amadey | 4fe523babbfae3a14393d7b07afbbfc13be4f5084dba9588adb38913b3527c36

Analysis

max time kernel
151s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-01-2023 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fe523babbfae3a14393d7b07afbbfc13be4f5084dba9588adb38913b3527c36.exe
Size

4.8MB
MD5

8269702edacf7c4e3ac06a8b94039e53
SHA1

517837b65db61f5313a34bb2f7d78d4c0a571594
SHA256

4fe523babbfae3a14393d7b07afbbfc13be4f5084dba9588adb38913b3527c36
SHA512

0b8094710eb6e263e4c88916fece32849a528db30d8b74b5cae201c12c2fdf8556e207531d7c3b59c2248928dc523f24c68def28ab1279fab3ce762ac6301c7d
SSDEEP

98304:e0bkY51aSiMu1aRYM7Sz0VVhE5gJ+kmpvxQxkQ8v3os0:sY51a4w59zv5DkmpG2Q8Pj0

Score

10^/10

amadey dcrat raccoon smokeloader 04f8fa0bf52b1b98a127f6deeac54f84 backdoor collection discovery infostealer rat spyware stealer trojan vmprotect

Malware Config

Extracted

Family

amadey

Version

3.65

77.73.134.27/8bmdh3Slb2/index.php

Extracted

Family

raccoon

Botnet

04f8fa0bf52b1b98a127f6deeac54f84

http://94.131.3.70/

http://83.217.11.11/

http://83.217.11.13/

http://83.217.11.14/

http://45.15.156.222/

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4472-178-0x00000000004F0000-0x00000000004F9000-memory.dmp	family_smokeloader

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3692 2720 rundll32.exe
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

63 3584 rundll32.exe
Downloads MZ/PE file

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	2720	rundll32.exe

flow	pid	process
63	3584	rundll32.exe

Executes dropped EXE 10 IoCs

Processes:

pb1111.exeliuyuzhen.exePlayer3.exeChromeSetup.exebirges.exenbveek.exeliuyuzhen.exenbveek.exe7B1.exenbveek.exe

pid	process
4088	pb1111.exe
4612	liuyuzhen.exe
816	Player3.exe
4472	ChromeSetup.exe
2980	birges.exe
4124	nbveek.exe
1316	liuyuzhen.exe
2852	nbveek.exe
2916	7B1.exe
2236	nbveek.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\pb1111.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\pb1111.exe	vmprotect
behavioral1/memory/4088-141-0x0000000140000000-0x0000000140618000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Player3.exeliuyuzhen.exenbveek.exe4fe523babbfae3a14393d7b07afbbfc13be4f5084dba9588adb38913b3527c36.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	Player3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	liuyuzhen.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	nbveek.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	4fe523babbfae3a14393d7b07afbbfc13be4f5084dba9588adb38913b3527c36.exe

Loads dropped DLL 5 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

pid process

2492 rundll32.exe
3584 rundll32.exe
3584 rundll32.exe
4992 rundll32.exe
2112 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2492	rundll32.exe
3584	rundll32.exe
3584	rundll32.exe
4992	rundll32.exe
2112	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

birges.exerundll32.exe

description	pid	process	target process
PID 2980 set thread context of 5088	2980	birges.exe	jsc.exe
PID 3584 set thread context of 1280	3584	rundll32.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

3472 2492 WerFault.exe rundll32.exe
3764 2916 WerFault.exe 7B1.exe
1404 2112 WerFault.exe rundll32.exe

pid	pid_target	process	target process
3472	2492	WerFault.exe	rundll32.exe
3764	2916	WerFault.exe	7B1.exe
1404	2112	WerFault.exe	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ChromeSetup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ChromeSetup.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ChromeSetup.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ChromeSetup.exe

Checks processor information in registry 2 TTPs 27 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3444 schtasks.exe

pid	process
3444	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000003e56b13d100054656d7000003a0009000400efbe6b557d6c3e56b13d2e000000000000000000000000000000000000000000000000006de54900540065006d007000000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 14 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

