aurora | 5258abfc177c8904dd244715ac40b16f23ceb68871b708b7491228def45ccb6b

Analysis

max time kernel
131s
max time network
149s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
12/01/2023, 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5258abfc177c8904dd244715ac40b16f23ceb68871b708b7491228def45ccb6b.exe
Size

267KB
MD5

997678fdecbe60806da2112650e431ec
SHA1

32395e9abe2ad1c427395ab3d062eaca83cc2f34
SHA256

5258abfc177c8904dd244715ac40b16f23ceb68871b708b7491228def45ccb6b
SHA512

bbd7975499c5aeb82fb74d0f4a05930cbef73ca3b717af3bf956316d07d2e2f81bd64fc74faa011ac114c6d2c00ecfee0cca6237c4d91f96beff7d924dd5e240
SSDEEP

3072:NPXE4v5LuqLX7Zh885gnRnQ9tgmk8x3dGeNLqpebzhN/DAI3JofXdPx76b5qWbym:h6qLz8pVQ9t9k8RdTLLbzf3ZoF5gq+

Score

10^/10

aurora dcrat djvu purecrypter smokeloader vidar 19 backdoor collection discovery infostealer loader persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

djvu

http://spaceris.com/lancer/get.php

Attributes

extension
.zouu
offline_id
7hl6KB3alcoZ6n4DhS2rApCezkIMzShntAiXWMt1
payload_url
http://uaery.top/dl/build2.exe

http://spaceris.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-N3pXlaPXFm Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0631JOsie

rsa_pubkey.plain

Extracted

Family

aurora

82.115.223.77:8081

Extracted

Family

vidar

Version

Botnet

https://t.me/tgdatapacks

https://steamcommunity.com/profiles/76561199469677637

Attributes

profile_id
19

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

DcRat 4 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		4060	schtasks.exe
		1460	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI		5258abfc177c8904dd244715ac40b16f23ceb68871b708b7491228def45ccb6b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d4d187bc-2aa3-4ea9-ba21-755fd7323398\\B75E.exe\" --AutoStart"		B75E.exe

Detect PureCrypter loader 1 IoCs

loader

resource	yara_rule
behavioral1/memory/4228-1648-0x000000000F640000-0x000000000FFE8000-memory.dmp	family_purecrypter

Detected Djvu ransomware 8 IoCs

resource	yara_rule
behavioral1/memory/480-258-0x0000000002330000-0x000000000244B000-memory.dmp	family_djvu
behavioral1/memory/3552-253-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/3552-331-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3552-422-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/480-445-0x0000000002330000-0x000000000244B000-memory.dmp	family_djvu
behavioral1/memory/5092-495-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/5092-602-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/5092-957-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 1 IoCs

resource	yara_rule
behavioral1/memory/2784-264-0x0000000002C90000-0x0000000002C99000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
PureCrypter
PureCrypter is a loader which is intended for downloading and executing additional payloads.
trojan loader purecrypter
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Blocklisted process makes network request 2 IoCs

flow	pid	Process
53	4160	rundll32.exe
55	4160	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 19 IoCs

pid	Process
480	B75E.exe
4632	C5E6.exe
2784	CAE8.exe
4652	CDD7.exe
3552	B75E.exe
4344	gtacfcs
316	B75E.exe
5092	B75E.exe
3892	build2.exe
2752	build3.exe
4992	build2.exe
2280	JCcyU0zDxj.exe
2144	7FF2.exe
1724	mstsca.exe
756	explorer.exe
344	A71.exe
4068	EF6.exe
4228	1224.exe
4380	1CE3.exe

Deletes itself 1 IoCs

pid	Process
2696	Process not Found

Loads dropped DLL 3 IoCs

pid	Process
4992	build2.exe
4992	build2.exe
4160	rundll32.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1496	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d4d187bc-2aa3-4ea9-ba21-755fd7323398\\B75E.exe\" --AutoStart"	B75E.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	api.2ip.ua
10	api.2ip.ua
22	api.2ip.ua

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 480 set thread context of 3552	480	B75E.exe	71
PID 4632 set thread context of 1728	4632	C5E6.exe	78
PID 316 set thread context of 5092	316	B75E.exe	80
PID 3892 set thread context of 4992	3892	build2.exe	96
PID 4160 set thread context of 4664	4160	rundll32.exe	106

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4520	4652	WerFault.exe	70
2412	4632	WerFault.exe	67

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gtacfcs
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	JCcyU0zDxj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CAE8.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CAE8.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5258abfc177c8904dd244715ac40b16f23ceb68871b708b7491228def45ccb6b.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CAE8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gtacfcs
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gtacfcs
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	JCcyU0zDxj.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	JCcyU0zDxj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5258abfc177c8904dd244715ac40b16f23ceb68871b708b7491228def45ccb6b.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5258abfc177c8904dd244715ac40b16f23ceb68871b708b7491228def45ccb6b.exe

Checks processor information in registry 2 TTPs 23 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4060	schtasks.exe
1460	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
516	timeout.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
2968	ipconfig.exe
220	ipconfig.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	29	Go-http-client/1.1

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Toolbar	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Process not Found

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000002c561d5d100054656d7000003a0009000400efbe0c5553882c561d5d2e000000000000000000000000000000000000000000000000003cec2401540065006d007000000014000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2696	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5004	5258abfc177c8904dd244715ac40b16f23ceb68871b708b7491228def45ccb6b.exe
5004	5258abfc177c8904dd244715ac40b16f23ceb68871b708b7491228def45ccb6b.exe
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2696	Process not Found

