amadey | 8324652e63748551690a637f91239ec267f614b86702d107a663cbf7e7c98a74

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2022 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2c597e9fa52dd47f91af87220519dac.exe
Size

214KB
MD5

f2c597e9fa52dd47f91af87220519dac
SHA1

ac1f095102f466d2672a4c3f71ab4f5479d639d5
SHA256

8324652e63748551690a637f91239ec267f614b86702d107a663cbf7e7c98a74
SHA512

ef5de1fc562089a62b058b5ff45c147293cda01738ac220e50bf5b6fc978dc8109c2a960e461430cfff1e2c5c8245e360eff1a23d551f84cc02ec00735f54c93
SSDEEP

3072:h42T7xL3aMRec4/VZ5blGlybltsWj+0P8/g3xoBLZG3ERWR3Le:G2vxL3jeNvlmyN0g3CJoU0V6

Score

10^/10

amadey danabot djvu redline smokeloader mario23_10 backdoor banker collection discovery infostealer persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

mario23_10

167.235.252.160:10642

Attributes

auth_value
eca57cfb5172f71dc45986763bb98942

Extracted

Family

amadey

Version

3.61

62.204.41.79/U7vfDb3kg/index.php

Extracted

Family

djvu

http://abibiall.com/lancer/get.php

Attributes

extension
.bttu
offline_id
8p2Go5ZmkbFk0DF2oJ6E8vGEogpBqqaGCWjto1t1
payload_url
http://uaery.top/dl/build2.exe

http://abibiall.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-Q5EougBEbU Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0619JOsie

rsa_pubkey.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detect Amadey credential stealer module 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll	amadey_cred_module
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll	amadey_cred_module
behavioral2/memory/1004-306-0x00000000008A0000-0x00000000008C4000-memory.dmp	amadey_cred_module
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll	amadey_cred_module

Detected Djvu ransomware 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4612-178-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/812-174-0x0000000002140000-0x000000000225B000-memory.dmp	family_djvu
behavioral2/memory/4612-173-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4612-170-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4612-187-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4612-200-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4192-221-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4192-219-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4192-226-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4192-262-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5072-133-0x00000000001F0000-0x00000000001F9000-memory.dmp	family_smokeloader
behavioral2/memory/1804-179-0x0000000000570000-0x0000000000579000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4468-144-0x0000000000400000-0x0000000000460000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

133 2672 rundll32.exe
143 1004 rundll32.exe
Downloads MZ/PE file

flow	pid	process
133	2672	rundll32.exe
143	1004	rundll32.exe

Executes dropped EXE 20 IoCs

Processes:

C75C.exeC857.exeCC7E.exeCF3E.exeD2E9.exeD51C.exeC75C.exegntuud.exegntuud.exelinda5.exejoker.exeC75C.exeC75C.exebuild2.exebuild2.exebuild3.exemstsca.exegntuud.exe672C.exegntuud.exe

pid	process
812	C75C.exe
1840	C857.exe
1804	CC7E.exe
3152	CF3E.exe
1820	D2E9.exe
3520	D51C.exe
4612	C75C.exe
3460	gntuud.exe
1680	gntuud.exe
4136	linda5.exe
3068	joker.exe
4592	C75C.exe
4192	C75C.exe
3292	build2.exe
2684	build2.exe
1780	build3.exe
724	mstsca.exe
1820	gntuud.exe
4836	672C.exe
3068	gntuud.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

C75C.exelinda5.exeC75C.exebuild2.exeD2E9.exeD51C.exegntuud.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	C75C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	linda5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	C75C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	build2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D2E9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	D51C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	gntuud.exe

Loads dropped DLL 8 IoCs

Processes:

rundll32.exerundll32.exebuild2.exerundll32.exerundll32.exe

pid process

4076 rundll32.exe
4076 rundll32.exe
3852 rundll32.exe
2684 build2.exe
2684 build2.exe
2672 rundll32.exe
1004 rundll32.exe
1004 rundll32.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4772 icacls.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4076	rundll32.exe
4076	rundll32.exe
3852	rundll32.exe
2684	build2.exe
2684	build2.exe
2672	rundll32.exe
1004	rundll32.exe
1004	rundll32.exe

pid	process
4772	icacls.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

gntuud.exeC75C.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\linda5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000013051\\linda5.exe"	gntuud.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\df3ca667-9fb7-402b-aeb9-377dab3f93e5\\C75C.exe\" --AutoStart"	C75C.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\joker.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000014051\\joker.exe"	gntuud.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

27 api.2ip.ua
29 api.2ip.ua
45 api.2ip.ua

flow	ioc
27	api.2ip.ua
29	api.2ip.ua
45	api.2ip.ua

Suspicious use of SetThreadContext 5 IoCs

Processes:

C857.exeC75C.exeC75C.exebuild2.exerundll32.exe

description	pid	process	target process
PID 1840 set thread context of 4468	1840	C857.exe	AppLaunch.exe
PID 812 set thread context of 4612	812	C75C.exe	C75C.exe
PID 4592 set thread context of 4192	4592	C75C.exe	C75C.exe
PID 3292 set thread context of 2684	3292	build2.exe	build2.exe
PID 2672 set thread context of 3604	2672	rundll32.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

4896 1840 WerFault.exe C857.exe
4132 3152 WerFault.exe CF3E.exe
2160 3068 WerFault.exe joker.exe
3564 4836 WerFault.exe 672C.exe

pid	pid_target	process	target process
4896	1840	WerFault.exe	C857.exe
4132	3152	WerFault.exe	CF3E.exe
2160	3068	WerFault.exe	joker.exe
3564	4836	WerFault.exe	672C.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f2c597e9fa52dd47f91af87220519dac.exeCC7E.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f2c597e9fa52dd47f91af87220519dac.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f2c597e9fa52dd47f91af87220519dac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CC7E.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CC7E.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CC7E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f2c597e9fa52dd47f91af87220519dac.exe

Checks processor information in registry 2 TTPs 23 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exebuild2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1192 schtasks.exe
380 schtasks.exe
4476 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

