amadey | 304ac147df967df0e2303d48de1ded9812063a20107cefdd8319b20de42deb70

Analysis

max time kernel
150s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2022 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2f9ca7acd38048a5482f4b2049902ce1c4f5995.exe
Size

215KB
MD5

25e1c36abd30bb9789820a87925ed873
SHA1

e2f9ca7acd38048a5482f4b2049902ce1c4f5995
SHA256

304ac147df967df0e2303d48de1ded9812063a20107cefdd8319b20de42deb70
SHA512

bf7427c25e150933eae626c708df9d92586f4ab1b8ba757a8892587d12bf01716357fb204314a4b0ce0657ae8cc566286fccfe6bc2a4a6c69e83e7231da6ca8d
SSDEEP

6144:zbcLcA86KMnLLq3Vr5NgzHAF8oH40M2b:zQR8am3LWjAq

Score

10^/10

amadey danabot djvu redline smokeloader mario23_10 backdoor banker bootkit collection discovery infostealer persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

mario23_10

167.235.252.160:10642

Attributes

auth_value
eca57cfb5172f71dc45986763bb98942

Extracted

Family

djvu

http://abibiall.com/lancer/get.php

Attributes

extension
.bttu
offline_id
8p2Go5ZmkbFk0DF2oJ6E8vGEogpBqqaGCWjto1t1
payload_url
http://uaery.top/dl/build2.exe
http://abibiall.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-Q5EougBEbU Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0619JOsie

rsa_pubkey.plain

Extracted

Family

amadey

Version

3.50

31.41.244.237/jg94cVd30f/index.php

Extracted

Family

danabot

23.236.181.126:443

123.253.35.251:443

66.85.173.3:443

Attributes

embedded_hash
8F56CD73F6B5CD5D7B17B0BA61E70A82
type
loader

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detect Amadey credential stealer module 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\85f469ce401df1\cred64.dll	amadey_cred_module
C:\Users\Admin\AppData\Roaming\85f469ce401df1\cred64.dll	amadey_cred_module

Detected Djvu ransomware 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4612-182-0x00000000020F0000-0x000000000220B000-memory.dmp	family_djvu
behavioral2/memory/4048-184-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4048-188-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4048-186-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4048-197-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4048-205-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1432-222-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1432-223-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1432-232-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/1432-267-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4648-133-0x00000000001F0000-0x00000000001F9000-memory.dmp	family_smokeloader
behavioral2/memory/872-169-0x00000000001F0000-0x00000000001F9000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/944-159-0x0000000000700000-0x0000000000760000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

126 4732 rundll32.exe
132 4076 rundll32.exe
Downloads MZ/PE file

flow	pid	process
126	4732	rundll32.exe
132	4076	rundll32.exe

Executes dropped EXE 19 IoCs

Processes:

CA3A.exeCD48.exeCED0.exeD077.exeD21E.exeD859.exeDDE7.exeD077.exegntuud.exeD077.exeD077.exelinda5.exebuild2.exebuild2.exebuild3.exegntuud.exemstsca.exe6662.exegntuud.exe

pid	process
2700	CA3A.exe
872	CD48.exe
4760	CED0.exe
4612	D077.exe
1948	D21E.exe
3748	D859.exe
3460	DDE7.exe
4048	D077.exe
2368	gntuud.exe
3876	D077.exe
1432	D077.exe
4192	linda5.exe
1984	build2.exe
3976	build2.exe
2572	build3.exe
3412	gntuud.exe
1656	mstsca.exe
4788	6662.exe
1192	gntuud.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

D859.exeD077.exegntuud.exelinda5.exeD077.exebuild2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D859.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D077.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	gntuud.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	linda5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D077.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	build2.exe

Loads dropped DLL 9 IoCs

Processes:

rundll32.exerundll32.exebuild2.exerundll32.exerundll32.exe

pid	process
3832	rundll32.exe
3832	rundll32.exe
2544	rundll32.exe
2544	rundll32.exe
3976	build2.exe
3976	build2.exe
4732	rundll32.exe
4732	rundll32.exe
4076	rundll32.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1496 icacls.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1496	icacls.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

explorer.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

D077.exegntuud.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\5500a8f4-e84f-4f74-9d4e-040d9169c332\\D077.exe\" --AutoStart"	D077.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\linda5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\linda5.exe"	gntuud.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

57 api.2ip.ua
58 api.2ip.ua
79 api.2ip.ua
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

CA3A.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 CA3A.exe

flow	ioc
57	api.2ip.ua
58	api.2ip.ua
79	api.2ip.ua

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	CA3A.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

D21E.exeD077.exeD077.exebuild2.exerundll32.exe

description	pid	process	target process
PID 1948 set thread context of 944	1948	D21E.exe	AppLaunch.exe
PID 4612 set thread context of 4048	4612	D077.exe	D077.exe
PID 3876 set thread context of 1432	3876	D077.exe	D077.exe
PID 1984 set thread context of 3976	1984	build2.exe	build2.exe
PID 4732 set thread context of 4800	4732	rundll32.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4020	1948	WerFault.exe	D21E.exe
2520	4760	WerFault.exe	CED0.exe
4872	3748	WerFault.exe	D859.exe
4420	3460	WerFault.exe	DDE7.exe
3840	3412	WerFault.exe	gntuud.exe
4840	4788	WerFault.exe	6662.exe
3528	1192	WerFault.exe	gntuud.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e2f9ca7acd38048a5482f4b2049902ce1c4f5995.exeCD48.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e2f9ca7acd38048a5482f4b2049902ce1c4f5995.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e2f9ca7acd38048a5482f4b2049902ce1c4f5995.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CD48.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CD48.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CD48.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e2f9ca7acd38048a5482f4b2049902ce1c4f5995.exe

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exebuild2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2364 schtasks.exe
4960 schtasks.exe
2304 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3940 timeout.exe

pid	process
2364	schtasks.exe
4960	schtasks.exe
2304	schtasks.exe

pid	process
3940	timeout.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000092556d10100054656d7000003a0009000400efbe0c55ec98925573102e00000000000000000000000000000000000000000000000000ffc78a00540065006d007000000014000000
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2832

pid	process
2832

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e2f9ca7acd38048a5482f4b2049902ce1c4f5995.exe

pid	process
4648	e2f9ca7acd38048a5482f4b2049902ce1c4f5995.exe
4648	e2f9ca7acd38048a5482f4b2049902ce1c4f5995.exe
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832
2832