Suspicious behavior: MapViewOfSection 22 IoCs

pid	Process
5004	5258abfc177c8904dd244715ac40b16f23ceb68871b708b7491228def45ccb6b.exe
2784	CAE8.exe
4344	gtacfcs
2280	JCcyU0zDxj.exe
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2696	Process not Found
Token: SeCreatePagefilePrivilege	2696	Process not Found
Token: SeShutdownPrivilege	2696	Process not Found
Token: SeCreatePagefilePrivilege	2696	Process not Found
Token: SeShutdownPrivilege	2696	Process not Found
Token: SeCreatePagefilePrivilege	2696	Process not Found
Token: SeShutdownPrivilege	2696	Process not Found
Token: SeCreatePagefilePrivilege	2696	Process not Found
Token: SeShutdownPrivilege	2696	Process not Found
Token: SeCreatePagefilePrivilege	2696	Process not Found
Token: SeShutdownPrivilege	2696	Process not Found
Token: SeCreatePagefilePrivilege	2696	Process not Found
Token: SeShutdownPrivilege	2696	Process not Found
Token: SeCreatePagefilePrivilege	2696	Process not Found
Token: SeShutdownPrivilege	2696	Process not Found
Token: SeCreatePagefilePrivilege	2696	Process not Found
Token: SeShutdownPrivilege	2696	Process not Found
Token: SeCreatePagefilePrivilege	2696	Process not Found
Token: SeShutdownPrivilege	2696	Process not Found
Token: SeCreatePagefilePrivilege	2696	Process not Found
Token: SeShutdownPrivilege	2696	Process not Found
Token: SeCreatePagefilePrivilege	2696	Process not Found
Token: SeIncreaseQuotaPrivilege	4144	wmic.exe
Token: SeSecurityPrivilege	4144	wmic.exe
Token: SeTakeOwnershipPrivilege	4144	wmic.exe
Token: SeLoadDriverPrivilege	4144	wmic.exe
Token: SeSystemProfilePrivilege	4144	wmic.exe
Token: SeSystemtimePrivilege	4144	wmic.exe
Token: SeProfSingleProcessPrivilege	4144	wmic.exe
Token: SeIncBasePriorityPrivilege	4144	wmic.exe
Token: SeCreatePagefilePrivilege	4144	wmic.exe
Token: SeBackupPrivilege	4144	wmic.exe
Token: SeRestorePrivilege	4144	wmic.exe
Token: SeShutdownPrivilege	4144	wmic.exe
Token: SeDebugPrivilege	4144	wmic.exe
Token: SeSystemEnvironmentPrivilege	4144	wmic.exe
Token: SeRemoteShutdownPrivilege	4144	wmic.exe
Token: SeUndockPrivilege	4144	wmic.exe
Token: SeManageVolumePrivilege	4144	wmic.exe
Token: 33	4144	wmic.exe
Token: 34	4144	wmic.exe
Token: 35	4144	wmic.exe
Token: 36	4144	wmic.exe
Token: SeIncreaseQuotaPrivilege	4144	wmic.exe
Token: SeSecurityPrivilege	4144	wmic.exe
Token: SeTakeOwnershipPrivilege	4144	wmic.exe
Token: SeLoadDriverPrivilege	4144	wmic.exe
Token: SeSystemProfilePrivilege	4144	wmic.exe
Token: SeSystemtimePrivilege	4144	wmic.exe
Token: SeProfSingleProcessPrivilege	4144	wmic.exe
Token: SeIncBasePriorityPrivilege	4144	wmic.exe
Token: SeCreatePagefilePrivilege	4144	wmic.exe
Token: SeBackupPrivilege	4144	wmic.exe
Token: SeRestorePrivilege	4144	wmic.exe
Token: SeShutdownPrivilege	4144	wmic.exe
Token: SeDebugPrivilege	4144	wmic.exe
Token: SeSystemEnvironmentPrivilege	4144	wmic.exe
Token: SeRemoteShutdownPrivilege	4144	wmic.exe
Token: SeUndockPrivilege	4144	wmic.exe
Token: SeManageVolumePrivilege	4144	wmic.exe
Token: 33	4144	wmic.exe
Token: 34	4144	wmic.exe
Token: 35	4144	wmic.exe
Token: 36	4144	wmic.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
4664	rundll32.exe
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found
4160	rundll32.exe
2696	Process not Found
2696	Process not Found
2696	Process not Found
2696	Process not Found

