local\Temp\21F0.exe
"C:\Users\Admin\AppData\Local\Temp\21F0.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2324

C:\Users\Admin\AppData\Local\Temp\21F0.exe
"C:\Users\Admin\AppData\Local\Temp\21F0.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2852

C:\Users\Admin\AppData\Local\1da7b8fd-d6a7-40c6-a6bf-53692362c7c1\build2.exe
"C:\Users\Admin\AppData\Local\1da7b8fd-d6a7-40c6-a6bf-53692362c7c1\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4988

C:\Users\Admin\AppData\Local\1da7b8fd-d6a7-40c6-a6bf-53692362c7c1\build2.exe
"C:\Users\Admin\AppData\Local\1da7b8fd-d6a7-40c6-a6bf-53692362c7c1\build2.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
PID:4848

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\1da7b8fd-d6a7-40c6-a6bf-53692362c7c1\build2.exe" & exit
7⤵
PID:112

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:3952

C:\Users\Admin\AppData\Local\1da7b8fd-d6a7-40c6-a6bf-53692362c7c1\build3.exe
"C:\Users\Admin\AppData\Local\1da7b8fd-d6a7-40c6-a6bf-53692362c7c1\build3.exe"
5⤵
- Executes dropped EXE
PID:4764

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
6⤵
- Creates scheduled task(s)
PID:3568

C:\Users\Admin\AppData\Local\Temp\232A.exe
C:\Users\Admin\AppData\Local\Temp\232A.exe
1⤵
- Executes dropped EXE
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 344
2⤵
- Program crash
PID:3212

C:\Users\Admin\AppData\Local\Temp\24B1.exe
C:\Users\Admin\AppData\Local\Temp\24B1.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:260

C:\Users\Admin\AppData\Local\Temp\288B.exe
C:\Users\Admin\AppData\Local\Temp\288B.exe
1⤵
- Executes dropped EXE
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 344
2⤵
- Program crash
PID:2420

C:\Users\Admin\AppData\Local\Temp\2B2C.exe
C:\Users\Admin\AppData\Local\Temp\2B2C.exe
1⤵
- Executes dropped EXE
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 340
2⤵
- Program crash
PID:3700

C:\Users\Admin\AppData\Local\Temp\2E0B.exe
C:\Users\Admin\AppData\Local\Temp\2E0B.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 304
2⤵
- Program crash
PID:3708

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:4488

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2360 -ip 2360
1⤵
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3948 -ip 3948
1⤵
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3508 -ip 3508
1⤵
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2160 -ip 2160
1⤵
PID:1436

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:4484

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
2⤵
- Creates scheduled task(s)
PID:1028

C:\Users\Admin\AppData\Local\Temp\9F06.exe
C:\Users\Admin\AppData\Local\Temp\9F06.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Users\Admin\AppData\Local\Temp\A3CA.exe
C:\Users\Admin\AppData\Local\Temp\A3CA.exe
1⤵
- Executes dropped EXE
PID:2492

C:\Users\Admin\AppData\Local\Temp\ABBA.exe
C:\Users\Admin\AppData\Local\Temp\ABBA.exe
1⤵
PID:3964

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\ABBA.exe" "C:\Users\Admin\AppData\Roaming\RegStart\RegStart.exe"
2⤵
PID:4876

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\RegStart\RegStart.exe'" /f
2⤵
PID:4276

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\RegStart"
2⤵
PID:4436

C:\Users\Admin\AppData\Local\Temp\ABBA.exe
"C:\Users\Admin\AppData\Local\Temp\ABBA.exe"
2⤵
PID:4560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
3⤵
PID:1096

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "GPUpdate.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\GPUpdate.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4544

C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\GPUpdate.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\GPUpdate.exe"
3⤵
PID:1516

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\RegStart\RegStart.exe'" /f
1⤵
- Creates scheduled task(s)
PID:4188

C:\Users\Admin\AppData\Local\Temp\BCC2.exe
C:\Users\Admin\AppData\Local\Temp\BCC2.exe
1⤵
PID:3860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
b00f59ce59a95f5fe629aff007e982fa

SHA1
8eb54eb49c540b80dba22e0a863f8122b48df410

SHA256
d3559d4f89073b9bd7764d42e0fd258f78d98b5344af368056696f5fb6a87c46

SHA512
6317a36087f2166e5a77a5761d7ad662c76b2989840af4e89e8a93845c8c7f47e6a26341be77db39ca687aacb5e50ad3730a5ee4b6d76669637b676a31b0efb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
8245d5e076774cc6f63bf77f4650bf3b