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2832
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

e2f9ca7acd38048a5482f4b2049902ce1c4f5995.exeCD48.exe

pid process

4648 e2f9ca7acd38048a5482f4b2049902ce1c4f5995.exe
2832
2832
2832
2832
872 CD48.exe

pid	process
2832

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AppLaunch.exe

description	pid	process
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeDebugPrivilege	944	AppLaunch.exe
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832
Token: SeCreatePagefilePrivilege	2832
Token: SeShutdownPrivilege	2832

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

4800 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2832
2832

pid	process
4800	rundll32.exe

pid	process
2832
2832

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

D21E.exeD077.exeD859.exeD077.exegntuud.execmd.exe

description	pid	process	target process
PID 2832 wrote to memory of 2700	2832		CA3A.exe
PID 2832 wrote to memory of 2700	2832		CA3A.exe
PID 2832 wrote to memory of 2700	2832		CA3A.exe
PID 2832 wrote to memory of 872	2832		CD48.exe
PID 2832 wrote to memory of 872	2832		CD48.exe
PID 2832 wrote to memory of 872	2832		CD48.exe
PID 2832 wrote to memory of 4760	2832		CED0.exe
PID 2832 wrote to memory of 4760	2832		CED0.exe
PID 2832 wrote to memory of 4760	2832		CED0.exe
PID 2832 wrote to memory of 4612	2832		D077.exe
PID 2832 wrote to memory of 4612	2832		D077.exe
PID 2832 wrote to memory of 4612	2832		D077.exe
PID 2832 wrote to memory of 1948	2832		D21E.exe
PID 2832 wrote to memory of 1948	2832		D21E.exe
PID 2832 wrote to memory of 1948	2832		D21E.exe
PID 2832 wrote to memory of 3748	2832		D859.exe
PID 2832 wrote to memory of 3748	2832		D859.exe
PID 2832 wrote to memory of 3748	2832		D859.exe
PID 1948 wrote to memory of 944	1948	D21E.exe	AppLaunch.exe
PID 1948 wrote to memory of 944	1948	D21E.exe	AppLaunch.exe
PID 1948 wrote to memory of 944	1948	D21E.exe	AppLaunch.exe
PID 1948 wrote to memory of 944	1948	D21E.exe	AppLaunch.exe
PID 1948 wrote to memory of 944	1948	D21E.exe	AppLaunch.exe
PID 2832 wrote to memory of 3460	2832		DDE7.exe
PID 2832 wrote to memory of 3460	2832		DDE7.exe
PID 2832 wrote to memory of 3460	2832		DDE7.exe
PID 2832 wrote to memory of 2792	2832		explorer.exe
PID 2832 wrote to memory of 2792	2832		explorer.exe
PID 2832 wrote to memory of 2792	2832		explorer.exe
PID 2832 wrote to memory of 2792	2832		explorer.exe
PID 2832 wrote to memory of 4308	2832		explorer.exe
PID 2832 wrote to memory of 4308	2832		explorer.exe
PID 2832 wrote to memory of 4308	2832		explorer.exe
PID 4612 wrote to memory of 4048	4612	D077.exe	D077.exe
PID 4612 wrote to memory of 4048	4612	D077.exe	D077.exe
PID 4612 wrote to memory of 4048	4612	D077.exe	D077.exe
PID 4612 wrote to memory of 4048	4612	D077.exe	D077.exe
PID 4612 wrote to memory of 4048	4612	D077.exe	D077.exe
PID 4612 wrote to memory of 4048	4612	D077.exe	D077.exe
PID 4612 wrote to memory of 4048	4612	D077.exe	D077.exe
PID 4612 wrote to memory of 4048	4612	D077.exe	D077.exe
PID 4612 wrote to memory of 4048	4612	D077.exe	D077.exe
PID 4612 wrote to memory of 4048	4612	D077.exe	D077.exe
PID 3748 wrote to memory of 2368	3748	D859.exe	gntuud.exe
PID 3748 wrote to memory of 2368	3748	D859.exe	gntuud.exe
PID 3748 wrote to memory of 2368	3748	D859.exe	gntuud.exe
PID 4048 wrote to memory of 1496	4048	D077.exe	icacls.exe
PID 4048 wrote to memory of 1496	4048	D077.exe	icacls.exe
PID 4048 wrote to memory of 1496	4048	D077.exe	icacls.exe
PID 4048 wrote to memory of 3876	4048	D077.exe	D077.exe
PID 4048 wrote to memory of 3876	4048	D077.exe	D077.exe
PID 4048 wrote to memory of 3876	4048	D077.exe	D077.exe
PID 2368 wrote to memory of 2364	2368	gntuud.exe	schtasks.exe
PID 2368 wrote to memory of 2364	2368	gntuud.exe	schtasks.exe
PID 2368 wrote to memory of 2364	2368	gntuud.exe	schtasks.exe
PID 2368 wrote to memory of 1880	2368	gntuud.exe	cmd.exe
PID 2368 wrote to memory of 1880	2368	gntuud.exe	cmd.exe
PID 2368 wrote to memory of 1880	2368	gntuud.exe	cmd.exe
PID 1880 wrote to memory of 396	1880	cmd.exe	cmd.exe
PID 1880 wrote to memory of 396	1880	cmd.exe	cmd.exe
PID 1880 wrote to memory of 396	1880	cmd.exe	cmd.exe
PID 1880 wrote to memory of 4648	1880	cmd.exe	cacls.exe
PID 1880 wrote to memory of 4648	1880	cmd.exe	cacls.exe
PID 1880 wrote to memory of 4648	1880	cmd.exe	cacls.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\e2f9ca7acd38048a5482f4b2049902ce1c4f5995.exe
"C:\Users\Admin\AppData\Local\Temp\e2f9ca7acd38048a5482f4b2049902ce1c4f5995.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4648

C:\Users\Admin\AppData\Local\Temp\CA3A.exe
C:\Users\Admin\AppData\Local\Temp\CA3A.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2700

C:\Users\Admin\AppData\Local\Temp\CD48.exe
C:\Users\Admin\AppData\Local\Temp\CD48.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:872