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2696	Process not Found
2696	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 480	2696	Process not Found	66
PID 2696 wrote to memory of 480	2696	Process not Found	66
PID 2696 wrote to memory of 480	2696	Process not Found	66
PID 2696 wrote to memory of 4632	2696	Process not Found	67
PID 2696 wrote to memory of 4632	2696	Process not Found	67
PID 2696 wrote to memory of 4632	2696	Process not Found	67
PID 2696 wrote to memory of 2784	2696	Process not Found	69
PID 2696 wrote to memory of 2784	2696	Process not Found	69
PID 2696 wrote to memory of 2784	2696	Process not Found	69
PID 2696 wrote to memory of 4652	2696	Process not Found	70
PID 2696 wrote to memory of 4652	2696	Process not Found	70
PID 2696 wrote to memory of 4652	2696	Process not Found	70
PID 480 wrote to memory of 3552	480	B75E.exe	71
PID 480 wrote to memory of 3552	480	B75E.exe	71
PID 480 wrote to memory of 3552	480	B75E.exe	71
PID 480 wrote to memory of 3552	480	B75E.exe	71
PID 480 wrote to memory of 3552	480	B75E.exe	71
PID 480 wrote to memory of 3552	480	B75E.exe	71
PID 480 wrote to memory of 3552	480	B75E.exe	71
PID 480 wrote to memory of 3552	480	B75E.exe	71
PID 480 wrote to memory of 3552	480	B75E.exe	71
PID 480 wrote to memory of 3552	480	B75E.exe	71
PID 3552 wrote to memory of 1496	3552	B75E.exe	75
PID 3552 wrote to memory of 1496	3552	B75E.exe	75
PID 3552 wrote to memory of 1496	3552	B75E.exe	75
PID 3552 wrote to memory of 316	3552	B75E.exe	76
PID 3552 wrote to memory of 316	3552	B75E.exe	76
PID 3552 wrote to memory of 316	3552	B75E.exe	76
PID 4632 wrote to memory of 1728	4632	C5E6.exe	78
PID 4632 wrote to memory of 1728	4632	C5E6.exe	78
PID 4632 wrote to memory of 1728	4632	C5E6.exe	78
PID 4632 wrote to memory of 1728	4632	C5E6.exe	78
PID 4632 wrote to memory of 1728	4632	C5E6.exe	78
PID 316 wrote to memory of 5092	316	B75E.exe	80
PID 316 wrote to memory of 5092	316	B75E.exe	80
PID 316 wrote to memory of 5092	316	B75E.exe	80
PID 316 wrote to memory of 5092	316	B75E.exe	80
PID 316 wrote to memory of 5092	316	B75E.exe	80
PID 316 wrote to memory of 5092	316	B75E.exe	80
PID 316 wrote to memory of 5092	316	B75E.exe	80
PID 316 wrote to memory of 5092	316	B75E.exe	80
PID 316 wrote to memory of 5092	316	B75E.exe	80
PID 316 wrote to memory of 5092	316	B75E.exe	80
PID 1728 wrote to memory of 4144	1728	vbc.exe	81
PID 1728 wrote to memory of 4144	1728	vbc.exe	81
PID 1728 wrote to memory of 4144	1728	vbc.exe	81
PID 1728 wrote to memory of 4988	1728	vbc.exe	84
PID 1728 wrote to memory of 4988	1728	vbc.exe	84
PID 1728 wrote to memory of 4988	1728	vbc.exe	84
PID 4988 wrote to memory of 4704	4988	cmd.exe	86
PID 4988 wrote to memory of 4704	4988	cmd.exe	86
PID 4988 wrote to memory of 4704	4988	cmd.exe	86
PID 1728 wrote to memory of 160	1728	vbc.exe	87
PID 1728 wrote to memory of 160	1728	vbc.exe	87
PID 1728 wrote to memory of 160	1728	vbc.exe	87
PID 160 wrote to memory of 2296	160	cmd.exe	89
PID 160 wrote to memory of 2296	160	cmd.exe	89
PID 160 wrote to memory of 2296	160	cmd.exe	89
PID 5092 wrote to memory of 3892	5092	B75E.exe	90
PID 5092 wrote to memory of 3892	5092	B75E.exe	90
PID 5092 wrote to memory of 3892	5092	B75E.exe	90
PID 1728 wrote to memory of 3340	1728	vbc.exe	91
PID 1728 wrote to memory of 3340	1728	vbc.exe	91
PID 1728 wrote to memory of 3340	1728	vbc.exe	91

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\5258abfc177c8904dd244715ac40b16f23ceb68871b708b7491228def45ccb6b.exe
"C:\Users\Admin\AppData\Local\Temp\5258abfc177c8904dd244715ac40b16f23ceb68871b708b7491228def45ccb6b.exe"
1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5004

C:\Users\Admin\AppData\Local\Temp\B75E.exe
C:\Users\Admin\AppData\Local\Temp\B75E.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:480
- C:\Users\Admin\AppData\Local\Temp\B75E.exe
  C:\Users\Admin\AppData\Local\Temp\B75E.exe
  2⤵
  - DcRat
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3552
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\d4d187bc-2aa3-4ea9-ba21-755fd7323398" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:1496
- - C:\Users\Admin\AppData\Local\Temp\B75E.exe
    "C:\Users\Admin\AppData\Local\Temp\B75E.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Users\Admin\AppData\Local\Temp\B75E.exe
      "C:\Users\Admin\AppData\Local\Temp\B75E.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5092
    - - C:\Users\Admin\AppData\Local\c36e51a0-a213-480f-a643-2f1d068e4e1e\build2.exe
        
        "C:\Users\Admin\AppData\Local\c36e51a0-a213-480f-a643-2f1d068e4e1e\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3892
      - C:\Users\Admin\AppData\Local\c36e51a0-a213-480f-a643-2f1d068e4e1e\build2.exe
        
        "C:\Users\Admin\AppData\Local\c36e51a0-a213-480f-a643-2f1d068e4e1e\build2.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\c36e51a0-a213-480f-a643-2f1d068e4e1e\build2.exe" & exit
        7⤵
        
        PID:764
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        8⤵
        Delays execution with timeout.exe
        
        PID:516
    - - C:\Users\Admin\AppData\Local\c36e51a0-a213-480f-a643-2f1d068e4e1e\build3.exe
        
        "C:\Users\Admin\AppData\Local\c36e51a0-a213-480f-a643-2f1d068e4e1e\build3.exe"
        5⤵
        Executes dropped EXE
        
        PID:2752
      - C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        6⤵
        DcRat
        Creates scheduled task(s)
        
        PID:4060

C:\Users\Admin\AppData\Local\Temp\C5E6.exe
C:\Users\Admin\AppData\Local\Temp\C5E6.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4144
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4988
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      PID:4704
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C "wmic cpu get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:160
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic cpu get name
      4⤵
      PID:2296
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "" "start-process C:\Users\Admin\AppData\Local\Temp\JCcyU0zDxj.exe"
    3⤵
    PID:3340
  - - C:\Users\Admin\AppData\Local\Temp\JCcyU0zDxj.exe
      "C:\Users\Admin\AppData\Local\Temp\JCcyU0zDxj.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: MapViewOfSection
      PID:2280
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 236
  2⤵
  - Program crash
  PID:2412

C:\Users\Admin\AppData\Local\Temp\CAE8.exe
C:\Users\Admin\AppData\Local\Temp\CAE8.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2784

C:\Users\Admin\AppData\Local\Temp\CDD7.exe
C:\Users\Admin\AppData\Local\Temp\CDD7.exe
1⤵
- Executes dropped EXE
PID:4652
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 484
  2⤵
  - Program crash
  PID:4520