SHA1
2efdf2d5967e180eb13f9633094b617e4e1a8656

SHA256
b4247c5d4cedfc5c553005c58ea254e62b12ced6a28a183fcc3823e4d1cfbc53

SHA512
a2eb33bdb4f996bb67508b8add8f042bf26223f427caefa1ef1388cdecd6f15eecbc197d88a59e64f1a0f7e8a14983ab96bbe6463f2cadf39e6637679f34ad54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
c0d6675af0f3b1a602c408533e9f09c6

SHA1
698526f86a2a76393c3828c3b120a045cb1f0778

SHA256
bf86b0529577305fe3483356bd0b25e0df4721d63989ea9ee6ca4f2cc4cbc4de

SHA512
1410d607a6a6157af305f1ba2e100e2f28763ec61eaab660c15ba5036ec86cb9eb7473c682798eb1c418d15a27d5bd7b6e4f74d3b0230e8caa5118bea5e50920

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
e542831db48c0bd420c124a91de2b521

SHA1
27a5e6a19dc790dd806447a0ca55b405bc72ec35

SHA256
d621d68ff2e29acba82a1510d53376521670afacf96323cae3e8c74ce5875122

SHA512
3d05ce2cb07baa58b16741f0b37363c69fef392ba6de3a1c13f5e4de0549dc255e5a519eb95896aaf0cadb081dde0e2cc403c6aea40d519c8121f78a8335f664

Download Submit
C:\Users\Admin\AppData\Local\125d9ff6-f4b1-41b2-816e-8dd1b9782f9b\21F0.exe
Filesize
713KB

MD5
a37ba1ad6cca41dc758263e7a1ca8375

SHA1
36ff2742ce4fd0955006241513618f9f39f99634

SHA256
8dd9dd543aed06b4c4bebe27ad4e090f31dd13b4d57998c2d24439ab3389e8a5

SHA512
cff9632e84e2e86da31f8e1440adfac7beba2b7f8461507129343d07a1796e28a38e94111964ecb53b141c60060c63d443556cf52241aa4a445dfc85135f7ca3

Download Submit
C:\Users\Admin\AppData\Local\1da7b8fd-d6a7-40c6-a6bf-53692362c7c1\build2.exe
Filesize
388KB

MD5
8b401fc82a41458872b2e5345600f46f

SHA1
61bcf479e850a0cacc646529a3ec919968379a75

SHA256
2631ab16a328fb1e677dfffbebe122cf9b96540df841edcac6a5a20bd54d6214

SHA512
ee5652cfba1b32bd9baff0ce09d5396a38b44e4b8443d49c0fcbce897399704a05fc202aae19d3090f9164ff45bfa342cbab666a5cd13f0bd5e86d066e4a14bd

Download Submit
C:\Users\Admin\AppData\Local\1da7b8fd-d6a7-40c6-a6bf-53692362c7c1\build2.exe
Filesize
388KB

MD5
8b401fc82a41458872b2e5345600f46f

SHA1
61bcf479e850a0cacc646529a3ec919968379a75

SHA256
2631ab16a328fb1e677dfffbebe122cf9b96540df841edcac6a5a20bd54d6214

SHA512
ee5652cfba1b32bd9baff0ce09d5396a38b44e4b8443d49c0fcbce897399704a05fc202aae19d3090f9164ff45bfa342cbab666a5cd13f0bd5e86d066e4a14bd

Download Submit
C:\Users\Admin\AppData\Local\1da7b8fd-d6a7-40c6-a6bf-53692362c7c1\build2.exe
Filesize
388KB

MD5
8b401fc82a41458872b2e5345600f46f

SHA1
61bcf479e850a0cacc646529a3ec919968379a75

SHA256
2631ab16a328fb1e677dfffbebe122cf9b96540df841edcac6a5a20bd54d6214

SHA512
ee5652cfba1b32bd9baff0ce09d5396a38b44e4b8443d49c0fcbce897399704a05fc202aae19d3090f9164ff45bfa342cbab666a5cd13f0bd5e86d066e4a14bd

Download Submit
C:\Users\Admin\AppData\Local\1da7b8fd-d6a7-40c6-a6bf-53692362c7c1\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\1da7b8fd-d6a7-40c6-a6bf-53692362c7c1\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ABBA.exe.log
Filesize
612B