964

description	flow	ioc
HTTP User-Agent header	14	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
964

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

birges.exeChromeSetup.exe

pid	process
2980	birges.exe
2980	birges.exe
2980	birges.exe
2980	birges.exe
2980	birges.exe
2980	birges.exe
2980	birges.exe
2980	birges.exe
2980	birges.exe
2980	birges.exe
2980	birges.exe
2980	birges.exe
2980	birges.exe
2980	birges.exe
2980	birges.exe
2980	birges.exe
2980	birges.exe
2980	birges.exe
2980	birges.exe
2980	birges.exe
2980	birges.exe
2980	birges.exe
2980	birges.exe
2980	birges.exe
2980	birges.exe
2980	birges.exe
2980	birges.exe
2980	birges.exe
4472	ChromeSetup.exe
4472	ChromeSetup.exe
964
964
964
964
964
964
964
964
964
964
964
964
964
964
964
964
964
964
964
964
964
964
964
964
964
964
964
964
964
964
964
964
964
964

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

964
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ChromeSetup.exe

pid process

4472 ChromeSetup.exe

pid	process
964

pid	process
4472	ChromeSetup.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

birges.exerundll32.exe

description	pid	process
Token: SeDebugPrivilege	2980	birges.exe
Token: SeShutdownPrivilege	964
Token: SeCreatePagefilePrivilege	964
Token: SeShutdownPrivilege	964
Token: SeCreatePagefilePrivilege	964
Token: SeDebugPrivilege	3584	rundll32.exe
Token: SeShutdownPrivilege	964
Token: SeCreatePagefilePrivilege	964
Token: SeShutdownPrivilege	964
Token: SeCreatePagefilePrivilege	964
Token: SeShutdownPrivilege	964
Token: SeCreatePagefilePrivilege	964
Token: SeShutdownPrivilege	964
Token: SeCreatePagefilePrivilege	964
Token: SeShutdownPrivilege	964
Token: SeCreatePagefilePrivilege	964
Token: SeShutdownPrivilege	964
Token: SeCreatePagefilePrivilege	964
Token: SeShutdownPrivilege	964
Token: SeCreatePagefilePrivilege	964
Token: SeShutdownPrivilege	964
Token: SeCreatePagefilePrivilege	964
Token: SeShutdownPrivilege	964
Token: SeCreatePagefilePrivilege	964

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

rundll32.exerundll32.exe

pid process

964
964
964
964
964
964
964
964
3584 rundll32.exe
1280 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

964
964
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

964

pid	process
964
964
964
964
964
964
964
964
3584	rundll32.exe
1280	rundll32.exe

pid	process
964
964

pid	process
964

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4fe523babbfae3a14393d7b07afbbfc13be4f5084dba9588adb38913b3527c36.exePlayer3.exeliuyuzhen.exenbveek.exebirges.execmd.exe