C:\Users\Admin\AppData\Roaming\gtacfcs
C:\Users\Admin\AppData\Roaming\gtacfcs
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4344

C:\Users\Admin\AppData\Local\Temp\7FF2.exe
C:\Users\Admin\AppData\Local\Temp\7FF2.exe
1⤵
- Executes dropped EXE
PID:2144
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qytyaworpiotpd.tmp",Edoqqdswdffqipe
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - outlook_office_path
  - outlook_win_path
  PID:4160
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23791
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:4664
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:3532
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:432

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:1724
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
  2⤵
  - DcRat
  - Creates scheduled task(s)
  PID:1460

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\F746.exe
C:\Users\Admin\AppData\Local\Temp\F746.exe
1⤵
PID:756

C:\Users\Admin\AppData\Local\Temp\A71.exe
C:\Users\Admin\AppData\Local\Temp\A71.exe
1⤵
- Executes dropped EXE
PID:344

C:\Users\Admin\AppData\Local\Temp\EF6.exe
C:\Users\Admin\AppData\Local\Temp\EF6.exe
1⤵
- Executes dropped EXE
PID:4068

C:\Users\Admin\AppData\Local\Temp\1224.exe
C:\Users\Admin\AppData\Local\Temp\1224.exe
1⤵
- Executes dropped EXE
PID:4228
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig/release
  2⤵
  PID:584
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:220
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA==
  2⤵
  PID:308
- C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe
  "C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe"
  2⤵
  PID:3424
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig/renew
  2⤵
  PID:4132
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /renew
    3⤵
    - Gathers network information
    PID:2968

C:\Users\Admin\AppData\Local\Temp\1CE3.exe
C:\Users\Admin\AppData\Local\Temp\1CE3.exe
1⤵
- Executes dropped EXE
PID:4380
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  PID:3864

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3600

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3336

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3944

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Executes dropped EXE
PID:756

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4280

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2848

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:224

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3564

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
601b920be0ad16def87b9ec3e1a91938

SHA1
aba2e6c5da479ff7380f714a8536bd9a9cdec729

SHA256
2ba194594a0d55b2bc4efc4b8eb5432b2788e1eb7192b83326fcdca28e9ce2b8

SHA512
1b91d61b37d9276967f0940e81fd844a9295bac488a9923dfcfd586175597e4573d8817dbf711808a5dad7d32e21b953c872501f23b39051b1332ee174f7e387

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
deb5907196e6e5e0e915c276f65a6924

SHA1
62802115ee04a17e66297fbfd5ab8d933040ffdb

SHA256
48c65c4f7dfbf070a4e8157cd0ec68e495eb3f963668f3d51ae6fedcff7fcda1

SHA512
4881fd5f46e1846f4e4dd3cb0295c5b48f62181bba01f8113520d97ee31b1489429281778d1ac0d58d02a3343ad97d24a96ce1d2bdbb1ddda2f77e5101f51c43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
17d6431920ad796d5ee464dda80a9f2c

SHA1
1491d16ea4d58906a0b753dec7c134012d631d3f

SHA256
425f829dec8c2d0dcfac1ca5953fa29d545520a91d50f50b0fdbb1755818b333

SHA512
97ff3621a0f2ed8c3f69cd4a67c12c7ef5d5e82c752b03b35cde4222c73bf44df279d7bf694e9d338f91c9289875b1d307ddf4c1abf5e6904d1fc0e58e5049e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
5d74f392bb6ce168e36c209d0f5e6fce

SHA1
0c95a7524132a771cc3e326e84b3b3b9f0048df0

SHA256
caaf016d4b52b08bed043f731ca324d655c300c185616f8ce65b208f38612b35

SHA512
d184d2dfd49769e29d1fd094bece931686dfca6c8f738a4a4402625ea0c68c2928ad6d37e07f9e98433e20e07fc58ce23faef774ce2809205207903cc68c0908

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6bf0e5945fb9da68e1b03bdaed5f6f8d

SHA1
eed3802c8e4abe3b327c100c99c53d3bbcf8a33d

SHA256
dda58fd16fee83a65c05936b1a070187f2c360024650ecaf857c5e060a6a55f1

SHA512
977a393fdad2b162aa42194ddad6ec8bcab24f81980ff01b1c22c4d59ac268bb5ce947105c968de1a8a66b35023280a1e7709dfea5053385f87141389ebecb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
248e3e81c51e26985fdb7bcc8cb7b5e1

SHA1
32599b88ebc930c8f0dd05661a6879ced1d4406c

SHA256
5fd0d0f14fbddb05a8d566b9a4fd237a620801ef6694bbdf3cf870dd97889ac0

SHA512
aa990813c9689a752980ca5a9d12bd8f85c86e1ffcc798ec2701980c876e7d04433d170bed83e38d19e58b4d7f5b599050197e191a8ee363de32a0f5ff2a0df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1224.exe

Filesize
976KB

MD5
d1e9f82dd227a45c97dcda1eeaffb3df

SHA1
4f432ddcdcc07b39cd731f0f5f6be8b85cad4f36

SHA256
76bdef9de3117ff2a00febc3b411bd576365644fb339e9af93766e11feaa535d

SHA512
33b9b7d563f083cae2c14869059090a80b97d9e5c385b55a969ed1684015c493eaf1ca47d8c284e69bed74a5880f22a461fcfb051ad2fe17b40f0c87ac2e2223

Download Submit
C:\Users\Admin\AppData\Local\Temp\1224.exe

Filesize
976KB

MD5
d1e9f82dd227a45c97dcda1eeaffb3df

SHA1
4f432ddcdcc07b39cd731f0f5f6be8b85cad4f36

SHA256
76bdef9de3117ff2a00febc3b411bd576365644fb339e9af93766e11feaa535d

SHA512
33b9b7d563f083cae2c14869059090a80b97d9e5c385b55a969ed1684015c493eaf1ca47d8c284e69bed74a5880f22a461fcfb051ad2fe17b40f0c87ac2e2223

