e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62

Analysis

max time kernel
152s
max time network
179s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe
Size

547KB
MD5

1a52955778b43f45abab5e588a951128
SHA1

13038a9c180a6e6ec9825b11fba951757652864b
SHA256

e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62
SHA512

4f3567458b31ac2df6583cf4ad750c0a9afb253a691abfcf0e6f782604b4023b5e72e2f6fdf7c36d15dd64cfd5b3eb4860c4180c9fbea41cbbaf22c60e9ddaab
SSDEEP

12288:DpU6okHHkvPirg1OP7uMYgLiryi9SOEYU0xiXc5XAaJ:1Upkn4rc7uMYgLirVp4gJ

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 21 IoCs

Processes:

rundll32.exe

flow	pid	process
4	268	rundll32.exe
6	268	rundll32.exe
8	268	rundll32.exe
10	268	rundll32.exe
12	268	rundll32.exe
14	268	rundll32.exe
17	268	rundll32.exe
18	268	rundll32.exe
20	268	rundll32.exe
22	268	rundll32.exe
24	268	rundll32.exe
26	268	rundll32.exe
28	268	rundll32.exe
29	268	rundll32.exe
31	268	rundll32.exe
32	268	rundll32.exe
33	268	rundll32.exe
34	268	rundll32.exe
35	268	rundll32.exe
36	268	rundll32.exe
37	268	rundll32.exe

Executes dropped EXE 2 IoCs

Processes:

file.exee3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe

pid process

1920 file.exe
1312 e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1112 cmd.exe

pid	process
1920	file.exe
1312	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe

pid	process
1112	cmd.exe

Loads dropped DLL 9 IoCs

Processes:

e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.execmd.exerundll32.exee3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe

pid	process
1188	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe
1188	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe
1112	cmd.exe
1112	cmd.exe
268	rundll32.exe
268	rundll32.exe
268	rundll32.exe
268	rundll32.exe
1312	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exeExplorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\UgzoWrog = "regsvr32.exe \"C:\\ProgramData\\UgzoWrog\\UgzoWrog.dat\""	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\UgzoWrog = "regsvr32.exe \"C:\\ProgramData\\UgzoWrog\\UgzoWrog.dat\""	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	Explorer.EXE

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = "0"	Explorer.EXE

Modifies registry class 8 IoCs

Processes:

rundll32.exee3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exeExplorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{18715C6D-78DC-4319-BBB7-4A0C7BF06F4A}	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{05967FD0-47C4-4EB4-956E-06D9193E47BE}	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{05967FD0-47C4-4EB4-956E-06D9193E47BE}\#sd = 433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c54656d705c653363326237363163653661313838653936363934383064353233363866336538363534393961303638313364393339633233616439313564343963626136322e65786500	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{05967FD0-47C4-4EB4-956E-06D9193E47BE}	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{18715C6D-78DC-4319-BBB7-4A0C7BF06F4A}	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{18715C6D-78DC-4319-BBB7-4A0C7BF06F4A}\{5B21631C-511C-4BF5-88CE-36517D10189F} = b23aaf8c	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{05967FD0-47C4-4EB4-956E-06D9193E47BE}\#cert = 31	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\CLSID\{05967FD0-47C4-4EB4-956E-06D9193E47BE}	rundll32.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	rundll32.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exewmiprvse.exe

pid process

1312 e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe
2036 wmiprvse.exe
2036 wmiprvse.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1288 Explorer.EXE

pid	process
1312	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe
2036	wmiprvse.exe
2036	wmiprvse.exe

pid	process
1288	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exeExplorer.EXErundll32.exe