C:\Users\Admin\AppData\Local\Temp\CED0.exe
C:\Users\Admin\AppData\Local\Temp\CED0.exe
1⤵
- Executes dropped EXE
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 340
2⤵
- Program crash
PID:2520

C:\Users\Admin\AppData\Local\Temp\D077.exe
C:\Users\Admin\AppData\Local\Temp\D077.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4612

C:\Users\Admin\AppData\Local\Temp\D077.exe
C:\Users\Admin\AppData\Local\Temp\D077.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\5500a8f4-e84f-4f74-9d4e-040d9169c332" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:1496

C:\Users\Admin\AppData\Local\Temp\D077.exe
"C:\Users\Admin\AppData\Local\Temp\D077.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3876

C:\Users\Admin\AppData\Local\Temp\D077.exe
"C:\Users\Admin\AppData\Local\Temp\D077.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:1432

C:\Users\Admin\AppData\Local\72c4445b-9f06-4e5c-9ee7-1e00cf5c5482\build2.exe
"C:\Users\Admin\AppData\Local\72c4445b-9f06-4e5c-9ee7-1e00cf5c5482\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1984

C:\Users\Admin\AppData\Local\72c4445b-9f06-4e5c-9ee7-1e00cf5c5482\build2.exe
"C:\Users\Admin\AppData\Local\72c4445b-9f06-4e5c-9ee7-1e00cf5c5482\build2.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
PID:3976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\72c4445b-9f06-4e5c-9ee7-1e00cf5c5482\build2.exe" & exit
7⤵
PID:2776

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:3940

C:\Users\Admin\AppData\Local\72c4445b-9f06-4e5c-9ee7-1e00cf5c5482\build3.exe
"C:\Users\Admin\AppData\Local\72c4445b-9f06-4e5c-9ee7-1e00cf5c5482\build3.exe"
5⤵
- Executes dropped EXE
PID:2572

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
6⤵
- Creates scheduled task(s)
PID:4960

C:\Users\Admin\AppData\Local\Temp\D21E.exe
C:\Users\Admin\AppData\Local\Temp\D21E.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 312
2⤵
- Program crash
PID:4020

C:\Users\Admin\AppData\Local\Temp\D859.exe
C:\Users\Admin\AppData\Local\Temp\D859.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3748

C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
"C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe" /F
3⤵
- Creates scheduled task(s)
PID:2364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "Admin:N"&&CACLS "gntuud.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9c69749b54" /P "Admin:N"&&CACLS "..\9c69749b54" /P "Admin:R" /E&&Exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:396

C:\Windows\SysWOW64\cacls.exe
CACLS "gntuud.exe" /P "Admin:N"
4⤵
PID:4648

C:\Windows\SysWOW64\cacls.exe
CACLS "gntuud.exe" /P "Admin:R" /E
4⤵
PID:4300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:4204

C:\Windows\SysWOW64\cacls.exe
CACLS "..\9c69749b54" /P "Admin:N"
4⤵
PID:4836

C:\Windows\SysWOW64\cacls.exe
CACLS "..\9c69749b54" /P "Admin:R" /E
4⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\1000016001\linda5.exe
"C:\Users\Admin\AppData\Local\Temp\1000016001\linda5.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:4192

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\USWH~.2
4⤵
PID:4968

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\USWH~.2
5⤵
- Loads dropped DLL
PID:3832

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\USWH~.2
6⤵
PID:4700

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\USWH~.2
7⤵
- Loads dropped DLL
PID:2544

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\85f469ce401df1\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- outlook_win_path
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1140
2⤵
- Program crash
PID:4872

C:\Users\Admin\AppData\Local\Temp\DDE7.exe
C:\Users\Admin\AppData\Local\Temp\DDE7.exe
1⤵
- Executes dropped EXE
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 444
2⤵
- Program crash
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1948 -ip 1948
1⤵
PID:3092

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4760 -ip 4760
1⤵
PID:3056

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3748 -ip 3748
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3460 -ip 3460
1⤵
PID:4400

C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
1⤵
- Executes dropped EXE
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 424
2⤵
- Program crash
PID:3840

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:1656

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
2⤵
- Creates scheduled task(s)
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3412 -ip 3412
1⤵
PID:4436

C:\Users\Admin\AppData\Local\Temp\6662.exe
C:\Users\Admin\AppData\Local\Temp\6662.exe
1⤵
- Executes dropped EXE
PID:4788

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll,start
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
PID:4732

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 20188
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 680
2⤵
- Program crash
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4788 -ip 4788
1⤵
PID:4428

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1020

C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
1⤵
- Executes dropped EXE
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 416
2⤵
- Program crash
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1192 -ip 1192
1⤵
PID:4272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll
Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\nss3.dll
Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
602cebd424613d514b439fe78f14a48d

SHA1
d5d7580e513e9b4af91e1a8bcdd5401ab98636f6

SHA256
29fabef3eb6d67f8ff9b015375b8fa6b6bced5e8c1651f2199fcb183f33578aa

SHA512
fb2cda553e81eee089a166a0da126f9b4cff2ce5dba999ea87a4bfd1d396198f93e17391f408b2b5fa76e5a021717c4c349dede102e3e7eb1f51b44d407cb8b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
13ed5d9cdfe44b69986cdcda2709fae4

SHA1
6f1ac25238f31888d91eda34e7b2dd92a4f379db

SHA256
c19bb0d55abcc511665e003cb64e5900a9a93dea9e6a8261356ea9f7f02d8126

SHA512
8b34e9dea82332ad2098fe1fdc24f9be1c2722b07d6c8427c4b8348b5dd014780933b369bdf97408e473d84259925c4427a005e86df3a83bd9cae3a93d5f3982

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
afd43ede6cdb6f94022c4b7469542351

SHA1
9e95406cd6ce1df2ccc69d0140e6b89f49d05fcd

SHA256
7eb9791f346023bc3ca0a4d5a34763a37535aa1b598cac64b14d2f0b0c263902

SHA512
824c3202ae84a844e154589409837c7920ca4d41eaae5126c42c1165312ff87d8c4727fca4cf4f7027cac7a9620e8014ca66d1081ed0582470367825cbea1bb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
9807d5784d48b5a6f93eda7d76e19daf

