amadey | 2c25b70f08a34cc52989882c4715854c4f488dacfa2c4a615ce5f8c265b21862

Analysis

max time kernel
141s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
19/01/2023, 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c25b70f08a34cc52989882c4715854c4f488dacfa2c4.exe
Size

235KB
MD5

9630e11f88c832c3c7a5da18ef9cc0ac
SHA1

5bfadbe22a7b3a1db3cb5a7f2ec224f4e44c7bd0
SHA256

2c25b70f08a34cc52989882c4715854c4f488dacfa2c4a615ce5f8c265b21862
SHA512

da94fdf546709e7f18af019cd92e23af81d161b9e2730b65719381da052320191d957db16d06b26021f8de686a7fb6b20d9715fe7e64a0c7063a6b3051dab4cd
SSDEEP

6144:WfSsOzqs7nAV3QN2tW0J3SluVy3VYlSgXqgkX:jbN6J4uVy3VmSga

Malware Config

Extracted

Family

amadey

Version

3.66

62.204.41.121/ZxhssZx/index.php

maximumpushtodaynotnowbut.com/Nmkn5d9Dn/index.php

motiontodaynotgogoodnowok.com/Nmkn5d9Dn/index.php

sogoodnowtodaynow.com/Nmkn5d9Dn/index.php

Extracted

Family

redline

Botnet

@REDLINEVIP Cloud (TG: @FATHEROFCARDERS)

151.80.89.233:13553

Attributes

auth_value
fbee175162920530e6bf470c8003fa1a

Extracted

Family

eternity

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Extracted

Family

redline

Botnet

vertu

62.204.41.159:4062

Attributes

auth_value
fcf83997f362e2cd45c3f3c30912dd41

Extracted

Family

amadey

Version

3.65

77.73.134.27/8bmdh3Slb2/index.php

193.42.33.28/8bmdh3Slb2/index.php

Extracted

Family

redline

193.47.61.243:80

45.88.67.20:80

91.107.159.152:33685

Attributes

auth_value
e74a083712b9749c612d5e31999699a4

Extracted

Family

raccoon

Botnet

571391c08bcfc49c97149aeb137899e0

http://185.180.199.215

rc4.plain

Extracted

Family

redline

Botnet

@DridexxSupport ( http://t.me/DridexxHackingTutorials )

154.7.253.146:40762

Attributes

auth_value
ee07f3e6fb42718b666e27fe7bb35986

Extracted

Family

socelars

https://hdbywe.s3.us-west-2.amazonaws.com/sdfeas18/

Extracted

Family

redline

Botnet

redlin

45.88.67.183:7304

Attributes

auth_value
ec5a5f136c323a39d744feb362ef434a

Extracted

Family

xworm

sym.publicvm.com:6364

Mutex

Md5qBUoAJSZHv3e3

Attributes

install_file
USB.exe

aes.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2336	rundll32.exe	20

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0009000000022e18-331.dat	family_socelars
behavioral2/files/0x0009000000022e18-330.dat	family_socelars

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Downloads MZ/PE file

Executes dropped EXE 31 IoCs

pid	Process
4372	nbveek.exe
3468	700K.exe
4616	qiv1ow16wzuw.exe
1612	14141.exe
2540	vertu.exe
4888	nbveek.exe
636	Player3.exe
1980	nbveek.exe
3432	huf6dcojjmd.exe
1988	ztf9phdgi2oi7q.exe
3576	pb1111.exe
4640	qiv1ow16wzuw.exe
4888	tcg05w40u9.exe
4436	Amadey.exe
1208	random.exe
4052	lbcr.exe
4468	bhada.exe
3020	ztf9phdgi2oi7q.exe
3932	nbveek.exe
4228	nbveek.exe
1388	random.exe
4400	nbveek.exe
732	lbcr.exe
3272	9mbpbo6qiofdjh.exe
876	neste.exe
1928	msve.exe
3656	AntiVirus.exe
1640	NATEppp.exe
4844	handdiy_1.exe
2276	myBUILDREDLINE.exe
3344	buildppb.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x0006000000022df0-216.dat	vmprotect
behavioral2/files/0x0006000000022df0-217.dat	vmprotect
behavioral2/memory/3576-224-0x0000000140000000-0x000000014061E000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	random.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	nbveek.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	2c25b70f08a34cc52989882c4715854c4f488dacfa2c4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	nbveek.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	Player3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	nbveek.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	Amadey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	14141.exe

Loads dropped DLL 5 IoCs

pid	Process
1400	rundll32.exe
3812	rundll32.exe
3080	rundll32.exe
3636	rundll32.exe
3396	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vertu.exe = "C:\\Users\\Admin\\1000012052\\vertu.exe"	nbveek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\neste.exe = "C:\\Users\\Admin\\1000042052\\neste.exe"	nbveek.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
732	lbcr.exe

Suspicious use of SetThreadContext 10 IoCs

description	pid	Process	procid_target
PID 4616 set thread context of 4528	4616	qiv1ow16wzuw.exe	96
PID 3432 set thread context of 3764	3432	huf6dcojjmd.exe	140
PID 1988 set thread context of 4872	1988	ztf9phdgi2oi7q.exe	152
PID 4640 set thread context of 4300	4640	qiv1ow16wzuw.exe	153
PID 4888 set thread context of 4144	4888	tcg05w40u9.exe	159
PID 4468 set thread context of 4232	4468	bhada.exe	169
PID 3020 set thread context of 3192	3020	ztf9phdgi2oi7q.exe	177
PID 4052 set thread context of 732	4052	lbcr.exe	198
PID 3272 set thread context of 1644	3272	9mbpbo6qiofdjh.exe	204
PID 1640 set thread context of 4260	1640	NATEppp.exe	211

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 19 IoCs

pid	pid_target	Process	procid_target
3820	4616	WerFault.exe	94
3400	1612	WerFault.exe	99
4848	1612	WerFault.exe	99
3844	1612	WerFault.exe	99
4868	1612	WerFault.exe	99
3192	1612	WerFault.exe	99
4776	3432	WerFault.exe	138
4544	1612	WerFault.exe	99
1084	1988	WerFault.exe	143
4092	4888	WerFault.exe	157
852	4468	WerFault.exe	167
1488	1612	WerFault.exe	99
4660	3020	WerFault.exe	174
4300	4228	WerFault.exe	179
1968	3272	WerFault.exe	199
1208	4228	WerFault.exe	179
1256	1640	WerFault.exe	206
4280	3636	WerFault.exe	220
1480	3396	WerFault.exe	219

