aurora | fd8d1e70b3e9c7188a151be315a9daaf94af8d8da9950899a88af5cf9886e968

Resubmissions

09-08-2023 18:08

230809-wqxw6sed96 10

11-01-2023 19:15

230111-xx8gxshh71 10

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2023 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

321KB
MD5

3a4d880059c9a5cc560a6492ef9dd374
SHA1

fc94771824b10e6b49ded2d6813774515c53b21e
SHA256

fd8d1e70b3e9c7188a151be315a9daaf94af8d8da9950899a88af5cf9886e968
SHA512

f3999f1b3e11bb9838275171bc1f584cd7bc61e15ae1c93aec46623cc5597f9d428e637127b3bafb9bf93dcd50eb7e85953e7a96fd52d06597d25201d1cb241f
SSDEEP

6144:H/fZ25NhJaRFAl2E83mNVilP3Zi5RadxFzC:fB25NB82/83ZiWd

Malware Config

Extracted

Family

icedid

Campaign

3131022508

wagringamuk.com

Extracted

Family

djvu

http://spaceris.com/lancer/get.php

Attributes

extension
.zouu
offline_id
7hl6KB3alcoZ6n4DhS2rApCezkIMzShntAiXWMt1
payload_url
http://uaery.top/dl/build2.exe
http://spaceris.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-N3pXlaPXFm Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0631JOsie

rsa_pubkey.plain

Extracted

Family

aurora

82.115.223.77:8081

Extracted

Family

vidar

Version

Botnet

https://t.me/tgdatapacks

https://steamcommunity.com/profiles/76561199469677637

Attributes

profile_id
19

Extracted

Family

redline

Botnet

743920601

65.21.237.20:43077

Attributes

auth_value
4f6bf1eb2954713987bff37ccd52ac68

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

DcRat 4 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

file.exeschtasks.exeF514.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
3152	schtasks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\5c920b25-cdd4-42b5-977a-a69c14354eb4\\F514.exe\" --AutoStart"	F514.exe
1428	schtasks.exe

Detected Djvu ransomware 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/732-160-0x0000000002290000-0x00000000023AB000-memory.dmp	family_djvu
behavioral2/memory/224-162-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/224-164-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/224-165-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/224-166-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/224-176-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3836-180-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3836-182-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3836-188-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3836-227-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4844-133-0x0000000002190000-0x0000000002199000-memory.dmp	family_smokeloader
behavioral2/memory/4396-168-0x0000000001F10000-0x0000000001F19000-memory.dmp	family_smokeloader
behavioral2/memory/3912-240-0x0000000002CE0000-0x0000000002CE9000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

E7E7.exe

description pid process target process

PID 1820 created 1120 1820 E7E7.exe computerdefaults.exe
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

130 4004 rundll32.exe
179 3404 rundll32.exe
182 3404 rundll32.exe
187 3404 rundll32.exe
189 3404 rundll32.exe
190 3404 rundll32.exe
Downloads MZ/PE file

description	pid	process	target process
PID 1820 created 1120	1820	E7E7.exe	computerdefaults.exe

flow	pid	process
130	4004	rundll32.exe
179	3404	rundll32.exe
182	3404	rundll32.exe
187	3404	rundll32.exe
189	3404	rundll32.exe
190	3404	rundll32.exe

Executes dropped EXE 21 IoCs

Processes:

F38C.exeF514.exeFA07.exeFB9E.exe42.exeF514.exeF514.exeF514.exebuild2.exebuild3.exebuild2.exemstsca.exeGHjsL5oybm.exe95DC.exeC7DA.exeD009.exeE7E7.exeF9AB.exeFE30.exeD54.exeIwhwwflmjnchqylwsotldpkjhsfkj3hjkh54.exe

pid	process
2108	F38C.exe
732	F514.exe
4396	FA07.exe
2304	FB9E.exe
4232	42.exe
224	F514.exe
3724	F514.exe
3836	F514.exe
1640	build2.exe
1836	build3.exe
4048	build2.exe
3184	mstsca.exe
3912	GHjsL5oybm.exe
4352	95DC.exe
420	C7DA.exe
2448	D009.exe
1820	E7E7.exe
4488	F9AB.exe
2288	FE30.exe
1260	D54.exe
1840	Iwhwwflmjnchqylwsotldpkjhsfkj3hjkh54.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

F514.exeF514.exebuild2.exeD54.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	F514.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	F514.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	build2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	D54.exe

Loads dropped DLL 4 IoCs

Processes:

build2.exerundll32.exerundll32.exe

pid process

4048 build2.exe
4048 build2.exe
4004 rundll32.exe
3404 rundll32.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

3672 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4048	build2.exe
4048	build2.exe
4004	rundll32.exe
3404	rundll32.exe

pid	process
3672	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

F514.exeD54.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\5c920b25-cdd4-42b5-977a-a69c14354eb4\\F514.exe\" --AutoStart"	F514.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\WindowsPrograms\\WindowsHost.exe\""	D54.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

38 api.2ip.ua
39 api.2ip.ua
52 api.2ip.ua

flow	ioc
38	api.2ip.ua
39	api.2ip.ua
52	api.2ip.ua

Suspicious use of SetThreadContext 6 IoCs

Processes:

F514.exeF514.exe42.exebuild2.exeD54.exerundll32.exe

description	pid	process	target process
PID 732 set thread context of 224	732	F514.exe	F514.exe
PID 3724 set thread context of 3836	3724	F514.exe	F514.exe
PID 4232 set thread context of 5064	4232	42.exe	vbc.exe
PID 1640 set thread context of 4048	1640	build2.exe	build2.exe
PID 1260 set thread context of 4068	1260	D54.exe	MSBuild.exe
PID 4004 set thread context of 388	4004	rundll32.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

4684 2304 WerFault.exe FB9E.exe
4408 4232 WerFault.exe 42.exe
2604 4352 WerFault.exe 95DC.exe

pid	pid_target	process	target process
4684	2304	WerFault.exe	FB9E.exe
4408	4232	WerFault.exe	42.exe
2604	4352	WerFault.exe	95DC.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

file.exeFA07.exeGHjsL5oybm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	FA07.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	GHjsL5oybm.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	GHjsL5oybm.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	GHjsL5oybm.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	FA07.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	FA07.exe

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exebuild2.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1428 schtasks.exe
3152 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4576 timeout.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

4408 ipconfig.exe
3876 ipconfig.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 63 Go-http-client/1.1

pid	process
1428	schtasks.exe
3152	schtasks.exe

pid	process
4576	timeout.exe

pid	process
4408	ipconfig.exe
3876	ipconfig.exe

description	flow	ioc
HTTP User-Agent header	63	Go-http-client/1.1

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000002b5622a2100054656d7000003a0009000400efbe0c5519992b5622a22e00000000000000000000000000000000000000000000000000407cda00540065006d007000000014000000
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

744

pid	process
744

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
4844	file.exe
4844	file.exe
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