MD5
4bc94363628f46b343c5e8e2da62ca26

SHA1
8a41ac46e24d790e11a407d0e957c4a6be6056c4

SHA256
c8e1d0b306825b2c9a3ed32a461dd191ceb861205425fdfb687a4889684a3e1a

SHA512
cf8ede5b84ba775d8ff89752530fa899d6b2e6424549202ab782a3caa92c0d9a31e9b2f660b51eedc932a68ba25e9ec228bb965cdc183e600ea8aa5a6736f829

Download Submit
C:\Users\Admin\AppData\Local\Temp\2143.dll
Filesize
2.3MB

MD5
91e57b74fffc60ddd7c000c9c748bd14

SHA1
2b7da9f3998af0ceba1ce03b32bd1daa4490b062

SHA256
51ed516800a48c2643dc35a44850acb4336e241c9ce9987f9a2c64ca8f1f5599

SHA512
984fd73a8f5f32e842e21fbba58c971467ff85abb22159457e1cb8c1b889ec8fb0357771543942547ebb898e8ff59d163dc5b008c04fb4d8805c364760133d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2143.dll
Filesize
2.3MB

MD5
91e57b74fffc60ddd7c000c9c748bd14

SHA1
2b7da9f3998af0ceba1ce03b32bd1daa4490b062

SHA256
51ed516800a48c2643dc35a44850acb4336e241c9ce9987f9a2c64ca8f1f5599

SHA512
984fd73a8f5f32e842e21fbba58c971467ff85abb22159457e1cb8c1b889ec8fb0357771543942547ebb898e8ff59d163dc5b008c04fb4d8805c364760133d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2143.dll
Filesize
2.3MB

MD5
91e57b74fffc60ddd7c000c9c748bd14

SHA1
2b7da9f3998af0ceba1ce03b32bd1daa4490b062

SHA256
51ed516800a48c2643dc35a44850acb4336e241c9ce9987f9a2c64ca8f1f5599

SHA512
984fd73a8f5f32e842e21fbba58c971467ff85abb22159457e1cb8c1b889ec8fb0357771543942547ebb898e8ff59d163dc5b008c04fb4d8805c364760133d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F0.exe
Filesize
713KB

MD5
a37ba1ad6cca41dc758263e7a1ca8375

SHA1
36ff2742ce4fd0955006241513618f9f39f99634

SHA256
8dd9dd543aed06b4c4bebe27ad4e090f31dd13b4d57998c2d24439ab3389e8a5

SHA512
cff9632e84e2e86da31f8e1440adfac7beba2b7f8461507129343d07a1796e28a38e94111964ecb53b141c60060c63d443556cf52241aa4a445dfc85135f7ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F0.exe
Filesize
713KB

MD5
a37ba1ad6cca41dc758263e7a1ca8375

SHA1
36ff2742ce4fd0955006241513618f9f39f99634

SHA256
8dd9dd543aed06b4c4bebe27ad4e090f31dd13b4d57998c2d24439ab3389e8a5

SHA512
cff9632e84e2e86da31f8e1440adfac7beba2b7f8461507129343d07a1796e28a38e94111964ecb53b141c60060c63d443556cf52241aa4a445dfc85135f7ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F0.exe
Filesize
713KB

MD5
a37ba1ad6cca41dc758263e7a1ca8375

SHA1
36ff2742ce4fd0955006241513618f9f39f99634

SHA256
8dd9dd543aed06b4c4bebe27ad4e090f31dd13b4d57998c2d24439ab3389e8a5

SHA512
cff9632e84e2e86da31f8e1440adfac7beba2b7f8461507129343d07a1796e28a38e94111964ecb53b141c60060c63d443556cf52241aa4a445dfc85135f7ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F0.exe
Filesize
713KB

MD5
a37ba1ad6cca41dc758263e7a1ca8375

SHA1
36ff2742ce4fd0955006241513618f9f39f99634

SHA256
8dd9dd543aed06b4c4bebe27ad4e090f31dd13b4d57998c2d24439ab3389e8a5

SHA512
cff9632e84e2e86da31f8e1440adfac7beba2b7f8461507129343d07a1796e28a38e94111964ecb53b141c60060c63d443556cf52241aa4a445dfc85135f7ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F0.exe
Filesize
713KB