SHA1
131ce0b41c90be6c2a1f7dfeb7e6f86d5a1cb0ab

SHA256
deb82190f485ef3ae40a6104b679bb3d70d99beba2b0c8bb115a227b60bcca9c

SHA512
f0319c11f921bacf9a25f4802587eb72917e93bc2d9254c401bd9447631b5afb18ca8ec2fabe939c1d70d011ff3819b69089fc4bc999b88443673fac8a299441

Download Submit
C:\Users\Admin\AppData\Local\5500a8f4-e84f-4f74-9d4e-040d9169c332\D077.exe
Filesize
733KB

MD5
84ddcfcb55c1aa1dfdce65c841fd3193

SHA1
c88b590c9b54f72148143a68c09906ad93aa5904

SHA256
4dc44761b41ba73b7f39b59deb8814f8ba4e8e40a81ea3118ba77a799fac2037

SHA512
a5bf595f8b511c0586c1858628907db17938c82eb404b704c2556124ecc6f5908c92ff426fd79c9ca03c328eb861ff3d94299ed2e26e3db2c13068d1a77c7dda

Download Submit
C:\Users\Admin\AppData\Local\72c4445b-9f06-4e5c-9ee7-1e00cf5c5482\build2.exe
Filesize
370KB

MD5
6a7892ece7e8bf85628e0e769560b7cb

SHA1
e13140e719218b14dd168467a63d481c7259df8c

SHA256
363dd986f98ab17b465354c93bd6f2b391b81593887dc88a0818d3d07264f844

SHA512
0091f76a7acf12ce121cc89702bbc7116cd91c4d69be1aaded7deabff92f7a913572d50b37b4ea0ac5cec28ceb4d2a505ed5dd7e98fa13ded39d1114a0ca7e7f

Download Submit
C:\Users\Admin\AppData\Local\72c4445b-9f06-4e5c-9ee7-1e00cf5c5482\build2.exe
Filesize
370KB

MD5
6a7892ece7e8bf85628e0e769560b7cb

SHA1
e13140e719218b14dd168467a63d481c7259df8c

SHA256
363dd986f98ab17b465354c93bd6f2b391b81593887dc88a0818d3d07264f844

SHA512
0091f76a7acf12ce121cc89702bbc7116cd91c4d69be1aaded7deabff92f7a913572d50b37b4ea0ac5cec28ceb4d2a505ed5dd7e98fa13ded39d1114a0ca7e7f

Download Submit
C:\Users\Admin\AppData\Local\72c4445b-9f06-4e5c-9ee7-1e00cf5c5482\build2.exe
Filesize
370KB

MD5
6a7892ece7e8bf85628e0e769560b7cb

SHA1
e13140e719218b14dd168467a63d481c7259df8c

SHA256
363dd986f98ab17b465354c93bd6f2b391b81593887dc88a0818d3d07264f844

SHA512
0091f76a7acf12ce121cc89702bbc7116cd91c4d69be1aaded7deabff92f7a913572d50b37b4ea0ac5cec28ceb4d2a505ed5dd7e98fa13ded39d1114a0ca7e7f

Download Submit
C:\Users\Admin\AppData\Local\72c4445b-9f06-4e5c-9ee7-1e00cf5c5482\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\72c4445b-9f06-4e5c-9ee7-1e00cf5c5482\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\linda5.exe
Filesize
1.8MB

MD5
0f513d4d87e268e0af657c8857fe4698

SHA1
126d3251eae449ea5a29e193f7d80ab795184162

SHA256
d8453d10f03730cd37a361137376a5982c57e2b220f3f9663b9082fb68e9731a

SHA512
97417667128b373bb511546a96b6e926c736613fb1aecf6bdc105665c50a01998f8e8de317a82e1a68da26a34adafab1f8f7eeb7886b6cdf27dcb440dda43fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\linda5.exe
Filesize
1.8MB

MD5
0f513d4d87e268e0af657c8857fe4698

SHA1
126d3251eae449ea5a29e193f7d80ab795184162

SHA256
d8453d10f03730cd37a361137376a5982c57e2b220f3f9663b9082fb68e9731a

SHA512
97417667128b373bb511546a96b6e926c736613fb1aecf6bdc105665c50a01998f8e8de317a82e1a68da26a34adafab1f8f7eeb7886b6cdf27dcb440dda43fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6662.exe
Filesize
2.4MB

MD5
48ad5d3d9fca6ac790392cb17626c439

SHA1
7c82d7fbeb2351cd88eaf3b4782d0612e564ec4a

SHA256
d0fc9d579acc772729a961dea697ce8133a5c71cca139990215f7b09cc54f049

SHA512
e829509d92643a8e2fbf29edebbf1feadfa2dd568b6530bd215852cc774071da1977a9d960b0c73603e4fbc633efccfd7d62f1277aebed0430d2a7c148c2d129

Download Submit
C:\Users\Admin\AppData\Local\Temp\6662.exe
Filesize
2.4MB

MD5
48ad5d3d9fca6ac790392cb17626c439

SHA1
7c82d7fbeb2351cd88eaf3b4782d0612e564ec4a

SHA256
d0fc9d579acc772729a961dea697ce8133a5c71cca139990215f7b09cc54f049

SHA512
e829509d92643a8e2fbf29edebbf1feadfa2dd568b6530bd215852cc774071da1977a9d960b0c73603e4fbc633efccfd7d62f1277aebed0430d2a7c148c2d129

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
Filesize
273KB

MD5
67d588981512c4db6508225a1d7b1644

SHA1
baaa04249099b2faede5550e4410a82651f64d46

SHA256
90ef4449f93dcfbec1e10bd8495f39a241cec7e98a4595c4e94dfc0b490dc334

SHA512
fa9e721f52355e5e74aeb363a21dd9f1baac7877488bd724940c607aba8dac621d311edc5db4032cec9a7261e8ef0b55fff6f3ae6511ba1c56f60b82826ccb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
Filesize
273KB

MD5
67d588981512c4db6508225a1d7b1644

SHA1
baaa04249099b2faede5550e4410a82651f64d46

SHA256
90ef4449f93dcfbec1e10bd8495f39a241cec7e98a4595c4e94dfc0b490dc334

SHA512
fa9e721f52355e5e74aeb363a21dd9f1baac7877488bd724940c607aba8dac621d311edc5db4032cec9a7261e8ef0b55fff6f3ae6511ba1c56f60b82826ccb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
Filesize
273KB