description	pid	process	target process
PID 2700 wrote to memory of 4088	2700	4fe523babbfae3a14393d7b07afbbfc13be4f5084dba9588adb38913b3527c36.exe	pb1111.exe
PID 2700 wrote to memory of 4088	2700	4fe523babbfae3a14393d7b07afbbfc13be4f5084dba9588adb38913b3527c36.exe	pb1111.exe
PID 2700 wrote to memory of 4612	2700	4fe523babbfae3a14393d7b07afbbfc13be4f5084dba9588adb38913b3527c36.exe	liuyuzhen.exe
PID 2700 wrote to memory of 4612	2700	4fe523babbfae3a14393d7b07afbbfc13be4f5084dba9588adb38913b3527c36.exe	liuyuzhen.exe
PID 2700 wrote to memory of 4612	2700	4fe523babbfae3a14393d7b07afbbfc13be4f5084dba9588adb38913b3527c36.exe	liuyuzhen.exe
PID 2700 wrote to memory of 816	2700	4fe523babbfae3a14393d7b07afbbfc13be4f5084dba9588adb38913b3527c36.exe	Player3.exe
PID 2700 wrote to memory of 816	2700	4fe523babbfae3a14393d7b07afbbfc13be4f5084dba9588adb38913b3527c36.exe	Player3.exe
PID 2700 wrote to memory of 816	2700	4fe523babbfae3a14393d7b07afbbfc13be4f5084dba9588adb38913b3527c36.exe	Player3.exe
PID 2700 wrote to memory of 4472	2700	4fe523babbfae3a14393d7b07afbbfc13be4f5084dba9588adb38913b3527c36.exe	ChromeSetup.exe
PID 2700 wrote to memory of 4472	2700	4fe523babbfae3a14393d7b07afbbfc13be4f5084dba9588adb38913b3527c36.exe	ChromeSetup.exe
PID 2700 wrote to memory of 4472	2700	4fe523babbfae3a14393d7b07afbbfc13be4f5084dba9588adb38913b3527c36.exe	ChromeSetup.exe
PID 2700 wrote to memory of 2980	2700	4fe523babbfae3a14393d7b07afbbfc13be4f5084dba9588adb38913b3527c36.exe	birges.exe
PID 2700 wrote to memory of 2980	2700	4fe523babbfae3a14393d7b07afbbfc13be4f5084dba9588adb38913b3527c36.exe	birges.exe
PID 816 wrote to memory of 4124	816	Player3.exe	nbveek.exe
PID 816 wrote to memory of 4124	816	Player3.exe	nbveek.exe
PID 816 wrote to memory of 4124	816	Player3.exe	nbveek.exe
PID 4612 wrote to memory of 1316	4612	liuyuzhen.exe	liuyuzhen.exe
PID 4612 wrote to memory of 1316	4612	liuyuzhen.exe	liuyuzhen.exe
PID 4612 wrote to memory of 1316	4612	liuyuzhen.exe	liuyuzhen.exe
PID 4124 wrote to memory of 3444	4124	nbveek.exe	schtasks.exe
PID 4124 wrote to memory of 3444	4124	nbveek.exe	schtasks.exe
PID 4124 wrote to memory of 3444	4124	nbveek.exe	schtasks.exe
PID 4124 wrote to memory of 3156	4124	nbveek.exe	cmd.exe
PID 4124 wrote to memory of 3156	4124	nbveek.exe	cmd.exe
PID 4124 wrote to memory of 3156	4124	nbveek.exe	cmd.exe
PID 2980 wrote to memory of 2108	2980	birges.exe	InstallUtil.exe
PID 2980 wrote to memory of 2108	2980	birges.exe	InstallUtil.exe
PID 2980 wrote to memory of 3528	2980	birges.exe	RegSvcs.exe
PID 2980 wrote to memory of 3528	2980	birges.exe	RegSvcs.exe
PID 2980 wrote to memory of 2352	2980	birges.exe	CasPol.exe
PID 2980 wrote to memory of 2352	2980	birges.exe	CasPol.exe
PID 2980 wrote to memory of 1516	2980	birges.exe	DataSvcUtil.exe
PID 2980 wrote to memory of 1516	2980	birges.exe	DataSvcUtil.exe
PID 2980 wrote to memory of 1784	2980	birges.exe	ngentask.exe
PID 2980 wrote to memory of 1784	2980	birges.exe	ngentask.exe
PID 2980 wrote to memory of 1560	2980	birges.exe	AppLaunch.exe
PID 2980 wrote to memory of 1560	2980	birges.exe	AppLaunch.exe
PID 2980 wrote to memory of 3900	2980	birges.exe	mscorsvw.exe
PID 2980 wrote to memory of 3900	2980	birges.exe	mscorsvw.exe
PID 2980 wrote to memory of 2220	2980	birges.exe	aspnet_regbrowsers.exe
PID 2980 wrote to memory of 2220	2980	birges.exe	aspnet_regbrowsers.exe
PID 2980 wrote to memory of 3608	2980	birges.exe	aspnet_regiis.exe
PID 2980 wrote to memory of 3608	2980	birges.exe	aspnet_regiis.exe
PID 2980 wrote to memory of 2044	2980	birges.exe	AddInUtil.exe
PID 2980 wrote to memory of 2044	2980	birges.exe	AddInUtil.exe
PID 2980 wrote to memory of 4308	2980	birges.exe	dfsvc.exe
PID 2980 wrote to memory of 4308	2980	birges.exe	dfsvc.exe
PID 2980 wrote to memory of 4340	2980	birges.exe	WsatConfig.exe
PID 2980 wrote to memory of 4340	2980	birges.exe	WsatConfig.exe
PID 2980 wrote to memory of 4896	2980	birges.exe	ComSvcConfig.exe
PID 2980 wrote to memory of 4896	2980	birges.exe	ComSvcConfig.exe
PID 2980 wrote to memory of 4028	2980	birges.exe	ilasm.exe
PID 2980 wrote to memory of 4028	2980	birges.exe	ilasm.exe
PID 2980 wrote to memory of 5088	2980	birges.exe	jsc.exe
PID 2980 wrote to memory of 5088	2980	birges.exe	jsc.exe
PID 2980 wrote to memory of 5088	2980	birges.exe	jsc.exe
PID 2980 wrote to memory of 5088	2980	birges.exe	jsc.exe
PID 2980 wrote to memory of 5088	2980	birges.exe	jsc.exe
PID 2980 wrote to memory of 5088	2980	birges.exe	jsc.exe
PID 2980 wrote to memory of 5088	2980	birges.exe	jsc.exe
PID 2980 wrote to memory of 5088	2980	birges.exe	jsc.exe
PID 2980 wrote to memory of 5088	2980	birges.exe	jsc.exe
PID 3156 wrote to memory of 2032	3156	cmd.exe	cmd.exe
PID 3156 wrote to memory of 2032	3156	cmd.exe	cmd.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\4fe523babbfae3a14393d7b07afbbfc13be4f5084dba9588adb38913b3527c36.exe
"C:\Users\Admin\AppData\Local\Temp\4fe523babbfae3a14393d7b07afbbfc13be4f5084dba9588adb38913b3527c36.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2700