MD5
a37ba1ad6cca41dc758263e7a1ca8375

SHA1
36ff2742ce4fd0955006241513618f9f39f99634

SHA256
8dd9dd543aed06b4c4bebe27ad4e090f31dd13b4d57998c2d24439ab3389e8a5

SHA512
cff9632e84e2e86da31f8e1440adfac7beba2b7f8461507129343d07a1796e28a38e94111964ecb53b141c60060c63d443556cf52241aa4a445dfc85135f7ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\232A.exe
Filesize
233KB

MD5
69a0f9003668899aad45e8a37a5738a4

SHA1
fef3c738a728fb4a6f3abed2a1ca1ef7444d83f8

SHA256
ea2abcb9d129638646863e59669f9ae9f9dcddf1c4df19350edb6606e7495f7b

SHA512
28469314d7122aa5415ed00aeaac1dfa78d9b866e01a97d636355f3c19914799317ae40a5e923f232465fb7244da203a425ca29ddd17dd57d4f2d958dd23d578

Download Submit
C:\Users\Admin\AppData\Local\Temp\232A.exe
Filesize
233KB

MD5
69a0f9003668899aad45e8a37a5738a4

SHA1
fef3c738a728fb4a6f3abed2a1ca1ef7444d83f8

SHA256
ea2abcb9d129638646863e59669f9ae9f9dcddf1c4df19350edb6606e7495f7b

SHA512
28469314d7122aa5415ed00aeaac1dfa78d9b866e01a97d636355f3c19914799317ae40a5e923f232465fb7244da203a425ca29ddd17dd57d4f2d958dd23d578

Download Submit
C:\Users\Admin\AppData\Local\Temp\24B1.exe
Filesize
194KB

MD5
ed213e4bc29a858d02c8a098726af415

SHA1
294d8ec598e036293003fec60a0ccf380866cdb1

SHA256
2864bdc94206d96289b3eefdaca92291d6b71b47707ba81b5970c5fdf7dbe71b

SHA512
08c72701a3b59b5cbd9da6b0cd1569250912e84c7ed95436709d1b8685cbadf053c7b7794bd8d8130cde1ab28043f8454d4a455250c2ab9adee0d6de318a9b83

Download Submit
C:\Users\Admin\AppData\Local\Temp\24B1.exe
Filesize
194KB

MD5
ed213e4bc29a858d02c8a098726af415

SHA1
294d8ec598e036293003fec60a0ccf380866cdb1

SHA256
2864bdc94206d96289b3eefdaca92291d6b71b47707ba81b5970c5fdf7dbe71b

SHA512
08c72701a3b59b5cbd9da6b0cd1569250912e84c7ed95436709d1b8685cbadf053c7b7794bd8d8130cde1ab28043f8454d4a455250c2ab9adee0d6de318a9b83

Download Submit
C:\Users\Admin\AppData\Local\Temp\288B.exe
Filesize
234KB

MD5
19a78f2402f65d4bbeeaa65a2f4facf6

SHA1
af355b32b36b3c87ef1581e618a80348a1377862

SHA256
f65a178e29a850ae74d62a3ad260fca44fea2fdda73d5cf542d94e658850383f

SHA512
53352a6e3bc62a8f66c9b9f448e99248aa398b3c8ea79139184895c9c06180164074ddd0f08e6c8933286995c5af0a7b2a4c2c3deaf15c64dee74c415715bd68

Download Submit
C:\Users\Admin\AppData\Local\Temp\288B.exe
Filesize
234KB

MD5
19a78f2402f65d4bbeeaa65a2f4facf6

SHA1
af355b32b36b3c87ef1581e618a80348a1377862

SHA256
f65a178e29a850ae74d62a3ad260fca44fea2fdda73d5cf542d94e658850383f

SHA512
53352a6e3bc62a8f66c9b9f448e99248aa398b3c8ea79139184895c9c06180164074ddd0f08e6c8933286995c5af0a7b2a4c2c3deaf15c64dee74c415715bd68

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B2C.exe
Filesize
193KB

MD5
5546cfd7b05f3cd179b1feeeb6a0783e

SHA1
bb5296a2d61d502e9c5fa96aadc7e31dbd3fea9b

SHA256
21d561f3ac5da5e3760216e1d22817ff13bb7234508dfe960df939884da98f47

SHA512
20f10d819a39918fbfdd4fe5635501f21912d0138b607437d2cf29041a36808a29969c93b2014e9f317ca9dc9a742540503f08689a0af4caaac45197ffe87503