892 timeout.exe

pid	process
1192	schtasks.exe
380	schtasks.exe
4476	schtasks.exe

pid	process
892	timeout.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000009355ac52100054656d7000003a0009000400efbe0c55ec989355af522e000000000000000000000000000000000000000000000000009d73d700540065006d007000000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

760

pid	process
760

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f2c597e9fa52dd47f91af87220519dac.exe

pid	process
5072	f2c597e9fa52dd47f91af87220519dac.exe
5072	f2c597e9fa52dd47f91af87220519dac.exe
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760
760

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

760
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

f2c597e9fa52dd47f91af87220519dac.exeCC7E.exe

pid process

5072 f2c597e9fa52dd47f91af87220519dac.exe
760
760
760
760
1804 CC7E.exe

pid	process
760

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

joker.exeAppLaunch.exe

description	pid	process
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeDebugPrivilege	3068	joker.exe
Token: SeDebugPrivilege	4468	AppLaunch.exe
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760
Token: SeShutdownPrivilege	760
Token: SeCreatePagefilePrivilege	760

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

3604 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

760
760

pid	process
3604	rundll32.exe

pid	process
760
760

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C857.exeC75C.exeD2E9.exeD51C.exegntuud.exeC75C.exelinda5.exe

description	pid	process	target process
PID 760 wrote to memory of 812	760		C75C.exe
PID 760 wrote to memory of 812	760		C75C.exe
PID 760 wrote to memory of 812	760		C75C.exe
PID 760 wrote to memory of 1840	760		C857.exe
PID 760 wrote to memory of 1840	760		C857.exe
PID 760 wrote to memory of 1840	760		C857.exe
PID 1840 wrote to memory of 4468	1840	C857.exe	AppLaunch.exe
PID 1840 wrote to memory of 4468	1840	C857.exe	AppLaunch.exe
PID 1840 wrote to memory of 4468	1840	C857.exe	AppLaunch.exe
PID 1840 wrote to memory of 4468	1840	C857.exe	AppLaunch.exe
PID 1840 wrote to memory of 4468	1840	C857.exe	AppLaunch.exe
PID 760 wrote to memory of 1804	760		CC7E.exe
PID 760 wrote to memory of 1804	760		CC7E.exe
PID 760 wrote to memory of 1804	760		CC7E.exe
PID 760 wrote to memory of 3152	760		CF3E.exe
PID 760 wrote to memory of 3152	760		CF3E.exe
PID 760 wrote to memory of 3152	760		CF3E.exe
PID 760 wrote to memory of 1820	760		D2E9.exe
PID 760 wrote to memory of 1820	760		D2E9.exe
PID 760 wrote to memory of 1820	760		D2E9.exe
PID 760 wrote to memory of 3520	760		D51C.exe
PID 760 wrote to memory of 3520	760		D51C.exe
PID 760 wrote to memory of 3520	760		D51C.exe
PID 812 wrote to memory of 4612	812	C75C.exe	C75C.exe
PID 812 wrote to memory of 4612	812	C75C.exe	C75C.exe
PID 812 wrote to memory of 4612	812	C75C.exe	C75C.exe
PID 760 wrote to memory of 4568	760		explorer.exe
PID 760 wrote to memory of 4568	760		explorer.exe
PID 760 wrote to memory of 4568	760		explorer.exe
PID 760 wrote to memory of 4568	760		explorer.exe
PID 1820 wrote to memory of 3460	1820	D2E9.exe	gntuud.exe
PID 1820 wrote to memory of 3460	1820	D2E9.exe	gntuud.exe
PID 1820 wrote to memory of 3460	1820	D2E9.exe	gntuud.exe
PID 812 wrote to memory of 4612	812	C75C.exe	C75C.exe
PID 812 wrote to memory of 4612	812	C75C.exe	C75C.exe
PID 812 wrote to memory of 4612	812	C75C.exe	C75C.exe
PID 812 wrote to memory of 4612	812	C75C.exe	C75C.exe
PID 812 wrote to memory of 4612	812	C75C.exe	C75C.exe
PID 812 wrote to memory of 4612	812	C75C.exe	C75C.exe
PID 812 wrote to memory of 4612	812	C75C.exe	C75C.exe
PID 3520 wrote to memory of 1680	3520	D51C.exe	gntuud.exe
PID 3520 wrote to memory of 1680	3520	D51C.exe	gntuud.exe
PID 3520 wrote to memory of 1680	3520	D51C.exe	gntuud.exe
PID 3460 wrote to memory of 1192	3460	gntuud.exe	schtasks.exe
PID 3460 wrote to memory of 1192	3460	gntuud.exe	schtasks.exe
PID 3460 wrote to memory of 1192	3460	gntuud.exe	schtasks.exe
PID 760 wrote to memory of 1072	760		explorer.exe
PID 760 wrote to memory of 1072	760		explorer.exe
PID 760 wrote to memory of 1072	760		explorer.exe
PID 3460 wrote to memory of 4136	3460	gntuud.exe	linda5.exe
PID 3460 wrote to memory of 4136	3460	gntuud.exe	linda5.exe
PID 3460 wrote to memory of 4136	3460	gntuud.exe	linda5.exe
PID 4612 wrote to memory of 4772	4612	C75C.exe	icacls.exe
PID 4612 wrote to memory of 4772	4612	C75C.exe	icacls.exe
PID 4612 wrote to memory of 4772	4612	C75C.exe	icacls.exe
PID 3460 wrote to memory of 3068	3460	gntuud.exe	joker.exe
PID 3460 wrote to memory of 3068	3460	gntuud.exe	joker.exe
PID 3460 wrote to memory of 3068	3460	gntuud.exe	joker.exe
PID 4612 wrote to memory of 4592	4612	C75C.exe	C75C.exe
PID 4612 wrote to memory of 4592	4612	C75C.exe	C75C.exe
PID 4612 wrote to memory of 4592	4612	C75C.exe	C75C.exe
PID 4136 wrote to memory of 4672	4136	linda5.exe	control.exe
PID 4136 wrote to memory of 4672	4136	linda5.exe	control.exe
PID 4136 wrote to memory of 4672	4136	linda5.exe	control.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\f2c597e9fa52dd47f91af87220519dac.exe
"C:\Users\Admin\AppData\Local\Temp\f2c597e9fa52dd47f91af87220519dac.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5072