Download Submit
C:\Users\Admin\AppData\Local\Temp\1CE3.exe

Filesize
856KB

MD5
27920b4452dd61e11d45b7492be5d60d

SHA1
3e0e092ea0b55aa9dbc9b3c47b4b580df67aa2e4

SHA256
9eb8492af6b08a8db39d61520692cb668fe4300ffa26ac74d432fe047d8b39cb

SHA512
1d629fff6af64c3c6afcdbe1fd5b5972380093b7fc58ca6e5cf505f46a4b99b32e5e8b96029ea4473ac48d49881dbe8fec64472bb10c6ff5c1315005797519a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1CE3.exe

Filesize
856KB

MD5
27920b4452dd61e11d45b7492be5d60d

SHA1
3e0e092ea0b55aa9dbc9b3c47b4b580df67aa2e4

SHA256
9eb8492af6b08a8db39d61520692cb668fe4300ffa26ac74d432fe047d8b39cb

SHA512
1d629fff6af64c3c6afcdbe1fd5b5972380093b7fc58ca6e5cf505f46a4b99b32e5e8b96029ea4473ac48d49881dbe8fec64472bb10c6ff5c1315005797519a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7FF2.exe

Filesize
1.1MB

MD5
d968603400385504899ea908609f661f

SHA1
c2d2d1af8fa4ad42d047f2e6adb9a1cadd4479ac

SHA256
cbe943784c80646fc399c9399086ee6a748927ded34f1b0ee867e12f213d8ead

SHA512
ff37b41d5363b4241f0c277c1fe32cf19346b9476f491e3cae6b69317767fad0f64786465986d48a382f7e75da7da0ed375f77e2c6a9cb885b5bbbf71de34d75

Download Submit
C:\Users\Admin\AppData\Local\Temp\7FF2.exe

Filesize
1.1MB

MD5
d968603400385504899ea908609f661f

SHA1
c2d2d1af8fa4ad42d047f2e6adb9a1cadd4479ac

SHA256
cbe943784c80646fc399c9399086ee6a748927ded34f1b0ee867e12f213d8ead

SHA512
ff37b41d5363b4241f0c277c1fe32cf19346b9476f491e3cae6b69317767fad0f64786465986d48a382f7e75da7da0ed375f77e2c6a9cb885b5bbbf71de34d75

Download Submit
C:\Users\Admin\AppData\Local\Temp\A71.exe

Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\A71.exe

Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\B75E.exe

Filesize
827KB

MD5
5d09682b08307cf7e7d4ee43b3b04791

SHA1
8668ef968def3d1e58bc5d3bb57088f0550a3b2d

SHA256
b0fe9334ec54815e8eda224488e34d41fcdaef253cad3c7cb751b273b3dc91e3

SHA512
a362e95e79b100178bce102b015e3d0107cd3df808980d84b63bc940ee7c90221f06cc2dc9f087b7e15e20ec994418483f5b913d954badf60d70f6c56b96f4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\B75E.exe

Filesize
827KB

MD5
5d09682b08307cf7e7d4ee43b3b04791

SHA1
8668ef968def3d1e58bc5d3bb57088f0550a3b2d

SHA256
b0fe9334ec54815e8eda224488e34d41fcdaef253cad3c7cb751b273b3dc91e3

SHA512
a362e95e79b100178bce102b015e3d0107cd3df808980d84b63bc940ee7c90221f06cc2dc9f087b7e15e20ec994418483f5b913d954badf60d70f6c56b96f4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\B75E.exe

Filesize
827KB

MD5
5d09682b08307cf7e7d4ee43b3b04791

SHA1
8668ef968def3d1e58bc5d3bb57088f0550a3b2d

SHA256
b0fe9334ec54815e8eda224488e34d41fcdaef253cad3c7cb751b273b3dc91e3

SHA512
a362e95e79b100178bce102b015e3d0107cd3df808980d84b63bc940ee7c90221f06cc2dc9f087b7e15e20ec994418483f5b913d954badf60d70f6c56b96f4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\B75E.exe

Filesize
827KB

MD5
5d09682b08307cf7e7d4ee43b3b04791

SHA1
8668ef968def3d1e58bc5d3bb57088f0550a3b2d

SHA256
b0fe9334ec54815e8eda224488e34d41fcdaef253cad3c7cb751b273b3dc91e3

SHA512
a362e95e79b100178bce102b015e3d0107cd3df808980d84b63bc940ee7c90221f06cc2dc9f087b7e15e20ec994418483f5b913d954badf60d70f6c56b96f4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\B75E.exe

Filesize
827KB

MD5
5d09682b08307cf7e7d4ee43b3b04791

SHA1
8668ef968def3d1e58bc5d3bb57088f0550a3b2d

SHA256
b0fe9334ec54815e8eda224488e34d41fcdaef253cad3c7cb751b273b3dc91e3

SHA512
a362e95e79b100178bce102b015e3d0107cd3df808980d84b63bc940ee7c90221f06cc2dc9f087b7e15e20ec994418483f5b913d954badf60d70f6c56b96f4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\C5E6.exe

Filesize
4.5MB

MD5
1a450a1a716cdb1bc3bd0b7467c2f157

SHA1
195d2f7052897360b07cf68a9f05794fcb41d88e

SHA256
88076120630d47c184b949cb272e69a1df48244300e1f10b09443ef3140d554b

SHA512
de0ba52dc6e62b2da6105c2149e1b3040762634617b6918378ad8c65ef4f59516adeaa6ba74e52369694ab0eeed3ed3a7dc78c275920c27936d467d5168b1188