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	vbc.exe

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2120	schtasks.exe
2952	schtasks.exe
1844	schtasks.exe
1924	schtasks.exe
360	schtasks.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.y1dAMeVWr	lbcr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.y1dAMeVWr\ = "y1dAMeVWr"	lbcr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\y1dAMeVWr\DefaultIcon	lbcr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\y1dAMeVWr	lbcr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\y1dAMeVWr\DefaultIcon\ = "C:\\ProgramData\\y1dAMeVWr.ico"	lbcr.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	94	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4528	vbc.exe
2540	vertu.exe
2540	vertu.exe
3468	700K.exe
3468	700K.exe
3468	700K.exe
3764	vbc.exe
3764	vbc.exe
3764	vbc.exe
732	lbcr.exe
732	lbcr.exe
4232	vbc.exe
4232	vbc.exe
4232	vbc.exe
732	lbcr.exe
732	lbcr.exe
732	lbcr.exe
732	lbcr.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeDebugPrivilege	4528	vbc.exe
Token: SeDebugPrivilege	2540	vertu.exe
Token: SeDebugPrivilege	3468	700K.exe
Token: SeDebugPrivilege	3764	vbc.exe
Token: SeDebugPrivilege	4232	vbc.exe
Token: SeCreateTokenPrivilege	4844	handdiy_1.exe
Token: SeAssignPrimaryTokenPrivilege	4844	handdiy_1.exe
Token: SeLockMemoryPrivilege	4844	handdiy_1.exe
Token: SeIncreaseQuotaPrivilege	4844	handdiy_1.exe
Token: SeMachineAccountPrivilege	4844	handdiy_1.exe
Token: SeTcbPrivilege	4844	handdiy_1.exe
Token: SeSecurityPrivilege	4844	handdiy_1.exe
Token: SeTakeOwnershipPrivilege	4844	handdiy_1.exe
Token: SeLoadDriverPrivilege	4844	handdiy_1.exe
Token: SeSystemProfilePrivilege	4844	handdiy_1.exe
Token: SeSystemtimePrivilege	4844	handdiy_1.exe
Token: SeProfSingleProcessPrivilege	4844	handdiy_1.exe
Token: SeIncBasePriorityPrivilege	4844	handdiy_1.exe
Token: SeCreatePagefilePrivilege	4844	handdiy_1.exe
Token: SeCreatePermanentPrivilege	4844	handdiy_1.exe
Token: SeBackupPrivilege	4844	handdiy_1.exe
Token: SeRestorePrivilege	4844	handdiy_1.exe
Token: SeShutdownPrivilege	4844	handdiy_1.exe
Token: SeDebugPrivilege	4844	handdiy_1.exe
Token: SeAuditPrivilege	4844	handdiy_1.exe
Token: SeSystemEnvironmentPrivilege	4844	handdiy_1.exe
Token: SeChangeNotifyPrivilege	4844	handdiy_1.exe
Token: SeRemoteShutdownPrivilege	4844	handdiy_1.exe
Token: SeUndockPrivilege	4844	handdiy_1.exe
Token: SeSyncAgentPrivilege	4844	handdiy_1.exe
Token: SeEnableDelegationPrivilege	4844	handdiy_1.exe
Token: SeManageVolumePrivilege	4844	handdiy_1.exe
Token: SeImpersonatePrivilege	4844	handdiy_1.exe
Token: SeCreateGlobalPrivilege	4844	handdiy_1.exe
Token: 31	4844	handdiy_1.exe
Token: 32	4844	handdiy_1.exe
Token: 33	4844	handdiy_1.exe
Token: 34	4844	handdiy_1.exe
Token: 35	4844	handdiy_1.exe
Token: SeAssignPrimaryTokenPrivilege	732	lbcr.exe
Token: SeBackupPrivilege	732	lbcr.exe
Token: SeDebugPrivilege	732	lbcr.exe
Token: 36	732	lbcr.exe
Token: SeImpersonatePrivilege	732	lbcr.exe
Token: SeIncBasePriorityPrivilege	732	lbcr.exe
Token: SeIncreaseQuotaPrivilege	732	lbcr.exe
Token: 33	732	lbcr.exe
Token: SeManageVolumePrivilege	732	lbcr.exe
Token: SeProfSingleProcessPrivilege	732	lbcr.exe
Token: SeRestorePrivilege	732	lbcr.exe
Token: SeSecurityPrivilege	732	lbcr.exe
Token: SeSystemProfilePrivilege	732	lbcr.exe
Token: SeTakeOwnershipPrivilege	732	lbcr.exe
Token: SeShutdownPrivilege	732	lbcr.exe
Token: SeDebugPrivilege	732	lbcr.exe
Token: SeDebugPrivilege	4260	vbc.exe
Token: SeDebugPrivilege	876	neste.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3388 wrote to memory of 4372	3388	2c25b70f08a34cc52989882c4715854c4f488dacfa2c4.exe	82
PID 3388 wrote to memory of 4372	3388	2c25b70f08a34cc52989882c4715854c4f488dacfa2c4.exe	82
PID 3388 wrote to memory of 4372	3388	2c25b70f08a34cc52989882c4715854c4f488dacfa2c4.exe	82
PID 4372 wrote to memory of 2120	4372	nbveek.exe	83
PID 4372 wrote to memory of 2120	4372	nbveek.exe	83
PID 4372 wrote to memory of 2120	4372	nbveek.exe	83
PID 4372 wrote to memory of 2004	4372	nbveek.exe	85
PID 4372 wrote to memory of 2004	4372	nbveek.exe	85
PID 4372 wrote to memory of 2004	4372	nbveek.exe	85
PID 2004 wrote to memory of 744	2004	cmd.exe	87
PID 2004 wrote to memory of 744	2004	cmd.exe	87
PID 2004 wrote to memory of 744	2004	cmd.exe	87
PID 2004 wrote to memory of 1932	2004	cmd.exe	88
PID 2004 wrote to memory of 1932	2004	cmd.exe	88
PID 2004 wrote to memory of 1932	2004	cmd.exe	88
PID 2004 wrote to memory of 2736	2004	cmd.exe	89
PID 2004 wrote to memory of 2736	2004	cmd.exe	89
PID 2004 wrote to memory of 2736	2004	cmd.exe	89
PID 2004 wrote to memory of 2100	2004	cmd.exe	90
PID 2004 wrote to memory of 2100	2004	cmd.exe	90
PID 2004 wrote to memory of 2100	2004	cmd.exe	90
PID 2004 wrote to memory of 1620	2004	cmd.exe	91
PID 2004 wrote to memory of 1620	2004	cmd.exe	91
PID 2004 wrote to memory of 1620	2004	cmd.exe	91
PID 2004 wrote to memory of 2568	2004	cmd.exe	92
PID 2004 wrote to memory of 2568	2004	cmd.exe	92
PID 2004 wrote to memory of 2568	2004	cmd.exe	92
PID 4372 wrote to memory of 3468	4372	nbveek.exe	93
PID 4372 wrote to memory of 3468	4372	nbveek.exe	93
PID 4372 wrote to memory of 3468	4372	nbveek.exe	93
PID 4372 wrote to memory of 4616	4372	nbveek.exe	94
PID 4372 wrote to memory of 4616	4372	nbveek.exe	94
PID 4372 wrote to memory of 4616	4372	nbveek.exe	94
PID 4616 wrote to memory of 4528	4616	qiv1ow16wzuw.exe	96
PID 4616 wrote to memory of 4528	4616	qiv1ow16wzuw.exe	96
PID 4616 wrote to memory of 4528	4616	qiv1ow16wzuw.exe	96
PID 4616 wrote to memory of 4528	4616	qiv1ow16wzuw.exe	96
PID 4616 wrote to memory of 4528	4616	qiv1ow16wzuw.exe	96
PID 4372 wrote to memory of 1612	4372	nbveek.exe	99
PID 4372 wrote to memory of 1612	4372	nbveek.exe	99
PID 4372 wrote to memory of 1612	4372	nbveek.exe	99
PID 4372 wrote to memory of 2540	4372	nbveek.exe	100
PID 4372 wrote to memory of 2540	4372	nbveek.exe	100
PID 4372 wrote to memory of 2540	4372	nbveek.exe	100
PID 4528 wrote to memory of 2524	4528	vbc.exe	104
PID 4528 wrote to memory of 2524	4528	vbc.exe	104
PID 4528 wrote to memory of 2524	4528	vbc.exe	104
PID 2524 wrote to memory of 4624	2524	cmd.exe	106
PID 2524 wrote to memory of 4624	2524	cmd.exe	106
PID 2524 wrote to memory of 4624	2524	cmd.exe	106
PID 2524 wrote to memory of 2380	2524	cmd.exe	109
PID 2524 wrote to memory of 2380	2524	cmd.exe	109
PID 2524 wrote to memory of 2380	2524	cmd.exe	109
PID 2524 wrote to memory of 4144	2524	cmd.exe	110
PID 2524 wrote to memory of 4144	2524	cmd.exe	110
PID 2524 wrote to memory of 4144	2524	cmd.exe	110
PID 4528 wrote to memory of 3452	4528	vbc.exe	116
PID 4528 wrote to memory of 3452	4528	vbc.exe	116
PID 4528 wrote to memory of 3452	4528	vbc.exe	116
PID 3452 wrote to memory of 4884	3452	cmd.exe	118
PID 3452 wrote to memory of 4884	3452	cmd.exe	118
PID 3452 wrote to memory of 4884	3452	cmd.exe	118
PID 3452 wrote to memory of 4816	3452	cmd.exe	119
PID 3452 wrote to memory of 4816	3452	cmd.exe	119