MD5
67d588981512c4db6508225a1d7b1644

SHA1
baaa04249099b2faede5550e4410a82651f64d46

SHA256
90ef4449f93dcfbec1e10bd8495f39a241cec7e98a4595c4e94dfc0b490dc334

SHA512
fa9e721f52355e5e74aeb363a21dd9f1baac7877488bd724940c607aba8dac621d311edc5db4032cec9a7261e8ef0b55fff6f3ae6511ba1c56f60b82826ccb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
Filesize
273KB

MD5
67d588981512c4db6508225a1d7b1644

SHA1
baaa04249099b2faede5550e4410a82651f64d46

SHA256
90ef4449f93dcfbec1e10bd8495f39a241cec7e98a4595c4e94dfc0b490dc334

SHA512
fa9e721f52355e5e74aeb363a21dd9f1baac7877488bd724940c607aba8dac621d311edc5db4032cec9a7261e8ef0b55fff6f3ae6511ba1c56f60b82826ccb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA3A.exe
Filesize
552KB

MD5
27503351226b133437242663d8f339a3

SHA1
97baa24723a0eae9c9926839332e057e76c77013

SHA256
d588d7eda98a8ecff42e69e50568996d8350f96b1d40eb1c969c3afc48d55bfe

SHA512
527191d9a83f61966e07b3a825c48a4b6d278d91fc48e4bbf7cf0b75ccdb65d47814e1d7f6b768b582dd3ad9f410865d59c584015b96e1acef5eedba8dfd0cb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA3A.exe
Filesize
552KB

MD5
27503351226b133437242663d8f339a3

SHA1
97baa24723a0eae9c9926839332e057e76c77013

SHA256
d588d7eda98a8ecff42e69e50568996d8350f96b1d40eb1c969c3afc48d55bfe

SHA512
527191d9a83f61966e07b3a825c48a4b6d278d91fc48e4bbf7cf0b75ccdb65d47814e1d7f6b768b582dd3ad9f410865d59c584015b96e1acef5eedba8dfd0cb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CD48.exe
Filesize
215KB

MD5
0c12af9b2c0b3ab5bcb398e219995b17

SHA1
c104074a5ef217e88a92899e9b5caf4f3b729da0

SHA256
5423e534bc4687b2018b38f1894eaeee35eb892a20fd64d66eceebf0cf64d96a

SHA512
8f301ec3486ceb2b341b51782af2b254caba574796864ee2d8091824309b6bf66d924791c8f74b7355199a259fb428669681b7d7259146d563177eb3a5ac0ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CD48.exe
Filesize
215KB

MD5
0c12af9b2c0b3ab5bcb398e219995b17

SHA1
c104074a5ef217e88a92899e9b5caf4f3b729da0

SHA256
5423e534bc4687b2018b38f1894eaeee35eb892a20fd64d66eceebf0cf64d96a

SHA512
8f301ec3486ceb2b341b51782af2b254caba574796864ee2d8091824309b6bf66d924791c8f74b7355199a259fb428669681b7d7259146d563177eb3a5ac0ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CED0.exe
Filesize
215KB

MD5
1b5839200d61b75247362f4e5d776034

SHA1
1d7a87f2670436c2314f0e3d6f6af2675d3c7d12

SHA256
83a6d3afbfefe962fa8a71ed9cdcb26dd4ffc54ddb640565f6261f4b12721e56

SHA512
afa921e0f7dc567d1d3d3c2bbcd12595d76236e3e7fed6b585b6be9e8ee36d1e870a7e1bcbac5f366136611e40adc78a83183433cceda16fb20ec5dfd7de14f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CED0.exe
Filesize
215KB

MD5
1b5839200d61b75247362f4e5d776034

SHA1
1d7a87f2670436c2314f0e3d6f6af2675d3c7d12

SHA256
83a6d3afbfefe962fa8a71ed9cdcb26dd4ffc54ddb640565f6261f4b12721e56

SHA512
afa921e0f7dc567d1d3d3c2bbcd12595d76236e3e7fed6b585b6be9e8ee36d1e870a7e1bcbac5f366136611e40adc78a83183433cceda16fb20ec5dfd7de14f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\D077.exe
Filesize
733KB

MD5
84ddcfcb55c1aa1dfdce65c841fd3193

SHA1
c88b590c9b54f72148143a68c09906ad93aa5904

SHA256
4dc44761b41ba73b7f39b59deb8814f8ba4e8e40a81ea3118ba77a799fac2037

SHA512
a5bf595f8b511c0586c1858628907db17938c82eb404b704c2556124ecc6f5908c92ff426fd79c9ca03c328eb861ff3d94299ed2e26e3db2c13068d1a77c7dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\D077.exe
Filesize
733KB

MD5
84ddcfcb55c1aa1dfdce65c841fd3193

SHA1
c88b590c9b54f72148143a68c09906ad93aa5904

SHA256
4dc44761b41ba73b7f39b59deb8814f8ba4e8e40a81ea3118ba77a799fac2037

SHA512
a5bf595f8b511c0586c1858628907db17938c82eb404b704c2556124ecc6f5908c92ff426fd79c9ca03c328eb861ff3d94299ed2e26e3db2c13068d1a77c7dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\D077.exe
Filesize
733KB

MD5
84ddcfcb55c1aa1dfdce65c841fd3193

SHA1
c88b590c9b54f72148143a68c09906ad93aa5904

SHA256
4dc44761b41ba73b7f39b59deb8814f8ba4e8e40a81ea3118ba77a799fac2037

SHA512
a5bf595f8b511c0586c1858628907db17938c82eb404b704c2556124ecc6f5908c92ff426fd79c9ca03c328eb861ff3d94299ed2e26e3db2c13068d1a77c7dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\D077.exe
Filesize
733KB

MD5
84ddcfcb55c1aa1dfdce65c841fd3193

SHA1
c88b590c9b54f72148143a68c09906ad93aa5904

SHA256
4dc44761b41ba73b7f39b59deb8814f8ba4e8e40a81ea3118ba77a799fac2037

SHA512
a5bf595f8b511c0586c1858628907db17938c82eb404b704c2556124ecc6f5908c92ff426fd79c9ca03c328eb861ff3d94299ed2e26e3db2c13068d1a77c7dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\D077.exe
Filesize
733KB