C:\Users\Admin\AppData\Local\Temp\C75C.exe
C:\Users\Admin\AppData\Local\Temp\C75C.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:812
- C:\Users\Admin\AppData\Local\Temp\C75C.exe
  C:\Users\Admin\AppData\Local\Temp\C75C.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4612
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\df3ca667-9fb7-402b-aeb9-377dab3f93e5" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:4772
- - C:\Users\Admin\AppData\Local\Temp\C75C.exe
    "C:\Users\Admin\AppData\Local\Temp\C75C.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4592
  - - C:\Users\Admin\AppData\Local\Temp\C75C.exe
      "C:\Users\Admin\AppData\Local\Temp\C75C.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Checks computer location settings
      PID:4192
    - - C:\Users\Admin\AppData\Local\8606c456-470f-41d9-8654-a9150827aa60\build2.exe
        
        "C:\Users\Admin\AppData\Local\8606c456-470f-41d9-8654-a9150827aa60\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3292
      - C:\Users\Admin\AppData\Local\8606c456-470f-41d9-8654-a9150827aa60\build2.exe
        
        "C:\Users\Admin\AppData\Local\8606c456-470f-41d9-8654-a9150827aa60\build2.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Checks processor information in registry
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\8606c456-470f-41d9-8654-a9150827aa60\build2.exe" & exit
        7⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        8⤵
        Delays execution with timeout.exe
        
        PID:892
    - - C:\Users\Admin\AppData\Local\8606c456-470f-41d9-8654-a9150827aa60\build3.exe
        
        "C:\Users\Admin\AppData\Local\8606c456-470f-41d9-8654-a9150827aa60\build3.exe"
        5⤵
        Executes dropped EXE
        
        PID:1780
      - C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:380

C:\Users\Admin\AppData\Local\Temp\C857.exe
C:\Users\Admin\AppData\Local\Temp\C857.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4468
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 292
  2⤵
  - Program crash
  PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1840 -ip 1840
1⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\CC7E.exe
C:\Users\Admin\AppData\Local\Temp\CC7E.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1804

C:\Users\Admin\AppData\Local\Temp\CF3E.exe
C:\Users\Admin\AppData\Local\Temp\CF3E.exe
1⤵
- Executes dropped EXE
PID:3152
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 340
  2⤵
  - Program crash
  PID:4132

C:\Users\Admin\AppData\Local\Temp\D2E9.exe
C:\Users\Admin\AppData\Local\Temp\D2E9.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
  "C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3460
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:1192
- - C:\Users\Admin\AppData\Local\Temp\1000013051\linda5.exe
    "C:\Users\Admin\AppData\Local\Temp\1000013051\linda5.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4136
  - - C:\Windows\SysWOW64\control.exe
      "C:\Windows\System32\control.exe" .\~xTQ.Si
      4⤵
      PID:4672
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\~xTQ.Si
        5⤵
        Loads dropped DLL
        
        PID:4076
      - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\~xTQ.Si
        6⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\~xTQ.Si
        7⤵
        Loads dropped DLL
        
        PID:3852
- - C:\Users\Admin\AppData\Local\Temp\1000014051\joker.exe
    "C:\Users\Admin\AppData\Local\Temp\1000014051\joker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3068
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 1216
      4⤵
      Program crash
      PID:2160
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - outlook_win_path
    PID:1004

C:\Users\Admin\AppData\Local\Temp\D51C.exe
C:\Users\Admin\AppData\Local\Temp\D51C.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
  "C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe"
  2⤵
  - Executes dropped EXE
  PID:1680

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
PID:4568

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3152 -ip 3152
1⤵
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3068 -ip 3068
1⤵
PID:2864

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:724
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
  2⤵
  - Creates scheduled task(s)
  PID:4476

C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
1⤵
- Executes dropped EXE
PID:1820

C:\Users\Admin\AppData\Local\Temp\672C.exe
C:\Users\Admin\AppData\Local\Temp\672C.exe
1⤵
- Executes dropped EXE
PID:4836
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  PID:2672
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23958
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:3604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 536
  2⤵
  - Program crash
  PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4836 -ip 4836
1⤵
PID:2316

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
1⤵
- Executes dropped EXE
PID:3068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\nss3.dll

Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
0f419c66dbc4946c001394e2910c173d

SHA1
e988a2291023e4c29b6442bfdeaacd9a83f0c640

SHA256
763aeee4de549d18d1e3a30be29961f5ffe2ce794179d13a06f44dd57a0b6b48

SHA512
c9d6c5459b055cecec7d7ed00f7774144b06fb2a4511bfc110a83577ed4517595a325f51e0579238d28550cf76de0a276f9d8bc322898c763b987a649e643918

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
c6964c598d970f6c97ea4092e97d517d

SHA1
690351843ee9c5dae635519f869192bb786207c6

SHA256
8901c2d40e486f904090f6ee8e107197cdb876c5bfe5fd7ce2d212e3330eba4a

SHA512
7fbaf67a4c6f9603c11ccfb42e65a42841c5f68baaf6817b84e0b48ad036636772adf06bc00b9b31ca33342b4c43854f6e5e750247bc718dd6ad1d5342e38aae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
fec2db91c7c65d1465b063bffc55a501

SHA1
d62a41e21d498607a56b545b85213cd0738cb7aa

SHA256
273cd890bc31549b86b4567016a813bb102c2a180bef7fbc52178352f9f0257b

SHA512
f322c613ef16e134e937320dd6e93597aaabd30158985f333c9ec02f61ebf802f552ed119cf8b31062246aafd2cacfb40451db6c34a373fdb7212359ef84d70d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
a0c36f51610a76607ef3930d43dc617b