C:\Users\Admin\AppData\Local\Temp\pb1111.exe
"C:\Users\Admin\AppData\Local\Temp\pb1111.exe"
2⤵
- Executes dropped EXE
PID:4088

C:\Users\Admin\AppData\Local\Temp\liuyuzhen.exe
"C:\Users\Admin\AppData\Local\Temp\liuyuzhen.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4612

C:\Users\Admin\AppData\Local\Temp\liuyuzhen.exe
"C:\Users\Admin\AppData\Local\Temp\liuyuzhen.exe" -h
3⤵
- Executes dropped EXE
PID:1316

C:\Users\Admin\AppData\Local\Temp\Player3.exe
"C:\Users\Admin\AppData\Local\Temp\Player3.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:816

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4124

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
4⤵
- Creates scheduled task(s)
PID:3444

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:3156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2032

C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:N"
5⤵
PID:4592

C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:R" /E
5⤵
PID:4596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3012

C:\Windows\SysWOW64\cacls.exe
CACLS "..\16de06bfb4" /P "Admin:N"
5⤵
PID:5052

C:\Windows\SysWOW64\cacls.exe
CACLS "..\16de06bfb4" /P "Admin:R" /E
5⤵
PID:5108

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
4⤵
- Loads dropped DLL
PID:4992

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
5⤵
- Loads dropped DLL
PID:2112

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2112 -s 680
6⤵
- Program crash
PID:1404

C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe
"C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4472

C:\Users\Admin\AppData\Local\Temp\birges.exe
"C:\Users\Admin\AppData\Local\Temp\birges.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
3⤵
PID:2108

