amadey | 86c6f92f4c539af101ee62858e2b0299342a97087f9e938775ccf0aa098fedfc

Analysis

max time kernel
150s
max time network
151s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
30-12-2022 06:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86c6f92f4c539af101ee62858e2b0299342a97087f9e938775ccf0aa098fedfc.exe
Size

234KB
MD5

8ccc3c5a43c4314fa532cb7c12c2df63
SHA1

56f0d922833e8dfa56f4b49c19fbba9a64fcb0f4
SHA256

86c6f92f4c539af101ee62858e2b0299342a97087f9e938775ccf0aa098fedfc
SHA512

887499cd8718ed25c1395d2c456f6837cdecbadcba338809f1533b126e982ae21d1ff713fd5ec66a1bed5d365c8a7b9f8831fcb1de1e4e9a1dfe5b7fa861804e
SSDEEP

3072:1U2XL9VRKwBhQvQbCObY7V6Ot5LX0LU8y5/LU8y5ri+eB6xuqqb53y1t/M:tL9We6I67MmLX0o5oBx3E5

Score

10^/10

amadey djvu lgoogloader smokeloader vidar 19 backdoor discovery downloader persistence ransomware spyware stealer trojan vmprotect

Malware Config

Extracted

Family

amadey

Version

3.63

62.204.41.67/g8sjnd3xe/index.php

Extracted

Family

djvu

http://ex3mall.com/lancer/get.php

Attributes

extension
.isza
offline_id
m3KmScxfDyEQzJYP8qjOSfP4FvpsOXlekGuMPzt1
payload_url
http://uaery.top/dl/build2.exe
http://ex3mall.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-oWam3yYrSr Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshmail.top Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0622JOsie

rsa_pubkey.plain

Extracted

Family

vidar

Version

1.7

Botnet

https://t.me/robloxblackl

https://steamcommunity.com/profiles/76561199458928097

Attributes

profile_id
19

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detected Djvu ransomware 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1584-354-0x00000000021A0000-0x00000000022BB000-memory.dmp	family_djvu
behavioral1/memory/2992-361-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/2992-489-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2992-632-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/372-729-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/372-825-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/372-982-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects LgoogLoader payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3900-699-0x0000000002450000-0x000000000245D000-memory.dmp	family_lgoogloader
behavioral1/memory/3136-770-0x0000000000E10000-0x0000000000E1D000-memory.dmp	family_lgoogloader

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2636-140-0x0000000002170000-0x0000000002179000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 18 IoCs

Processes:

C1DF.exeCC40.exeD142.exeD75E.exeDA8B.exeC1DF.exeE683.exeE9B0.exeF0A6.exeF923.exeC1DF.exeC1DF.exebuild2.exebuild3.exebuild2.exe8806.exeSppyteaet.exemstsca.exe

pid	process
1584	C1DF.exe
1520	CC40.exe
3536	D142.exe
3992	D75E.exe
4500	DA8B.exe
2992	C1DF.exe
4356	E683.exe
416	E9B0.exe
3292	F0A6.exe
2292	F923.exe
4756	C1DF.exe
372	C1DF.exe
2720	build2.exe
2492	build3.exe
748	build2.exe
1260	8806.exe
3428	Sppyteaet.exe
1196	mstsca.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\F0A6.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\F0A6.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\F923.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\F923.exe	vmprotect

Deletes itself 1 IoCs

Processes:

pid process

2724
Loads dropped DLL 4 IoCs

Processes:

regsvr32.exebuild2.exe

pid process

4712 regsvr32.exe
4712 regsvr32.exe
748 build2.exe
748 build2.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1056 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2724

pid	process
4712	regsvr32.exe
4712	regsvr32.exe
748	build2.exe
748	build2.exe

pid	process
1056	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

C1DF.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c9e8fc64-c29b-4c0f-a0cd-20f61b3c678a\\C1DF.exe\" --AutoStart"	C1DF.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 api.2ip.ua
13 api.2ip.ua
33 api.2ip.ua

flow	ioc
12	api.2ip.ua
13	api.2ip.ua
33	api.2ip.ua

Suspicious use of SetThreadContext 7 IoCs

Processes:

C1DF.exeE683.exeE9B0.exeC1DF.exebuild2.exe8806.exerundll32.exe

description	pid	process	target process
PID 1584 set thread context of 2992	1584	C1DF.exe	C1DF.exe
PID 4356 set thread context of 3900	4356	E683.exe	ngentask.exe
PID 416 set thread context of 3136	416	E9B0.exe	ngentask.exe
PID 4756 set thread context of 372	4756	C1DF.exe	C1DF.exe
PID 2720 set thread context of 748	2720	build2.exe	build2.exe
PID 1260 set thread context of 812	1260	8806.exe	rundll32.exe
PID 812 set thread context of 2864	812	rundll32.exe	rundll32.exe

Drops file in Windows directory 1 IoCs

Processes:

description ioc process

File created C:\Windows\rescache\_merged\3720402701\2219095117.pri
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

4724 4500 WerFault.exe DA8B.exe
4876 4356 WerFault.exe E683.exe
4452 416 WerFault.exe E9B0.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri

pid	pid_target	process	target process
4724	4500	WerFault.exe	DA8B.exe
4876	4356	WerFault.exe	E683.exe
4452	416	WerFault.exe	E9B0.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

D75E.exe86c6f92f4c539af101ee62858e2b0299342a97087f9e938775ccf0aa098fedfc.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D75E.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D75E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	86c6f92f4c539af101ee62858e2b0299342a97087f9e938775ccf0aa098fedfc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	86c6f92f4c539af101ee62858e2b0299342a97087f9e938775ccf0aa098fedfc.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	86c6f92f4c539af101ee62858e2b0299342a97087f9e938775ccf0aa098fedfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D75E.exe