SHA1
6f3bda7a776bb06b25db80cafc94af964e93e4b1

SHA256
af37247c1d45e32b72d5e12c0caa0bab8bd5bbf447c2cb9bc83c198c0b7790ea

SHA512
27acf6a6b675927941d4395a5a4922e6af1117b03d6ba7a2215fcb36521ff796fe150f0231fd164b93ec6b870ee2ccc918383e6882dfd9c1bc1f6c7db3ffb3e8

Download Submit
C:\Users\Admin\AppData\Local\8606c456-470f-41d9-8654-a9150827aa60\build2.exe

Filesize
370KB

MD5
6a7892ece7e8bf85628e0e769560b7cb

SHA1
e13140e719218b14dd168467a63d481c7259df8c

SHA256
363dd986f98ab17b465354c93bd6f2b391b81593887dc88a0818d3d07264f844

SHA512
0091f76a7acf12ce121cc89702bbc7116cd91c4d69be1aaded7deabff92f7a913572d50b37b4ea0ac5cec28ceb4d2a505ed5dd7e98fa13ded39d1114a0ca7e7f

Download Submit
C:\Users\Admin\AppData\Local\8606c456-470f-41d9-8654-a9150827aa60\build2.exe

Filesize
370KB

MD5
6a7892ece7e8bf85628e0e769560b7cb

SHA1
e13140e719218b14dd168467a63d481c7259df8c

SHA256
363dd986f98ab17b465354c93bd6f2b391b81593887dc88a0818d3d07264f844

SHA512
0091f76a7acf12ce121cc89702bbc7116cd91c4d69be1aaded7deabff92f7a913572d50b37b4ea0ac5cec28ceb4d2a505ed5dd7e98fa13ded39d1114a0ca7e7f

Download Submit
C:\Users\Admin\AppData\Local\8606c456-470f-41d9-8654-a9150827aa60\build2.exe

Filesize
370KB

MD5
6a7892ece7e8bf85628e0e769560b7cb

SHA1
e13140e719218b14dd168467a63d481c7259df8c

SHA256
363dd986f98ab17b465354c93bd6f2b391b81593887dc88a0818d3d07264f844

SHA512
0091f76a7acf12ce121cc89702bbc7116cd91c4d69be1aaded7deabff92f7a913572d50b37b4ea0ac5cec28ceb4d2a505ed5dd7e98fa13ded39d1114a0ca7e7f

Download Submit
C:\Users\Admin\AppData\Local\8606c456-470f-41d9-8654-a9150827aa60\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\8606c456-470f-41d9-8654-a9150827aa60\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000013051\linda5.exe

Filesize
1.7MB

MD5
439d717a27db362c26512f8415ef0fc4

SHA1
a821a3003fb586bed33870b65f3b63e7eb8e07b2

SHA256
3cf536d32d940a26d4283037c805817a81ebd55346d9350b15b0ef80ab4538f4

SHA512
660ab9d7dff75a7e36e181d686ea7a19710ae4db16a341632690a32b36ae5e607db59dccca92abf40e03352c3f8524720079f76272a4db785f71c65c84d1bdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000013051\linda5.exe

Filesize
1.7MB

MD5
439d717a27db362c26512f8415ef0fc4

SHA1
a821a3003fb586bed33870b65f3b63e7eb8e07b2

SHA256
3cf536d32d940a26d4283037c805817a81ebd55346d9350b15b0ef80ab4538f4

SHA512
660ab9d7dff75a7e36e181d686ea7a19710ae4db16a341632690a32b36ae5e607db59dccca92abf40e03352c3f8524720079f76272a4db785f71c65c84d1bdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000014051\joker.exe

Filesize
406KB

MD5
6ab636c162f3683573f0a46ca34fad78

SHA1
99853578ad9b3d99f2201e103fa9cbea7beca58e

SHA256
9aefb8168bc9a3e250172fc3ae2b82c1d5f668441562f319ff9e343dafe156e6

SHA512
13f4c5a87df8eba75301afce34ef7d35720682749ea6e45e290311f0778b1d6f0d7a92815e5baf3b8c02cfe40a976a0d7a6ba15afa534dd6c0b12193c37d74b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000014051\joker.exe

Filesize
406KB

MD5
6ab636c162f3683573f0a46ca34fad78

SHA1
99853578ad9b3d99f2201e103fa9cbea7beca58e

SHA256
9aefb8168bc9a3e250172fc3ae2b82c1d5f668441562f319ff9e343dafe156e6

SHA512
13f4c5a87df8eba75301afce34ef7d35720682749ea6e45e290311f0778b1d6f0d7a92815e5baf3b8c02cfe40a976a0d7a6ba15afa534dd6c0b12193c37d74b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe

Filesize
233KB

MD5
30bfff5f826b2587eb0af8103ebb4375

SHA1
5b7bc30f5b133c237f35de24f85f799d51a6f0c4

SHA256
7260966d2c686f00653db013c8236f9846c8a153203fa331bda98de97acc1068

SHA512
53bd20b5050d9feda80497fcff38c07aa5d84c62be6dbf278830fc5fc2679f94af3a570da853747b59126de18620917498d36b5dff9138c19fc8b74b2a0a36ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe

Filesize
233KB

MD5
30bfff5f826b2587eb0af8103ebb4375

SHA1
5b7bc30f5b133c237f35de24f85f799d51a6f0c4

SHA256
7260966d2c686f00653db013c8236f9846c8a153203fa331bda98de97acc1068

SHA512
53bd20b5050d9feda80497fcff38c07aa5d84c62be6dbf278830fc5fc2679f94af3a570da853747b59126de18620917498d36b5dff9138c19fc8b74b2a0a36ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe

Filesize
233KB

MD5
30bfff5f826b2587eb0af8103ebb4375

SHA1
5b7bc30f5b133c237f35de24f85f799d51a6f0c4

SHA256
7260966d2c686f00653db013c8236f9846c8a153203fa331bda98de97acc1068

SHA512
53bd20b5050d9feda80497fcff38c07aa5d84c62be6dbf278830fc5fc2679f94af3a570da853747b59126de18620917498d36b5dff9138c19fc8b74b2a0a36ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe

Filesize
233KB

MD5
30bfff5f826b2587eb0af8103ebb4375

SHA1
5b7bc30f5b133c237f35de24f85f799d51a6f0c4

SHA256
7260966d2c686f00653db013c8236f9846c8a153203fa331bda98de97acc1068

SHA512
53bd20b5050d9feda80497fcff38c07aa5d84c62be6dbf278830fc5fc2679f94af3a570da853747b59126de18620917498d36b5dff9138c19fc8b74b2a0a36ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe

Filesize
233KB

MD5
30bfff5f826b2587eb0af8103ebb4375

SHA1
5b7bc30f5b133c237f35de24f85f799d51a6f0c4

SHA256
7260966d2c686f00653db013c8236f9846c8a153203fa331bda98de97acc1068

SHA512
53bd20b5050d9feda80497fcff38c07aa5d84c62be6dbf278830fc5fc2679f94af3a570da853747b59126de18620917498d36b5dff9138c19fc8b74b2a0a36ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe

Filesize
233KB

MD5
30bfff5f826b2587eb0af8103ebb4375

SHA1
5b7bc30f5b133c237f35de24f85f799d51a6f0c4

SHA256
7260966d2c686f00653db013c8236f9846c8a153203fa331bda98de97acc1068

SHA512
53bd20b5050d9feda80497fcff38c07aa5d84c62be6dbf278830fc5fc2679f94af3a570da853747b59126de18620917498d36b5dff9138c19fc8b74b2a0a36ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\672C.exe

Filesize
1.1MB

MD5
d4fe627b0bc66a57bfdb76c531c06ce6

SHA1
1a9ff0a579460a2e90266ebbfbad127514a74e7a

SHA256
9292bc6aec169cc1f3f223470669c6307f1d3e61687544c0a228846c1cf0df97

SHA512
bea169646b86ca0659efe0989856d58098efcc70d8b8953045635ddd7d4293aed656771d8d0a1e5e4e87a4f272b8e6b69f4eeacd7d7f7220d5b6e50535aa2617

Download Submit
C:\Users\Admin\AppData\Local\Temp\672C.exe

Filesize
1.1MB

MD5
d4fe627b0bc66a57bfdb76c531c06ce6

SHA1
1a9ff0a579460a2e90266ebbfbad127514a74e7a

SHA256
9292bc6aec169cc1f3f223470669c6307f1d3e61687544c0a228846c1cf0df97

SHA512
bea169646b86ca0659efe0989856d58098efcc70d8b8953045635ddd7d4293aed656771d8d0a1e5e4e87a4f272b8e6b69f4eeacd7d7f7220d5b6e50535aa2617

Download Submit
C:\Users\Admin\AppData\Local\Temp\C75C.exe

Filesize
733KB

MD5
84ddcfcb55c1aa1dfdce65c841fd3193

SHA1
c88b590c9b54f72148143a68c09906ad93aa5904

SHA256
4dc44761b41ba73b7f39b59deb8814f8ba4e8e40a81ea3118ba77a799fac2037

SHA512
a5bf595f8b511c0586c1858628907db17938c82eb404b704c2556124ecc6f5908c92ff426fd79c9ca03c328eb861ff3d94299ed2e26e3db2c13068d1a77c7dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\C75C.exe

Filesize
733KB

MD5
84ddcfcb55c1aa1dfdce65c841fd3193

SHA1
c88b590c9b54f72148143a68c09906ad93aa5904

SHA256
4dc44761b41ba73b7f39b59deb8814f8ba4e8e40a81ea3118ba77a799fac2037

SHA512
a5bf595f8b511c0586c1858628907db17938c82eb404b704c2556124ecc6f5908c92ff426fd79c9ca03c328eb861ff3d94299ed2e26e3db2c13068d1a77c7dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\C75C.exe

Filesize
733KB

MD5
84ddcfcb55c1aa1dfdce65c841fd3193

SHA1
c88b590c9b54f72148143a68c09906ad93aa5904

SHA256
4dc44761b41ba73b7f39b59deb8814f8ba4e8e40a81ea3118ba77a799fac2037

SHA512
a5bf595f8b511c0586c1858628907db17938c82eb404b704c2556124ecc6f5908c92ff426fd79c9ca03c328eb861ff3d94299ed2e26e3db2c13068d1a77c7dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\C75C.exe

Filesize
733KB

MD5
84ddcfcb55c1aa1dfdce65c841fd3193

SHA1
c88b590c9b54f72148143a68c09906ad93aa5904

SHA256
4dc44761b41ba73b7f39b59deb8814f8ba4e8e40a81ea3118ba77a799fac2037

SHA512
a5bf595f8b511c0586c1858628907db17938c82eb404b704c2556124ecc6f5908c92ff426fd79c9ca03c328eb861ff3d94299ed2e26e3db2c13068d1a77c7dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\C75C.exe

Filesize
733KB

MD5
84ddcfcb55c1aa1dfdce65c841fd3193

SHA1
c88b590c9b54f72148143a68c09906ad93aa5904

SHA256
4dc44761b41ba73b7f39b59deb8814f8ba4e8e40a81ea3118ba77a799fac2037

SHA512
a5bf595f8b511c0586c1858628907db17938c82eb404b704c2556124ecc6f5908c92ff426fd79c9ca03c328eb861ff3d94299ed2e26e3db2c13068d1a77c7dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\C857.exe

Filesize
387KB

MD5
4494ad792d3d806dcf0aaf8a52444014

SHA1
f4fee1fba7fafec5cd0fb8ae4f01aef33c327642

SHA256
d2556c2e2772327cc1ef509527c28b2aed8c27dd05e47c5c53aa3a221564abe1

SHA512
fa7f44031130932300fd374d3ca6cee0a45033752468e22c5f8155150e06dfddc6a378357d3db8e006663fc7f6e461940ecdb669fa912d83b6b6cc972715179b

Download Submit
C:\Users\Admin\AppData\Local\Temp\C857.exe

Filesize
387KB

MD5
4494ad792d3d806dcf0aaf8a52444014

SHA1
f4fee1fba7fafec5cd0fb8ae4f01aef33c327642

SHA256
d2556c2e2772327cc1ef509527c28b2aed8c27dd05e47c5c53aa3a221564abe1

SHA512
fa7f44031130932300fd374d3ca6cee0a45033752468e22c5f8155150e06dfddc6a378357d3db8e006663fc7f6e461940ecdb669fa912d83b6b6cc972715179b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC7E.exe