MD5
84ddcfcb55c1aa1dfdce65c841fd3193

SHA1
c88b590c9b54f72148143a68c09906ad93aa5904

SHA256
4dc44761b41ba73b7f39b59deb8814f8ba4e8e40a81ea3118ba77a799fac2037

SHA512
a5bf595f8b511c0586c1858628907db17938c82eb404b704c2556124ecc6f5908c92ff426fd79c9ca03c328eb861ff3d94299ed2e26e3db2c13068d1a77c7dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\D21E.exe
Filesize
387KB

MD5
4494ad792d3d806dcf0aaf8a52444014

SHA1
f4fee1fba7fafec5cd0fb8ae4f01aef33c327642

SHA256
d2556c2e2772327cc1ef509527c28b2aed8c27dd05e47c5c53aa3a221564abe1

SHA512
fa7f44031130932300fd374d3ca6cee0a45033752468e22c5f8155150e06dfddc6a378357d3db8e006663fc7f6e461940ecdb669fa912d83b6b6cc972715179b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D21E.exe
Filesize
387KB

MD5
4494ad792d3d806dcf0aaf8a52444014

SHA1
f4fee1fba7fafec5cd0fb8ae4f01aef33c327642

SHA256
d2556c2e2772327cc1ef509527c28b2aed8c27dd05e47c5c53aa3a221564abe1

SHA512
fa7f44031130932300fd374d3ca6cee0a45033752468e22c5f8155150e06dfddc6a378357d3db8e006663fc7f6e461940ecdb669fa912d83b6b6cc972715179b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D859.exe
Filesize
273KB

MD5
67d588981512c4db6508225a1d7b1644

SHA1
baaa04249099b2faede5550e4410a82651f64d46

SHA256
90ef4449f93dcfbec1e10bd8495f39a241cec7e98a4595c4e94dfc0b490dc334

SHA512
fa9e721f52355e5e74aeb363a21dd9f1baac7877488bd724940c607aba8dac621d311edc5db4032cec9a7261e8ef0b55fff6f3ae6511ba1c56f60b82826ccb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D859.exe
Filesize
273KB

MD5
67d588981512c4db6508225a1d7b1644

SHA1
baaa04249099b2faede5550e4410a82651f64d46

SHA256
90ef4449f93dcfbec1e10bd8495f39a241cec7e98a4595c4e94dfc0b490dc334

SHA512
fa9e721f52355e5e74aeb363a21dd9f1baac7877488bd724940c607aba8dac621d311edc5db4032cec9a7261e8ef0b55fff6f3ae6511ba1c56f60b82826ccb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDE7.exe
Filesize
272KB

MD5
d3e9911f5726e550a5c1fd145c410dd1

SHA1
a3f6f20eaf804f71619b21c83e7943ae695a799e

SHA256
305e06bdb1406a6d9056b8447d1c49829445ddc26f009cc908fe1552f01aadbb

SHA512
c699e32575b946ea556fef328c1a4b8cf17893372d01944f241991961cee3682fd2c20b2f281f53c01f7ba31865452e89297c82a7dd4920338aba5ab406f3f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDE7.exe
Filesize
272KB

MD5
d3e9911f5726e550a5c1fd145c410dd1

SHA1
a3f6f20eaf804f71619b21c83e7943ae695a799e

SHA256
305e06bdb1406a6d9056b8447d1c49829445ddc26f009cc908fe1552f01aadbb

SHA512
c699e32575b946ea556fef328c1a4b8cf17893372d01944f241991961cee3682fd2c20b2f281f53c01f7ba31865452e89297c82a7dd4920338aba5ab406f3f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll
Filesize
2.4MB

MD5
319124592655a480adfda15c4f6d154c

SHA1
56b1bddf03e7108781c03238b3b8692e371bdb8e

SHA256
291bcc6a11b3cb39bf6924a374bfdcd0453d566163d9ea7279f111029f41aaf0

SHA512
5bd8dac4817db6fd04010bbc60d2542e81077a2ae32ac7b0f3950600096fee3bde924840c27b9d6bc3ff59b779929e27dcf57b21b98812ee42e1c2ded7647d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll
Filesize
2.4MB

MD5
319124592655a480adfda15c4f6d154c

SHA1
56b1bddf03e7108781c03238b3b8692e371bdb8e

SHA256
291bcc6a11b3cb39bf6924a374bfdcd0453d566163d9ea7279f111029f41aaf0

SHA512
5bd8dac4817db6fd04010bbc60d2542e81077a2ae32ac7b0f3950600096fee3bde924840c27b9d6bc3ff59b779929e27dcf57b21b98812ee42e1c2ded7647d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll
Filesize
2.4MB

MD5
319124592655a480adfda15c4f6d154c

SHA1
56b1bddf03e7108781c03238b3b8692e371bdb8e

SHA256
291bcc6a11b3cb39bf6924a374bfdcd0453d566163d9ea7279f111029f41aaf0

SHA512
5bd8dac4817db6fd04010bbc60d2542e81077a2ae32ac7b0f3950600096fee3bde924840c27b9d6bc3ff59b779929e27dcf57b21b98812ee42e1c2ded7647d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\USWH~.2
Filesize
1.8MB

MD5
f2f6857d1dcabd7e2f872d37769da2cd

SHA1
3185de380b37caa4329f96cd2e3bccbf62bc24d6

SHA256
2ac7fc50a4c299e474b3e5cfd39ffbd0c178d939fd927d1f56841a596a1ad3e7

SHA512
966c56da13c9f680d4fe633ff918803bfff349c21eecba18f2d95d1f490a37ae2dd2e8f8a1451b09c4ef8ac6b242b2fe4d93457376453935e4bd396cd22ee2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\USwH~.2
Filesize
1.8MB

MD5
f2f6857d1dcabd7e2f872d37769da2cd

SHA1
3185de380b37caa4329f96cd2e3bccbf62bc24d6

SHA256
2ac7fc50a4c299e474b3e5cfd39ffbd0c178d939fd927d1f56841a596a1ad3e7

SHA512
966c56da13c9f680d4fe633ff918803bfff349c21eecba18f2d95d1f490a37ae2dd2e8f8a1451b09c4ef8ac6b242b2fe4d93457376453935e4bd396cd22ee2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\USwH~.2
Filesize
1.8MB