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B2C.exe
Filesize
193KB

MD5
5546cfd7b05f3cd179b1feeeb6a0783e

SHA1
bb5296a2d61d502e9c5fa96aadc7e31dbd3fea9b

SHA256
21d561f3ac5da5e3760216e1d22817ff13bb7234508dfe960df939884da98f47

SHA512
20f10d819a39918fbfdd4fe5635501f21912d0138b607437d2cf29041a36808a29969c93b2014e9f317ca9dc9a742540503f08689a0af4caaac45197ffe87503

Download Submit
C:\Users\Admin\AppData\Local\Temp\2E0B.exe
Filesize
456KB

MD5
ffdaa25a575d34a97a33a00d7a5ea8e7

SHA1
9212e5bec1044f778efd7c6f5b476801a645ea33

SHA256
4aeb2a312b9110271a96098aa5fa3351ad7e79d5a05517de13928e26a434869a

SHA512
6ba9234b1613516e2da4e899b79c7a94db4b7d62f88d7a2b50a7a43b656d497799b0b5e3fe7820238328287eee6c53589b077abc1b1ef5b0dc7888cd9303ee11

Download Submit
C:\Users\Admin\AppData\Local\Temp\2E0B.exe
Filesize
456KB

MD5
ffdaa25a575d34a97a33a00d7a5ea8e7

SHA1
9212e5bec1044f778efd7c6f5b476801a645ea33

SHA256
4aeb2a312b9110271a96098aa5fa3351ad7e79d5a05517de13928e26a434869a

SHA512
6ba9234b1613516e2da4e899b79c7a94db4b7d62f88d7a2b50a7a43b656d497799b0b5e3fe7820238328287eee6c53589b077abc1b1ef5b0dc7888cd9303ee11

Download Submit
C:\Users\Admin\AppData\Local\Temp\9F06.exe
Filesize
329KB

MD5
957f697616f3a61b537fa480ce31950d

SHA1
026d5a939ae7fa96d97891144d37d848a05ff997

SHA256
8d8ddb38644a73a9111064359d82fb5bbeba1a3dea9662b8f6025dd9f6cf54aa

SHA512
675dc3fb116aa41b6388047a277d5241227f982c4a5353b3e87004973af7cb93749db6e0abc1bcd036b169ffdd384de92bc231e54ea08813419b6611c266ec18

Download Submit
C:\Users\Admin\AppData\Local\Temp\9F06.exe
Filesize
329KB

MD5
957f697616f3a61b537fa480ce31950d

SHA1
026d5a939ae7fa96d97891144d37d848a05ff997

SHA256
8d8ddb38644a73a9111064359d82fb5bbeba1a3dea9662b8f6025dd9f6cf54aa

SHA512
675dc3fb116aa41b6388047a277d5241227f982c4a5353b3e87004973af7cb93749db6e0abc1bcd036b169ffdd384de92bc231e54ea08813419b6611c266ec18

Download Submit
C:\Users\Admin\AppData\Local\Temp\A3CA.exe
Filesize
4.2MB

MD5
a62965dde47512afd390806c88f6821b

SHA1
f389db3ccfd224c398e33375521ae18b5dc6b8fd

SHA256
e3277990b72605b6007680f0709c1d6b7e2e178b71d6d3f45635ae1d085b1400

SHA512
89dc8bd1ace718ba9326b3b12ac9aeca4e7d32afffd58676657966fa8e6c984eb346e88654e97603f47d0194d452e8da03d97acfd64be34ac10191f7ff30cacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ABBA.exe
Filesize
356KB

MD5
354d20e21be15dd24eb8a9b2b18a8407

SHA1
f3c9182f5a8a45ee8f9cbcf2e4584c38ff670533

SHA256
0cfd96c0bef9061e95adbc2f00f6e0bd39c1103ca4761c9af850528d28455b44

SHA512
7bcfd0d2bca8a7bc3f0836c012438125cabdac11e7978f3d8a55ace928fe98ceac8ddf7cab146847ad9c9299c9231711df5b52cb0e429bcb5f519fae7353edb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ABBA.exe
Filesize
356KB

MD5
354d20e21be15dd24eb8a9b2b18a8407

SHA1
f3c9182f5a8a45ee8f9cbcf2e4584c38ff670533

SHA256
0cfd96c0bef9061e95adbc2f00f6e0bd39c1103ca4761c9af850528d28455b44

SHA512
7bcfd0d2bca8a7bc3f0836c012438125cabdac11e7978f3d8a55ace928fe98ceac8ddf7cab146847ad9c9299c9231711df5b52cb0e429bcb5f519fae7353edb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ABBA.exe
Filesize
356KB