Checks processor information in registry 2 TTPs 42 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8806.exerundll32.exebuild2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	8806.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	8806.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	8806.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	8806.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	8806.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	8806.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	8806.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	8806.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	8806.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	8806.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	8806.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	8806.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	8806.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	8806.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	8806.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	8806.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	8806.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	8806.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	8806.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	8806.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	8806.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4428 schtasks.exe
4520 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2388 timeout.exe

pid	process
4428	schtasks.exe
4520	schtasks.exe

pid	process
2388	timeout.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"

Modifies registry class 53 IoCs

Processes:

rundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f44471a0359723fa74489c55595fe6b30ee0000	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = ffffffff	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\NodeSlot = "2"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 4e003100000000009e557738100054656d7000003a0009000400efbe0c5553889e5577382e000000000000000000000000000000000000000000000000000eb46000540065006d007000000014000000	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

pid process

2724
2724

pid	process
2724
2724

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

86c6f92f4c539af101ee62858e2b0299342a97087f9e938775ccf0aa098fedfc.exe

pid	process
2636	86c6f92f4c539af101ee62858e2b0299342a97087f9e938775ccf0aa098fedfc.exe
2636	86c6f92f4c539af101ee62858e2b0299342a97087f9e938775ccf0aa098fedfc.exe
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724
2724

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2724
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

86c6f92f4c539af101ee62858e2b0299342a97087f9e938775ccf0aa098fedfc.exeD75E.exe

pid process

2636 86c6f92f4c539af101ee62858e2b0299342a97087f9e938775ccf0aa098fedfc.exe
3992 D75E.exe

pid	process
2724

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

Sppyteaet.exe

description	pid	process
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724
Token: SeDebugPrivilege	3428	Sppyteaet.exe
Token: SeShutdownPrivilege	2724
Token: SeCreatePagefilePrivilege	2724

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Sppyteaet.exerundll32.exerundll32.exe

pid process

3428 Sppyteaet.exe
812 rundll32.exe
2864 rundll32.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Sppyteaet.exe

pid process

3428 Sppyteaet.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

pid process

2724
2724
2724
2724

pid	process
3428	Sppyteaet.exe
812	rundll32.exe
2864	rundll32.exe

pid	process
3428	Sppyteaet.exe

pid	process
2724
2724
2724
2724

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exeC1DF.exeC1DF.exeE683.exeE9B0.exeC1DF.exe

description	pid	process	target process
PID 2724 wrote to memory of 1504	2724		regsvr32.exe
PID 2724 wrote to memory of 1504	2724		regsvr32.exe
PID 1504 wrote to memory of 4712	1504	regsvr32.exe	regsvr32.exe
PID 1504 wrote to memory of 4712	1504	regsvr32.exe	regsvr32.exe
PID 1504 wrote to memory of 4712	1504	regsvr32.exe	regsvr32.exe
PID 2724 wrote to memory of 1584	2724		C1DF.exe
PID 2724 wrote to memory of 1584	2724		C1DF.exe
PID 2724 wrote to memory of 1584	2724		C1DF.exe
PID 2724 wrote to memory of 1520	2724		CC40.exe
PID 2724 wrote to memory of 1520	2724		CC40.exe
PID 2724 wrote to memory of 1520	2724		CC40.exe
PID 2724 wrote to memory of 3536	2724		D142.exe
PID 2724 wrote to memory of 3536	2724		D142.exe
PID 2724 wrote to memory of 3536	2724		D142.exe
PID 2724 wrote to memory of 3992	2724		D75E.exe
PID 2724 wrote to memory of 3992	2724		D75E.exe
PID 2724 wrote to memory of 3992	2724		D75E.exe
PID 2724 wrote to memory of 4500	2724		DA8B.exe
PID 2724 wrote to memory of 4500	2724		DA8B.exe
PID 2724 wrote to memory of 4500	2724		DA8B.exe
PID 1584 wrote to memory of 2992	1584	C1DF.exe	C1DF.exe
PID 1584 wrote to memory of 2992	1584	C1DF.exe	C1DF.exe
PID 1584 wrote to memory of 2992	1584	C1DF.exe	C1DF.exe
PID 1584 wrote to memory of 2992	1584	C1DF.exe	C1DF.exe
PID 1584 wrote to memory of 2992	1584	C1DF.exe	C1DF.exe
PID 1584 wrote to memory of 2992	1584	C1DF.exe	C1DF.exe
PID 1584 wrote to memory of 2992	1584	C1DF.exe	C1DF.exe
PID 1584 wrote to memory of 2992	1584	C1DF.exe	C1DF.exe
PID 1584 wrote to memory of 2992	1584	C1DF.exe	C1DF.exe
PID 1584 wrote to memory of 2992	1584	C1DF.exe	C1DF.exe
PID 2724 wrote to memory of 4356	2724		E683.exe
PID 2724 wrote to memory of 4356	2724		E683.exe
PID 2724 wrote to memory of 4356	2724		E683.exe
PID 2724 wrote to memory of 416	2724		E9B0.exe
PID 2724 wrote to memory of 416	2724		E9B0.exe
PID 2724 wrote to memory of 416	2724		E9B0.exe
PID 2724 wrote to memory of 3292	2724		F0A6.exe
PID 2724 wrote to memory of 3292	2724		F0A6.exe
PID 2724 wrote to memory of 2292	2724		F923.exe
PID 2724 wrote to memory of 2292	2724		F923.exe
PID 2992 wrote to memory of 1056	2992	C1DF.exe	icacls.exe
PID 2992 wrote to memory of 1056	2992	C1DF.exe	icacls.exe
PID 2992 wrote to memory of 1056	2992	C1DF.exe	icacls.exe
PID 2992 wrote to memory of 4756	2992	C1DF.exe	C1DF.exe
PID 2992 wrote to memory of 4756	2992	C1DF.exe	C1DF.exe
PID 2992 wrote to memory of 4756	2992	C1DF.exe	C1DF.exe
PID 4356 wrote to memory of 3900	4356	E683.exe	ngentask.exe
PID 4356 wrote to memory of 3900	4356	E683.exe	ngentask.exe
PID 4356 wrote to memory of 3900	4356	E683.exe	ngentask.exe
PID 4356 wrote to memory of 3900	4356	E683.exe	ngentask.exe
PID 4356 wrote to memory of 3900	4356	E683.exe	ngentask.exe
PID 416 wrote to memory of 4984	416	E9B0.exe	ngentask.exe
PID 416 wrote to memory of 4984	416	E9B0.exe	ngentask.exe
PID 416 wrote to memory of 4984	416	E9B0.exe	ngentask.exe
PID 416 wrote to memory of 3136	416	E9B0.exe	ngentask.exe
PID 416 wrote to memory of 3136	416	E9B0.exe	ngentask.exe
PID 416 wrote to memory of 3136	416	E9B0.exe	ngentask.exe
PID 416 wrote to memory of 3136	416	E9B0.exe	ngentask.exe
PID 416 wrote to memory of 3136	416	E9B0.exe	ngentask.exe
PID 4756 wrote to memory of 372	4756	C1DF.exe	C1DF.exe
PID 4756 wrote to memory of 372	4756	C1DF.exe	C1DF.exe
PID 4756 wrote to memory of 372	4756	C1DF.exe	C1DF.exe
PID 4756 wrote to memory of 372	4756	C1DF.exe	C1DF.exe
PID 4756 wrote to memory of 372	4756	C1DF.exe	C1DF.exe