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

C:\Users\Admin\AppData\Local\Temp\2c25b70f08a34cc52989882c4715854c4f488dacfa2c4.exe
"C:\Users\Admin\AppData\Local\Temp\2c25b70f08a34cc52989882c4715854c4f488dacfa2c4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
  "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:2120
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9e0894bcc4" /P "Admin:N"&&CACLS "..\9e0894bcc4" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:744
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "nbveek.exe" /P "Admin:N"
      4⤵
      PID:1932
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "nbveek.exe" /P "Admin:R" /E
      4⤵
      PID:2736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:2100
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\9e0894bcc4" /P "Admin:N"
      4⤵
      PID:1620
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\9e0894bcc4" /P "Admin:R" /E
      4⤵
      PID:2568
- - C:\Users\Admin\AppData\Local\Temp\1000001001\700K.exe
    "C:\Users\Admin\AppData\Local\Temp\1000001001\700K.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3468
- - C:\Users\Admin\AppData\Local\Temp\1000002001\qiv1ow16wzuw.exe
    "C:\Users\Admin\AppData\Local\Temp\1000002001\qiv1ow16wzuw.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4616
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      Accesses Microsoft Outlook profiles
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      outlook_office_path
      outlook_win_path
      PID:4528
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2524
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4624
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        6⤵
        
        PID:2380
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        6⤵
        
        PID:4144
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3452
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4884
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile name="65001" key=clear
        6⤵
        
        PID:4816
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr Key
        6⤵
        
        PID:4956
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 156
      4⤵
      Program crash
      PID:3820
- - C:\Users\Admin\AppData\Local\Temp\1000004001\14141.exe
    "C:\Users\Admin\AppData\Local\Temp\1000004001\14141.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    PID:1612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 936
      4⤵
      Program crash
      PID:3400
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1008
      4⤵
      Program crash
      PID:4848
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1092
      4⤵
      Program crash
      PID:3844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1108
      4⤵
      Program crash
      PID:4868
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1116
      4⤵
      Program crash
      PID:3192
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1076
      4⤵
      Program crash
      PID:4544
  - - C:\Users\Admin\AppData\Local\Temp\727358c059\nbveek.exe
      "C:\Users\Admin\AppData\Local\Temp\727358c059\nbveek.exe"
      4⤵
      Executes dropped EXE
      PID:4228
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 592
        5⤵
        Program crash
        
        PID:4300
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 612
        5⤵
        Program crash
        
        PID:1208
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1144
      4⤵
      Program crash
      PID:1488
- - C:\Users\Admin\1000012052\vertu.exe
    "C:\Users\Admin\1000012052\vertu.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2540
- - C:\Users\Admin\AppData\Local\Temp\1000017001\Player3.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\Player3.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    PID:636
  - - C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
      "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      PID:1980
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:2952
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit
        5⤵
        
        PID:2720
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:2120
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nbveek.exe" /P "Admin:N"
        6⤵
        
        PID:1660
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nbveek.exe" /P "Admin:R" /E
        6⤵
        
        PID:1808
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:2256
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\16de06bfb4" /P "Admin:N"
        6⤵
        
        PID:1620
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\16de06bfb4" /P "Admin:R" /E
        6⤵
        
        PID:3032
    - - C:\Users\Admin\AppData\Local\Temp\1000034001\pb1111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000034001\pb1111.exe"
        5⤵
        Executes dropped EXE
        
        PID:3576
    - - C:\Users\Admin\AppData\Local\Temp\1000035001\random.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000035001\random.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:1208
      - C:\Users\Admin\AppData\Local\Temp\1000035001\random.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000035001\random.exe" -h
        6⤵
        Executes dropped EXE
        
        PID:1388
    - - C:\Users\Admin\AppData\Local\Temp\1000036001\handdiy_1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000036001\handdiy_1.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4844
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:3080
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:3636
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3636 -s 688
        7⤵
        Program crash
        
        PID:4280
- - C:\Users\Admin\AppData\Local\Temp\1000027001\huf6dcojjmd.exe
    "C:\Users\Admin\AppData\Local\Temp\1000027001\huf6dcojjmd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3432
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3764
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 268
      4⤵
      Program crash
      PID:4776
- - C:\Users\Admin\AppData\Local\Temp\1000028001\ztf9phdgi2oi7q.exe
    "C:\Users\Admin\AppData\Local\Temp\1000028001\ztf9phdgi2oi7q.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1988
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:4872
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 156
      4⤵
      Program crash
      PID:1084
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:1400
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      Loads dropped DLL
      PID:3812
- - C:\Users\Admin\AppData\Local\Temp\1000029001\qiv1ow16wzuw.exe
    "C:\Users\Admin\AppData\Local\Temp\1000029001\qiv1ow16wzuw.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4640
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:4300
- - C:\Users\Admin\AppData\Local\Temp\1000032001\tcg05w40u9.exe
    "C:\Users\Admin\AppData\Local\Temp\1000032001\tcg05w40u9.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4888
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:4144
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 148
      4⤵
      Program crash
      PID:4092
- - C:\Users\Admin\AppData\Local\Temp\1000035001\Amadey.exe
    "C:\Users\Admin\AppData\Local\Temp\1000035001\Amadey.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    PID:4436
  - - C:\Users\Admin\AppData\Local\Temp\07001a6976\nbveek.exe
      "C:\Users\Admin\AppData\Local\Temp\07001a6976\nbveek.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      PID:3932
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\07001a6976\nbveek.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:1844
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\07001a6976" /P "Admin:N"&&CACLS "..\07001a6976" /P "Admin:R" /E&&Exit
        5⤵
        
        PID:3424
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:3292
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nbveek.exe" /P "Admin:N"
        6⤵
        
        PID:1160
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nbveek.exe" /P "Admin:R" /E
        6⤵
        
        PID:2184
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:992
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\07001a6976" /P "Admin:N"
        6⤵
        
        PID:1316
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\07001a6976" /P "Admin:R" /E
        6⤵
        