MD5
354d20e21be15dd24eb8a9b2b18a8407

SHA1
f3c9182f5a8a45ee8f9cbcf2e4584c38ff670533

SHA256
0cfd96c0bef9061e95adbc2f00f6e0bd39c1103ca4761c9af850528d28455b44

SHA512
7bcfd0d2bca8a7bc3f0836c012438125cabdac11e7978f3d8a55ace928fe98ceac8ddf7cab146847ad9c9299c9231711df5b52cb0e429bcb5f519fae7353edb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\BCC2.exe
Filesize
3.0MB

MD5
36da8ca92f8725823be3112ad6387a19

SHA1
daff6fee3427fcc8d5578c38473e9cef64af8bf6

SHA256
c1ec537c48cc89eb36163eea90e1b6de9a0d5a23ee1b9fd6b9188057bb168fe2

SHA512
a52e8ff50df8260bfb8368a1c53959fedf0b609c5cf5fb1d3fde5de0b800603e637f9afac939bddb7234e2215ba2b83a28af0fbc4cc5fbb2c7c2012c1b30ac2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BCC2.exe
Filesize
3.0MB

MD5
36da8ca92f8725823be3112ad6387a19

SHA1
daff6fee3427fcc8d5578c38473e9cef64af8bf6

SHA256
c1ec537c48cc89eb36163eea90e1b6de9a0d5a23ee1b9fd6b9188057bb168fe2

SHA512
a52e8ff50df8260bfb8368a1c53959fedf0b609c5cf5fb1d3fde5de0b800603e637f9afac939bddb7234e2215ba2b83a28af0fbc4cc5fbb2c7c2012c1b30ac2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\GPUpdate.exe
Filesize
356KB

MD5
354d20e21be15dd24eb8a9b2b18a8407

SHA1
f3c9182f5a8a45ee8f9cbcf2e4584c38ff670533

SHA256
0cfd96c0bef9061e95adbc2f00f6e0bd39c1103ca4761c9af850528d28455b44

SHA512
7bcfd0d2bca8a7bc3f0836c012438125cabdac11e7978f3d8a55ace928fe98ceac8ddf7cab146847ad9c9299c9231711df5b52cb0e429bcb5f519fae7353edb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\GPUpdate.exe
Filesize
356KB

MD5
354d20e21be15dd24eb8a9b2b18a8407

SHA1
f3c9182f5a8a45ee8f9cbcf2e4584c38ff670533

SHA256
0cfd96c0bef9061e95adbc2f00f6e0bd39c1103ca4761c9af850528d28455b44

SHA512
7bcfd0d2bca8a7bc3f0836c012438125cabdac11e7978f3d8a55ace928fe98ceac8ddf7cab146847ad9c9299c9231711df5b52cb0e429bcb5f519fae7353edb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
memory/112-259-0x0000000000000000-mapping.dmp

Download
memory/260-172-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/260-148-0x0000000000000000-mapping.dmp

Download
memory/260-169-0x00000000006A0000-0x00000000006A9000-memory.dmp

Filesize
36KB

Download
memory/260-166-0x0000000000888000-0x0000000000899000-memory.dmp

Filesize
68KB

Download
memory/260-188-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/584-217-0x0000000005420000-0x000000000545C000-memory.dmp

Filesize
240KB

Download
memory/584-204-0x0000000000000000-mapping.dmp

Download
memory/584-216-0x00000000053C0000-0x00000000053D2000-memory.dmp

Filesize
72KB

Download
memory/584-215-0x0000000005490000-0x000000000559A000-memory.dmp

Filesize
1.0MB

Download
memory/584-264-0x0000000008BE0000-0x000000000910C000-memory.dmp

Filesize
5.2MB

Download
memory/584-263-0x0000000006830000-0x00000000069F2000-memory.dmp

Filesize
1.8MB

Download
memory/584-214-0x0000000005950000-0x0000000005F68000-memory.dmp

Filesize
6.1MB

Download
memory/584-255-0x0000000006AB0000-0x0000000007054000-memory.dmp

Filesize
5.6MB

Download
memory/584-254-0x0000000006460000-0x00000000064F2000-memory.dmp

Filesize
584KB

Download
memory/584-253-0x0000000005730000-0x0000000005796000-memory.dmp

Filesize
408KB

Download
memory/584-205-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/740-136-0x0000000000000000-mapping.dmp