744
Suspicious behavior: MapViewOfSection 21 IoCs

Processes:

file.exeFA07.exeGHjsL5oybm.exe

pid process

4844 file.exe
4396 FA07.exe
3912 GHjsL5oybm.exe
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744
744

pid	process
744

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exeWMIC.exe

description	pid	process
Token: SeShutdownPrivilege	744
Token: SeCreatePagefilePrivilege	744
Token: SeShutdownPrivilege	744
Token: SeCreatePagefilePrivilege	744
Token: SeShutdownPrivilege	744
Token: SeCreatePagefilePrivilege	744
Token: SeShutdownPrivilege	744
Token: SeCreatePagefilePrivilege	744
Token: SeShutdownPrivilege	744
Token: SeCreatePagefilePrivilege	744
Token: SeShutdownPrivilege	744
Token: SeCreatePagefilePrivilege	744
Token: SeShutdownPrivilege	744
Token: SeCreatePagefilePrivilege	744
Token: SeShutdownPrivilege	744
Token: SeCreatePagefilePrivilege	744
Token: SeIncreaseQuotaPrivilege	4452	wmic.exe
Token: SeSecurityPrivilege	4452	wmic.exe
Token: SeTakeOwnershipPrivilege	4452	wmic.exe
Token: SeLoadDriverPrivilege	4452	wmic.exe
Token: SeSystemProfilePrivilege	4452	wmic.exe
Token: SeSystemtimePrivilege	4452	wmic.exe
Token: SeProfSingleProcessPrivilege	4452	wmic.exe
Token: SeIncBasePriorityPrivilege	4452	wmic.exe
Token: SeCreatePagefilePrivilege	4452	wmic.exe
Token: SeBackupPrivilege	4452	wmic.exe
Token: SeRestorePrivilege	4452	wmic.exe
Token: SeShutdownPrivilege	4452	wmic.exe
Token: SeDebugPrivilege	4452	wmic.exe
Token: SeSystemEnvironmentPrivilege	4452	wmic.exe
Token: SeRemoteShutdownPrivilege	4452	wmic.exe
Token: SeUndockPrivilege	4452	wmic.exe
Token: SeManageVolumePrivilege	4452	wmic.exe
Token: 33	4452	wmic.exe
Token: 34	4452	wmic.exe
Token: 35	4452	wmic.exe
Token: 36	4452	wmic.exe
Token: SeIncreaseQuotaPrivilege	4452	wmic.exe
Token: SeSecurityPrivilege	4452	wmic.exe
Token: SeTakeOwnershipPrivilege	4452	wmic.exe
Token: SeLoadDriverPrivilege	4452	wmic.exe
Token: SeSystemProfilePrivilege	4452	wmic.exe
Token: SeSystemtimePrivilege	4452	wmic.exe
Token: SeProfSingleProcessPrivilege	4452	wmic.exe
Token: SeIncBasePriorityPrivilege	4452	wmic.exe
Token: SeCreatePagefilePrivilege	4452	wmic.exe
Token: SeBackupPrivilege	4452	wmic.exe
Token: SeRestorePrivilege	4452	wmic.exe
Token: SeShutdownPrivilege	4452	wmic.exe
Token: SeDebugPrivilege	4452	wmic.exe
Token: SeSystemEnvironmentPrivilege	4452	wmic.exe
Token: SeRemoteShutdownPrivilege	4452	wmic.exe
Token: SeUndockPrivilege	4452	wmic.exe
Token: SeManageVolumePrivilege	4452	wmic.exe
Token: 33	4452	wmic.exe
Token: 34	4452	wmic.exe
Token: 35	4452	wmic.exe
Token: 36	4452	wmic.exe
Token: SeShutdownPrivilege	744
Token: SeCreatePagefilePrivilege	744
Token: SeIncreaseQuotaPrivilege	2948	WMIC.exe
Token: SeSecurityPrivilege	2948	WMIC.exe
Token: SeTakeOwnershipPrivilege	2948	WMIC.exe
Token: SeLoadDriverPrivilege	2948	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

388 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

744
744

pid	process
388	rundll32.exe

pid	process
744
744

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

F514.exeF514.exeF514.exeF514.exe42.exebuild3.exevbc.execmd.exe

description	pid	process	target process
PID 744 wrote to memory of 2108	744		F38C.exe
PID 744 wrote to memory of 2108	744		F38C.exe
PID 744 wrote to memory of 732	744		F514.exe
PID 744 wrote to memory of 732	744		F514.exe
PID 744 wrote to memory of 732	744		F514.exe
PID 744 wrote to memory of 4396	744		FA07.exe
PID 744 wrote to memory of 4396	744		FA07.exe
PID 744 wrote to memory of 4396	744		FA07.exe
PID 744 wrote to memory of 2304	744		FB9E.exe
PID 744 wrote to memory of 2304	744		FB9E.exe
PID 744 wrote to memory of 2304	744		FB9E.exe
PID 744 wrote to memory of 4232	744		42.exe
PID 744 wrote to memory of 4232	744		42.exe
PID 744 wrote to memory of 4232	744		42.exe
PID 732 wrote to memory of 224	732	F514.exe	F514.exe
PID 732 wrote to memory of 224	732	F514.exe	F514.exe
PID 732 wrote to memory of 224	732	F514.exe	F514.exe
PID 732 wrote to memory of 224	732	F514.exe	F514.exe
PID 732 wrote to memory of 224	732	F514.exe	F514.exe
PID 732 wrote to memory of 224	732	F514.exe	F514.exe
PID 732 wrote to memory of 224	732	F514.exe	F514.exe
PID 732 wrote to memory of 224	732	F514.exe	F514.exe
PID 732 wrote to memory of 224	732	F514.exe	F514.exe
PID 732 wrote to memory of 224	732	F514.exe	F514.exe
PID 224 wrote to memory of 3672	224	F514.exe	icacls.exe
PID 224 wrote to memory of 3672	224	F514.exe	icacls.exe
PID 224 wrote to memory of 3672	224	F514.exe	icacls.exe
PID 224 wrote to memory of 3724	224	F514.exe	F514.exe
PID 224 wrote to memory of 3724	224	F514.exe	F514.exe
PID 224 wrote to memory of 3724	224	F514.exe	F514.exe
PID 3724 wrote to memory of 3836	3724	F514.exe	F514.exe
PID 3724 wrote to memory of 3836	3724	F514.exe	F514.exe
PID 3724 wrote to memory of 3836	3724	F514.exe	F514.exe
PID 3724 wrote to memory of 3836	3724	F514.exe	F514.exe
PID 3724 wrote to memory of 3836	3724	F514.exe	F514.exe
PID 3724 wrote to memory of 3836	3724	F514.exe	F514.exe
PID 3724 wrote to memory of 3836	3724	F514.exe	F514.exe
PID 3724 wrote to memory of 3836	3724	F514.exe	F514.exe
PID 3724 wrote to memory of 3836	3724	F514.exe	F514.exe
PID 3724 wrote to memory of 3836	3724	F514.exe	F514.exe
PID 3836 wrote to memory of 1640	3836	F514.exe	build2.exe
PID 3836 wrote to memory of 1640	3836	F514.exe	build2.exe
PID 3836 wrote to memory of 1640	3836	F514.exe	build2.exe
PID 4232 wrote to memory of 5064	4232	42.exe	vbc.exe
PID 4232 wrote to memory of 5064	4232	42.exe	vbc.exe
PID 4232 wrote to memory of 5064	4232	42.exe	vbc.exe
PID 4232 wrote to memory of 5064	4232	42.exe	vbc.exe
PID 4232 wrote to memory of 5064	4232	42.exe	vbc.exe
PID 3836 wrote to memory of 1836	3836	F514.exe	build3.exe
PID 3836 wrote to memory of 1836	3836	F514.exe	build3.exe
PID 3836 wrote to memory of 1836	3836	F514.exe	build3.exe
PID 1836 wrote to memory of 1428	1836	build3.exe	schtasks.exe
PID 1836 wrote to memory of 1428	1836	build3.exe	schtasks.exe
PID 1836 wrote to memory of 1428	1836	build3.exe	schtasks.exe
PID 5064 wrote to memory of 4452	5064	vbc.exe	wmic.exe
PID 5064 wrote to memory of 4452	5064	vbc.exe	wmic.exe
PID 5064 wrote to memory of 4452	5064	vbc.exe	wmic.exe
PID 5064 wrote to memory of 2736	5064	vbc.exe	cmd.exe
PID 5064 wrote to memory of 2736	5064	vbc.exe	cmd.exe
PID 5064 wrote to memory of 2736	5064	vbc.exe	cmd.exe
PID 2736 wrote to memory of 2948	2736	cmd.exe	WMIC.exe
PID 2736 wrote to memory of 2948	2736	cmd.exe	WMIC.exe
PID 2736 wrote to memory of 2948	2736	cmd.exe	WMIC.exe
PID 5064 wrote to memory of 3524	5064	vbc.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4844