Filesize
305KB

MD5
7e2587f9abd6549a88072d135730580a

SHA1
3035343a78141807b53c016387cbc1518da1dabf

SHA256
1fb7dd7192b8a4eb7deaccf37ea4cc8ddef62784cce137fd4e5445800e2d6875

SHA512
7d7fbe4a9b9b4c290b1a756fb0e076a2b8752b074e0845c86970526136ccb23c8691575ea52f06a0199fb8ae261432f9ea075b34fa55b52107e2db25cd0b7d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC7E.exe

Filesize
305KB

MD5
7e2587f9abd6549a88072d135730580a

SHA1
3035343a78141807b53c016387cbc1518da1dabf

SHA256
1fb7dd7192b8a4eb7deaccf37ea4cc8ddef62784cce137fd4e5445800e2d6875

SHA512
7d7fbe4a9b9b4c290b1a756fb0e076a2b8752b074e0845c86970526136ccb23c8691575ea52f06a0199fb8ae261432f9ea075b34fa55b52107e2db25cd0b7d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\CF3E.exe

Filesize
214KB

MD5
3c134a8fcade6812f2ca56e4cdca71f6

SHA1
9a4d60da544803bdf0b1e4114fe8c2b775eb5ef7

SHA256
9d7423f987c3277f9f3babd60b6c0ad8e0edbf64c8ef4902d5578a686c51bb43

SHA512
11b73494eafdb8a66afe9c7d6f894001e6898985ef9d0db85c8ac431ced740d3ab11aa19d88a0a6ec807b19318db01a34d1fe816b621c003aec6b9b5ce8e6c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\CF3E.exe

Filesize
214KB

MD5
3c134a8fcade6812f2ca56e4cdca71f6

SHA1
9a4d60da544803bdf0b1e4114fe8c2b775eb5ef7

SHA256
9d7423f987c3277f9f3babd60b6c0ad8e0edbf64c8ef4902d5578a686c51bb43

SHA512
11b73494eafdb8a66afe9c7d6f894001e6898985ef9d0db85c8ac431ced740d3ab11aa19d88a0a6ec807b19318db01a34d1fe816b621c003aec6b9b5ce8e6c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\D2E9.exe

Filesize
233KB

MD5
30bfff5f826b2587eb0af8103ebb4375

SHA1
5b7bc30f5b133c237f35de24f85f799d51a6f0c4

SHA256
7260966d2c686f00653db013c8236f9846c8a153203fa331bda98de97acc1068

SHA512
53bd20b5050d9feda80497fcff38c07aa5d84c62be6dbf278830fc5fc2679f94af3a570da853747b59126de18620917498d36b5dff9138c19fc8b74b2a0a36ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\D2E9.exe

Filesize
233KB

MD5
30bfff5f826b2587eb0af8103ebb4375

SHA1
5b7bc30f5b133c237f35de24f85f799d51a6f0c4

SHA256
7260966d2c686f00653db013c8236f9846c8a153203fa331bda98de97acc1068

SHA512
53bd20b5050d9feda80497fcff38c07aa5d84c62be6dbf278830fc5fc2679f94af3a570da853747b59126de18620917498d36b5dff9138c19fc8b74b2a0a36ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\D51C.exe

Filesize
233KB

MD5
30bfff5f826b2587eb0af8103ebb4375

SHA1
5b7bc30f5b133c237f35de24f85f799d51a6f0c4

SHA256
7260966d2c686f00653db013c8236f9846c8a153203fa331bda98de97acc1068

SHA512
53bd20b5050d9feda80497fcff38c07aa5d84c62be6dbf278830fc5fc2679f94af3a570da853747b59126de18620917498d36b5dff9138c19fc8b74b2a0a36ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\D51C.exe

Filesize
233KB

MD5
30bfff5f826b2587eb0af8103ebb4375

SHA1
5b7bc30f5b133c237f35de24f85f799d51a6f0c4

SHA256
7260966d2c686f00653db013c8236f9846c8a153203fa331bda98de97acc1068

SHA512
53bd20b5050d9feda80497fcff38c07aa5d84c62be6dbf278830fc5fc2679f94af3a570da853747b59126de18620917498d36b5dff9138c19fc8b74b2a0a36ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
C:\Users\Admin\AppData\Local\Temp\~xTQ.Si

Filesize
1.3MB

MD5
af9989641d3b6aede6edf53b8f2f14b7

SHA1
859bb7ea8d2c6bd9d9662e4fc6984c32188b7b4c

SHA256
a1ca38f2ea99da2a990275e3f237b6d48f9989c4d8b7b455b109a7c151f923a4

SHA512
b93a2506ed00788a409e6580141e5bd0d0def99783483bbfbb3670efb2fb05c19e40a1f6bcc24123b9d194b0d40358c83d8d6739d875f35b95b4bac5f6ba34ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\~xTQ.Si

Filesize
1.3MB

MD5
af9989641d3b6aede6edf53b8f2f14b7

SHA1
859bb7ea8d2c6bd9d9662e4fc6984c32188b7b4c

SHA256
a1ca38f2ea99da2a990275e3f237b6d48f9989c4d8b7b455b109a7c151f923a4

SHA512
b93a2506ed00788a409e6580141e5bd0d0def99783483bbfbb3670efb2fb05c19e40a1f6bcc24123b9d194b0d40358c83d8d6739d875f35b95b4bac5f6ba34ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\~xTQ.Si

Filesize
1.3MB

MD5
af9989641d3b6aede6edf53b8f2f14b7

SHA1
859bb7ea8d2c6bd9d9662e4fc6984c32188b7b4c

SHA256
a1ca38f2ea99da2a990275e3f237b6d48f9989c4d8b7b455b109a7c151f923a4

SHA512
b93a2506ed00788a409e6580141e5bd0d0def99783483bbfbb3670efb2fb05c19e40a1f6bcc24123b9d194b0d40358c83d8d6739d875f35b95b4bac5f6ba34ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\~xTQ.Si