Download Submit
C:\Users\Admin\AppData\Local\Temp\C5E6.exe

Filesize
4.5MB

MD5
1a450a1a716cdb1bc3bd0b7467c2f157

SHA1
195d2f7052897360b07cf68a9f05794fcb41d88e

SHA256
88076120630d47c184b949cb272e69a1df48244300e1f10b09443ef3140d554b

SHA512
de0ba52dc6e62b2da6105c2149e1b3040762634617b6918378ad8c65ef4f59516adeaa6ba74e52369694ab0eeed3ed3a7dc78c275920c27936d467d5168b1188

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAE8.exe

Filesize
268KB

MD5
187b45f6a08b3a64147dcbea634cbf64

SHA1
ab621954088719c929fea03466f60cbe1c12e257

SHA256
4071be26071340339075d49126220e2734a964f08d781f07cc3950329b6ad275

SHA512
929bc24443d99f9f3f5060beae158146e0ebb9b1dc17014283541d9aa58a59029ce2b0d0e36cd3e22df594cbcec8a38ed82fbb3f03322e871af3f680921169b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAE8.exe

Filesize
268KB

MD5
187b45f6a08b3a64147dcbea634cbf64

SHA1
ab621954088719c929fea03466f60cbe1c12e257

SHA256
4071be26071340339075d49126220e2734a964f08d781f07cc3950329b6ad275

SHA512
929bc24443d99f9f3f5060beae158146e0ebb9b1dc17014283541d9aa58a59029ce2b0d0e36cd3e22df594cbcec8a38ed82fbb3f03322e871af3f680921169b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CDD7.exe

Filesize
320KB

MD5
ab088adec027a227808f33d4007e4626

SHA1
53ec99c530366d22ebb889272d3e9ab04ba608ac

SHA256
95df5a1e6f0e456b2c68743474926c76a2897c54e971cbb0668efa19c2e24744

SHA512
045e887fe2173bbd87c486c31a28d12c41be045ad299032b1b166a958fe218db5fdaf88112124c54de1ce636bedc55eabb4dd761d22d20ce57b7412f99311587

Download Submit
C:\Users\Admin\AppData\Local\Temp\CDD7.exe

Filesize
320KB

MD5
ab088adec027a227808f33d4007e4626

SHA1
53ec99c530366d22ebb889272d3e9ab04ba608ac

SHA256
95df5a1e6f0e456b2c68743474926c76a2897c54e971cbb0668efa19c2e24744

SHA512
045e887fe2173bbd87c486c31a28d12c41be045ad299032b1b166a958fe218db5fdaf88112124c54de1ce636bedc55eabb4dd761d22d20ce57b7412f99311587

Download Submit
C:\Users\Admin\AppData\Local\Temp\EF6.exe

Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\EF6.exe

Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\F746.exe

Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\F746.exe

Filesize
4KB

MD5
9748489855d9dd82ab09da5e3e55b19e

SHA1
6ed2bf6a1a53a59cd2137812cb43b5032817f6a1

SHA256
05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b

SHA512
7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe

Filesize
9.4MB

MD5
bf41699ea8e7a4ddc8989a616909c05d

SHA1
1f39ca29bec36d9971fd67a04e48108afa487b39

SHA256
ef351d1015aeebc0983a645de1e76d10aba040bff485ac82faed27c9445d2fe1

SHA512
72e36bd0b99fa346f18589e24e8036811c5d76b3ecb6124428798cc64df1c2b0471934f61046bd8e6776296188e7db4461a8c1f51fec1899916aeafab4ce2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gpwangiscadatahub.exe

Filesize
8.1MB

MD5
07f554f84e51a769fa49b1fb5ea76a64

SHA1
e725feb2059f62a3fe215a4a5bf7895f2e8a5f30

SHA256
98c4fe9292fbb198aca21b9938ef2ca6ede8e658ac7c554cbccff86bb87164aa

SHA512
f96bc41efc1f32a22e8212fd0e29b5d4a15fd5d03240f1c98b1f7f1f065e1b3220e0e27955fab9c43e82c6ee8f77e2b174bf33c03a20d7f61714076e40d2896c

Download Submit
C:\Users\Admin\AppData\Local\Temp\JCcyU0zDxj.exe

Filesize
214KB

MD5
c6917bc242058814f64360de5b4320be

SHA1
4c1959cc707acb43a1466d166e151c517164edc2

SHA256
732c3e3887c7e83b84fd96c6a8a2377235a29995c8656c1616dee40f8be81516

SHA512
2bf75a0ebcbd5ff7b65a47b9b8016081c272acb6b4fe1b487a6928e682dd93e5809cd2354f4d21acbef0703c4d1b6c87af4c0d731e2799be1a6197815ec1b6bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\JCcyU0zDxj.exe

Filesize
214KB

MD5
c6917bc242058814f64360de5b4320be

SHA1
4c1959cc707acb43a1466d166e151c517164edc2

SHA256
732c3e3887c7e83b84fd96c6a8a2377235a29995c8656c1616dee40f8be81516

SHA512
2bf75a0ebcbd5ff7b65a47b9b8016081c272acb6b4fe1b487a6928e682dd93e5809cd2354f4d21acbef0703c4d1b6c87af4c0d731e2799be1a6197815ec1b6bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qytyaworpiotpd.tmp

Filesize
752KB

MD5
710af73b2d7e92d33fac751318c08101

SHA1
2208c96a528b1d96e18ae47ab274f303e4099fff

SHA256
72021339c18f79141f9867c30616cbbdc517471e44d16bfe81063e5c7dba56c3

SHA512
1f19138b8412b871ccf33ec351d28157b6571bc02cb1d338fc4c06bd77e9518bbdb3392d63b9bcdde2bd94746c232f90b4796363f83cecfd49e0470b6495ac1a

Download Submit
C:\Users\Admin\AppData\Local\c36e51a0-a213-480f-a643-2f1d068e4e1e\build2.exe