        PID:3432
- - C:\Users\Admin\AppData\Local\Temp\1000036001\lbcr.exe
    "C:\Users\Admin\AppData\Local\Temp\1000036001\lbcr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4052
  - - C:\Users\Admin\AppData\Local\Temp\1000036001\lbcr.exe
      "C:\Users\Admin\AppData\Local\Temp\1000036001\lbcr.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:732
- - C:\Users\Admin\AppData\Local\Temp\1000038001\bhada.exe
    "C:\Users\Admin\AppData\Local\Temp\1000038001\bhada.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4468
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4232
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 272
      4⤵
      Program crash
      PID:852
- - C:\Users\Admin\AppData\Local\Temp\1000039001\ztf9phdgi2oi7q.exe
    "C:\Users\Admin\AppData\Local\Temp\1000039001\ztf9phdgi2oi7q.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3020
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:3192
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 156
      4⤵
      Program crash
      PID:4660
- - C:\Users\Admin\AppData\Local\Temp\1000041001\9mbpbo6qiofdjh.exe
    "C:\Users\Admin\AppData\Local\Temp\1000041001\9mbpbo6qiofdjh.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3272
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:1644
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 304
      4⤵
      Program crash
      PID:1968
- - C:\Users\Admin\1000042052\neste.exe
    "C:\Users\Admin\1000042052\neste.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:876
- - C:\Users\Admin\AppData\Local\Temp\1000050001\msve.exe
    "C:\Users\Admin\AppData\Local\Temp\1000050001\msve.exe"
    3⤵
    - Executes dropped EXE
    PID:1928
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:1648
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "vbc" /tr "C:\Users\Admin\AppData\Roaming\vbc.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:1924
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\1000050001\msve.exe" "C:\Users\Admin\AppData\Local\Temp\msixe\msixe.exe"
      4⤵
      PID:2692
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\msixe\msixe.exe'" /f
      4⤵
      PID:3844
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\msixe\msixe.exe'" /f
        5⤵
        Creates scheduled task(s)
        
        PID:360
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c mkdir "C:\Users\Admin\AppData\Local\Temp\msixe"
      4⤵
      PID:3736
- - C:\Users\Admin\AppData\Local\Temp\1000046001\AntiVirus.exe
    "C:\Users\Admin\AppData\Local\Temp\1000046001\AntiVirus.exe"
    3⤵
    - Executes dropped EXE
    PID:3656
- - C:\Users\Admin\AppData\Local\Temp\1000054001\NATEppp.exe
    "C:\Users\Admin\AppData\Local\Temp\1000054001\NATEppp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1640
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4260
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 276
      4⤵
      Program crash
      PID:1256
- - C:\Users\Admin\AppData\Local\Temp\1000065001\myBUILDREDLINE.exe
    "C:\Users\Admin\AppData\Local\Temp\1000065001\myBUILDREDLINE.exe"
    3⤵
    - Executes dropped EXE
    PID:2276
- - C:\Users\Admin\AppData\Roaming\1000064000\buildppb.exe
    "C:\Users\Admin\AppData\Roaming\1000064000\buildppb.exe"
    3⤵
    - Executes dropped EXE
    PID:3344
- - C:\Users\Admin\AppData\Local\Temp\1000066001\svhost.exe
    "C:\Users\Admin\AppData\Local\Temp\1000066001\svhost.exe"
    3⤵
    PID:2744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4616 -ip 4616
1⤵
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1612 -ip 1612
1⤵
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1612 -ip 1612
1⤵
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1612 -ip 1612
1⤵
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1612 -ip 1612
1⤵
PID:3568

C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
1⤵
- Executes dropped EXE
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1612 -ip 1612
1⤵
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3432 -ip 3432
1⤵
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1612 -ip 1612
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1988 -ip 1988
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4640 -ip 4640
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4888 -ip 4888
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4468 -ip 4468
1⤵
PID:1256

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 3812 -ip 3812
1⤵
PID:4524

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
1⤵
- Executes dropped EXE
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1612 -ip 1612
1⤵
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3020 -ip 3020
1⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4228 -ip 4228
1⤵
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3272 -ip 3272
1⤵
PID:1084

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:1600
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
  2⤵
  - Loads dropped DLL
  PID:3396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 600
    3⤵
    - Program crash
    PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4228 -ip 4228
1⤵
PID:316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1640 -ip 1640
1⤵
PID:1260

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 3636 -ip 3636
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3396 -ip 3396
1⤵
PID:2256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000012052\vertu.exe

Filesize
175KB

MD5
217a9bc8298a3349d4f0848a6dbe4624

SHA1
3780b3fb1ad7cff8b6d2be61e73768b106364e61

SHA256
815a468a5c1583dc0acfb30ab3be2401c3d8cf0bbbc5bb1dd5f7a30a321acc1d

SHA512
32c66ada7eac2df93b7ed41699bc97ef2ab7faae5219d205f36aedf202c666f1bc88db8594f30a593da6ec6d187966f48e7e3689dcedda78aa1931caa6896296

Download Submit
C:\Users\Admin\1000012052\vertu.exe

Filesize
175KB

MD5
217a9bc8298a3349d4f0848a6dbe4624

SHA1
3780b3fb1ad7cff8b6d2be61e73768b106364e61

SHA256
815a468a5c1583dc0acfb30ab3be2401c3d8cf0bbbc5bb1dd5f7a30a321acc1d

SHA512
32c66ada7eac2df93b7ed41699bc97ef2ab7faae5219d205f36aedf202c666f1bc88db8594f30a593da6ec6d187966f48e7e3689dcedda78aa1931caa6896296

Download Submit
C:\Users\Admin\1000042052\neste.exe

Filesize
426KB

MD5
b24bd8b76ece974eb0b59ad171297c86

SHA1
491cada8497c49f8dbfc49fac8afa897708b49d4

SHA256
d6b354bd1b7153e049e51c53a8250925b4016655114a7cf1655aa9dde5587161

SHA512
b8f44038a8158868543464b3a6e5b21ecde9272db0a69b0759fb2e1745b67f8448c92b325e7b728e5f121fe2a82dc17c6d1a62cf62b1751c310a2e15ad9d3616

Download Submit
C:\Users\Admin\1000042052\neste.exe

Filesize
426KB

MD5
b24bd8b76ece974eb0b59ad171297c86

SHA1
491cada8497c49f8dbfc49fac8afa897708b49d4

SHA256
d6b354bd1b7153e049e51c53a8250925b4016655114a7cf1655aa9dde5587161

SHA512
b8f44038a8158868543464b3a6e5b21ecde9272db0a69b0759fb2e1745b67f8448c92b325e7b728e5f121fe2a82dc17c6d1a62cf62b1751c310a2e15ad9d3616

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
2465c641f99d0f0ffa3bb60cb21e8056

SHA1
9be7c6959aa47ab5282f32bcb894eb04bb7be4dc

SHA256
5a288c6ed001e16e63592b20299327f59e2c581eaf7b3ab162dc06d088961bae

SHA512
c9e6118a369a80a48d21a760bfcdffb0dd296e68d96bedaa94c875deff6a42f837ba7c4abea69b5709095adc6d810e859b88586776998f466d0a9c1f08009537

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
c18c1ab84b27ba6cf9cd2e5ca8a96d62

SHA1
df6dc9e0b61be770d13df05ac149ed07c5f9210c

SHA256
c3535d9b617c8060aa4a80b708e2d017c1b344258b5f18d1b6889060c894ff2a

SHA512
cb84a250d7c37c1def8d34976326f4d90b4e5fc0dbefddec5958af85e67a07e77ca0bebe8bd8c3ab784b138eb2ee05004ebba20156e5e02186bd1dd1d92850e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
d9ef5f67754a988565f8eaf2d0164797

SHA1
c2bd6b2a542e469767238ff318d8f72467bd9769

SHA256
6369ec7a1ef80475b6100c9da4d1a862a7518b7abc5683f170637dd10cefc5da

SHA512
490934840a09218e86cd110cd977964748df7dfa026d62af30358ec7a883c35bb86f85893f9ec4d62738dcdb21f7b1a0158b13ef81a39c9dd4726653e3c52385

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
f7411941dbc4ff9c14b03610251199b5

SHA1
5962170ab834c38dac35e2f49ae60386d13ae0de

SHA256
cb9d623e3c3a97705cff5a1f08f957b8e7efed773687cd6227dde8372461810d

SHA512
8ec82aba00f73b1a33ec485f69fd043233217ed3b3da130b9911cc844028a68c25ef080d406fd84c6d2238172193e2fd6f49376e377374692bcd3539003d4439