Filesize
1.3MB

MD5
af9989641d3b6aede6edf53b8f2f14b7

SHA1
859bb7ea8d2c6bd9d9662e4fc6984c32188b7b4c

SHA256
a1ca38f2ea99da2a990275e3f237b6d48f9989c4d8b7b455b109a7c151f923a4

SHA512
b93a2506ed00788a409e6580141e5bd0d0def99783483bbfbb3670efb2fb05c19e40a1f6bcc24123b9d194b0d40358c83d8d6739d875f35b95b4bac5f6ba34ee

Download Submit
C:\Users\Admin\AppData\Local\df3ca667-9fb7-402b-aeb9-377dab3f93e5\C75C.exe

Filesize
733KB

MD5
84ddcfcb55c1aa1dfdce65c841fd3193

SHA1
c88b590c9b54f72148143a68c09906ad93aa5904

SHA256
4dc44761b41ba73b7f39b59deb8814f8ba4e8e40a81ea3118ba77a799fac2037

SHA512
a5bf595f8b511c0586c1858628907db17938c82eb404b704c2556124ecc6f5908c92ff426fd79c9ca03c328eb861ff3d94299ed2e26e3db2c13068d1a77c7dda

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll

Filesize
126KB

MD5
af364df1b3d1011a1e53cc43a0f47931

SHA1
40a1afe04bb41b40c0369ac5d4707fc74583d2a3

SHA256
3357dbe44c1e509faa7b63e62b70600ef38fbc44aa9a7a4037b1edeb9c5528c2

SHA512
e25a6185d047a29797c34d43c4bed82fb3c062f057fa0d28f19bdf6b067e1166a232b981797c0d7e371bf3faa2e5b3ca00bdf8a0a8303221bdcc8b126c669f69

Download Submit
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll

Filesize
126KB

MD5
af364df1b3d1011a1e53cc43a0f47931

SHA1
40a1afe04bb41b40c0369ac5d4707fc74583d2a3

SHA256
3357dbe44c1e509faa7b63e62b70600ef38fbc44aa9a7a4037b1edeb9c5528c2

SHA512
e25a6185d047a29797c34d43c4bed82fb3c062f057fa0d28f19bdf6b067e1166a232b981797c0d7e371bf3faa2e5b3ca00bdf8a0a8303221bdcc8b126c669f69

Download Submit
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll

Filesize
126KB

MD5
af364df1b3d1011a1e53cc43a0f47931

SHA1
40a1afe04bb41b40c0369ac5d4707fc74583d2a3

SHA256
3357dbe44c1e509faa7b63e62b70600ef38fbc44aa9a7a4037b1edeb9c5528c2

SHA512
e25a6185d047a29797c34d43c4bed82fb3c062f057fa0d28f19bdf6b067e1166a232b981797c0d7e371bf3faa2e5b3ca00bdf8a0a8303221bdcc8b126c669f69

Download Submit
memory/380-251-0x0000000000000000-mapping.dmp

Download
memory/812-136-0x0000000000000000-mapping.dmp

Download
memory/812-174-0x0000000002140000-0x000000000225B000-memory.dmp

Filesize
1.1MB

Download
memory/812-171-0x00000000006CD000-0x000000000075E000-memory.dmp

Filesize
580KB

Download
memory/892-292-0x0000000000000000-mapping.dmp

Download
memory/1004-306-0x00000000008A0000-0x00000000008C4000-memory.dmp

Filesize
144KB

Download
memory/1004-302-0x0000000000000000-mapping.dmp

Download
memory/1072-185-0x0000000000C10000-0x0000000000C1C000-memory.dmp

Filesize
48KB

Download
memory/1072-184-0x0000000000000000-mapping.dmp

Download
memory/1192-183-0x0000000000000000-mapping.dmp

Download
memory/1680-177-0x0000000000000000-mapping.dmp

Download
memory/1780-248-0x0000000000000000-mapping.dmp

Download
memory/1804-149-0x0000000000000000-mapping.dmp

Download
memory/1804-179-0x0000000000570000-0x0000000000579000-memory.dmp

Filesize
36KB

Download
memory/1804-180-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1804-215-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1804-176-0x00000000005A9000-0x00000000005BE000-memory.dmp

Filesize
84KB

Download
memory/1820-159-0x0000000000000000-mapping.dmp

Download
memory/1840-142-0x000000000088E000-0x0000000000890000-memory.dmp

Filesize
8KB

Download
memory/1840-139-0x0000000000000000-mapping.dmp

Download
memory/2036-231-0x0000000000000000-mapping.dmp

Download
memory/2672-310-0x0000000004740000-0x0000000004880000-memory.dmp

Filesize
1.2MB

Download
memory/2672-309-0x0000000004740000-0x0000000004880000-memory.dmp

Filesize
1.2MB

Download
memory/2672-313-0x0000000004740000-0x0000000004880000-memory.dmp

Filesize
1.2MB

Download
memory/2672-314-0x0000000004740000-0x0000000004880000-memory.dmp

Filesize
1.2MB

Download
memory/2672-307-0x00000000059F0000-0x0000000006115000-memory.dmp

Filesize
7.1MB

Download
memory/2672-296-0x0000000000000000-mapping.dmp

Download
memory/2672-308-0x00000000059F0000-0x0000000006115000-memory.dmp

Filesize
7.1MB

Download
memory/2672-321-0x00000000059F0000-0x0000000006115000-memory.dmp

Filesize
7.1MB

Download
memory/2672-312-0x0000000004740000-0x0000000004880000-memory.dmp

Filesize
1.2MB

Download
memory/2672-318-0x00000000047B9000-0x00000000047BB000-memory.dmp

Filesize
8KB

Download
memory/2672-311-0x0000000004740000-0x0000000004880000-memory.dmp

Filesize
1.2MB

Download
memory/2684-264-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/2684-242-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2684-244-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2684-246-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2684-291-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2684-241-0x0000000000000000-mapping.dmp

Download
memory/2684-252-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2684-289-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3068-213-0x0000000001FA0000-0x0000000001FEB000-memory.dmp