description	pid	process
Token: SeCreateGlobalPrivilege	1312	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe
Token: SeDebugPrivilege	1312	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe
Token: SeCreateGlobalPrivilege	1288	Explorer.EXE
Token: SeShutdownPrivilege	1288	Explorer.EXE
Token: SeDebugPrivilege	1288	Explorer.EXE
Token: SeCreateGlobalPrivilege	268	rundll32.exe
Token: SeShutdownPrivilege	268	rundll32.exe
Token: SeDebugPrivilege	268	rundll32.exe
Token: SeShutdownPrivilege	1288	Explorer.EXE
Token: SeShutdownPrivilege	1288	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1288 Explorer.EXE
1288 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1288 Explorer.EXE
1288 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe

pid process

1312 e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe

pid	process
1288	Explorer.EXE
1288	Explorer.EXE

pid	process
1288	Explorer.EXE
1288	Explorer.EXE

pid	process
1312	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exefile.execmd.exee3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe

description	pid	process	target process
PID 1188 wrote to memory of 1112	1188	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe	cmd.exe
PID 1188 wrote to memory of 1112	1188	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe	cmd.exe
PID 1188 wrote to memory of 1112	1188	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe	cmd.exe
PID 1188 wrote to memory of 1112	1188	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe	cmd.exe
PID 1188 wrote to memory of 1920	1188	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe	file.exe
PID 1188 wrote to memory of 1920	1188	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe	file.exe
PID 1188 wrote to memory of 1920	1188	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe	file.exe
PID 1188 wrote to memory of 1920	1188	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe	file.exe
PID 1920 wrote to memory of 268	1920	file.exe	rundll32.exe
PID 1920 wrote to memory of 268	1920	file.exe	rundll32.exe
PID 1920 wrote to memory of 268	1920	file.exe	rundll32.exe
PID 1920 wrote to memory of 268	1920	file.exe	rundll32.exe
PID 1920 wrote to memory of 268	1920	file.exe	rundll32.exe
PID 1920 wrote to memory of 268	1920	file.exe	rundll32.exe
PID 1920 wrote to memory of 268	1920	file.exe	rundll32.exe
PID 1920 wrote to memory of 1752	1920	file.exe	cmd.exe
PID 1920 wrote to memory of 1752	1920	file.exe	cmd.exe
PID 1920 wrote to memory of 1752	1920	file.exe	cmd.exe
PID 1920 wrote to memory of 1752	1920	file.exe	cmd.exe
PID 1112 wrote to memory of 1312	1112	cmd.exe	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe
PID 1112 wrote to memory of 1312	1112	cmd.exe	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe
PID 1112 wrote to memory of 1312	1112	cmd.exe	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe
PID 1112 wrote to memory of 1312	1112	cmd.exe	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe
PID 1312 wrote to memory of 1016	1312	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe	spoolsv.exe
PID 1312 wrote to memory of 1016	1312	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe	spoolsv.exe
PID 1312 wrote to memory of 1288	1312	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe	Explorer.EXE
PID 1312 wrote to memory of 1288	1312	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe	Explorer.EXE
PID 1312 wrote to memory of 1092	1312	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe	sppsvc.exe
PID 1312 wrote to memory of 1092	1312	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe	sppsvc.exe
PID 1312 wrote to memory of 1984	1312	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe	WMIADAP.EXE
PID 1312 wrote to memory of 1984	1312	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe	WMIADAP.EXE
PID 1312 wrote to memory of 2036	1312	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe	wmiprvse.exe
PID 1312 wrote to memory of 2036	1312	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe	wmiprvse.exe
PID 1312 wrote to memory of 268	1312	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe	rundll32.exe
PID 1312 wrote to memory of 268	1312	e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe	rundll32.exe

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1016

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1288

C:\Users\Admin\AppData\Local\Temp\e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe
"C:\Users\Admin\AppData\Local\Temp\e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_ms0474.bat" "C:\Users\Admin\AppData\Local\Temp\e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe""
3⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1112

C:\Users\Admin\AppData\Local\Temp\e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe
"C:\Users\Admin\AppData\Local\Temp\e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1312