Download
memory/948-189-0x0000000002EC0000-0x0000000002F8B000-memory.dmp

Filesize
812KB

Download
memory/948-193-0x0000000002FA0000-0x0000000003057000-memory.dmp

Filesize
732KB

Download
memory/948-196-0x0000000002D60000-0x0000000002EA1000-memory.dmp

Filesize
1.3MB

Download
memory/948-144-0x0000000002460000-0x00000000026AA000-memory.dmp

Filesize
2.3MB

Download
memory/948-155-0x0000000002A60000-0x0000000002C13000-memory.dmp

Filesize
1.7MB

Download
memory/948-141-0x0000000000000000-mapping.dmp

Download
memory/948-156-0x0000000002D60000-0x0000000002EA1000-memory.dmp

Filesize
1.3MB

Download
memory/948-194-0x0000000002FA0000-0x0000000003057000-memory.dmp

Filesize
732KB

Download
memory/1028-258-0x0000000000000000-mapping.dmp

Download
memory/1096-300-0x00000000057E0000-0x0000000005E08000-memory.dmp

Filesize
6.2MB

Download
memory/1096-299-0x0000000004FB0000-0x0000000004FE6000-memory.dmp

Filesize
216KB

Download
memory/1096-308-0x0000000074180000-0x00000000741CC000-memory.dmp

Filesize
304KB

Download
memory/1096-307-0x0000000006B40000-0x0000000006B72000-memory.dmp

Filesize
200KB

Download
memory/1096-302-0x0000000005E80000-0x0000000005EE6000-memory.dmp

Filesize
408KB

Download
memory/1096-306-0x0000000006560000-0x000000000657E000-memory.dmp

Filesize
120KB

Download
memory/1096-298-0x0000000000000000-mapping.dmp

Download
memory/1096-309-0x0000000006B20000-0x0000000006B3E000-memory.dmp

Filesize
120KB

Download
memory/1096-301-0x00000000057A0000-0x00000000057C2000-memory.dmp

Filesize
136KB

Download
memory/1516-310-0x0000000000000000-mapping.dmp

Download
memory/2160-159-0x0000000000000000-mapping.dmp

Download
memory/2284-135-0x0000000000400000-0x000000000083E000-memory.dmp

Filesize
4.2MB

Download
memory/2284-133-0x0000000000AD0000-0x0000000000AD9000-memory.dmp

Filesize
36KB

Download
memory/2284-134-0x0000000000400000-0x000000000083E000-memory.dmp

Filesize
4.2MB

Download
memory/2284-132-0x0000000000B2D000-0x0000000000B43000-memory.dmp

Filesize
88KB

Download
memory/2324-201-0x00000000022BC000-0x000000000234E000-memory.dmp

Filesize
584KB

Download
memory/2324-190-0x0000000000000000-mapping.dmp

Download
memory/2360-145-0x0000000000000000-mapping.dmp

Download
memory/2360-181-0x0000000000400000-0x000000000083E000-memory.dmp

Filesize
4.2MB

Download
memory/2360-180-0x000000000096D000-0x0000000000983000-memory.dmp

Filesize
88KB

Download
memory/2492-275-0x0000000000400000-0x0000000000C8F000-memory.dmp

Filesize
8.6MB

Download
memory/2492-279-0x0000000077DA0000-0x0000000077F43000-memory.dmp

Filesize
1.6MB

Download
memory/2492-285-0x0000000005A70000-0x0000000005AC0000-memory.dmp

Filesize
320KB

Download
memory/2492-274-0x0000000000400000-0x0000000000C8F000-memory.dmp

Filesize
8.6MB

Download
memory/2492-283-0x0000000005390000-0x0000000005406000-memory.dmp

Filesize
472KB

Download
memory/2492-268-0x0000000000000000-mapping.dmp

Download
memory/2492-273-0x0000000000400000-0x0000000000C8F000-memory.dmp

Filesize
8.6MB

Download
memory/2492-276-0x0000000000400000-0x0000000000C8F000-memory.dmp

Filesize
8.6MB

Download
memory/2492-286-0x0000000000400000-0x0000000000C8F000-memory.dmp

Filesize
8.6MB

Download
memory/2492-277-0x0000000000400000-0x0000000000C8F000-memory.dmp

Filesize
8.6MB

Download
memory/2492-278-0x0000000000400000-0x0000000000C8F000-memory.dmp

Filesize
8.6MB

Download
memory/2852-203-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2852-202-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2852-200-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2852-262-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2852-197-0x0000000000000000-mapping.dmp