Filesize
300KB

Download
memory/3068-263-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3068-193-0x0000000000000000-mapping.dmp

Download
memory/3068-207-0x0000000004C20000-0x00000000051C4000-memory.dmp

Filesize
5.6MB

Download
memory/3068-212-0x0000000000618000-0x0000000000647000-memory.dmp

Filesize
188KB

Download
memory/3068-261-0x00000000065E0000-0x0000000006630000-memory.dmp

Filesize
320KB

Download
memory/3068-260-0x0000000006540000-0x00000000065B6000-memory.dmp

Filesize
472KB

Download
memory/3068-254-0x0000000000618000-0x0000000000647000-memory.dmp

Filesize
188KB

Download
memory/3068-214-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3152-197-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3152-196-0x0000000000733000-0x0000000000744000-memory.dmp

Filesize
68KB

Download
memory/3152-156-0x0000000000000000-mapping.dmp

Download
memory/3292-245-0x0000000000662000-0x0000000000693000-memory.dmp

Filesize
196KB

Download
memory/3292-238-0x0000000000000000-mapping.dmp

Download
memory/3292-247-0x00000000005B0000-0x0000000000607000-memory.dmp

Filesize
348KB

Download
memory/3460-169-0x0000000000000000-mapping.dmp

Download
memory/3520-162-0x0000000000000000-mapping.dmp

Download
memory/3604-319-0x0000000000E90000-0x00000000010A9000-memory.dmp

Filesize
2.1MB

Download
memory/3604-317-0x00000249DFB70000-0x00000249DFCB0000-memory.dmp

Filesize
1.2MB

Download
memory/3604-320-0x00000249DE1A0000-0x00000249DE3CA000-memory.dmp

Filesize
2.2MB

Download
memory/3604-315-0x00007FF75C0A6890-mapping.dmp

Download
memory/3604-316-0x00000249DFB70000-0x00000249DFCB0000-memory.dmp

Filesize
1.2MB

Download
memory/3852-232-0x0000000000000000-mapping.dmp

Download
memory/3852-259-0x0000000003340000-0x0000000003466000-memory.dmp

Filesize
1.1MB

Download
memory/3852-237-0x0000000003340000-0x0000000003466000-memory.dmp

Filesize
1.1MB

Download
memory/3852-236-0x00000000030E0000-0x000000000320A000-memory.dmp

Filesize
1.2MB

Download
memory/3852-255-0x0000000003470000-0x0000000003551000-memory.dmp

Filesize
900KB

Download
memory/3852-256-0x0000000003560000-0x000000000362B000-memory.dmp

Filesize
812KB

Download
memory/4076-211-0x00000000029B0000-0x0000000002AD6000-memory.dmp

Filesize
1.1MB

Download
memory/4076-206-0x00000000023D0000-0x0000000002515000-memory.dmp

Filesize
1.3MB

Download
memory/4076-253-0x00000000029B0000-0x0000000002AD6000-memory.dmp

Filesize
1.1MB

Download
memory/4076-210-0x0000000002750000-0x000000000287A000-memory.dmp

Filesize
1.2MB

Download
memory/4076-227-0x0000000002AE0000-0x0000000002BC1000-memory.dmp

Filesize
900KB

Download
memory/4076-228-0x0000000002BD0000-0x0000000002C9B000-memory.dmp

Filesize
812KB

Download
memory/4076-202-0x0000000000000000-mapping.dmp

Download
memory/4136-188-0x0000000000000000-mapping.dmp

Download
memory/4192-262-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4192-216-0x0000000000000000-mapping.dmp

Download
memory/4192-221-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4192-219-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4192-226-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4208-290-0x0000000000000000-mapping.dmp

Download
memory/4468-235-0x0000000007D10000-0x000000000823C000-memory.dmp

Filesize
5.2MB

Download
memory/4468-152-0x0000000005A80000-0x0000000006098000-memory.dmp

Filesize
6.1MB

Download
memory/4468-143-0x0000000000000000-mapping.dmp

Download
memory/4468-209-0x0000000005A00000-0x0000000005A66000-memory.dmp

Filesize
408KB

Download
memory/4468-144-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4468-155-0x0000000005500000-0x000000000553C000-memory.dmp

Filesize
240KB

Download
memory/4468-208-0x0000000005960000-0x00000000059F2000-memory.dmp

Filesize
584KB

Download
memory/4468-234-0x0000000006960000-0x0000000006B22000-memory.dmp

Filesize
1.8MB

Download
memory/4468-153-0x0000000005570000-0x000000000567A000-memory.dmp

Filesize
1.0MB

Download
memory/4468-154-0x00000000054A0000-0x00000000054B2000-memory.dmp

Filesize
72KB

Download
memory/4476-287-0x0000000000000000-mapping.dmp

Download
memory/4568-182-0x0000000000F20000-0x0000000000F8B000-memory.dmp

Filesize
428KB

Download
memory/4568-186-0x0000000000F20000-0x0000000000F8B000-memory.dmp

Filesize
428KB

Download
memory/4568-167-0x0000000000000000-mapping.dmp

Download
memory/4592-199-0x0000000000000000-mapping.dmp

Download
memory/4592-220-0x0000000000674000-0x0000000000705000-memory.dmp

Filesize
580KB

Download
memory/4612-178-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4612-173-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4612-200-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4612-170-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4612-187-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4612-168-0x0000000000000000-mapping.dmp

Download
memory/4672-198-0x0000000000000000-mapping.dmp

Download
memory/4772-190-0x0000000000000000-mapping.dmp

Download
memory/4836-293-0x0000000000000000-mapping.dmp

Download
memory/4836-299-0x0000000001FDE000-0x00000000020B4000-memory.dmp

Filesize
856KB

Download
memory/4836-300-0x0000000002260000-0x0000000002375000-memory.dmp

Filesize
1.1MB

Download
memory/4836-301-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/5072-132-0x0000000000682000-0x0000000000692000-memory.dmp

Filesize
64KB

Download
memory/5072-135-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/5072-134-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/5072-133-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download