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log

Filesize
321B

MD5
08027eeee0542c93662aef98d70095e4

SHA1
42402c02bf4763fcd6fb0650fc13386f2eae8f9b

SHA256
1b9ec007ac8e7de37c61313c5e1b9444df6dc0cd9110553bfa281b13204a646d

SHA512
c4e7a17a1dc1f27c91791439d92435a5d750a065508e9539c9af458f21472a7ce45ba0666ef6855a00386e1a75c518d0908b82d929084a1b67ca4c65997a5979

Download Submit
C:\Users\Admin\AppData\Local\Temp\07001a6976\nbveek.exe

Filesize
246KB

MD5
54d77d83a9d14719645848a53a9295a6

SHA1
4e04bb8cd980f568df05b92a894b50cb1f5258b4

SHA256
2073406f740a15b0bcdc15b30d558dd7155fff533508247b4304b32d04c7ea85

SHA512
9ea89676aa993b0def9be6870bea7452ea38e0781e561b8484488a91705e9f1fbaee048ed7a7826f782e6f418708151cf9ac96184fc18771764fe97d2918ce9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\07001a6976\nbveek.exe

Filesize
246KB

MD5
54d77d83a9d14719645848a53a9295a6

SHA1
4e04bb8cd980f568df05b92a894b50cb1f5258b4

SHA256
2073406f740a15b0bcdc15b30d558dd7155fff533508247b4304b32d04c7ea85

SHA512
9ea89676aa993b0def9be6870bea7452ea38e0781e561b8484488a91705e9f1fbaee048ed7a7826f782e6f418708151cf9ac96184fc18771764fe97d2918ce9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000001001\700K.exe

Filesize
175KB

MD5
10fc0e201418375882eeef47dba6b6d8

SHA1
bbdc696eb27fb2367e251db9b0fae64a0a58b0d0

SHA256
b6dcda3b84e6561d582db25fdbdbcd6ddb350579899817122d08dfdb6c8fd2a3

SHA512
746b1f7c7f6e841bdbe308c34ed20e2cf48a757a70f97e6f37903f3ec0aa0c8d944cc75648109a6594839df0e3858ba84177d2fa3cc6398f39656c6421df2ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000001001\700K.exe

Filesize
175KB

MD5
10fc0e201418375882eeef47dba6b6d8

SHA1
bbdc696eb27fb2367e251db9b0fae64a0a58b0d0

SHA256
b6dcda3b84e6561d582db25fdbdbcd6ddb350579899817122d08dfdb6c8fd2a3

SHA512
746b1f7c7f6e841bdbe308c34ed20e2cf48a757a70f97e6f37903f3ec0aa0c8d944cc75648109a6594839df0e3858ba84177d2fa3cc6398f39656c6421df2ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\qiv1ow16wzuw.exe

Filesize
667KB

MD5
1125d277ccde4c5fea05e9b784107388

SHA1
33a6701d158fdf233d9551d949fee2b1eefa31f4

SHA256
156da573614eadb656348d9ac7af4de07134dd7e1f66cb2df40260a830b7b520

SHA512
3c335773a982a6f652b8481a82d70983f4d7a64ea9a699c2fbf370413124770bcd6ee629057aa9478ba37125e88e2d8a68a1a50ade95c27722fcc631b4dee4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\qiv1ow16wzuw.exe

Filesize
667KB

MD5
1125d277ccde4c5fea05e9b784107388

SHA1
33a6701d158fdf233d9551d949fee2b1eefa31f4

SHA256
156da573614eadb656348d9ac7af4de07134dd7e1f66cb2df40260a830b7b520

SHA512
3c335773a982a6f652b8481a82d70983f4d7a64ea9a699c2fbf370413124770bcd6ee629057aa9478ba37125e88e2d8a68a1a50ade95c27722fcc631b4dee4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\14141.exe

Filesize
267KB

MD5
58ccd490229a6eb997fd8bfa74dee077

SHA1
4549c5bb4694a8809a3effcef814948b488840a1

SHA256
5d7b46092d913f01673161204b22b835a48bf40f110ecb2ba82d59e42d74adc7

SHA512
4dd52eb64ddcc24fc20cecea268b111c6aaddb2917618b7a448e0786d9c9342e190c1735ad66c08811bc3b47679851a29d3f9f6ac1d5a6a249a8ad0b45626ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\14141.exe

Filesize
267KB

MD5
58ccd490229a6eb997fd8bfa74dee077

SHA1
4549c5bb4694a8809a3effcef814948b488840a1

SHA256
5d7b46092d913f01673161204b22b835a48bf40f110ecb2ba82d59e42d74adc7

SHA512
4dd52eb64ddcc24fc20cecea268b111c6aaddb2917618b7a448e0786d9c9342e190c1735ad66c08811bc3b47679851a29d3f9f6ac1d5a6a249a8ad0b45626ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\Player3.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\Player3.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000027001\huf6dcojjmd.exe

Filesize
515KB

MD5
03d393d1b4d0d817d03a758cd024a654

SHA1
830012a33021b7775084a28502af40863c6beb21

SHA256
aaaceb896a7a8b0aa3c1946d93762420965c4328cfab43310f084813fec44afb

SHA512
eaaf0956fb20b00d3dbfa2df4ec2e25a5e2280e2d6f757e2669c4e91a602decb1e97ee37a5ce35aeec70421b40147a8b65313c98132895aece6f47b242c765ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000027001\huf6dcojjmd.exe

Filesize
515KB

MD5
03d393d1b4d0d817d03a758cd024a654

SHA1
830012a33021b7775084a28502af40863c6beb21

SHA256
aaaceb896a7a8b0aa3c1946d93762420965c4328cfab43310f084813fec44afb

SHA512
eaaf0956fb20b00d3dbfa2df4ec2e25a5e2280e2d6f757e2669c4e91a602decb1e97ee37a5ce35aeec70421b40147a8b65313c98132895aece6f47b242c765ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000028001\ztf9phdgi2oi7q.exe

Filesize
445KB

MD5
25dbc9fb9f4d6dcbba5f528f4780de04

SHA1
95dd10a0166683dd10efd0cabca2c7c4a9df4bbb

SHA256
88aa85f63ddbcfa1204202633336d60f9ac6e37510794be230bcfc64a50f243f

SHA512
a2dc07ac76cac145d77dac104b0b59bb824fcb9df859380f975df62c99043500ddd8cef1d66bc712fb8efd6d32d084324d02f83a41b60b7aa9ae39cad489e06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000028001\ztf9phdgi2oi7q.exe

Filesize
445KB

MD5
25dbc9fb9f4d6dcbba5f528f4780de04

SHA1
95dd10a0166683dd10efd0cabca2c7c4a9df4bbb

SHA256
88aa85f63ddbcfa1204202633336d60f9ac6e37510794be230bcfc64a50f243f

SHA512
a2dc07ac76cac145d77dac104b0b59bb824fcb9df859380f975df62c99043500ddd8cef1d66bc712fb8efd6d32d084324d02f83a41b60b7aa9ae39cad489e06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000029001\qiv1ow16wzuw.exe

Filesize
667KB

MD5
1125d277ccde4c5fea05e9b784107388

SHA1
33a6701d158fdf233d9551d949fee2b1eefa31f4

SHA256
156da573614eadb656348d9ac7af4de07134dd7e1f66cb2df40260a830b7b520

SHA512
3c335773a982a6f652b8481a82d70983f4d7a64ea9a699c2fbf370413124770bcd6ee629057aa9478ba37125e88e2d8a68a1a50ade95c27722fcc631b4dee4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000029001\qiv1ow16wzuw.exe