Filesize
422KB

MD5
866933fee5234be619d89a6d6a60bd88

SHA1
fd279d026264dbb75ea46be965ea163d94d67f0c

SHA256
ab6396ad69a961a9f879e58725ed66fa01f7add478b61cbaf4db1f26a9e47185

SHA512
fab7b9cfa5c38cff35068334b8525fcc1c6a5ca694f379db3322fc1bd8df9bbfa3446504297fec4c42c55e805fee2be9f96a3eff8eed7db72816a080aff7933d

Download Submit
C:\Users\Admin\AppData\Local\c36e51a0-a213-480f-a643-2f1d068e4e1e\build2.exe

Filesize
422KB

MD5
866933fee5234be619d89a6d6a60bd88

SHA1
fd279d026264dbb75ea46be965ea163d94d67f0c

SHA256
ab6396ad69a961a9f879e58725ed66fa01f7add478b61cbaf4db1f26a9e47185

SHA512
fab7b9cfa5c38cff35068334b8525fcc1c6a5ca694f379db3322fc1bd8df9bbfa3446504297fec4c42c55e805fee2be9f96a3eff8eed7db72816a080aff7933d

Download Submit
C:\Users\Admin\AppData\Local\c36e51a0-a213-480f-a643-2f1d068e4e1e\build2.exe

Filesize
422KB

MD5
866933fee5234be619d89a6d6a60bd88

SHA1
fd279d026264dbb75ea46be965ea163d94d67f0c

SHA256
ab6396ad69a961a9f879e58725ed66fa01f7add478b61cbaf4db1f26a9e47185

SHA512
fab7b9cfa5c38cff35068334b8525fcc1c6a5ca694f379db3322fc1bd8df9bbfa3446504297fec4c42c55e805fee2be9f96a3eff8eed7db72816a080aff7933d

Download Submit
C:\Users\Admin\AppData\Local\c36e51a0-a213-480f-a643-2f1d068e4e1e\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\c36e51a0-a213-480f-a643-2f1d068e4e1e\build3.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\d4d187bc-2aa3-4ea9-ba21-755fd7323398\B75E.exe

Filesize
827KB

MD5
5d09682b08307cf7e7d4ee43b3b04791

SHA1
8668ef968def3d1e58bc5d3bb57088f0550a3b2d

SHA256
b0fe9334ec54815e8eda224488e34d41fcdaef253cad3c7cb751b273b3dc91e3

SHA512
a362e95e79b100178bce102b015e3d0107cd3df808980d84b63bc940ee7c90221f06cc2dc9f087b7e15e20ec994418483f5b913d954badf60d70f6c56b96f4d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\gtacfcs

Filesize
267KB

MD5
997678fdecbe60806da2112650e431ec

SHA1
32395e9abe2ad1c427395ab3d062eaca83cc2f34

SHA256
5258abfc177c8904dd244715ac40b16f23ceb68871b708b7491228def45ccb6b

SHA512
bbd7975499c5aeb82fb74d0f4a05930cbef73ca3b717af3bf956316d07d2e2f81bd64fc74faa011ac114c6d2c00ecfee0cca6237c4d91f96beff7d924dd5e240

Download Submit
C:\Users\Admin\AppData\Roaming\gtacfcs

Filesize
267KB

MD5
997678fdecbe60806da2112650e431ec

SHA1
32395e9abe2ad1c427395ab3d062eaca83cc2f34

SHA256
5258abfc177c8904dd244715ac40b16f23ceb68871b708b7491228def45ccb6b

SHA512
bbd7975499c5aeb82fb74d0f4a05930cbef73ca3b717af3bf956316d07d2e2f81bd64fc74faa011ac114c6d2c00ecfee0cca6237c4d91f96beff7d924dd5e240

Download Submit
\ProgramData\mozglue.dll

Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll

Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\Users\Admin\AppData\Local\Temp\Qytyaworpiotpd.tmp

Filesize
752KB

MD5
710af73b2d7e92d33fac751318c08101

SHA1
2208c96a528b1d96e18ae47ab274f303e4099fff

SHA256
72021339c18f79141f9867c30616cbbdc517471e44d16bfe81063e5c7dba56c3

SHA512
1f19138b8412b871ccf33ec351d28157b6571bc02cb1d338fc4c06bd77e9518bbdb3392d63b9bcdde2bd94746c232f90b4796363f83cecfd49e0470b6495ac1a

Download Submit
memory/480-157-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/480-170-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/480-171-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/480-173-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/480-172-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/480-175-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/480-174-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/480-176-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/480-177-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/480-178-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/480-179-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/480-180-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/480-164-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/480-254-0x0000000002150000-0x00000000021EB000-memory.dmp

Filesize
620KB

Download
memory/480-161-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/480-160-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/480-445-0x0000000002330000-0x000000000244B000-memory.dmp

Filesize
1.1MB

Download
memory/480-165-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/480-166-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/480-162-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/480-159-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/480-168-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/480-158-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/480-167-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/480-169-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/480-156-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/480-258-0x0000000002330000-0x000000000244B000-memory.dmp

Filesize
1.1MB

Download
memory/756-1462-0x00000000003B0000-0x00000000003B8000-memory.dmp

Filesize
32KB

Download
memory/2144-1202-0x0000000004870000-0x0000000004953000-memory.dmp

Filesize
908KB

Download
memory/2144-1204-0x00000000049C0000-0x0000000004AE0000-memory.dmp

Filesize
1.1MB

Download
memory/2144-1324-0x0000000000400000-0x0000000002C7B000-memory.dmp

Filesize
40.5MB

Download
memory/2144-1211-0x0000000000400000-0x0000000002C7B000-memory.dmp

Filesize
40.5MB

Download
memory/2280-1169-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/2280-1090-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/2280-1081-0x0000000002BA0000-0x0000000002CEA000-memory.dmp