C:\Users\Admin\AppData\Local\Temp\86c6f92f4c539af101ee62858e2b0299342a97087f9e938775ccf0aa098fedfc.exe
"C:\Users\Admin\AppData\Local\Temp\86c6f92f4c539af101ee62858e2b0299342a97087f9e938775ccf0aa098fedfc.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2636

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\BFF9.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\BFF9.dll
2⤵
- Loads dropped DLL
PID:4712

C:\Users\Admin\AppData\Local\Temp\C1DF.exe
C:\Users\Admin\AppData\Local\Temp\C1DF.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1584

C:\Users\Admin\AppData\Local\Temp\C1DF.exe
C:\Users\Admin\AppData\Local\Temp\C1DF.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\c9e8fc64-c29b-4c0f-a0cd-20f61b3c678a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:1056

C:\Users\Admin\AppData\Local\Temp\C1DF.exe
"C:\Users\Admin\AppData\Local\Temp\C1DF.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4756

C:\Users\Admin\AppData\Local\Temp\C1DF.exe
"C:\Users\Admin\AppData\Local\Temp\C1DF.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
PID:372

C:\Users\Admin\AppData\Local\548e365c-7fcf-496e-b3b6-1b0ba0838a32\build2.exe
"C:\Users\Admin\AppData\Local\548e365c-7fcf-496e-b3b6-1b0ba0838a32\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2720

C:\Users\Admin\AppData\Local\548e365c-7fcf-496e-b3b6-1b0ba0838a32\build2.exe
"C:\Users\Admin\AppData\Local\548e365c-7fcf-496e-b3b6-1b0ba0838a32\build2.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\548e365c-7fcf-496e-b3b6-1b0ba0838a32\build2.exe" & exit
7⤵
PID:4692

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:2388

C:\Users\Admin\AppData\Local\548e365c-7fcf-496e-b3b6-1b0ba0838a32\build3.exe
"C:\Users\Admin\AppData\Local\548e365c-7fcf-496e-b3b6-1b0ba0838a32\build3.exe"
5⤵
- Executes dropped EXE
PID:2492

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
6⤵
- Creates scheduled task(s)
PID:4428

C:\Users\Admin\AppData\Local\Temp\CC40.exe
C:\Users\Admin\AppData\Local\Temp\CC40.exe
1⤵
- Executes dropped EXE
PID:1520

C:\Users\Admin\AppData\Local\Temp\D142.exe
C:\Users\Admin\AppData\Local\Temp\D142.exe
1⤵
- Executes dropped EXE
PID:3536

C:\Users\Admin\AppData\Local\Temp\D75E.exe
C:\Users\Admin\AppData\Local\Temp\D75E.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3992

C:\Users\Admin\AppData\Local\Temp\DA8B.exe
C:\Users\Admin\AppData\Local\Temp\DA8B.exe
1⤵
- Executes dropped EXE
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 476
2⤵
- Program crash
PID:4724

C:\Users\Admin\AppData\Local\Temp\E683.exe
C:\Users\Admin\AppData\Local\Temp\E683.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
2⤵
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 1156
2⤵
- Program crash
PID:4876

C:\Users\Admin\AppData\Local\Temp\E9B0.exe
C:\Users\Admin\AppData\Local\Temp\E9B0.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
2⤵
PID:4984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
2⤵
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 1168
2⤵
- Program crash
PID:4452

C:\Users\Admin\AppData\Local\Temp\F0A6.exe
C:\Users\Admin\AppData\Local\Temp\F0A6.exe
1⤵
- Executes dropped EXE
PID:3292

C:\Users\Admin\AppData\Local\Temp\F923.exe
C:\Users\Admin\AppData\Local\Temp\F923.exe
1⤵
- Executes dropped EXE
PID:2292

C:\Users\Admin\AppData\Local\Temp\8806.exe
C:\Users\Admin\AppData\Local\Temp\8806.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
PID:1260