Filesize
667KB

MD5
1125d277ccde4c5fea05e9b784107388

SHA1
33a6701d158fdf233d9551d949fee2b1eefa31f4

SHA256
156da573614eadb656348d9ac7af4de07134dd7e1f66cb2df40260a830b7b520

SHA512
3c335773a982a6f652b8481a82d70983f4d7a64ea9a699c2fbf370413124770bcd6ee629057aa9478ba37125e88e2d8a68a1a50ade95c27722fcc631b4dee4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000032001\tcg05w40u9.exe

Filesize
515KB

MD5
3e53ae172be6a897d35f92c6572b06d5

SHA1
6d74b1913de885d5ec43b1d44f8a2a2c09ad5693

SHA256
57d08937a405243dd23e7c3666c53b5f2573639eb2c4f6bfa5b23e9c611392a1

SHA512
a79ad1ac78b25c9d029df6eec00d4459977db854755837691330c944e46668865061211e099f78d3e4f9ca4935b700402281f23383bf787d4bbbb6a87ca1bd8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000032001\tcg05w40u9.exe

Filesize
515KB

MD5
3e53ae172be6a897d35f92c6572b06d5

SHA1
6d74b1913de885d5ec43b1d44f8a2a2c09ad5693

SHA256
57d08937a405243dd23e7c3666c53b5f2573639eb2c4f6bfa5b23e9c611392a1

SHA512
a79ad1ac78b25c9d029df6eec00d4459977db854755837691330c944e46668865061211e099f78d3e4f9ca4935b700402281f23383bf787d4bbbb6a87ca1bd8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000034001\pb1111.exe

Filesize
3.5MB

MD5
3517aaa63e57ebc51421fd6266ec09a6

SHA1
49469a3ea738cb2f79723913a52f263f6e217d40

SHA256
c5cbf5c1b551dec1326505e5a0ea4d298d19a53ce0c6197df9de8f57980bbd88

SHA512
7c8d19c0d4fb64d5851ca765a3797250605240b5e13ffbd485e042dbe612136da5a1b42b0dafd631f18ca1c102cda2580ad4289a6d5d3365b589030e30b5f511

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000034001\pb1111.exe

Filesize
3.5MB

MD5
3517aaa63e57ebc51421fd6266ec09a6

SHA1
49469a3ea738cb2f79723913a52f263f6e217d40

SHA256
c5cbf5c1b551dec1326505e5a0ea4d298d19a53ce0c6197df9de8f57980bbd88

SHA512
7c8d19c0d4fb64d5851ca765a3797250605240b5e13ffbd485e042dbe612136da5a1b42b0dafd631f18ca1c102cda2580ad4289a6d5d3365b589030e30b5f511

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000035001\Amadey.exe

Filesize
246KB

MD5
54d77d83a9d14719645848a53a9295a6

SHA1
4e04bb8cd980f568df05b92a894b50cb1f5258b4

SHA256
2073406f740a15b0bcdc15b30d558dd7155fff533508247b4304b32d04c7ea85

SHA512
9ea89676aa993b0def9be6870bea7452ea38e0781e561b8484488a91705e9f1fbaee048ed7a7826f782e6f418708151cf9ac96184fc18771764fe97d2918ce9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000035001\Amadey.exe

Filesize
246KB

MD5
54d77d83a9d14719645848a53a9295a6

SHA1
4e04bb8cd980f568df05b92a894b50cb1f5258b4

SHA256
2073406f740a15b0bcdc15b30d558dd7155fff533508247b4304b32d04c7ea85

SHA512
9ea89676aa993b0def9be6870bea7452ea38e0781e561b8484488a91705e9f1fbaee048ed7a7826f782e6f418708151cf9ac96184fc18771764fe97d2918ce9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000035001\random.exe

Filesize
160KB

MD5
b9363486500e209c05f97330226bbf8a

SHA1
bfe2d0072d09b30ec66dee072dde4e7af26e4633

SHA256
01138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35

SHA512
6d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000035001\random.exe

Filesize
160KB

MD5
b9363486500e209c05f97330226bbf8a

SHA1
bfe2d0072d09b30ec66dee072dde4e7af26e4633

SHA256
01138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35

SHA512
6d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000035001\random.exe

Filesize
160KB

MD5
b9363486500e209c05f97330226bbf8a

SHA1
bfe2d0072d09b30ec66dee072dde4e7af26e4633

SHA256
01138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35

SHA512
6d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000036001\handdiy_1.exe

Filesize
1.4MB

MD5
bd2a8b80c04d3c539fec8d51610f01af

SHA1
3ca7b135f654fc478525e8597c96f611f25baff5

SHA256
f6fe9151f8017272ce7e97a709bbcc822b302dc46b6ce62b2abb2bd9a38e5cd0

SHA512
f87c2677b26d844a238bdb97c0d26d6239f980e141261b1f27a68805b44987182cd6c4cf9df36421f1a6e525f790cfc414bd9efefe03b7c4ffc3c94b31865718

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000036001\handdiy_1.exe

Filesize
1.4MB

MD5
bd2a8b80c04d3c539fec8d51610f01af

SHA1
3ca7b135f654fc478525e8597c96f611f25baff5

SHA256
f6fe9151f8017272ce7e97a709bbcc822b302dc46b6ce62b2abb2bd9a38e5cd0

SHA512
f87c2677b26d844a238bdb97c0d26d6239f980e141261b1f27a68805b44987182cd6c4cf9df36421f1a6e525f790cfc414bd9efefe03b7c4ffc3c94b31865718

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000036001\lbcr.exe

Filesize
193KB

MD5
0bfcb2a4ad4975ee352cf455ccbbb9a7

SHA1
9333b2b05821edffe504039afa7e30245b93def2

SHA256
29186fc94bec8aab709cd3a8eeb154cb6c03b1594502f70c0a40a38940f85474

SHA512
80d6487735ca737e9bb1d1d80b4b1733432e60fe5828a0102ff150a6bd425fada8ae40505f81c73ceb22224acbccf3075edb6c12168dd5e80caff8e4629ab93b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000036001\lbcr.exe

Filesize
193KB

MD5
0bfcb2a4ad4975ee352cf455ccbbb9a7

SHA1
9333b2b05821edffe504039afa7e30245b93def2

SHA256
29186fc94bec8aab709cd3a8eeb154cb6c03b1594502f70c0a40a38940f85474

SHA512
80d6487735ca737e9bb1d1d80b4b1733432e60fe5828a0102ff150a6bd425fada8ae40505f81c73ceb22224acbccf3075edb6c12168dd5e80caff8e4629ab93b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000036001\lbcr.exe

Filesize
193KB

MD5
0bfcb2a4ad4975ee352cf455ccbbb9a7

SHA1
9333b2b05821edffe504039afa7e30245b93def2

SHA256
29186fc94bec8aab709cd3a8eeb154cb6c03b1594502f70c0a40a38940f85474

SHA512
80d6487735ca737e9bb1d1d80b4b1733432e60fe5828a0102ff150a6bd425fada8ae40505f81c73ceb22224acbccf3075edb6c12168dd5e80caff8e4629ab93b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000038001\bhada.exe

Filesize
515KB

MD5
a0a2821ad9d549d75e1f828d4945ee94

SHA1
d7514ff9cc8b3a4a275dbc874bea4149e97849fa

SHA256
5a96f601e3986178a0ec0a223261e9dabe79e3c50695b108e3e89c207af5036f

SHA512
01235c70360650bb5cdf98ccecc1541b4707f54eff590a5902da9b64cb137bf572e71db57036cd2bf4c065fa5f7322ed25a9799b96121a1e880d2dfae8c336e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000038001\bhada.exe