MD5
f2f6857d1dcabd7e2f872d37769da2cd

SHA1
3185de380b37caa4329f96cd2e3bccbf62bc24d6

SHA256
2ac7fc50a4c299e474b3e5cfd39ffbd0c178d939fd927d1f56841a596a1ad3e7

SHA512
966c56da13c9f680d4fe633ff918803bfff349c21eecba18f2d95d1f490a37ae2dd2e8f8a1451b09c4ef8ac6b242b2fe4d93457376453935e4bd396cd22ee2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\USwH~.2
Filesize
1.8MB

MD5
f2f6857d1dcabd7e2f872d37769da2cd

SHA1
3185de380b37caa4329f96cd2e3bccbf62bc24d6

SHA256
2ac7fc50a4c299e474b3e5cfd39ffbd0c178d939fd927d1f56841a596a1ad3e7

SHA512
966c56da13c9f680d4fe633ff918803bfff349c21eecba18f2d95d1f490a37ae2dd2e8f8a1451b09c4ef8ac6b242b2fe4d93457376453935e4bd396cd22ee2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\USwH~.2
Filesize
1.8MB

MD5
f2f6857d1dcabd7e2f872d37769da2cd

SHA1
3185de380b37caa4329f96cd2e3bccbf62bc24d6

SHA256
2ac7fc50a4c299e474b3e5cfd39ffbd0c178d939fd927d1f56841a596a1ad3e7

SHA512
966c56da13c9f680d4fe633ff918803bfff349c21eecba18f2d95d1f490a37ae2dd2e8f8a1451b09c4ef8ac6b242b2fe4d93457376453935e4bd396cd22ee2ad

Download Submit
C:\Users\Admin\AppData\Roaming\85f469ce401df1\cred64.dll
Filesize
126KB

MD5
c0fd0167e213b6148333351bd16ed1fb

SHA1
1cfb2b42686557656dead53e02d1db3f2a848026

SHA256
c7d804e8fb096769b0e199102bdf8efa97dfae1a9b57a479819971146877368b

SHA512
d514f35e62a5380b4ad96a3e0cddf82b53b1cf273e5ac542f040f30a75efd3c246fa2194e4bb273572cd2436a435a608e2b919f6df9fa4ebbf452b0d297b0cf9

Download Submit
C:\Users\Admin\AppData\Roaming\85f469ce401df1\cred64.dll
Filesize
126KB

MD5
c0fd0167e213b6148333351bd16ed1fb

SHA1
1cfb2b42686557656dead53e02d1db3f2a848026

SHA256
c7d804e8fb096769b0e199102bdf8efa97dfae1a9b57a479819971146877368b

SHA512
d514f35e62a5380b4ad96a3e0cddf82b53b1cf273e5ac542f040f30a75efd3c246fa2194e4bb273572cd2436a435a608e2b919f6df9fa4ebbf452b0d297b0cf9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
memory/396-208-0x0000000000000000-mapping.dmp

Download
memory/872-168-0x0000000000773000-0x0000000000784000-memory.dmp

Filesize
68KB

Download
memory/872-169-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/872-170-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/872-195-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/872-139-0x0000000000000000-mapping.dmp

Download
memory/944-173-0x0000000004E60000-0x0000000004F6A000-memory.dmp

Filesize
1.0MB

Download
memory/944-174-0x0000000004C10000-0x0000000004C22000-memory.dmp

Filesize
72KB

Download
memory/944-224-0x0000000006430000-0x00000000069D4000-memory.dmp

Filesize
5.6MB

Download
memory/944-172-0x0000000005370000-0x0000000005988000-memory.dmp

Filesize
6.1MB

Download
memory/944-244-0x0000000008600000-0x0000000008B2C000-memory.dmp

Filesize
5.2MB

Download
memory/944-176-0x0000000004D90000-0x0000000004DCC000-memory.dmp

Filesize
240KB

Download
memory/944-218-0x0000000005C30000-0x0000000005CC2000-memory.dmp

Filesize
584KB

Download
memory/944-216-0x0000000005090000-0x00000000050F6000-memory.dmp

Filesize
408KB

Download
memory/944-158-0x0000000000000000-mapping.dmp

Download
memory/944-243-0x0000000006250000-0x0000000006412000-memory.dmp

Filesize
1.8MB

Download
memory/944-159-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1432-217-0x0000000000000000-mapping.dmp

Download
memory/1432-232-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1432-267-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1432-223-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1432-222-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1496-201-0x0000000000000000-mapping.dmp

Download
memory/1880-207-0x0000000000000000-mapping.dmp

Download
memory/1900-215-0x0000000000000000-mapping.dmp

Download
memory/1948-148-0x0000000000000000-mapping.dmp

Download
memory/1984-254-0x00000000005D0000-0x0000000000627000-memory.dmp

Filesize
348KB

Download
memory/1984-245-0x0000000000000000-mapping.dmp

Download
memory/1984-252-0x0000000000822000-0x0000000000853000-memory.dmp

Filesize
196KB

Download
memory/2304-263-0x0000000000000000-mapping.dmp

Download
memory/2364-206-0x0000000000000000-mapping.dmp

Download
memory/2368-264-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2368-210-0x00000000007F3000-0x0000000000812000-memory.dmp

Filesize
124KB

Download
memory/2368-192-0x0000000000000000-mapping.dmp

Download
memory/2368-211-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2544-278-0x00000000033F0000-0x000000000353A000-memory.dmp

Filesize
1.3MB

Download
memory/2544-273-0x0000000000000000-mapping.dmp

Download
memory/2544-276-0x0000000002FD0000-0x0000000003198000-memory.dmp

Filesize
1.8MB

Download
memory/2544-321-0x0000000003690000-0x00000000037D6000-memory.dmp

Filesize
1.3MB

Download
memory/2544-318-0x00000000038D0000-0x00000000039A7000-memory.dmp

Filesize
860KB

Download
memory/2544-280-0x0000000003690000-0x00000000037D6000-memory.dmp

Filesize
1.3MB

Download
memory/2544-317-0x00000000037E0000-0x00000000038D0000-memory.dmp

Filesize
960KB

Download
memory/2572-256-0x0000000000000000-mapping.dmp

Download
memory/2700-151-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2700-153-0x00000000005F0000-0x000000000065B000-memory.dmp

Filesize
428KB

Download
memory/2700-152-0x0000000000723000-0x0000000000784000-memory.dmp

Filesize
388KB

Download
memory/2700-136-0x0000000000000000-mapping.dmp

Download
memory/2700-155-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2700-240-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2700-239-0x0000000000723000-0x0000000000784000-memory.dmp