C:\Users\Admin\AppData\Local\Temp\file.exe
C:\Users\Admin\AppData\Local\Temp\file.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\53CB.dll",ADB_Release
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Modifies registry class
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\53CB.bat" "
4⤵
PID:1752

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1984

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:1092

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\UgzoWrog\UgzoWrog.dat

Filesize
238KB

MD5
67eab80b318c4f072a4f7968f8cd88bf

SHA1
b7462c4528cc2d9d377afa5ca0aa233e67d22ee4

SHA256
8fefe4f401b63ccdd0160d41b421a4f09b3179d7bcfb84776d50ad1a9160b825

SHA512
8cd191ae3d28fedf97f3c266a70c5fb733c9564fd418849920246a6762ca0164e176d053a9004b5e999521c4c16ba756506d3f83f1fe4c32164ca4347738d722

Download Submit
C:\Users\Admin\AppData\Local\Temp\53CB.bat

Filesize
139B

MD5
7c6c4df5f6e99ed4abfec3157ca23ca9

SHA1
d05dbffe2c9724638d3f05bbdace181acd0d1d82

SHA256
d108fa1794cfaf3905e1d8e4cb9326bb11cf3ee92f6dc95af5bc26e625fda76d

SHA512
5a565b5976ed58a8bcad1799a3f796f09c71c677f533d9e943f150b738c1b5a8124d9432f1f5eeb43b30ea7712c8b080f04dcc929b0f058406286f8fc9a75b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\53CB.dll

Filesize
123KB

MD5
c8eb6040fd02d77660d19057a38ff769

SHA1
b491c14d8cfb48636f6095b7b16555e9a575d57f

SHA256
366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b

SHA512
36d8bc7f18bbb62cfaf012a1e0539301d7eb1104b2f3bd79025f72e2a8f688e8d2b20f229253f8d387e25cb67f60e4306b6dab2b7e054f439c1a750bec896e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ms0474.bat

Filesize
226B

MD5
abbebbf46f0242dbb04b8647f1b03a8f

SHA1
2f2596b8504e21d99c4cb54bbbcc481f748665ea

SHA256
0aaa80fe61419a944ed417120dddbe56a0013e25a150530bfa8b3655c102cfa2

SHA512
972de260a8e5c25000833578845789fdf5392fb8ea80fdebd5cc53549aa295f31ab184e3f1f625e0755cc6fb9f03c4c364b276c0eb5e25ad887bdf07dc0724e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cr_5_inst.exe.org

Filesize
408KB

MD5
05654199c10803af0962ca8c6c4dae9d

SHA1
56ad6edc953505ff26de1d09b8cddc53df83b31c

SHA256
12f55872d62d8c03541af8950b023c7ad176dcec3f2f32c6d6f8b7e2375bae77

SHA512
55d49841989f4fb41c7ba2cf2e9da3cc7cefeba63d93e2c3f50b7d6e15dde362492ca4cae2872ab8f977dbcde58c5def0ea83f5590114707868fffad6b23e52d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe

Filesize
408KB

MD5
05654199c10803af0962ca8c6c4dae9d

SHA1
56ad6edc953505ff26de1d09b8cddc53df83b31c

SHA256
12f55872d62d8c03541af8950b023c7ad176dcec3f2f32c6d6f8b7e2375bae77

SHA512
55d49841989f4fb41c7ba2cf2e9da3cc7cefeba63d93e2c3f50b7d6e15dde362492ca4cae2872ab8f977dbcde58c5def0ea83f5590114707868fffad6b23e52d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe

Filesize
408KB

MD5
05654199c10803af0962ca8c6c4dae9d

SHA1
56ad6edc953505ff26de1d09b8cddc53df83b31c

SHA256
12f55872d62d8c03541af8950b023c7ad176dcec3f2f32c6d6f8b7e2375bae77

SHA512
55d49841989f4fb41c7ba2cf2e9da3cc7cefeba63d93e2c3f50b7d6e15dde362492ca4cae2872ab8f977dbcde58c5def0ea83f5590114707868fffad6b23e52d