Filesize
515KB

MD5
a0a2821ad9d549d75e1f828d4945ee94

SHA1
d7514ff9cc8b3a4a275dbc874bea4149e97849fa

SHA256
5a96f601e3986178a0ec0a223261e9dabe79e3c50695b108e3e89c207af5036f

SHA512
01235c70360650bb5cdf98ccecc1541b4707f54eff590a5902da9b64cb137bf572e71db57036cd2bf4c065fa5f7322ed25a9799b96121a1e880d2dfae8c336e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000039001\ztf9phdgi2oi7q.exe

Filesize
445KB

MD5
25dbc9fb9f4d6dcbba5f528f4780de04

SHA1
95dd10a0166683dd10efd0cabca2c7c4a9df4bbb

SHA256
88aa85f63ddbcfa1204202633336d60f9ac6e37510794be230bcfc64a50f243f

SHA512
a2dc07ac76cac145d77dac104b0b59bb824fcb9df859380f975df62c99043500ddd8cef1d66bc712fb8efd6d32d084324d02f83a41b60b7aa9ae39cad489e06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000039001\ztf9phdgi2oi7q.exe

Filesize
445KB

MD5
25dbc9fb9f4d6dcbba5f528f4780de04

SHA1
95dd10a0166683dd10efd0cabca2c7c4a9df4bbb

SHA256
88aa85f63ddbcfa1204202633336d60f9ac6e37510794be230bcfc64a50f243f

SHA512
a2dc07ac76cac145d77dac104b0b59bb824fcb9df859380f975df62c99043500ddd8cef1d66bc712fb8efd6d32d084324d02f83a41b60b7aa9ae39cad489e06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000041001\9mbpbo6qiofdjh.exe

Filesize
515KB

MD5
260f9c5ac84352b29e45a52bc1587d4b

SHA1
2f508f9ddbad7861b8533037af74fcd0fa167214

SHA256
103f83fe1d783a7a427f59f42754725a7b6f6be6b450a429907598ff831e4a54

SHA512
85d9422b2cdc6eda1a24f2f1ff6342ad3701d566ad2ee1f3edee1d6622403ab4f4f2092c23572e78973f99c97a64a3f36fb00b1ae31d16393d9e8b93ce526816

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000041001\9mbpbo6qiofdjh.exe

Filesize
515KB

MD5
260f9c5ac84352b29e45a52bc1587d4b

SHA1
2f508f9ddbad7861b8533037af74fcd0fa167214

SHA256
103f83fe1d783a7a427f59f42754725a7b6f6be6b450a429907598ff831e4a54

SHA512
85d9422b2cdc6eda1a24f2f1ff6342ad3701d566ad2ee1f3edee1d6622403ab4f4f2092c23572e78973f99c97a64a3f36fb00b1ae31d16393d9e8b93ce526816

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000046001\AntiVirus.exe

Filesize
444KB

MD5
3d94454db911af846b7fab5df51c980c

SHA1
5a24d06d338481a821486aa5ba829f3e502bed47

SHA256
1dfbea7dfa2a6feec6e27b1e1d39169aeece1a4a716f08fc7726d0a08fc567cc

SHA512
39a30de87c87de1fe0d2ff787a6c3a5005f7ca5d5eb9c4c1efb4ea124fedab85d683bb4f33d3a2e93e91fd105f0b1242a199d9c953c22bb5548f6e81ce65e120

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000046001\AntiVirus.exe

Filesize
444KB

MD5
3d94454db911af846b7fab5df51c980c

SHA1
5a24d06d338481a821486aa5ba829f3e502bed47

SHA256
1dfbea7dfa2a6feec6e27b1e1d39169aeece1a4a716f08fc7726d0a08fc567cc

SHA512
39a30de87c87de1fe0d2ff787a6c3a5005f7ca5d5eb9c4c1efb4ea124fedab85d683bb4f33d3a2e93e91fd105f0b1242a199d9c953c22bb5548f6e81ce65e120

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000050001\msve.exe

Filesize
298KB

MD5
a59bceac202bda4b2704b379d3eb89f0

SHA1
e543b2304dfa578dd6de07e743487a29dd92cbb2

SHA256
6f3491d165ac055811596f2d64ad107247e19b333d79316c0ac96c93787c1e1a

SHA512
34160998e69bd5146e3e10d10db86d4dcc52563a1032acee0f4d4072bf23c1d3edaa169c4b42a420ff9700d63f45a3068fb4c92533ba9e75007288ae80a67ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000050001\msve.exe

Filesize
298KB

MD5
a59bceac202bda4b2704b379d3eb89f0

SHA1
e543b2304dfa578dd6de07e743487a29dd92cbb2

SHA256
6f3491d165ac055811596f2d64ad107247e19b333d79316c0ac96c93787c1e1a

SHA512
34160998e69bd5146e3e10d10db86d4dcc52563a1032acee0f4d4072bf23c1d3edaa169c4b42a420ff9700d63f45a3068fb4c92533ba9e75007288ae80a67ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000054001\NATEppp.exe

Filesize
515KB

MD5
c9ed0e907b985cf1b07f4e7b97f6d0da

SHA1
901de144d9f0f7a46000ac69d8da15679e03245d

SHA256
c44bb6e89d6d5184f6fc10a8be170ba74af12d352e6988c9cf0730004a8a3ee3

SHA512
2b88dbb4b7388736d450a6b95be3296211a530f88ad422d2e79def86f7cb4cbc21847161c610ed85a553519b98748bdf9832c2ef882ee5255a52878d5f362080

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000054001\NATEppp.exe

Filesize
515KB

MD5
c9ed0e907b985cf1b07f4e7b97f6d0da

SHA1
901de144d9f0f7a46000ac69d8da15679e03245d

SHA256
c44bb6e89d6d5184f6fc10a8be170ba74af12d352e6988c9cf0730004a8a3ee3

SHA512
2b88dbb4b7388736d450a6b95be3296211a530f88ad422d2e79def86f7cb4cbc21847161c610ed85a553519b98748bdf9832c2ef882ee5255a52878d5f362080

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\727358c059\nbveek.exe

Filesize
267KB

MD5
58ccd490229a6eb997fd8bfa74dee077

SHA1
4549c5bb4694a8809a3effcef814948b488840a1

SHA256
5d7b46092d913f01673161204b22b835a48bf40f110ecb2ba82d59e42d74adc7

SHA512
4dd52eb64ddcc24fc20cecea268b111c6aaddb2917618b7a448e0786d9c9342e190c1735ad66c08811bc3b47679851a29d3f9f6ac1d5a6a249a8ad0b45626ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\727358c059\nbveek.exe

Filesize
267KB

MD5
58ccd490229a6eb997fd8bfa74dee077

SHA1
4549c5bb4694a8809a3effcef814948b488840a1

SHA256
5d7b46092d913f01673161204b22b835a48bf40f110ecb2ba82d59e42d74adc7

SHA512
4dd52eb64ddcc24fc20cecea268b111c6aaddb2917618b7a448e0786d9c9342e190c1735ad66c08811bc3b47679851a29d3f9f6ac1d5a6a249a8ad0b45626ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

Filesize
235KB

MD5
9630e11f88c832c3c7a5da18ef9cc0ac

SHA1
5bfadbe22a7b3a1db3cb5a7f2ec224f4e44c7bd0

SHA256
2c25b70f08a34cc52989882c4715854c4f488dacfa2c4a615ce5f8c265b21862

SHA512
da94fdf546709e7f18af019cd92e23af81d161b9e2730b65719381da052320191d957db16d06b26021f8de686a7fb6b20d9715fe7e64a0c7063a6b3051dab4cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