C:\Users\Admin\AppData\Local\Temp\Sppyteaet.exe
"C:\Users\Admin\AppData\Local\Temp\Sppyteaet.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3428

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:812

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 25503
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2864

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:1196

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
2⤵
- Creates scheduled task(s)
PID:4520

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
9d77c9193735a61912ff3bccb47168a7

SHA1
aee81c528117867ca69f22f93aa2ca710f908b6e

SHA256
79b78c9e1d9c4fb6c08413757fee9d3d2fdb15415f6b8b9cd9c3bd67a235ba95

SHA512
c70ae8ed0d68f38b217f4b6ac809050f27f71e6de140712c56ecf7c55896ae518993c55193bc282097580a3f7c869424789aa3c3cc8ecc81c394f8e15c1f77bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
a2b3de2676790ac64a1bc51ba3e667d1

SHA1
2a7f7090fed2ddd299339197428a9fafc3fd349b

SHA256
aa8cdcc9c8c19d24037aa62dfb529b22d25a7eb3927d35f59572c153c81c5a4a

SHA512
ab9e80a077a2fe486630e4d7fb159994224fce41c6fbc6197cc600e4fac86d504e8b3d1670ca628fb45792498be42a80e1c6b0af4b3e7451bc039222ea123ef5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
728626bffee18bbfbfbe9c46b81e607b

SHA1
5b6ac4f534c1c5d2d81c8e2cc8dbd604ffeb6fe5

SHA256
9cfd907c30f9bc278af69d5d909bb2e27b071a954b7431fc437c9f04f83af4e3

SHA512
07d66779405da5d035b415c0fc1d62d66430d0e6010a1949120355d54738def0d22720f05f98a0603103f594e55c1e0c0fa832c2dffbb854cb421bdc06775d7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
0b42910165178181afc75b2a5879778d

SHA1
c68fbaeeea4fe7c3e021dbaa20a9edcbff433f07

SHA256
fd89f101f68d390cf9c03e3b49480e5da55e53a7a7cbcaec585b34595338f0f9

SHA512
2507588eb4622d74c21e66e7b89f3d718b83a997e460059d00fe9621850df6fbec573b2febf36b87c1f8014eb01c4dd477a22663f288f74e1adef0aecf1c50bd

Download Submit
C:\Users\Admin\AppData\Local\548e365c-7fcf-496e-b3b6-1b0ba0838a32\build2.exe
Filesize
407KB

MD5
3b6782cde711c6e73e09611c5041060e

SHA1
412d9f6e64ebee4287eccff782f04943e5381d4f

SHA256
740912c948f5c370a23fa34da6fca7ffa1abc420edefcbe3c7a74170c9f47e8c

SHA512
d7883a046d9b153094f9f3e5970b78a9084de8472d219a325006a7652cdf5427641a0c10beef4aceaa4ad9d92ea1a2ccf8104588e51760200e7e85be37524c4e

Download Submit
C:\Users\Admin\AppData\Local\548e365c-7fcf-496e-b3b6-1b0ba0838a32\build2.exe
Filesize
407KB

MD5
3b6782cde711c6e73e09611c5041060e

SHA1
412d9f6e64ebee4287eccff782f04943e5381d4f

SHA256
740912c948f5c370a23fa34da6fca7ffa1abc420edefcbe3c7a74170c9f47e8c

SHA512
d7883a046d9b153094f9f3e5970b78a9084de8472d219a325006a7652cdf5427641a0c10beef4aceaa4ad9d92ea1a2ccf8104588e51760200e7e85be37524c4e

Download Submit
C:\Users\Admin\AppData\Local\548e365c-7fcf-496e-b3b6-1b0ba0838a32\build2.exe
Filesize
407KB

MD5
3b6782cde711c6e73e09611c5041060e

SHA1
412d9f6e64ebee4287eccff782f04943e5381d4f

SHA256
740912c948f5c370a23fa34da6fca7ffa1abc420edefcbe3c7a74170c9f47e8c

SHA512
d7883a046d9b153094f9f3e5970b78a9084de8472d219a325006a7652cdf5427641a0c10beef4aceaa4ad9d92ea1a2ccf8104588e51760200e7e85be37524c4e

Download Submit
C:\Users\Admin\AppData\Local\548e365c-7fcf-496e-b3b6-1b0ba0838a32\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\548e365c-7fcf-496e-b3b6-1b0ba0838a32\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8806.exe
Filesize
5.5MB

MD5
2d05d40bf8b8f7a5fef6ee03635ee661

SHA1
a2bb2e61aad5f942ab02e1c8a1799514dab87f67

SHA256
cb5580ed90a07c4c082f91679745742de742b1846d25b52e2b7d5791df4eddb7

SHA512
e3955e705f7d39eb49019cf4815cbb5f4030c33404b546e5f381f17fe34479d34d46c2634226bb1420fb9fe0359f93ddd33837a1cc2fb6c9e91b88eef8f6689d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8806.exe
Filesize
5.5MB

MD5
2d05d40bf8b8f7a5fef6ee03635ee661

SHA1
a2bb2e61aad5f942ab02e1c8a1799514dab87f67

SHA256
cb5580ed90a07c4c082f91679745742de742b1846d25b52e2b7d5791df4eddb7

SHA512
e3955e705f7d39eb49019cf4815cbb5f4030c33404b546e5f381f17fe34479d34d46c2634226bb1420fb9fe0359f93ddd33837a1cc2fb6c9e91b88eef8f6689d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BFF9.dll
Filesize
584KB