Filesize
1.3MB

Download
memory/2280-1079-0x0000000002E77000-0x0000000002E87000-memory.dmp

Filesize
64KB

Download
memory/2784-276-0x0000000000400000-0x0000000002BAA000-memory.dmp

Filesize
39.7MB

Download
memory/2784-264-0x0000000002C90000-0x0000000002C99000-memory.dmp

Filesize
36KB

Download
memory/2784-261-0x0000000002CC0000-0x0000000002E0A000-memory.dmp

Filesize
1.3MB

Download
memory/2784-369-0x0000000000400000-0x0000000002BAA000-memory.dmp

Filesize
39.7MB

Download
memory/3336-1630-0x0000000000190000-0x000000000019F000-memory.dmp

Filesize
60KB

Download
memory/3336-1629-0x00000000001A0000-0x00000000001A9000-memory.dmp

Filesize
36KB

Download
memory/3340-1006-0x0000000008D70000-0x0000000008D92000-memory.dmp

Filesize
136KB

Download
memory/3340-988-0x00000000076C0000-0x00000000076DC000-memory.dmp

Filesize
112KB

Download
memory/3340-1007-0x0000000009380000-0x000000000987E000-memory.dmp

Filesize
5.0MB

Download
memory/3340-1005-0x0000000008D10000-0x0000000008D2A000-memory.dmp

Filesize
104KB

Download
memory/3340-1004-0x0000000008DE0000-0x0000000008E74000-memory.dmp

Filesize
592KB

Download
memory/3340-993-0x0000000007F00000-0x0000000007F76000-memory.dmp

Filesize
472KB

Download
memory/3340-963-0x0000000006F10000-0x0000000006F76000-memory.dmp

Filesize
408KB

Download
memory/3340-965-0x0000000007620000-0x0000000007686000-memory.dmp

Filesize
408KB

Download
memory/3340-989-0x0000000008120000-0x000000000816B000-memory.dmp

Filesize
300KB

Download
memory/3340-955-0x0000000006E70000-0x0000000006E92000-memory.dmp

Filesize
136KB

Download
memory/3340-971-0x00000000078A0000-0x0000000007BF0000-memory.dmp

Filesize
3.3MB

Download
memory/3340-887-0x0000000004420000-0x0000000004456000-memory.dmp

Filesize
216KB

Download
memory/3340-901-0x0000000006FF0000-0x0000000007618000-memory.dmp

Filesize
6.2MB

Download
memory/3552-331-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3552-422-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3892-941-0x000000000078B000-0x00000000007B8000-memory.dmp

Filesize
180KB

Download
memory/3892-945-0x0000000000700000-0x000000000074C000-memory.dmp

Filesize
304KB

Download
memory/4160-1395-0x00000000063D0000-0x0000000006F2B000-memory.dmp

Filesize
11.4MB

Download
memory/4160-1481-0x00000000063D0000-0x0000000006F2B000-memory.dmp

Filesize
11.4MB

Download
memory/4160-1406-0x00000000070E7000-0x00000000070E9000-memory.dmp

Filesize
8KB

Download
memory/4160-1486-0x00000000070E7000-0x00000000070E9000-memory.dmp

Filesize
8KB

Download
memory/4228-1525-0x0000000000970000-0x0000000000978000-memory.dmp

Filesize
32KB

Download
memory/4228-1529-0x00000000051A0000-0x0000000005232000-memory.dmp

Filesize
584KB

Download
memory/4228-1648-0x000000000F640000-0x000000000FFE8000-memory.dmp

Filesize
9.7MB

Download
memory/4228-1545-0x0000000005320000-0x000000000532A000-memory.dmp

Filesize
40KB

Download
memory/4344-414-0x0000000000400000-0x0000000002BAA000-memory.dmp

Filesize
39.7MB

Download
memory/4344-407-0x0000000002BB0000-0x0000000002C5E000-memory.dmp

Filesize
696KB

Download
memory/4344-487-0x0000000000400000-0x0000000002BAA000-memory.dmp

Filesize
39.7MB

Download
memory/4344-406-0x0000000002BB0000-0x0000000002C5E000-memory.dmp

Filesize
696KB

Download
memory/4380-1633-0x00000000003C0000-0x000000000049A000-memory.dmp

Filesize
872KB

Download
memory/4632-186-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4632-187-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4632-185-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4632-188-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4632-184-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4632-458-0x00000000001D0000-0x000000000064E000-memory.dmp

Filesize
4.5MB

Download
memory/4632-189-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4652-334-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4652-332-0x00000000004F0000-0x000000000063A000-memory.dmp

Filesize
1.3MB

Download
memory/4652-486-0x00000000004F0000-0x000000000063A000-memory.dmp

Filesize
1.3MB

Download
memory/4664-1419-0x00000000007E0000-0x0000000000A8A000-memory.dmp

Filesize
2.7MB

Download
memory/4664-1420-0x0000022D8CAA0000-0x0000022D8CD5B000-memory.dmp

Filesize
2.7MB

Download
memory/4992-987-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4992-1235-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4992-1175-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5004-139-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-128-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-136-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-127-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-126-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-137-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-138-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-124-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-125-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-135-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-123-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-122-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-132-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-130-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-134-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-140-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-121-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-120-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-141-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-143-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-142-0x0000000002E8A000-0x0000000002E9B000-memory.dmp

Filesize
68KB

Download
memory/5004-131-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-129-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-144-0x0000000002CE0000-0x0000000002E2A000-memory.dmp

Filesize
1.3MB

Download
memory/5004-145-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-146-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-147-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-116-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-148-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-153-0x0000000000400000-0x0000000002BAA000-memory.dmp

Filesize
39.7MB

Download
memory/5004-133-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-149-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-150-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-151-0x0000000000400000-0x0000000002BAA000-memory.dmp

Filesize
39.7MB

Download
memory/5004-115-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-119-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-118-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-152-0x0000000002E8A000-0x0000000002E9B000-memory.dmp

Filesize
68KB

Download
memory/5004-117-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5092-602-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5092-957-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download