C:\Users\Admin\AppData\Local\Temp\F38C.exe
C:\Users\Admin\AppData\Local\Temp\F38C.exe
1⤵
- Executes dropped EXE
PID:2108

C:\Users\Admin\AppData\Local\Temp\F514.exe
C:\Users\Admin\AppData\Local\Temp\F514.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:732

C:\Users\Admin\AppData\Local\Temp\F514.exe
C:\Users\Admin\AppData\Local\Temp\F514.exe
2⤵
- DcRat
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:224

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\5c920b25-cdd4-42b5-977a-a69c14354eb4" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:3672

C:\Users\Admin\AppData\Local\Temp\F514.exe
"C:\Users\Admin\AppData\Local\Temp\F514.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3724

C:\Users\Admin\AppData\Local\Temp\F514.exe
"C:\Users\Admin\AppData\Local\Temp\F514.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3836

C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build2.exe
"C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1640

C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build2.exe
"C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build2.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
PID:4048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build2.exe" & exit
7⤵
PID:4344

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:4576

C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build3.exe
"C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
6⤵
- DcRat
- Creates scheduled task(s)
PID:1428

C:\Users\Admin\AppData\Local\Temp\FA07.exe
C:\Users\Admin\AppData\Local\Temp\FA07.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4396

C:\Users\Admin\AppData\Local\Temp\FB9E.exe
C:\Users\Admin\AppData\Local\Temp\FB9E.exe
1⤵
- Executes dropped EXE
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 344
2⤵
- Program crash
PID:4684

C:\Users\Admin\AppData\Local\Temp\42.exe
C:\Users\Admin\AppData\Local\Temp\42.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
3⤵
PID:3524

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
4⤵
PID:1420

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "start-process C:\Users\Admin\AppData\Local\Temp\GHjsL5oybm.exe"
3⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\GHjsL5oybm.exe
"C:\Users\Admin\AppData\Local\Temp\GHjsL5oybm.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 140
2⤵
- Program crash
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2304 -ip 2304
1⤵
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4232 -ip 4232
1⤵
PID:4100

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:3184

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
2⤵
- DcRat
- Creates scheduled task(s)
PID:3152

C:\Users\Admin\AppData\Local\Temp\95DC.exe
C:\Users\Admin\AppData\Local\Temp\95DC.exe
1⤵
- Executes dropped EXE
PID:4352

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qytyaworpiotpd.tmp",Edoqqdswdffqipe
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
PID:4004

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23803
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 544
2⤵
- Program crash
PID:2604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4352 -ip 4352
1⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\C7DA.exe
C:\Users\Admin\AppData\Local\Temp\C7DA.exe
1⤵
- Executes dropped EXE
PID:420

C:\Users\Admin\AppData\Local\Temp\D009.exe
C:\Users\Admin\AppData\Local\Temp\D009.exe
1⤵
- Executes dropped EXE
PID:2448

C:\Users\Admin\AppData\Local\Temp\E7E7.exe
C:\Users\Admin\AppData\Local\Temp\E7E7.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
PID:1820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
2⤵
PID:1504

C:\Windows\System32\computerdefaults.exe
C:\Windows\System32\computerdefaults.exe
2⤵
PID:1120

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\ProgramData\intel.dll, Entry
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:3404

C:\Users\Admin\AppData\Local\Temp\F9AB.exe
C:\Users\Admin\AppData\Local\Temp\F9AB.exe
1⤵
- Executes dropped EXE
PID:4488

C:\Users\Admin\AppData\Local\Temp\FE30.exe
C:\Users\Admin\AppData\Local\Temp\FE30.exe
1⤵
- Executes dropped EXE
PID:2288

C:\Users\Admin\AppData\Local\Temp\D54.exe
C:\Users\Admin\AppData\Local\Temp\D54.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1260

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig/release
2⤵
PID:1812

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
3⤵
- Gathers network information
PID:4408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA==
2⤵
PID:532

C:\Users\Admin\AppData\Local\Temp\Iwhwwflmjnchqylwsotldpkjhsfkj3hjkh54.exe
"C:\Users\Admin\AppData\Local\Temp\Iwhwwflmjnchqylwsotldpkjhsfkj3hjkh54.exe"
2⤵
- Executes dropped EXE
PID:1840

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig/renew
2⤵
PID:1480

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /renew
3⤵
- Gathers network information
PID:3876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
2⤵
PID:448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
2⤵
PID:4068

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3564

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3912

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3656

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1748

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1768

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1208

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:752

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2736

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2604

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\intel.dll
Filesize
221KB

MD5
a8375653ea2b8b06eb7e6f3760d11d7e

SHA1
f6b84d7179d8a3fd6e911d94e7cef4db71457df1

SHA256
1e88c720fba0938e82bd81bb75fea4e4edd2a612d0ad4913de334cd16bc972f2

SHA512
82182199246d9cfd8eb0682cdd11484fcda785390b98f0fa19fc7d0a34eea1ba56de5a6026a2228a1fe6cf582deda7c20de89adf5cb188786d9b7dfb0d0ff6f9