MD5
71bb495869bfff145090bdb878800130

SHA1
5d1e298129bc9c8bf6d1b5d3d9f321a8858e9ab5

SHA256
9475ff9c5e05af184d06a10b33225f74e89cb941495a82bf4038df98169a432f

SHA512
ef22db3f32bf5cd34bc69245c41e9eea8bff7b61c8062631a0817744155e802c7caf4f2711ff653572a15903fc07b1af283cd2289d75f268c22eec14ae173c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\C1DF.exe
Filesize
826KB

MD5
1f0c02e18c9022bbf820745cb3991518

SHA1
6b6ce6fcc05cb140971f5e84e33d7ed1734e91e7

SHA256
51eeb6af44e5101356644ac8ab7372649738cdc2e0dcdd0678b27061fddfb5f9

SHA512
15e72393bf51b266b69df4556f861982c9fa9870c134ce72d7fc228d0a5e967ca29e5f1da0a2cad83959818f547d85c76bcfe27d808d3393428471a8952dac4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\C1DF.exe
Filesize
826KB

MD5
1f0c02e18c9022bbf820745cb3991518

SHA1
6b6ce6fcc05cb140971f5e84e33d7ed1734e91e7

SHA256
51eeb6af44e5101356644ac8ab7372649738cdc2e0dcdd0678b27061fddfb5f9

SHA512
15e72393bf51b266b69df4556f861982c9fa9870c134ce72d7fc228d0a5e967ca29e5f1da0a2cad83959818f547d85c76bcfe27d808d3393428471a8952dac4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\C1DF.exe
Filesize
826KB

MD5
1f0c02e18c9022bbf820745cb3991518

SHA1
6b6ce6fcc05cb140971f5e84e33d7ed1734e91e7

SHA256
51eeb6af44e5101356644ac8ab7372649738cdc2e0dcdd0678b27061fddfb5f9

SHA512
15e72393bf51b266b69df4556f861982c9fa9870c134ce72d7fc228d0a5e967ca29e5f1da0a2cad83959818f547d85c76bcfe27d808d3393428471a8952dac4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\C1DF.exe
Filesize
826KB

MD5
1f0c02e18c9022bbf820745cb3991518

SHA1
6b6ce6fcc05cb140971f5e84e33d7ed1734e91e7

SHA256
51eeb6af44e5101356644ac8ab7372649738cdc2e0dcdd0678b27061fddfb5f9

SHA512
15e72393bf51b266b69df4556f861982c9fa9870c134ce72d7fc228d0a5e967ca29e5f1da0a2cad83959818f547d85c76bcfe27d808d3393428471a8952dac4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\C1DF.exe
Filesize
826KB

MD5
1f0c02e18c9022bbf820745cb3991518

SHA1
6b6ce6fcc05cb140971f5e84e33d7ed1734e91e7

SHA256
51eeb6af44e5101356644ac8ab7372649738cdc2e0dcdd0678b27061fddfb5f9

SHA512
15e72393bf51b266b69df4556f861982c9fa9870c134ce72d7fc228d0a5e967ca29e5f1da0a2cad83959818f547d85c76bcfe27d808d3393428471a8952dac4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC40.exe
Filesize
235KB

MD5
b2d52da50280eb51ffeb63d39c5f6844

SHA1
3e79393d0f31bdd9c954c1c541833c18cf6613bc

SHA256
c16516d51277d0c4902cf23a48b0b3f63e50e8e70efe7f0ea81e4f6a7d7d3b33

SHA512
894a17aaf52a2eee890df13f0e3a59e850fb658b88b13cf253c281263369024f8bee040b0295a6580b43b25b618c6efb740ddac8005a0c40e3c70ce6d551687c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC40.exe
Filesize
235KB

MD5
b2d52da50280eb51ffeb63d39c5f6844

SHA1
3e79393d0f31bdd9c954c1c541833c18cf6613bc

SHA256
c16516d51277d0c4902cf23a48b0b3f63e50e8e70efe7f0ea81e4f6a7d7d3b33

SHA512
894a17aaf52a2eee890df13f0e3a59e850fb658b88b13cf253c281263369024f8bee040b0295a6580b43b25b618c6efb740ddac8005a0c40e3c70ce6d551687c

Download Submit
C:\Users\Admin\AppData\Local\Temp\D142.exe
Filesize
235KB

MD5
b2d52da50280eb51ffeb63d39c5f6844

SHA1
3e79393d0f31bdd9c954c1c541833c18cf6613bc

SHA256
c16516d51277d0c4902cf23a48b0b3f63e50e8e70efe7f0ea81e4f6a7d7d3b33

SHA512
894a17aaf52a2eee890df13f0e3a59e850fb658b88b13cf253c281263369024f8bee040b0295a6580b43b25b618c6efb740ddac8005a0c40e3c70ce6d551687c

Download Submit
C:\Users\Admin\AppData\Local\Temp\D142.exe
Filesize
235KB

MD5
b2d52da50280eb51ffeb63d39c5f6844

SHA1
3e79393d0f31bdd9c954c1c541833c18cf6613bc

SHA256
c16516d51277d0c4902cf23a48b0b3f63e50e8e70efe7f0ea81e4f6a7d7d3b33

SHA512
894a17aaf52a2eee890df13f0e3a59e850fb658b88b13cf253c281263369024f8bee040b0295a6580b43b25b618c6efb740ddac8005a0c40e3c70ce6d551687c

Download Submit
C:\Users\Admin\AppData\Local\Temp\D75E.exe
Filesize
234KB

MD5
bb7bcaea99ae1b8d07280557d3eaa4e0

SHA1
0bfcb365f813eafed62ea4ecc22720b7547ff31d

SHA256
f56043bd1fbdcea413e764b50531e4b98aff17c618fa66f6eccaffe0a19ae7e9

SHA512
cf0193959a6ccb17e31daede5700946640786121fad2a8e7e6a80e0015a632d07d013d3cad2ddb0be38ec53ce4b14847bef02c820c86a5eb8c542b57ef333df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\D75E.exe
Filesize
234KB