Filesize
388KB

Download
memory/2776-302-0x0000000000000000-mapping.dmp

Download
memory/2792-167-0x0000000000000000-mapping.dmp

Download
memory/2792-191-0x0000000000120000-0x000000000018B000-memory.dmp

Filesize
428KB

Download
memory/2792-178-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2792-171-0x0000000000120000-0x000000000018B000-memory.dmp

Filesize
428KB

Download
memory/3412-265-0x00000000004B4000-0x00000000004D3000-memory.dmp

Filesize
124KB

Download
memory/3412-266-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3460-164-0x0000000000000000-mapping.dmp

Download
memory/3460-196-0x00000000006B3000-0x00000000006D2000-memory.dmp

Filesize
124KB

Download
memory/3460-198-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3748-200-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3748-154-0x0000000000000000-mapping.dmp

Download
memory/3748-187-0x0000000000563000-0x0000000000582000-memory.dmp

Filesize
124KB

Download
memory/3748-189-0x00000000004F0000-0x000000000052E000-memory.dmp

Filesize
248KB

Download
memory/3748-190-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3748-199-0x0000000000563000-0x0000000000582000-memory.dmp

Filesize
124KB

Download
memory/3832-269-0x0000000003060000-0x0000000003137000-memory.dmp

Filesize
860KB

Download
memory/3832-242-0x0000000002E20000-0x0000000002F66000-memory.dmp

Filesize
1.3MB

Download
memory/3832-241-0x0000000002B80000-0x0000000002CCA000-memory.dmp

Filesize
1.3MB

Download
memory/3832-234-0x0000000000000000-mapping.dmp

Download
memory/3832-277-0x0000000002E20000-0x0000000002F66000-memory.dmp

Filesize
1.3MB

Download
memory/3832-238-0x0000000002760000-0x0000000002928000-memory.dmp

Filesize
1.8MB

Download
memory/3832-268-0x0000000002F70000-0x0000000003060000-memory.dmp

Filesize
960KB

Download
memory/3876-203-0x0000000000000000-mapping.dmp

Download
memory/3876-219-0x0000000000750000-0x00000000007E1000-memory.dmp

Filesize
580KB

Download
memory/3940-304-0x0000000000000000-mapping.dmp

Download
memory/3976-301-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3976-303-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3976-255-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3976-253-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3976-251-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3976-249-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3976-248-0x0000000000000000-mapping.dmp

Download
memory/3976-279-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/4048-186-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4048-183-0x0000000000000000-mapping.dmp

Download
memory/4048-197-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4048-188-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4048-205-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4048-184-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4076-328-0x0000000000000000-mapping.dmp

Download
memory/4192-229-0x0000000000000000-mapping.dmp

Download
memory/4204-213-0x0000000000000000-mapping.dmp

Download
memory/4300-212-0x0000000000000000-mapping.dmp

Download
memory/4308-175-0x0000000000000000-mapping.dmp

Download
memory/4308-177-0x0000000000990000-0x000000000099C000-memory.dmp

Filesize
48KB

Download
memory/4612-145-0x0000000000000000-mapping.dmp

Download
memory/4612-181-0x00000000007BE000-0x000000000084F000-memory.dmp

Filesize
580KB

Download
memory/4612-182-0x00000000020F0000-0x000000000220B000-memory.dmp

Filesize
1.1MB

Download
memory/4648-209-0x0000000000000000-mapping.dmp

Download
memory/4648-135-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4648-132-0x00000000007B2000-0x00000000007C3000-memory.dmp

Filesize
68KB

Download
memory/4648-133-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/4648-134-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4700-272-0x0000000000000000-mapping.dmp

Download
memory/4732-308-0x0000000000000000-mapping.dmp

Download
memory/4732-332-0x0000000004390000-0x00000000044D0000-memory.dmp

Filesize
1.2MB

Download
memory/4732-334-0x0000000004390000-0x00000000044D0000-memory.dmp

Filesize
1.2MB

Download
memory/4732-333-0x0000000004390000-0x00000000044D0000-memory.dmp

Filesize
1.2MB

Download
memory/4732-312-0x0000000002BA0000-0x0000000002E11000-memory.dmp

Filesize
2.4MB

Download
memory/4732-316-0x0000000002BA0000-0x0000000002E11000-memory.dmp

Filesize
2.4MB

Download
memory/4732-331-0x0000000004390000-0x00000000044D0000-memory.dmp

Filesize
1.2MB

Download
memory/4732-327-0x0000000004390000-0x00000000044D0000-memory.dmp

Filesize
1.2MB

Download
memory/4732-326-0x0000000004390000-0x00000000044D0000-memory.dmp

Filesize
1.2MB

Download
memory/4732-322-0x0000000002BA0000-0x0000000002E11000-memory.dmp

Filesize
2.4MB

Download
memory/4732-323-0x0000000003BA0000-0x00000000042C5000-memory.dmp

Filesize
7.1MB

Download
memory/4732-324-0x0000000003BA0000-0x00000000042C5000-memory.dmp

Filesize
7.1MB

Download
memory/4732-325-0x0000000003BA0000-0x00000000042C5000-memory.dmp

Filesize
7.1MB

Download
memory/4760-180-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4760-179-0x0000000000763000-0x0000000000774000-memory.dmp

Filesize
68KB

Download
memory/4760-142-0x0000000000000000-mapping.dmp

Download
memory/4788-315-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/4788-305-0x0000000000000000-mapping.dmp

Download
memory/4788-314-0x00000000026A0000-0x0000000002A25000-memory.dmp

Filesize
3.5MB

Download
memory/4788-313-0x0000000000AA6000-0x0000000000CF1000-memory.dmp

Filesize
2.3MB

Download
memory/4800-335-0x00007FF659AB6890-mapping.dmp

Download
memory/4800-336-0x0000021608D10000-0x0000021608E50000-memory.dmp

Filesize
1.2MB

Download
memory/4800-337-0x0000021608D10000-0x0000021608E50000-memory.dmp

Filesize
1.2MB

Download
memory/4836-214-0x0000000000000000-mapping.dmp

Download
memory/4960-259-0x0000000000000000-mapping.dmp

Download
memory/4968-233-0x0000000000000000-mapping.dmp

Download