Download Submit
C:\ProgramData\intel.dll
Filesize
221KB

MD5
a8375653ea2b8b06eb7e6f3760d11d7e

SHA1
f6b84d7179d8a3fd6e911d94e7cef4db71457df1

SHA256
1e88c720fba0938e82bd81bb75fea4e4edd2a612d0ad4913de334cd16bc972f2

SHA512
82182199246d9cfd8eb0682cdd11484fcda785390b98f0fa19fc7d0a34eea1ba56de5a6026a2228a1fe6cf582deda7c20de89adf5cb188786d9b7dfb0d0ff6f9

Download Submit
C:\ProgramData\mozglue.dll
Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\nss3.dll
Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
61a9f01083346a0ee40dc68983932b14

SHA1
85737a00e510acc709a5ea03d04a666bf41eb912

SHA256
db745e7939f305e69baa8e6fda50687f545b5b9af3cffbd290f1223d7956c1e7

SHA512
80edf82ede77a5657e92ca9c6ec45fe28118f1f0372d33e377185f7043580ee136927922556795552b41b9bd03aaef9a0273758af375b56ad4470aa23ac88349

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
Filesize
1KB

MD5
674500a7bab0b260aa09403d126204eb

SHA1
63f0a5474fb2c30ac23a224ff9cfcda7009abb72

SHA256
298fa716d7ed652783ad89d0ddf50435caef4f35c422afc689ea21f3f5f0d107

SHA512
37233a4f52a54ae43a03c3ccee875410385b4e520a0307093e332787bb86c3677d05ffdfb82d18bbb36ac43a6ddd12011591f7217230970b5ce7677a1ca7979c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7EEA265692AC7955311B9E4CB27AFC35_3F411C6719032639C08C134E44D08A86
Filesize
1KB

MD5
27ceb86384eae5123785ec9a99d7a82a

SHA1
a26a9db3d8749f700c8bdb555810a9d229728684

SHA256
97ab1083a8b2fb0a5b5a009088374deeef3877f7e9bff27b281f910eef43d797

SHA512
b05bc4184537369923b73c062842a7640734f4156f833459fd03a214b65e5c188d1a0d5de7cd9221e6bb071015b9fc5fa3a768ffcaab1150a0ac702c1f59cbbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
deb5907196e6e5e0e915c276f65a6924

SHA1
62802115ee04a17e66297fbfd5ab8d933040ffdb

SHA256
48c65c4f7dfbf070a4e8157cd0ec68e495eb3f963668f3d51ae6fedcff7fcda1

SHA512
4881fd5f46e1846f4e4dd3cb0295c5b48f62181bba01f8113520d97ee31b1489429281778d1ac0d58d02a3343ad97d24a96ce1d2bdbb1ddda2f77e5101f51c43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
Filesize
1KB

MD5
cb25b902cb00a5f817ff4e2d3c2ff512

SHA1
eb18d25b536b58ac2b70b7444bb95616915c798a

SHA256
8eb0284f8a54400a3e31f969fae9e81defe1fa3f9aefdda4f6a3f35227a5e587

SHA512
d02bf534f92cb0aca4176ce6674f40d1533fd7d73e5f176c2145a34a251f2434189d9c490e2e39e682c5d6c9c6067d78bd91f5c3173090a1f0e3c3364d584f45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
64412091db0f45c3b3b874fca834e218

SHA1
4357fb4cd9ae84ec01c34f207ae762151a558f63

SHA256
94b12ac2a928111f086c26336e68027d5fd730c7d743dbad3d3290ddf2ca4fe6

SHA512
593ecf05377ef874e6f922f66a079f1a454cc1189a07507e79bdfff04390c41ffa30b22ba35fe789a7bf3526d297d52d9f46f11d846ce48d4694f6929a8f771d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
Filesize
450B

MD5
cfd5200468ca20b4561e49d536b74f1b

SHA1
8abac3f0e8e0384ef3d3eb27c2b1876a43061bfd

SHA256
c0c39dcc1a459a7ab51209e52342480d91076253dbb53303ce5c01465d271ac0

SHA512
cb84e19fe1e2f08367874a78fe325cfca5f08a7408adf39c2fbff1da7abdb304e392a7260c5bd683e622bf498f88315f7383854430e8755bb6fa8e217023503f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7EEA265692AC7955311B9E4CB27AFC35_3F411C6719032639C08C134E44D08A86
Filesize
482B

MD5
9f6f2feb04b8662fc9907be249c72b0f

SHA1
7f34ef3307815bbc4b4ca446b7306d4a0965856e

SHA256
763c83abd46fbc55573e597449323045e7df169dd4fd1e8cbe3b6a70db2f8811

SHA512
1f0e6daca94d786fa2bb9db9fe985fc3f2bc12868a35067dd9639728acdfc8aeec23ddcc6b2fff8bec6a0c81e7250546e9ff4d305524b18ff8b64e7c322cedb5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
5d41cfd5676516ee25dc3b52690ecd74

SHA1
f4c825cc88aa0d48fbec9919d8b3df6f0ad7de4c

SHA256
042247a466bdb0a48fa2c287b37b9e54be19d6c26a55d9403a2e77c4ca60dd12

SHA512
2f8c9e7cb9ce40fde173ad17a2405fac09164dbda5c2f43fa65558c969dc7b6bb0a690b32725423e8eaa94b7cc27d938909238000920c22a2fb03889e918ed26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
Filesize
458B

MD5
423dbe8bdc384a0c17da1b937a22a084

SHA1
1f98a54997dc09e70b93aa85cc533ad1d97e22cb

SHA256
ea72a9be0c8e86059b34268fd9fef271acf177c96d4b77c08484f6b9db36487d

SHA512
e81e407f135235d9ba6005da3680e50bfadc64a85339855ce100964fcd9024b2c14b3817490606f94c09a27ec53d29ab3560e07c828dfa3f8b048f4ab1c3e043

Download Submit
C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build2.exe
Filesize
422KB

MD5
866933fee5234be619d89a6d6a60bd88

SHA1
fd279d026264dbb75ea46be965ea163d94d67f0c

SHA256
ab6396ad69a961a9f879e58725ed66fa01f7add478b61cbaf4db1f26a9e47185

SHA512
fab7b9cfa5c38cff35068334b8525fcc1c6a5ca694f379db3322fc1bd8df9bbfa3446504297fec4c42c55e805fee2be9f96a3eff8eed7db72816a080aff7933d

Download Submit
C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build2.exe
Filesize
422KB

MD5
866933fee5234be619d89a6d6a60bd88

SHA1
fd279d026264dbb75ea46be965ea163d94d67f0c

SHA256
ab6396ad69a961a9f879e58725ed66fa01f7add478b61cbaf4db1f26a9e47185

SHA512
fab7b9cfa5c38cff35068334b8525fcc1c6a5ca694f379db3322fc1bd8df9bbfa3446504297fec4c42c55e805fee2be9f96a3eff8eed7db72816a080aff7933d

Download Submit
C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build2.exe
Filesize
422KB