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
3⤵
PID:3528

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
3⤵
PID:3900

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
3⤵
PID:4896

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
3⤵
PID:5088

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
3⤵
PID:4028

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
3⤵
PID:4340

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
3⤵
PID:4308

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
3⤵
PID:2044

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
3⤵
PID:3608

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
3⤵
PID:2220

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
3⤵
PID:1560

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
3⤵
PID:1784

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
3⤵
PID:1516

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
3⤵
PID:2352

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:3692

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
- Loads dropped DLL
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 600
3⤵
- Program crash
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2492 -ip 2492
1⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
1⤵
- Executes dropped EXE
PID:2852

C:\Users\Admin\AppData\Local\Temp\7B1.exe
C:\Users\Admin\AppData\Local\Temp\7B1.exe
1⤵
- Executes dropped EXE
PID:2916

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Eorppuwwrieiyod.dll,start
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- outlook_office_path
- outlook_win_path
PID:3584

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23727
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1280

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3608

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 536
2⤵
- Program crash
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2916 -ip 2916
1⤵
PID:2400

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 2112 -ip 2112
1⤵
PID:816

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4596

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
1⤵
- Executes dropped EXE
PID:2236

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7B1.exe
Filesize
3.1MB

MD5
3cdaca80f86804b2e837331a0728de3f

SHA1
a6ff93a2e3c8a324fdd38e54927f47a65d985bda

SHA256
0974600df5ce3148dbce0a102687eac7fe834fc71cd620bb40a11584bc58572a

SHA512
c2f828be4f20a0b649db4842d927556bdad6afe99cd8f9347622973e166ab78d30af1d0a549eece3a53baf3563026524e2059e7cb8229986682bb7e76cb68f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\7B1.exe
Filesize
3.1MB

MD5
3cdaca80f86804b2e837331a0728de3f

SHA1
a6ff93a2e3c8a324fdd38e54927f47a65d985bda

SHA256
0974600df5ce3148dbce0a102687eac7fe834fc71cd620bb40a11584bc58572a

SHA512
c2f828be4f20a0b649db4842d927556bdad6afe99cd8f9347622973e166ab78d30af1d0a549eece3a53baf3563026524e2059e7cb8229986682bb7e76cb68f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe
Filesize
298KB

MD5
1bf0113ca9ff16b5d8f3a7280286f37a

SHA1
c8cbb862ced7c01f45ed2ef7413c8d2eaefa6d3a

SHA256
6164128b4834ad44cc9f6cd3f5f50c38a97e07d43fc07c260f733d85abac233b

SHA512
af0561404765fef8151afb054c3fc44c2484e82af018e3e7898c2a8887552113e8f25bb772ab10163916603340b18aeb6d5085899ad810ea06a589856a6f61a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe
Filesize
298KB

MD5
1bf0113ca9ff16b5d8f3a7280286f37a

SHA1
c8cbb862ced7c01f45ed2ef7413c8d2eaefa6d3a

SHA256
6164128b4834ad44cc9f6cd3f5f50c38a97e07d43fc07c260f733d85abac233b

SHA512
af0561404765fef8151afb054c3fc44c2484e82af018e3e7898c2a8887552113e8f25bb772ab10163916603340b18aeb6d5085899ad810ea06a589856a6f61a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eorppuwwrieiyod.dll
Filesize
4.2MB

MD5
53eb3a3f2272e236334df02756467924

SHA1
ab5e9515f78f7b84c57922f34c6b012ffe1f086e

SHA256
9f66e653c044503e72f478f0255b3ac0fdfc8717b4d24c3583605b50b912782c

SHA512
890eb0cd517949254dcce421c9d2ce596d72ba6b9bfb7ba10795007d93cbde55313421c2d424fdf37ed00df58ff1dffd7329603897bda956b6ba6a317ad44870

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eorppuwwrieiyod.dll
Filesize
4.2MB