MD5
bb7bcaea99ae1b8d07280557d3eaa4e0

SHA1
0bfcb365f813eafed62ea4ecc22720b7547ff31d

SHA256
f56043bd1fbdcea413e764b50531e4b98aff17c618fa66f6eccaffe0a19ae7e9

SHA512
cf0193959a6ccb17e31daede5700946640786121fad2a8e7e6a80e0015a632d07d013d3cad2ddb0be38ec53ce4b14847bef02c820c86a5eb8c542b57ef333df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DA8B.exe
Filesize
328KB

MD5
26cc06395d63ede7cad4296ad358f689

SHA1
3149c5cc96f746cd0d87773c8a14c6686720cc5b

SHA256
a9ea037f4ac2927ad28185f8239900b7176509dfd254ac7b038bbc8559943557

SHA512
6d44c2f9455e2447bd7ae134e0efc8ada70963742bef04892f97250535ed80add765bf39dfbb5e7f626ce79040daa41c733b3645431dd607060dbf394c89214b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DA8B.exe
Filesize
328KB

MD5
26cc06395d63ede7cad4296ad358f689

SHA1
3149c5cc96f746cd0d87773c8a14c6686720cc5b

SHA256
a9ea037f4ac2927ad28185f8239900b7176509dfd254ac7b038bbc8559943557

SHA512
6d44c2f9455e2447bd7ae134e0efc8ada70963742bef04892f97250535ed80add765bf39dfbb5e7f626ce79040daa41c733b3645431dd607060dbf394c89214b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E683.exe
Filesize
1.9MB

MD5
3bf7bbc0f949e65080db6e99d3767e13

SHA1
2b3c06b550d5a2171e40a7edc390c88aa258c422

SHA256
d06bf8cf6f3e3c5869453c9e444d66390f2c2ddec8d8ebe6cec0207a368d31f3

SHA512
d70cdcbe611289c08b2a5787b173f220372d9c43137e96ff18a019c8078c1737f72a8bdfc6cfbf77e7c406196981cc339e47c73b13c43ce85c24b8762d93b87d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E683.exe
Filesize
1.9MB

MD5
3bf7bbc0f949e65080db6e99d3767e13

SHA1
2b3c06b550d5a2171e40a7edc390c88aa258c422

SHA256
d06bf8cf6f3e3c5869453c9e444d66390f2c2ddec8d8ebe6cec0207a368d31f3

SHA512
d70cdcbe611289c08b2a5787b173f220372d9c43137e96ff18a019c8078c1737f72a8bdfc6cfbf77e7c406196981cc339e47c73b13c43ce85c24b8762d93b87d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9B0.exe
Filesize
1.9MB

MD5
3bf7bbc0f949e65080db6e99d3767e13

SHA1
2b3c06b550d5a2171e40a7edc390c88aa258c422

SHA256
d06bf8cf6f3e3c5869453c9e444d66390f2c2ddec8d8ebe6cec0207a368d31f3

SHA512
d70cdcbe611289c08b2a5787b173f220372d9c43137e96ff18a019c8078c1737f72a8bdfc6cfbf77e7c406196981cc339e47c73b13c43ce85c24b8762d93b87d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9B0.exe
Filesize
1.9MB

MD5
3bf7bbc0f949e65080db6e99d3767e13

SHA1
2b3c06b550d5a2171e40a7edc390c88aa258c422

SHA256
d06bf8cf6f3e3c5869453c9e444d66390f2c2ddec8d8ebe6cec0207a368d31f3

SHA512
d70cdcbe611289c08b2a5787b173f220372d9c43137e96ff18a019c8078c1737f72a8bdfc6cfbf77e7c406196981cc339e47c73b13c43ce85c24b8762d93b87d

Download Submit
C:\Users\Admin\AppData\Local\Temp\F0A6.exe
Filesize
3.5MB

MD5
ba2d41ce64789f113baa25ad6014d9ef

SHA1
2a613d52de7beddced943814a65f66d8e465fc58

SHA256
fc78c2fc16065bc118f812c5b9df3fa2d2194fee2e684393d151270c7a89c646

SHA512
1029c6936334ba5905dbe6cbd190e8c6f200a20545e6ad65ac35ccd7e10aed217648e74c103acfcf5136d239ec7b241ab379e52c9f7502fd5d9da793c4f78301

Download Submit
C:\Users\Admin\AppData\Local\Temp\F0A6.exe
Filesize
3.5MB

MD5
ba2d41ce64789f113baa25ad6014d9ef

SHA1
2a613d52de7beddced943814a65f66d8e465fc58

SHA256
fc78c2fc16065bc118f812c5b9df3fa2d2194fee2e684393d151270c7a89c646

SHA512
1029c6936334ba5905dbe6cbd190e8c6f200a20545e6ad65ac35ccd7e10aed217648e74c103acfcf5136d239ec7b241ab379e52c9f7502fd5d9da793c4f78301

Download Submit
C:\Users\Admin\AppData\Local\Temp\F923.exe
Filesize
3.5MB

MD5
ba2d41ce64789f113baa25ad6014d9ef

SHA1
2a613d52de7beddced943814a65f66d8e465fc58

SHA256
fc78c2fc16065bc118f812c5b9df3fa2d2194fee2e684393d151270c7a89c646

SHA512
1029c6936334ba5905dbe6cbd190e8c6f200a20545e6ad65ac35ccd7e10aed217648e74c103acfcf5136d239ec7b241ab379e52c9f7502fd5d9da793c4f78301