MD5
866933fee5234be619d89a6d6a60bd88

SHA1
fd279d026264dbb75ea46be965ea163d94d67f0c

SHA256
ab6396ad69a961a9f879e58725ed66fa01f7add478b61cbaf4db1f26a9e47185

SHA512
fab7b9cfa5c38cff35068334b8525fcc1c6a5ca694f379db3322fc1bd8df9bbfa3446504297fec4c42c55e805fee2be9f96a3eff8eed7db72816a080aff7933d

Download Submit
C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\5c920b25-cdd4-42b5-977a-a69c14354eb4\F514.exe
Filesize
827KB

MD5
5d09682b08307cf7e7d4ee43b3b04791

SHA1
8668ef968def3d1e58bc5d3bb57088f0550a3b2d

SHA256
b0fe9334ec54815e8eda224488e34d41fcdaef253cad3c7cb751b273b3dc91e3

SHA512
a362e95e79b100178bce102b015e3d0107cd3df808980d84b63bc940ee7c90221f06cc2dc9f087b7e15e20ec994418483f5b913d954badf60d70f6c56b96f4d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
07fd8db6ff76a0b7e1fb2a919d1af689

SHA1
1a6355cd500d1ae67e72d6b94946c07783966d6a

SHA256
46a4dc2397d79efe89dcd65f373555abbd7947f3d24b0eb3f1e33cd9a29d7cf4

SHA512
4013b56b4ea238b5bd0979988b77e2b0aa1647e73b4c2632004607752cd7d67b4bd73e89fa7216b6f8d0cf45fb725b81cca4be71aee1d8f0337bfce7fe21d2c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\42.exe
Filesize
4.5MB

MD5
1a450a1a716cdb1bc3bd0b7467c2f157

SHA1
195d2f7052897360b07cf68a9f05794fcb41d88e

SHA256
88076120630d47c184b949cb272e69a1df48244300e1f10b09443ef3140d554b

SHA512
de0ba52dc6e62b2da6105c2149e1b3040762634617b6918378ad8c65ef4f59516adeaa6ba74e52369694ab0eeed3ed3a7dc78c275920c27936d467d5168b1188

Download Submit
C:\Users\Admin\AppData\Local\Temp\42.exe
Filesize
4.5MB

MD5
1a450a1a716cdb1bc3bd0b7467c2f157

SHA1
195d2f7052897360b07cf68a9f05794fcb41d88e

SHA256
88076120630d47c184b949cb272e69a1df48244300e1f10b09443ef3140d554b

SHA512
de0ba52dc6e62b2da6105c2149e1b3040762634617b6918378ad8c65ef4f59516adeaa6ba74e52369694ab0eeed3ed3a7dc78c275920c27936d467d5168b1188

Download Submit
C:\Users\Admin\AppData\Local\Temp\95DC.exe
Filesize
1.1MB

MD5
7a66992f14ec9015181ed2d580c190ff

SHA1
9674bf45d8017f7753ddd6e106a8974bb87860c0

SHA256
34d3c6e0521570cf69ae828b240b19b3314e9b63d534d9a62ce81f6ac5eee8f7

SHA512
e499c16f7cd9516e72745618443630bc9ca0218bc31118c49dde9ca63ffb067e65fd8b62c0326c80204156ffc030d1163910440197905be7333f64f056776dc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\95DC.exe
Filesize
1.1MB

MD5
7a66992f14ec9015181ed2d580c190ff

SHA1
9674bf45d8017f7753ddd6e106a8974bb87860c0

SHA256
34d3c6e0521570cf69ae828b240b19b3314e9b63d534d9a62ce81f6ac5eee8f7

SHA512
e499c16f7cd9516e72745618443630bc9ca0218bc31118c49dde9ca63ffb067e65fd8b62c0326c80204156ffc030d1163910440197905be7333f64f056776dc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\C7DA.exe
Filesize
338KB

MD5
322740661a3e59ff7e4fc4482c17b6cd

SHA1
107b0dad706cd1acaf76cd31caea9fff87a0cd0b

SHA256
b9cbe1bc0246eb38236e67fb2039168c2998a205809843f16f771722d1d67d0f

SHA512
a46b00879932f217b8ff5d4d88fe61a4ed747e2ffa66b8bcb1f08286f336fe2d56714b23bace9dc3219668632d3028d4f0bf337b83ddf7a2c6f8815743c0de86

Download Submit
C:\Users\Admin\AppData\Local\Temp\C7DA.exe
Filesize
338KB

MD5
322740661a3e59ff7e4fc4482c17b6cd

SHA1
107b0dad706cd1acaf76cd31caea9fff87a0cd0b

SHA256
b9cbe1bc0246eb38236e67fb2039168c2998a205809843f16f771722d1d67d0f

SHA512
a46b00879932f217b8ff5d4d88fe61a4ed747e2ffa66b8bcb1f08286f336fe2d56714b23bace9dc3219668632d3028d4f0bf337b83ddf7a2c6f8815743c0de86

Download Submit
C:\Users\Admin\AppData\Local\Temp\D009.exe
Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\D009.exe
Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\D54.exe
Filesize
976KB

MD5
65abb47a2e20764cc72afb0ffb5db36e

SHA1
b734b77de71565b307272e9b76519d7ee1fbd468

SHA256
0c9720d53f929fa105c068e3383bf62bc5bb6f964796de182d21306270b2a496

SHA512
8d385b4581145fa5ea2cc4185f27c9f71b29e1f73b917710270e96d5d1c1a7530db6ebd1c1185ebb9fb8742628b7b8a74641dcdcac62407a7dcf64169e6f4658

Download Submit
C:\Users\Admin\AppData\Local\Temp\D54.exe
Filesize
976KB

MD5
65abb47a2e20764cc72afb0ffb5db36e

SHA1
b734b77de71565b307272e9b76519d7ee1fbd468

SHA256
0c9720d53f929fa105c068e3383bf62bc5bb6f964796de182d21306270b2a496

SHA512
8d385b4581145fa5ea2cc4185f27c9f71b29e1f73b917710270e96d5d1c1a7530db6ebd1c1185ebb9fb8742628b7b8a74641dcdcac62407a7dcf64169e6f4658

Download Submit
C:\Users\Admin\AppData\Local\Temp\E7E7.exe
Filesize
273KB

MD5
a05183b5af3370cc1bcc933c061d8596

SHA1
d8e5157a786191e35847c3fa25a07d6fc4462ac3

SHA256
a22e9b633917deb3d58c264577786289e3e0fbf5cd76a93debf52c5f630ba58e

SHA512
9fb93e8b34aec3917f06a18a042cdcc7d27fc76c155b9ee63d387c8d5ebe70c04c9dec4b86088f14bb16053f6fdb959013e592c16fa74267cc3fade7dda0f42e