MD5
53eb3a3f2272e236334df02756467924

SHA1
ab5e9515f78f7b84c57922f34c6b012ffe1f086e

SHA256
9f66e653c044503e72f478f0255b3ac0fdfc8717b4d24c3583605b50b912782c

SHA512
890eb0cd517949254dcce421c9d2ce596d72ba6b9bfb7ba10795007d93cbde55313421c2d424fdf37ed00df58ff1dffd7329603897bda956b6ba6a317ad44870

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eorppuwwrieiyod.dll
Filesize
4.2MB

MD5
53eb3a3f2272e236334df02756467924

SHA1
ab5e9515f78f7b84c57922f34c6b012ffe1f086e

SHA256
9f66e653c044503e72f478f0255b3ac0fdfc8717b4d24c3583605b50b912782c

SHA512
890eb0cd517949254dcce421c9d2ce596d72ba6b9bfb7ba10795007d93cbde55313421c2d424fdf37ed00df58ff1dffd7329603897bda956b6ba6a317ad44870

Download Submit
C:\Users\Admin\AppData\Local\Temp\Player3.exe
Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Player3.exe
Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\birges.exe
Filesize
676KB

MD5
86f5fc4c4e892540dd55816b592e6acc

SHA1
72ddfd7b2be3c8c0f8ef61024c815f6bf9c89291

SHA256
0c346b8657a834a536575fb82a6b9ee37c738547fb2e4de821917d9131ec3fe2

SHA512
9f6b15b2aee343bc92b38a91ada6758363f10638f3447ce945fbb8422a85297542d5453aa2ba51264a257eaa13eb28665b2e17ae8735b59fd08be67a979d11aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\birges.exe
Filesize
676KB

MD5
86f5fc4c4e892540dd55816b592e6acc

SHA1
72ddfd7b2be3c8c0f8ef61024c815f6bf9c89291

SHA256
0c346b8657a834a536575fb82a6b9ee37c738547fb2e4de821917d9131ec3fe2

SHA512
9f6b15b2aee343bc92b38a91ada6758363f10638f3447ce945fbb8422a85297542d5453aa2ba51264a257eaa13eb28665b2e17ae8735b59fd08be67a979d11aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\birges.exe
Filesize
676KB

MD5
86f5fc4c4e892540dd55816b592e6acc

SHA1
72ddfd7b2be3c8c0f8ef61024c815f6bf9c89291

SHA256
0c346b8657a834a536575fb82a6b9ee37c738547fb2e4de821917d9131ec3fe2

SHA512
9f6b15b2aee343bc92b38a91ada6758363f10638f3447ce945fbb8422a85297542d5453aa2ba51264a257eaa13eb28665b2e17ae8735b59fd08be67a979d11aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat
Filesize
557KB

MD5
30d5f615722d12fdda4f378048221909

SHA1
e94e3e3a6fae8b29f0f80128761ad1b69304a7eb

SHA256
b7cb464cd0c61026ec38d89c0a041393bc9369e217303677551eec65a09d2628

SHA512
a561a224d7228ec531a966c7dbd6bc88138e2f4a1c8112e5950644f69bf3a43b1e87e03bc1b4fd5e9ca071b5a9353b18697573404602ccd51f2946faf95144c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
0b35335b70b96d31633d0caa207d71f9

SHA1
996c7804fe4d85025e2bd7ea8aa5e33c71518f84

SHA256
ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6

SHA512
ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
0b35335b70b96d31633d0caa207d71f9

SHA1
996c7804fe4d85025e2bd7ea8aa5e33c71518f84

SHA256
ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6

SHA512
ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\liuyuzhen.exe
Filesize
160KB