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe

Filesize
214KB

MD5
28f96a57fa5ff663926e9bad51a1d0cb

SHA1
a75995f94854dea8799650a2f4a97980b71199d2

SHA256
19972cc87c7653aff9620461ce459b996b1f9b030d7c8031df0c8265b73f670d

SHA512
104a8be2c460f73ac953711f677c8666b5831bebd64ec01b722c14270f4ceaef1f3564b00006f47bb25c42f67137d746b72be57e3d2bcb9bd98908784ef3339b

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe

Filesize
214KB

MD5
28f96a57fa5ff663926e9bad51a1d0cb

SHA1
a75995f94854dea8799650a2f4a97980b71199d2

SHA256
19972cc87c7653aff9620461ce459b996b1f9b030d7c8031df0c8265b73f670d

SHA512
104a8be2c460f73ac953711f677c8666b5831bebd64ec01b722c14270f4ceaef1f3564b00006f47bb25c42f67137d746b72be57e3d2bcb9bd98908784ef3339b

Download Submit
\ProgramData\UgzoWrog\UgzoWrog.dat

Filesize
238KB

MD5
67eab80b318c4f072a4f7968f8cd88bf

SHA1
b7462c4528cc2d9d377afa5ca0aa233e67d22ee4

SHA256
8fefe4f401b63ccdd0160d41b421a4f09b3179d7bcfb84776d50ad1a9160b825

SHA512
8cd191ae3d28fedf97f3c266a70c5fb733c9564fd418849920246a6762ca0164e176d053a9004b5e999521c4c16ba756506d3f83f1fe4c32164ca4347738d722

Download Submit
\Users\Admin\AppData\Local\Temp\53CB.dll

Filesize
123KB

MD5
c8eb6040fd02d77660d19057a38ff769

SHA1
b491c14d8cfb48636f6095b7b16555e9a575d57f

SHA256
366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b

SHA512
36d8bc7f18bbb62cfaf012a1e0539301d7eb1104b2f3bd79025f72e2a8f688e8d2b20f229253f8d387e25cb67f60e4306b6dab2b7e054f439c1a750bec896e56

Download Submit
\Users\Admin\AppData\Local\Temp\53CB.dll

Filesize
123KB

MD5
c8eb6040fd02d77660d19057a38ff769

SHA1
b491c14d8cfb48636f6095b7b16555e9a575d57f

SHA256
366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b

SHA512
36d8bc7f18bbb62cfaf012a1e0539301d7eb1104b2f3bd79025f72e2a8f688e8d2b20f229253f8d387e25cb67f60e4306b6dab2b7e054f439c1a750bec896e56

Download Submit
\Users\Admin\AppData\Local\Temp\53CB.dll

Filesize
123KB

MD5
c8eb6040fd02d77660d19057a38ff769

SHA1
b491c14d8cfb48636f6095b7b16555e9a575d57f

SHA256
366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b

SHA512
36d8bc7f18bbb62cfaf012a1e0539301d7eb1104b2f3bd79025f72e2a8f688e8d2b20f229253f8d387e25cb67f60e4306b6dab2b7e054f439c1a750bec896e56

Download Submit
\Users\Admin\AppData\Local\Temp\53CB.dll

Filesize
123KB

MD5
c8eb6040fd02d77660d19057a38ff769

SHA1
b491c14d8cfb48636f6095b7b16555e9a575d57f

SHA256
366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b

SHA512
36d8bc7f18bbb62cfaf012a1e0539301d7eb1104b2f3bd79025f72e2a8f688e8d2b20f229253f8d387e25cb67f60e4306b6dab2b7e054f439c1a750bec896e56

Download Submit
\Users\Admin\AppData\Local\Temp\e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe

Filesize
408KB

MD5
05654199c10803af0962ca8c6c4dae9d

SHA1
56ad6edc953505ff26de1d09b8cddc53df83b31c

SHA256
12f55872d62d8c03541af8950b023c7ad176dcec3f2f32c6d6f8b7e2375bae77

SHA512
55d49841989f4fb41c7ba2cf2e9da3cc7cefeba63d93e2c3f50b7d6e15dde362492ca4cae2872ab8f977dbcde58c5def0ea83f5590114707868fffad6b23e52d

Download Submit
\Users\Admin\AppData\Local\Temp\e3c2b761ce6a188e9669480d52368f3e865499a06813d939c23ad915d49cba62.exe

Filesize
408KB

MD5
05654199c10803af0962ca8c6c4dae9d

SHA1
56ad6edc953505ff26de1d09b8cddc53df83b31c

SHA256
12f55872d62d8c03541af8950b023c7ad176dcec3f2f32c6d6f8b7e2375bae77

SHA512
55d49841989f4fb41c7ba2cf2e9da3cc7cefeba63d93e2c3f50b7d6e15dde362492ca4cae2872ab8f977dbcde58c5def0ea83f5590114707868fffad6b23e52d

Download Submit
\Users\Admin\AppData\Local\Temp\file.exe

Filesize
214KB

MD5
28f96a57fa5ff663926e9bad51a1d0cb

SHA1
a75995f94854dea8799650a2f4a97980b71199d2

SHA256
19972cc87c7653aff9620461ce459b996b1f9b030d7c8031df0c8265b73f670d

SHA512
104a8be2c460f73ac953711f677c8666b5831bebd64ec01b722c14270f4ceaef1f3564b00006f47bb25c42f67137d746b72be57e3d2bcb9bd98908784ef3339b

Download Submit
\Users\Admin\AppData\Local\Temp\file.exe

Filesize
214KB

MD5
28f96a57fa5ff663926e9bad51a1d0cb

SHA1
a75995f94854dea8799650a2f4a97980b71199d2

SHA256
19972cc87c7653aff9620461ce459b996b1f9b030d7c8031df0c8265b73f670d

SHA512
104a8be2c460f73ac953711f677c8666b5831bebd64ec01b722c14270f4ceaef1f3564b00006f47bb25c42f67137d746b72be57e3d2bcb9bd98908784ef3339b

Download Submit
memory/268-110-0x0000000002280000-0x0000000002375000-memory.dmp

Filesize
980KB

Download
memory/268-108-0x0000000002280000-0x0000000002375000-memory.dmp

Filesize
980KB

Download
memory/268-105-0x0000000002280000-0x0000000002375000-memory.dmp

Filesize
980KB

Download
memory/268-62-0x0000000000000000-mapping.dmp

Download
memory/268-99-0x0000000002280000-0x0000000002375000-memory.dmp

Filesize
980KB

Download
memory/1016-85-0x0000000001D30000-0x0000000001D82000-memory.dmp

Filesize
328KB

Download
memory/1112-55-0x0000000000000000-mapping.dmp

Download
memory/1188-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1288-100-0x0000000002CA0000-0x0000000002D09000-memory.dmp

Filesize
420KB

Download
memory/1288-109-0x0000000002CA0000-0x0000000002D09000-memory.dmp

Filesize
420KB

Download
memory/1288-90-0x0000000002B60000-0x0000000002BB2000-memory.dmp

Filesize
328KB

Download
memory/1312-67-0x0000000000000000-mapping.dmp

Download
memory/1312-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1312-83-0x0000000074F50000-0x0000000074F81000-memory.dmp

Filesize
196KB

Download
memory/1312-104-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1312-106-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1312-107-0x0000000074F50000-0x0000000074F81000-memory.dmp

Filesize
196KB

Download
memory/1312-89-0x0000000074F50000-0x0000000074FB4000-memory.dmp

Filesize
400KB

Download
memory/1312-73-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1752-63-0x0000000000000000-mapping.dmp

Download
memory/1920-58-0x0000000000000000-mapping.dmp

Download