Download Submit
C:\Users\Admin\AppData\Local\Temp\E7E7.exe
Filesize
273KB

MD5
a05183b5af3370cc1bcc933c061d8596

SHA1
d8e5157a786191e35847c3fa25a07d6fc4462ac3

SHA256
a22e9b633917deb3d58c264577786289e3e0fbf5cd76a93debf52c5f630ba58e

SHA512
9fb93e8b34aec3917f06a18a042cdcc7d27fc76c155b9ee63d387c8d5ebe70c04c9dec4b86088f14bb16053f6fdb959013e592c16fa74267cc3fade7dda0f42e

Download Submit
C:\Users\Admin\AppData\Local\Temp\F38C.exe
Filesize
747KB

MD5
02ff76dbe2bb9fc49ddea931896601d3

SHA1
037f7708d988957d49243b2e93df0878e22e0030

SHA256
30ac60ce48ad9a04c19803d9b4dbee395ad362ad782b8912fce238a90f1cced0

SHA512
79a9a33b4a61346bfd8440a0c71996a3606d4bc4026e8cf8a5361d1bd02d91fd5802af37e879a799e75881dbb0c577c9e8a7c529f4ffb7f8b47e33935f1e5f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\F38C.exe
Filesize
747KB

MD5
02ff76dbe2bb9fc49ddea931896601d3

SHA1
037f7708d988957d49243b2e93df0878e22e0030

SHA256
30ac60ce48ad9a04c19803d9b4dbee395ad362ad782b8912fce238a90f1cced0

SHA512
79a9a33b4a61346bfd8440a0c71996a3606d4bc4026e8cf8a5361d1bd02d91fd5802af37e879a799e75881dbb0c577c9e8a7c529f4ffb7f8b47e33935f1e5f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\F514.exe
Filesize
827KB

MD5
5d09682b08307cf7e7d4ee43b3b04791

SHA1
8668ef968def3d1e58bc5d3bb57088f0550a3b2d

SHA256
b0fe9334ec54815e8eda224488e34d41fcdaef253cad3c7cb751b273b3dc91e3

SHA512
a362e95e79b100178bce102b015e3d0107cd3df808980d84b63bc940ee7c90221f06cc2dc9f087b7e15e20ec994418483f5b913d954badf60d70f6c56b96f4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\F514.exe
Filesize
827KB

MD5
5d09682b08307cf7e7d4ee43b3b04791

SHA1
8668ef968def3d1e58bc5d3bb57088f0550a3b2d

SHA256
b0fe9334ec54815e8eda224488e34d41fcdaef253cad3c7cb751b273b3dc91e3

SHA512
a362e95e79b100178bce102b015e3d0107cd3df808980d84b63bc940ee7c90221f06cc2dc9f087b7e15e20ec994418483f5b913d954badf60d70f6c56b96f4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\F514.exe
Filesize
827KB

MD5
5d09682b08307cf7e7d4ee43b3b04791

SHA1
8668ef968def3d1e58bc5d3bb57088f0550a3b2d

SHA256
b0fe9334ec54815e8eda224488e34d41fcdaef253cad3c7cb751b273b3dc91e3

SHA512
a362e95e79b100178bce102b015e3d0107cd3df808980d84b63bc940ee7c90221f06cc2dc9f087b7e15e20ec994418483f5b913d954badf60d70f6c56b96f4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\F514.exe
Filesize
827KB

MD5
5d09682b08307cf7e7d4ee43b3b04791

SHA1
8668ef968def3d1e58bc5d3bb57088f0550a3b2d

SHA256
b0fe9334ec54815e8eda224488e34d41fcdaef253cad3c7cb751b273b3dc91e3

SHA512
a362e95e79b100178bce102b015e3d0107cd3df808980d84b63bc940ee7c90221f06cc2dc9f087b7e15e20ec994418483f5b913d954badf60d70f6c56b96f4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\F514.exe
Filesize
827KB

MD5
5d09682b08307cf7e7d4ee43b3b04791

SHA1
8668ef968def3d1e58bc5d3bb57088f0550a3b2d

SHA256
b0fe9334ec54815e8eda224488e34d41fcdaef253cad3c7cb751b273b3dc91e3

SHA512
a362e95e79b100178bce102b015e3d0107cd3df808980d84b63bc940ee7c90221f06cc2dc9f087b7e15e20ec994418483f5b913d954badf60d70f6c56b96f4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\F9AB.exe
Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\F9AB.exe
Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\FA07.exe
Filesize
320KB

MD5
b0ad477a4ca4a8a67f8ca0f8e43d8ef5

SHA1
b23b74f93f5c2eb4b0ba1b36ff7f27d1240ffbd0

SHA256
7b4477362fa5411d483f384852249d5638c0bf93a4e913a7868d37883686f725

SHA512
900da510c37c0d060d16b407995e26d8e79a69f13c62d91375c4d4946cd50a81648bdbe75f26d78625dc0abb1452b313de8ab8c58e1cbe4f4117b3e3cb766fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\FA07.exe
Filesize
320KB

MD5
b0ad477a4ca4a8a67f8ca0f8e43d8ef5

SHA1
b23b74f93f5c2eb4b0ba1b36ff7f27d1240ffbd0

SHA256
7b4477362fa5411d483f384852249d5638c0bf93a4e913a7868d37883686f725

SHA512
900da510c37c0d060d16b407995e26d8e79a69f13c62d91375c4d4946cd50a81648bdbe75f26d78625dc0abb1452b313de8ab8c58e1cbe4f4117b3e3cb766fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB9E.exe
Filesize
327KB

MD5
1d04438d49e15bad354bc606852e43dd

SHA1
febdfc26cf1a443bd22ab4b0745ce21fece43556

SHA256
1747f4f45223125c112798c43414259280c6d6ffc19ebb2bd29094a795603c77

SHA512
4655c62461be893a9982e8ee99a514394412af543a49204c3080f710ff0ab7dab0a21fc4660f76d295a731ea87947dea0fbd9194188b66838435e156cb434e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB9E.exe
Filesize
327KB

MD5
1d04438d49e15bad354bc606852e43dd

SHA1
febdfc26cf1a443bd22ab4b0745ce21fece43556

SHA256
1747f4f45223125c112798c43414259280c6d6ffc19ebb2bd29094a795603c77

SHA512
4655c62461be893a9982e8ee99a514394412af543a49204c3080f710ff0ab7dab0a21fc4660f76d295a731ea87947dea0fbd9194188b66838435e156cb434e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\FE30.exe
Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\FE30.exe
Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\GHjsL5oybm.exe
Filesize
214KB

MD5
c6917bc242058814f64360de5b4320be

SHA1
4c1959cc707acb43a1466d166e151c517164edc2

SHA256
732c3e3887c7e83b84fd96c6a8a2377235a29995c8656c1616dee40f8be81516

SHA512
2bf75a0ebcbd5ff7b65a47b9b8016081c272acb6b4fe1b487a6928e682dd93e5809cd2354f4d21acbef0703c4d1b6c87af4c0d731e2799be1a6197815ec1b6bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\GHjsL5oybm.exe
Filesize
214KB