MD5
b9363486500e209c05f97330226bbf8a

SHA1
bfe2d0072d09b30ec66dee072dde4e7af26e4633

SHA256
01138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35

SHA512
6d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534

Download Submit
C:\Users\Admin\AppData\Local\Temp\liuyuzhen.exe
Filesize
160KB

MD5
b9363486500e209c05f97330226bbf8a

SHA1
bfe2d0072d09b30ec66dee072dde4e7af26e4633

SHA256
01138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35

SHA512
6d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534

Download Submit
C:\Users\Admin\AppData\Local\Temp\liuyuzhen.exe
Filesize
160KB

MD5
b9363486500e209c05f97330226bbf8a

SHA1
bfe2d0072d09b30ec66dee072dde4e7af26e4633

SHA256
01138f2318e59e1fe59f1eb7de3859af815ebf9a59aae1084c1a97a99319ee35

SHA512
6d06e5baeab962d85b306c72f39a82e40e22eb889867c11c406a069011155cb8901bf021f48efc98fd95340be7e9609fc11f4e24fc322dbf721e610120771534

Download Submit
C:\Users\Admin\AppData\Local\Temp\pb1111.exe
Filesize
3.5MB

MD5
12af31a83714f11103e061ac722195e0

SHA1
a0b08575934a67b38a6e12900776b4c91a4fc022

SHA256
ac371bda90a40da22f6fcf633b7ad731c9b11de21cc91ed47ab12cbe18d18ae5

SHA512
6fba6d1763520d37a6108be7253a43b3afad8133e23935fffdb98c8a1ab11d13a411a81dd3eddadefd816a452600aca85bb37c53577fcc784a777f82bb7ce218

Download Submit
C:\Users\Admin\AppData\Local\Temp\pb1111.exe
Filesize
3.5MB

MD5
12af31a83714f11103e061ac722195e0

SHA1
a0b08575934a67b38a6e12900776b4c91a4fc022

SHA256
ac371bda90a40da22f6fcf633b7ad731c9b11de21cc91ed47ab12cbe18d18ae5

SHA512
6fba6d1763520d37a6108be7253a43b3afad8133e23935fffdb98c8a1ab11d13a411a81dd3eddadefd816a452600aca85bb37c53577fcc784a777f82bb7ce218