Filesize
235KB

MD5
9630e11f88c832c3c7a5da18ef9cc0ac

SHA1
5bfadbe22a7b3a1db3cb5a7f2ec224f4e44c7bd0

SHA256
2c25b70f08a34cc52989882c4715854c4f488dacfa2c4a615ce5f8c265b21862

SHA512
da94fdf546709e7f18af019cd92e23af81d161b9e2730b65719381da052320191d957db16d06b26021f8de686a7fb6b20d9715fe7e64a0c7063a6b3051dab4cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

Filesize
235KB

MD5
9630e11f88c832c3c7a5da18ef9cc0ac

SHA1
5bfadbe22a7b3a1db3cb5a7f2ec224f4e44c7bd0

SHA256
2c25b70f08a34cc52989882c4715854c4f488dacfa2c4a615ce5f8c265b21862

SHA512
da94fdf546709e7f18af019cd92e23af81d161b9e2730b65719381da052320191d957db16d06b26021f8de686a7fb6b20d9715fe7e64a0c7063a6b3051dab4cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
0b35335b70b96d31633d0caa207d71f9

SHA1
996c7804fe4d85025e2bd7ea8aa5e33c71518f84

SHA256
ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6

SHA512
ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll

Filesize
1.0MB

MD5
2c4e958144bd089aa93a564721ed28bb

SHA1
38ef85f66b7fdc293661e91ba69f31598c5b5919

SHA256
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855

SHA512
a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.0MB

MD5
6554ed243a87f709ed65ef09bab598b2

SHA1
3dbe3e9877a4dcd179356bb342c6c8bce3a4f5da

SHA256
663c3fca0878472db0ecd4ec4fdc67690c1de08fa5c228e1911b6278cf83a0a6

SHA512
c0cbc4a70d3e1efe26c3b816b602d77f92a1c3605d543db36f33dfc9f6ecf2031e7a287abf02146aa0573e99ce6ee84e47463145fefd2ca4c8cd4d87ba8e8e39

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.0MB

MD5
6554ed243a87f709ed65ef09bab598b2

SHA1
3dbe3e9877a4dcd179356bb342c6c8bce3a4f5da

SHA256
663c3fca0878472db0ecd4ec4fdc67690c1de08fa5c228e1911b6278cf83a0a6

SHA512
c0cbc4a70d3e1efe26c3b816b602d77f92a1c3605d543db36f33dfc9f6ecf2031e7a287abf02146aa0573e99ce6ee84e47463145fefd2ca4c8cd4d87ba8e8e39

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.0MB

MD5
6554ed243a87f709ed65ef09bab598b2

SHA1
3dbe3e9877a4dcd179356bb342c6c8bce3a4f5da

SHA256
663c3fca0878472db0ecd4ec4fdc67690c1de08fa5c228e1911b6278cf83a0a6

SHA512
c0cbc4a70d3e1efe26c3b816b602d77f92a1c3605d543db36f33dfc9f6ecf2031e7a287abf02146aa0573e99ce6ee84e47463145fefd2ca4c8cd4d87ba8e8e39

Download Submit
memory/732-304-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/732-343-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/732-313-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/732-315-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/876-348-0x00000000020E0000-0x000000000212B000-memory.dmp

Filesize
300KB

Download
memory/876-349-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/876-354-0x00000000005C0000-0x00000000005EE000-memory.dmp

Filesize
184KB

Download
memory/876-347-0x00000000005C0000-0x00000000005EE000-memory.dmp

Filesize
184KB

Download
memory/1612-172-0x0000000000400000-0x0000000002BAB000-memory.dmp

Filesize
39.7MB

Download
memory/1612-341-0x0000000000400000-0x0000000002BAB000-memory.dmp

Filesize
39.7MB

Download
memory/1612-170-0x0000000002E18000-0x0000000002E38000-memory.dmp

Filesize
128KB

Download
memory/1612-332-0x0000000002E18000-0x0000000002E38000-memory.dmp

Filesize
128KB

Download
memory/1612-179-0x0000000002E18000-0x0000000002E38000-memory.dmp

Filesize
128KB

Download
memory/1612-171-0x00000000047A0000-0x00000000047DF000-memory.dmp

Filesize
252KB

Download
memory/1644-320-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1648-351-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1928-328-0x0000000000940000-0x0000000000990000-memory.dmp

Filesize
320KB

Download
memory/2276-350-0x0000000000B50000-0x0000000000B82000-memory.dmp

Filesize
200KB

Download
memory/2540-180-0x0000000006600000-0x0000000006676000-memory.dmp

Filesize
472KB

Download
memory/2540-168-0x0000000000C80000-0x0000000000CB2000-memory.dmp

Filesize
200KB

Download
memory/2744-355-0x00000000023A6000-0x0000000002550000-memory.dmp

Filesize
1.7MB

Download
memory/2744-356-0x0000000002660000-0x0000000002A30000-memory.dmp

Filesize
3.8MB

Download
memory/2744-357-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3468-146-0x0000000000BB0000-0x0000000000BE2000-memory.dmp

Filesize
200KB

Download
memory/3468-183-0x0000000007EB0000-0x0000000008072000-memory.dmp

Filesize
1.8MB

Download
memory/3468-164-0x00000000086E0000-0x000000000871C000-memory.dmp

Filesize
240KB

Download
memory/3468-160-0x0000000007AE0000-0x0000000007AF2000-memory.dmp

Filesize
72KB

Download
memory/3468-156-0x0000000006240000-0x0000000006858000-memory.dmp

Filesize
6.1MB

Download
memory/3468-159-0x0000000007BD0000-0x0000000007CDA000-memory.dmp

Filesize
1.0MB

Download
memory/3468-187-0x0000000009CC0000-0x000000000A1EC000-memory.dmp

Filesize
5.2MB

Download
memory/3576-224-0x0000000140000000-0x000000014061E000-memory.dmp

Filesize
6.1MB

Download
memory/3656-346-0x0000000000400000-0x0000000002BD7000-memory.dmp

Filesize
39.8MB

Download
memory/3656-353-0x0000000000400000-0x0000000002BD7000-memory.dmp

Filesize
39.8MB

Download
memory/3656-352-0x0000000002C98000-0x0000000002CE3000-memory.dmp

Filesize
300KB

Download
memory/3656-345-0x00000000047F0000-0x000000000484B000-memory.dmp

Filesize
364KB

Download
memory/3656-344-0x0000000002C98000-0x0000000002CE3000-memory.dmp

Filesize
300KB

Download
memory/3764-206-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4052-262-0x0000000000B10000-0x0000000000B46000-memory.dmp

Filesize
216KB

Download
memory/4144-247-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4228-334-0x0000000002F38000-0x0000000002F58000-memory.dmp

Filesize
128KB

Download
memory/4228-300-0x0000000002F38000-0x0000000002F58000-memory.dmp

Filesize
128KB

Download
memory/4228-301-0x0000000002CF0000-0x0000000002D2F000-memory.dmp

Filesize
252KB

Download
memory/4228-303-0x0000000000400000-0x0000000002BAB000-memory.dmp

Filesize
39.7MB

Download
memory/4232-266-0x0000000000600000-0x0000000000632000-memory.dmp

Filesize
200KB

Download
memory/4260-335-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4528-157-0x0000000005760000-0x0000000005D04000-memory.dmp

Filesize
5.6MB

Download
memory/4528-176-0x00000000068F0000-0x000000000698C000-memory.dmp

Filesize
624KB

Download
memory/4528-151-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4528-169-0x00000000062F0000-0x0000000006382000-memory.dmp

Filesize
584KB

Download
memory/4528-174-0x0000000006700000-0x0000000006750000-memory.dmp

Filesize
320KB

Download
memory/4528-158-0x00000000051B0000-0x0000000005216000-memory.dmp

Filesize
408KB

Download
memory/4872-228-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4872-239-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download