Download Submit
C:\Users\Admin\AppData\Local\Temp\F923.exe
Filesize
3.5MB

MD5
ba2d41ce64789f113baa25ad6014d9ef

SHA1
2a613d52de7beddced943814a65f66d8e465fc58

SHA256
fc78c2fc16065bc118f812c5b9df3fa2d2194fee2e684393d151270c7a89c646

SHA512
1029c6936334ba5905dbe6cbd190e8c6f200a20545e6ad65ac35ccd7e10aed217648e74c103acfcf5136d239ec7b241ab379e52c9f7502fd5d9da793c4f78301

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sppyteaet.exe
Filesize
1.3MB

MD5
ff6a5732355485b459248f586c2b6945

SHA1
07da3f03ef18e2eaddfceb050b68e93fd533f7a3

SHA256
366ee3319c995b995fcfcc3f2228a18a09d0461a94964b4b4ad9a89dcbf669f4

SHA512
379fd03ebec85a9b15caf0aa8ba5a43c76199391ba3a2b29d20426501294e66d8f07c219e05355b47702e5a836d1a89015533f72da6bbe2ded57ee5d24056749

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sppyteaet.exe
Filesize
1.3MB

MD5
ff6a5732355485b459248f586c2b6945

SHA1
07da3f03ef18e2eaddfceb050b68e93fd533f7a3

SHA256
366ee3319c995b995fcfcc3f2228a18a09d0461a94964b4b4ad9a89dcbf669f4

SHA512
379fd03ebec85a9b15caf0aa8ba5a43c76199391ba3a2b29d20426501294e66d8f07c219e05355b47702e5a836d1a89015533f72da6bbe2ded57ee5d24056749

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb465ca805\nbveek.exe
Filesize
235KB

MD5
b2d52da50280eb51ffeb63d39c5f6844

SHA1
3e79393d0f31bdd9c954c1c541833c18cf6613bc

SHA256
c16516d51277d0c4902cf23a48b0b3f63e50e8e70efe7f0ea81e4f6a7d7d3b33

SHA512
894a17aaf52a2eee890df13f0e3a59e850fb658b88b13cf253c281263369024f8bee040b0295a6580b43b25b618c6efb740ddac8005a0c40e3c70ce6d551687c

Download Submit
C:\Users\Admin\AppData\Local\c9e8fc64-c29b-4c0f-a0cd-20f61b3c678a\C1DF.exe
Filesize
826KB

MD5
1f0c02e18c9022bbf820745cb3991518

SHA1
6b6ce6fcc05cb140971f5e84e33d7ed1734e91e7

SHA256
51eeb6af44e5101356644ac8ab7372649738cdc2e0dcdd0678b27061fddfb5f9

SHA512
15e72393bf51b266b69df4556f861982c9fa9870c134ce72d7fc228d0a5e967ca29e5f1da0a2cad83959818f547d85c76bcfe27d808d3393428471a8952dac4b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
\ProgramData\mozglue.dll
Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\Users\Admin\AppData\Local\Temp\BFF9.dll
Filesize
584KB

MD5
71bb495869bfff145090bdb878800130

SHA1
5d1e298129bc9c8bf6d1b5d3d9f321a8858e9ab5

SHA256
9475ff9c5e05af184d06a10b33225f74e89cb941495a82bf4038df98169a432f

SHA512
ef22db3f32bf5cd34bc69245c41e9eea8bff7b61c8062631a0817744155e802c7caf4f2711ff653572a15903fc07b1af283cd2289d75f268c22eec14ae173c73

Download Submit
\Users\Admin\AppData\Local\Temp\BFF9.dll
Filesize
584KB

MD5
71bb495869bfff145090bdb878800130

SHA1
5d1e298129bc9c8bf6d1b5d3d9f321a8858e9ab5

SHA256
9475ff9c5e05af184d06a10b33225f74e89cb941495a82bf4038df98169a432f

SHA512
ef22db3f32bf5cd34bc69245c41e9eea8bff7b61c8062631a0817744155e802c7caf4f2711ff653572a15903fc07b1af283cd2289d75f268c22eec14ae173c73

Download Submit
memory/372-729-0x0000000000424141-mapping.dmp

Download
memory/372-825-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/372-982-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/416-406-0x0000000000000000-mapping.dmp

Download
memory/416-863-0x000000000EF00000-0x000000000F214000-memory.dmp

Filesize
3.1MB

Download
memory/416-574-0x0000000002650000-0x00000000027FF000-memory.dmp

Filesize
1.7MB

Download
memory/416-606-0x000000000EF00000-0x000000000F214000-memory.dmp

Filesize
3.1MB

Download
memory/416-857-0x0000000002650000-0x00000000027FF000-memory.dmp

Filesize
1.7MB

Download
memory/748-1084-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/748-1074-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/748-920-0x00000000004219EC-mapping.dmp

Download
memory/748-962-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/812-1370-0x00000000050D0000-0x0000000005C14000-memory.dmp