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll
Filesize
1.0MB

MD5
2c4e958144bd089aa93a564721ed28bb

SHA1
38ef85f66b7fdc293661e91ba69f31598c5b5919

SHA256
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855

SHA512
a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll
Filesize
1.0MB

MD5
2c4e958144bd089aa93a564721ed28bb

SHA1
38ef85f66b7fdc293661e91ba69f31598c5b5919

SHA256
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855

SHA512
a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll
Filesize
1.0MB

MD5
2c4e958144bd089aa93a564721ed28bb

SHA1
38ef85f66b7fdc293661e91ba69f31598c5b5919

SHA256
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855

SHA512
a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6

Download Submit
memory/816-138-0x0000000000000000-mapping.dmp

Download
memory/1280-210-0x000001FD9A4D0000-0x000001FD9A610000-memory.dmp

Filesize
1.2MB

Download
memory/1280-209-0x000001FD9A4D0000-0x000001FD9A610000-memory.dmp

Filesize
1.2MB

Download
memory/1280-208-0x00007FF6A5836890-mapping.dmp

Download
memory/1280-212-0x00000000006C0000-0x0000000000951000-memory.dmp

Filesize
2.6MB

Download
memory/1280-213-0x000001FD98A80000-0x000001FD98D23000-memory.dmp

Filesize
2.6MB

Download
memory/1316-156-0x0000000000000000-mapping.dmp

Download
memory/2032-167-0x0000000000000000-mapping.dmp

Download
memory/2112-197-0x0000000000000000-mapping.dmp

Download
memory/2492-174-0x0000000000000000-mapping.dmp

Download
memory/2544-216-0x0000000000000000-mapping.dmp

Download
memory/2700-132-0x0000000000B90000-0x000000000106A000-memory.dmp

Filesize
4.9MB

Download
memory/2916-187-0x0000000000400000-0x0000000002E89000-memory.dmp

Filesize
42.5MB

Download
memory/2916-185-0x0000000004D93000-0x0000000005093000-memory.dmp

Filesize
3.0MB

Download
memory/2916-193-0x0000000000400000-0x0000000002E89000-memory.dmp

Filesize
42.5MB

Download
memory/2916-186-0x00000000050A0000-0x000000000545C000-memory.dmp

Filesize
3.7MB

Download
memory/2916-182-0x0000000000000000-mapping.dmp

Download
memory/2980-160-0x00007FF99E720000-0x00007FF99F1E1000-memory.dmp

Filesize
10.8MB

Download
memory/2980-149-0x0000000000000000-mapping.dmp

Download
memory/2980-152-0x000002A4708F0000-0x000002A47099C000-memory.dmp

Filesize
688KB

Download
memory/2980-165-0x00007FF99E720000-0x00007FF99F1E1000-memory.dmp

Filesize
10.8MB

Download
memory/3012-170-0x0000000000000000-mapping.dmp

Download
memory/3156-159-0x0000000000000000-mapping.dmp

Download
memory/3444-158-0x0000000000000000-mapping.dmp

Download
memory/3584-199-0x0000000003480000-0x0000000003FD1000-memory.dmp

Filesize
11.3MB

Download
memory/3584-211-0x0000000004BF5000-0x0000000004BF7000-memory.dmp

Filesize
8KB

Download
memory/3584-218-0x0000000004BF5000-0x0000000004BF7000-memory.dmp

Filesize
8KB

Download
memory/3584-215-0x0000000003480000-0x0000000003FD1000-memory.dmp

Filesize
11.3MB

Download
memory/3584-192-0x00000000021C0000-0x00000000025FC000-memory.dmp

Filesize
4.2MB

Download
memory/3584-188-0x0000000000000000-mapping.dmp

Download
memory/3584-207-0x00000000040E0000-0x0000000004220000-memory.dmp

Filesize
1.2MB

Download
memory/3584-206-0x00000000040E0000-0x0000000004220000-memory.dmp

Filesize
1.2MB

Download
memory/3584-205-0x0000000004B20000-0x0000000004C60000-memory.dmp

Filesize
1.2MB

Download
memory/3584-204-0x0000000004B20000-0x0000000004C60000-memory.dmp

Filesize
1.2MB

Download
memory/3584-203-0x00000000040E0000-0x0000000004220000-memory.dmp

Filesize
1.2MB

Download
memory/3584-202-0x00000000040E0000-0x0000000004220000-memory.dmp

Filesize
1.2MB

Download
memory/3584-201-0x0000000003480000-0x0000000003FD1000-memory.dmp

Filesize
11.3MB

Download
memory/3584-200-0x0000000003480000-0x0000000003FD1000-memory.dmp

Filesize
11.3MB

Download
memory/3608-214-0x0000000000000000-mapping.dmp

Download
memory/4088-133-0x0000000000000000-mapping.dmp

Download
memory/4088-141-0x0000000140000000-0x0000000140618000-memory.dmp

Filesize
6.1MB

Download
memory/4124-153-0x0000000000000000-mapping.dmp

Download
memory/4472-177-0x0000000000548000-0x000000000055E000-memory.dmp

Filesize
88KB

Download
memory/4472-179-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4472-180-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4472-178-0x00000000004F0000-0x00000000004F9000-memory.dmp

Filesize
36KB

Download
memory/4472-142-0x0000000000000000-mapping.dmp

Download
memory/4592-168-0x0000000000000000-mapping.dmp

Download
memory/4596-169-0x0000000000000000-mapping.dmp

Download
memory/4612-136-0x0000000000000000-mapping.dmp

Download
memory/4992-194-0x0000000000000000-mapping.dmp

Download
memory/5052-171-0x0000000000000000-mapping.dmp

Download
memory/5088-162-0x00000000004088ED-mapping.dmp

Download
memory/5088-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5088-166-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5088-164-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5108-172-0x0000000000000000-mapping.dmp

Download