Download
memory/3508-151-0x0000000000000000-mapping.dmp

Download
memory/3508-185-0x0000000000400000-0x000000000083E000-memory.dmp

Filesize
4.2MB

Download
memory/3508-184-0x000000000099D000-0x00000000009B3000-memory.dmp

Filesize
88KB

Download
memory/3520-272-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/3520-271-0x0000000000820000-0x000000000085E000-memory.dmp

Filesize
248KB

Download
memory/3520-270-0x00000000008B8000-0x00000000008E9000-memory.dmp

Filesize
196KB

Download
memory/3520-265-0x0000000000000000-mapping.dmp

Download
memory/3548-175-0x00000000009D0000-0x00000000009DC000-memory.dmp

Filesize
48KB

Download
memory/3548-173-0x0000000000000000-mapping.dmp

Download
memory/3568-224-0x0000000000000000-mapping.dmp

Download
memory/3756-138-0x0000000000000000-mapping.dmp

Download
memory/3756-162-0x000000000229A000-0x000000000232C000-memory.dmp

Filesize
584KB

Download
memory/3756-164-0x0000000002400000-0x000000000251B000-memory.dmp

Filesize
1.1MB

Download
memory/3860-303-0x0000000000000000-mapping.dmp

Download
memory/3948-154-0x0000000000000000-mapping.dmp

Download
memory/3948-179-0x00000000006E0000-0x00000000006E9000-memory.dmp

Filesize
36KB

Download
memory/3948-182-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/3948-178-0x00000000008C8000-0x00000000008D9000-memory.dmp

Filesize
68KB

Download
memory/3952-261-0x0000000000000000-mapping.dmp

Download
memory/3964-284-0x0000000000DF0000-0x0000000000E4E000-memory.dmp

Filesize
376KB

Download
memory/3964-280-0x0000000000000000-mapping.dmp

Download
memory/4188-296-0x0000000000000000-mapping.dmp

Download
memory/4276-293-0x0000000000000000-mapping.dmp

Download
memory/4436-290-0x0000000000000000-mapping.dmp

Download
memory/4488-183-0x0000000000650000-0x00000000006BB000-memory.dmp

Filesize
428KB

Download
memory/4488-174-0x0000000000650000-0x00000000006BB000-memory.dmp

Filesize
428KB

Download
memory/4488-161-0x0000000000000000-mapping.dmp

Download
memory/4488-176-0x00000000006C0000-0x0000000000735000-memory.dmp

Filesize
468KB

Download
memory/4544-311-0x0000000000000000-mapping.dmp

Download
memory/4560-297-0x0000000004D30000-0x0000000004D86000-memory.dmp

Filesize
344KB

Download
memory/4560-292-0x0000000004A00000-0x0000000004A9C000-memory.dmp

Filesize
624KB

Download
memory/4560-295-0x0000000004AF0000-0x0000000004AFA000-memory.dmp

Filesize
40KB

Download
memory/4560-291-0x0000000000570000-0x0000000000592000-memory.dmp

Filesize
136KB

Download
memory/4560-287-0x0000000000000000-mapping.dmp

Download
memory/4560-314-0x0000000004AA0000-0x0000000005044000-memory.dmp

Filesize
5.6MB

Download
memory/4624-168-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4624-163-0x0000000000000000-mapping.dmp

Download
memory/4624-191-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4624-177-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4624-165-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4624-171-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4764-221-0x0000000000000000-mapping.dmp

Download
memory/4848-225-0x0000000000000000-mapping.dmp

Download
memory/4848-226-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4848-228-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4848-230-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4848-260-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4848-233-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4848-232-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4876-294-0x0000000000000000-mapping.dmp

Download
memory/4988-218-0x0000000000000000-mapping.dmp

Download
memory/4988-229-0x00000000008F2000-0x000000000091E000-memory.dmp

Filesize
176KB

Download
memory/4988-231-0x00000000009E0000-0x0000000000A2B000-memory.dmp

Filesize
300KB

Download
memory/5096-186-0x0000000000000000-mapping.dmp

Download