Filesize
11.3MB

Download
memory/812-1301-0x0000000002C00000-0x0000000003625000-memory.dmp

Filesize
10.1MB

Download
memory/812-1317-0x00000000050D0000-0x0000000005C14000-memory.dmp

Filesize
11.3MB

Download
memory/812-1246-0x00000000000F5FB0-mapping.dmp

Download
memory/812-1369-0x0000000002C00000-0x0000000003625000-memory.dmp

Filesize
10.1MB

Download
memory/1056-548-0x0000000000000000-mapping.dmp

Download
memory/1260-1423-0x0000000000400000-0x00000000009B4000-memory.dmp

Filesize
5.7MB

Download
memory/1260-1341-0x0000000000400000-0x00000000009B4000-memory.dmp

Filesize
5.7MB

Download
memory/1260-1340-0x0000000002600000-0x0000000002B6F000-memory.dmp

Filesize
5.4MB

Download
memory/1260-1112-0x0000000000000000-mapping.dmp

Download
memory/1260-1252-0x00000000070B0000-0x0000000007BF4000-memory.dmp

Filesize
11.3MB

Download
memory/1260-1156-0x0000000002600000-0x0000000002B6F000-memory.dmp

Filesize
5.4MB

Download
memory/1260-1158-0x0000000002B70000-0x0000000003123000-memory.dmp

Filesize
5.7MB

Download
memory/1260-1159-0x0000000000400000-0x00000000009B4000-memory.dmp

Filesize
5.7MB

Download
memory/1504-156-0x0000000000000000-mapping.dmp

Download
memory/1520-209-0x0000000000000000-mapping.dmp

Download
memory/1584-354-0x00000000021A0000-0x00000000022BB000-memory.dmp

Filesize
1.1MB

Download
memory/1584-167-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1584-169-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1584-174-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1584-178-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1584-180-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1584-171-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1584-350-0x0000000000960000-0x0000000000A00000-memory.dmp

Filesize
640KB

Download
memory/1584-164-0x0000000000000000-mapping.dmp

Download
memory/1584-186-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1584-168-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1584-188-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1584-190-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1584-173-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1584-176-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1584-182-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1584-184-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-502-0x0000000000000000-mapping.dmp

Download
memory/2388-1089-0x0000000000000000-mapping.dmp

Download
memory/2492-859-0x0000000000000000-mapping.dmp

Download
memory/2636-132-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-147-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-118-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-126-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-125-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-124-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-127-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-154-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-155-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2636-128-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-129-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-131-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-152-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-153-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-130-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-151-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-150-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-134-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-135-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-136-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-137-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-139-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-123-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-140-0x0000000002170000-0x0000000002179000-memory.dmp

Filesize
36KB

Download
memory/2636-138-0x00000000004C0000-0x000000000056E000-memory.dmp

Filesize
696KB

Download
memory/2636-122-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-142-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-121-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-141-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2636-143-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-149-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-144-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-145-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-146-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-119-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-148-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2636-120-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2720-846-0x0000000000000000-mapping.dmp

Download
memory/2724-1254-0x0000000007DC3000-0x0000000007DC5000-memory.dmp

Filesize
8KB

Download
memory/2864-1424-0x000002165B400000-0x000002165B6AB000-memory.dmp

Filesize
2.7MB

Download
memory/2864-1355-0x000002165B400000-0x000002165B6AB000-memory.dmp

Filesize
2.7MB

Download
memory/2864-1354-0x0000000000EC0000-0x000000000115A000-memory.dmp

Filesize
2.6MB

Download
memory/2864-1346-0x00007FF7F5785FD0-mapping.dmp

Download
memory/2992-361-0x0000000000424141-mapping.dmp

Download
memory/2992-632-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2992-489-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3136-767-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3136-768-0x0000000000DF0000-0x0000000000DF9000-memory.dmp

Filesize
36KB

Download
memory/3136-770-0x0000000000E10000-0x0000000000E1D000-memory.dmp

Filesize
52KB

Download
memory/3292-449-0x0000000000000000-mapping.dmp

Download
memory/3428-1170-0x0000000000000000-mapping.dmp

Download
memory/3536-237-0x0000000000000000-mapping.dmp

Download
memory/3900-699-0x0000000002450000-0x000000000245D000-memory.dmp

Filesize
52KB

Download
memory/3900-694-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3900-696-0x0000000000870000-0x0000000000879000-memory.dmp

Filesize
36KB

Download
memory/3992-444-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3992-450-0x0000000000460000-0x000000000050E000-memory.dmp

Filesize
696KB

Download
memory/3992-567-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3992-455-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3992-284-0x0000000000000000-mapping.dmp

Download
memory/4356-860-0x000000000B6A0000-0x000000000B9B4000-memory.dmp

Filesize
3.1MB

Download
memory/4356-856-0x0000000002B60000-0x0000000002D13000-memory.dmp

Filesize
1.7MB

Download
memory/4356-390-0x0000000000000000-mapping.dmp

Download
memory/4356-605-0x000000000B6A0000-0x000000000B9B4000-memory.dmp

Filesize
3.1MB

Download
memory/4356-571-0x0000000002B60000-0x0000000002D13000-memory.dmp

Filesize
1.7MB

Download
memory/4428-917-0x0000000000000000-mapping.dmp

Download
memory/4500-532-0x0000000000580000-0x00000000006CA000-memory.dmp

Filesize
1.3MB

Download
memory/4500-538-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4500-535-0x0000000000580000-0x00000000006CA000-memory.dmp

Filesize
1.3MB

Download
memory/4500-824-0x0000000000580000-0x00000000006CA000-memory.dmp

Filesize
1.3MB

Download
memory/4500-823-0x0000000000580000-0x00000000006CA000-memory.dmp

Filesize
1.3MB

Download
memory/4500-314-0x0000000000000000-mapping.dmp

Download
memory/4520-1404-0x0000000000000000-mapping.dmp

Download
memory/4692-1082-0x0000000000000000-mapping.dmp

Download
memory/4712-179-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4712-192-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4712-172-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4712-165-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4712-181-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4712-160-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4712-175-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4712-163-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4712-159-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4712-191-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4712-170-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4712-183-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4712-189-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4712-158-0x0000000000000000-mapping.dmp

Download
memory/4712-268-0x0000000000AF0000-0x0000000000AF6000-memory.dmp

Filesize
24KB

Download
memory/4712-187-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4712-185-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4712-161-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4712-162-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4756-629-0x0000000000000000-mapping.dmp

Download
memory/4756-725-0x0000000000A20000-0x0000000000AB2000-memory.dmp

Filesize
584KB

Download