MD5
c6917bc242058814f64360de5b4320be

SHA1
4c1959cc707acb43a1466d166e151c517164edc2

SHA256
732c3e3887c7e83b84fd96c6a8a2377235a29995c8656c1616dee40f8be81516

SHA512
2bf75a0ebcbd5ff7b65a47b9b8016081c272acb6b4fe1b487a6928e682dd93e5809cd2354f4d21acbef0703c4d1b6c87af4c0d731e2799be1a6197815ec1b6bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iwhwwflmjnchqylwsotldpkjhsfkj3hjkh54.exe
Filesize
200KB

MD5
ee2e25daf0fe98f9e5d3bd1898f9913a

SHA1
e98706c52a37848beaa3623592c6ff6a8b2faf5b

SHA256
6255901c51fb16a8638004f7f953903391eb40fb96d49f27616a8ca537334983

SHA512
dc03a6c07f6fa778915f586b05aa0c8c2b3cd2f4c3672cedd2ec7fb47857dffba05b50d843490cd00d8f9913fde74d0617e27c1410618a1ead826537fbea8c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iwhwwflmjnchqylwsotldpkjhsfkj3hjkh54.exe
Filesize
200KB

MD5
ee2e25daf0fe98f9e5d3bd1898f9913a

SHA1
e98706c52a37848beaa3623592c6ff6a8b2faf5b

SHA256
6255901c51fb16a8638004f7f953903391eb40fb96d49f27616a8ca537334983

SHA512
dc03a6c07f6fa778915f586b05aa0c8c2b3cd2f4c3672cedd2ec7fb47857dffba05b50d843490cd00d8f9913fde74d0617e27c1410618a1ead826537fbea8c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qytyaworpiotpd.tmp
Filesize
752KB

MD5
710af73b2d7e92d33fac751318c08101

SHA1
2208c96a528b1d96e18ae47ab274f303e4099fff

SHA256
72021339c18f79141f9867c30616cbbdc517471e44d16bfe81063e5c7dba56c3

SHA512
1f19138b8412b871ccf33ec351d28157b6571bc02cb1d338fc4c06bd77e9518bbdb3392d63b9bcdde2bd94746c232f90b4796363f83cecfd49e0470b6495ac1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qytyaworpiotpd.tmp
Filesize
752KB

MD5
710af73b2d7e92d33fac751318c08101

SHA1
2208c96a528b1d96e18ae47ab274f303e4099fff

SHA256
72021339c18f79141f9867c30616cbbdc517471e44d16bfe81063e5c7dba56c3

SHA512
1f19138b8412b871ccf33ec351d28157b6571bc02cb1d338fc4c06bd77e9518bbdb3392d63b9bcdde2bd94746c232f90b4796363f83cecfd49e0470b6495ac1a

Download Submit
C:\Users\Admin\AppData\Local\bowsakkdestx.txt
Filesize
563B

MD5
3c66ee468dfa0688e6d22ca20d761140

SHA1
965c713cd69439ee5662125f0390a2324a7859bf

SHA256
4b230d2eaf9e5441f56db135faca2c761001787249d2358133e4f368061a1ea3

SHA512
4b29902d881bf20305322cc6a7bffb312187be86f4efa658a9d3c455e84f9f8b0d07f6f2bb6dac42ac050dc6f8d876e2b9df0ef4d5d1bb7e9be1223d652e04c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
memory/224-165-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/224-162-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/224-176-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/224-164-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/224-166-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/224-161-0x0000000000000000-mapping.dmp

Download
memory/388-381-0x00007FF7167E6890-mapping.dmp

Download
memory/388-383-0x000001AFA53F0000-0x000001AFA5530000-memory.dmp

Filesize
1.2MB

Download
memory/388-382-0x000001AFA53F0000-0x000001AFA5530000-memory.dmp

Filesize
1.2MB

Download
memory/420-285-0x000000000050D000-0x0000000000527000-memory.dmp

Filesize
104KB

Download
memory/420-302-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/420-287-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/420-286-0x0000000001F80000-0x0000000001FAA000-memory.dmp

Filesize
168KB

Download
memory/420-277-0x0000000000000000-mapping.dmp

Download
memory/448-370-0x0000000000000000-mapping.dmp

Download
memory/532-332-0x0000000000000000-mapping.dmp

Download
memory/732-160-0x0000000002290000-0x00000000023AB000-memory.dmp

Filesize
1.1MB

Download
memory/732-159-0x0000000001FAF000-0x0000000002040000-memory.dmp

Filesize
580KB

Download
memory/732-145-0x0000000000000000-mapping.dmp

Download
memory/752-342-0x0000000000000000-mapping.dmp

Download
memory/1208-339-0x0000000000000000-mapping.dmp

Download
memory/1260-315-0x00000000009B0000-0x00000000009B8000-memory.dmp

Filesize
32KB

Download
memory/1260-312-0x0000000000000000-mapping.dmp

Download
memory/1260-316-0x0000000005250000-0x00000000052E2000-memory.dmp

Filesize
584KB

Download
memory/1260-317-0x0000000002DE0000-0x0000000002DEA000-memory.dmp

Filesize
40KB

Download
memory/1420-212-0x0000000000000000-mapping.dmp

Download
memory/1428-207-0x0000000000000000-mapping.dmp

Download
memory/1480-368-0x0000000000000000-mapping.dmp

Download
memory/1640-218-0x0000000001FB0000-0x0000000001FFC000-memory.dmp

Filesize
304KB

Download
memory/1640-217-0x000000000055D000-0x000000000058A000-memory.dmp

Filesize
180KB

Download
memory/1640-189-0x0000000000000000-mapping.dmp

Download
memory/1748-328-0x0000000000720000-0x0000000000726000-memory.dmp

Filesize
24KB

Download
memory/1748-327-0x0000000000000000-mapping.dmp

Download
memory/1748-329-0x0000000000710000-0x000000000071C000-memory.dmp

Filesize
48KB

Download
memory/1768-334-0x0000000000000000-mapping.dmp

Download
memory/1768-336-0x0000000001430000-0x0000000001452000-memory.dmp

Filesize
136KB

Download
memory/1768-337-0x0000000001400000-0x0000000001427000-memory.dmp

Filesize
156KB

Download
memory/1812-330-0x0000000000000000-mapping.dmp

Download
memory/1820-289-0x0000000000000000-mapping.dmp

Download
memory/1836-204-0x0000000000000000-mapping.dmp

Download
memory/1840-360-0x0000000000000000-mapping.dmp

Download
memory/2108-139-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2108-148-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2108-136-0x0000000000000000-mapping.dmp

Download
memory/2288-308-0x0000000000000000-mapping.dmp

Download
memory/2288-311-0x00007FFDF4180000-0x00007FFDF4C41000-memory.dmp

Filesize
10.8MB

Download
memory/2304-170-0x000000000056D000-0x0000000000583000-memory.dmp

Filesize
88KB

Download
memory/2304-153-0x0000000000000000-mapping.dmp

Download
memory/2304-171-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2448-283-0x0000000000DA0000-0x0000000000DA8000-memory.dmp

Filesize
32KB

Download
memory/2448-284-0x00007FFDF4180000-0x00007FFDF4C41000-memory.dmp

Filesize
10.8MB

Download
memory/2448-280-0x0000000000000000-mapping.dmp

Download
memory/2604-348-0x0000000000000000-mapping.dmp

Download
memory/2736-345-0x0000000000000000-mapping.dmp

Download
memory/2736-209-0x0000000000000000-mapping.dmp

Download
memory/2948-210-0x0000000000000000-mapping.dmp

Download
memory/3152-233-0x0000000000000000-mapping.dmp

Download
memory/3404-303-0x0000000005E30000-0x000000000635C000-memory.dmp

Filesize
5.2MB

Download
memory/3404-301-0x00000000055F0000-0x00000000057B2000-memory.dmp

Filesize
1.8MB

Download
memory/3404-296-0x0000000000000000-mapping.dmp

Download
memory/3524-211-0x0000000000000000-mapping.dmp

Download
memory/3564-320-0x00000000004E0000-0x00000000004EB000-memory.dmp

Filesize
44KB

Download
memory/3564-319-0x00000000004F0000-0x00000000004F7000-memory.dmp

Filesize
28KB

Download
memory/3564-318-0x0000000000000000-mapping.dmp

Download
memory/3656-326-0x0000000000BD0000-0x0000000000BD9000-memory.dmp

Filesize
36KB

Download
memory/3656-325-0x0000000000BE0000-0x0000000000BE5000-memory.dmp

Filesize
20KB

Download
memory/3656-324-0x0000000000000000-mapping.dmp

Download
memory/3672-172-0x0000000000000000-mapping.dmp

Download
memory/3724-181-0x0000000002053000-0x00000000020E4000-memory.dmp

Filesize
580KB

Download
memory/3724-174-0x0000000000000000-mapping.dmp

Download
memory/3836-227-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3836-180-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3836-177-0x0000000000000000-mapping.dmp

Download
memory/3836-182-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3836-188-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3876-369-0x0000000000000000-mapping.dmp

Download
memory/3912-322-0x0000000001080000-0x0000000001089000-memory.dmp

Filesize
36KB

Download
memory/3912-239-0x0000000002E49000-0x0000000002E59000-memory.dmp

Filesize
64KB

Download
memory/3912-323-0x0000000000DF0000-0x0000000000DFF000-memory.dmp

Filesize
60KB

Download
memory/3912-240-0x0000000002CE0000-0x0000000002CE9000-memory.dmp

Filesize
36KB

Download
memory/3912-321-0x0000000000000000-mapping.dmp

Download
memory/3912-241-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/3912-243-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/3912-237-0x0000000000000000-mapping.dmp

Download
memory/4004-378-0x00000000046F0000-0x0000000004830000-memory.dmp

Filesize
1.2MB

Download
memory/4004-357-0x00000000046F0000-0x0000000004830000-memory.dmp

Filesize
1.2MB

Download
memory/4004-352-0x00000000061C0000-0x0000000006D1B000-memory.dmp

Filesize
11.4MB

Download
memory/4004-377-0x00000000046F0000-0x0000000004830000-memory.dmp

Filesize
1.2MB

Download
memory/4004-271-0x0000000000000000-mapping.dmp

Download
memory/4004-356-0x00000000046F0000-0x0000000004830000-memory.dmp

Filesize
1.2MB

Download
memory/4004-379-0x00000000046F0000-0x0000000004830000-memory.dmp

Filesize
1.2MB

Download
memory/4004-380-0x00000000046F0000-0x0000000004830000-memory.dmp

Filesize
1.2MB

Download
memory/4048-213-0x0000000000000000-mapping.dmp

Download
memory/4048-214-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4048-244-0x00000000509A0000-0x0000000050A32000-memory.dmp

Filesize
584KB

Download
memory/4048-216-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4048-242-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4048-266-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4048-220-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4048-219-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4068-371-0x0000000000000000-mapping.dmp

Download
memory/4232-203-0x0000000000F20000-0x000000000139E000-memory.dmp

Filesize
4.5MB

Download
memory/4232-156-0x0000000000000000-mapping.dmp

Download
memory/4344-265-0x0000000000000000-mapping.dmp

Download
memory/4352-276-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/4352-274-0x000000000216A000-0x000000000224B000-memory.dmp

Filesize
900KB

Download
memory/4352-275-0x0000000002350000-0x0000000002470000-memory.dmp

Filesize
1.1MB

Download
memory/4352-268-0x0000000000000000-mapping.dmp

Download
memory/4396-183-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4396-169-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4396-168-0x0000000001F10000-0x0000000001F19000-memory.dmp

Filesize
36KB

Download
memory/4396-167-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/4396-149-0x0000000000000000-mapping.dmp

Download
memory/4408-331-0x0000000000000000-mapping.dmp

Download
memory/4452-208-0x0000000000000000-mapping.dmp

Download
memory/4488-307-0x00007FFDF4180000-0x00007FFDF4C41000-memory.dmp

Filesize
10.8MB

Download
memory/4488-304-0x0000000000000000-mapping.dmp

Download
memory/4576-267-0x0000000000000000-mapping.dmp

Download
memory/4844-133-0x0000000002190000-0x0000000002199000-memory.dmp

Filesize
36KB

Download
memory/4844-132-0x00000000005EE000-0x0000000000603000-memory.dmp

Filesize
84KB

Download
memory/4844-135-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4844-134-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4888-228-0x00000000064F0000-0x000000000650E000-memory.dmp

Filesize
120KB

Download
memory/4888-232-0x0000000006A00000-0x0000000006A1A000-memory.dmp

Filesize
104KB

Download
memory/4888-224-0x0000000005560000-0x0000000005582000-memory.dmp

Filesize
136KB

Download
memory/4888-226-0x0000000005EC0000-0x0000000005F26000-memory.dmp

Filesize
408KB

Download
memory/4888-221-0x0000000000000000-mapping.dmp

Download
memory/4888-222-0x0000000002BD0000-0x0000000002C06000-memory.dmp

Filesize
216KB

Download
memory/4888-231-0x0000000006A80000-0x0000000006B16000-memory.dmp

Filesize
600KB

Download
memory/4888-225-0x0000000005E50000-0x0000000005EB6000-memory.dmp

Filesize
408KB

Download
memory/4888-234-0x0000000006A50000-0x0000000006A72000-memory.dmp

Filesize
136KB

Download
memory/4888-235-0x0000000007A80000-0x0000000008024000-memory.dmp

Filesize
5.6MB

Download
memory/4888-223-0x0000000005820000-0x0000000005E48000-memory.dmp

Filesize
6.2MB

Download
memory/5064-193-0x0000000000400000-0x0000000000876000-memory.dmp

Filesize
4.5MB

Download
memory/5064-192-0x0000000000000000-mapping.dmp

Download
memory/5064-202-0x0000000000400000-0x0000000000876000-memory.dmp

Filesize
4.5MB

Download