djvu | b70426b39bb8cea6d9f7d30ece7f73f466ac233fa9026ba5b4d526cac58a1534

Analysis

max time kernel
132s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-02-2023 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdf79f44f760c5278cc0e232792e03ba.exe
Size

195KB
MD5

fdf79f44f760c5278cc0e232792e03ba
SHA1

c1de9c10c4c01b33d5268e7f2d4f28e4e8e303e0
SHA256

b70426b39bb8cea6d9f7d30ece7f73f466ac233fa9026ba5b4d526cac58a1534
SHA512

5f119afa4f3406a384053cdb45ffcbcde2b794fac14bca9299f33efe40ecbf35aeb447f2c04e0a88964d71082e3aa563d1903eef53e4b0849fa0ed4beb325460
SSDEEP

3072:Te3ObVtrESOLByVGW5M5GtZUQGERJtLRoDOX/jCXErD:Te3onOLIVGOzUQGERTVoqX/eXE3

Score

10^/10

djvu laplas smokeloader systembc vidar 19 backdoor clipper discovery persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

djvu

http://bihsy.com/lancer/get.php

Attributes

extension
.erop
offline_id
xVB7l5LcUtDGyghMgGsTvebrKc0RGgDXlN1BoKt1
payload_url
http://uaery.top/dl/build2.exe
http://bihsy.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-8pCGyFnOj6 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshmail.top Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0641JOsie

rsa_pubkey.plain

Extracted

Family

vidar

Version

2.4

Botnet

Attributes

profile_id
19

Extracted

Family

systembc

144.76.223.74:443

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
ad75d4e2e9636ca662a337b6e798d36159f23acfc89bbe9400d0d451bd8d69fd

Signatures

Detected Djvu ransomware 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3584-155-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/4408-156-0x0000000002320000-0x000000000243B000-memory.dmp	family_djvu
behavioral2/memory/3584-152-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3584-157-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3584-158-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3584-174-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3772-182-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3772-184-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3772-185-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3772-199-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2400-133-0x00000000006F0000-0x00000000006F9000-memory.dmp	family_smokeloader
behavioral2/memory/1128-163-0x00000000005D0000-0x00000000005D9000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

131 3300 rundll32.exe
133 3300 rundll32.exe
Downloads MZ/PE file

flow	pid	process
131	3300	rundll32.exe
133	3300	rundll32.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

build2.exe1127.exeF81.exe1127.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	build2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	1127.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	F81.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	1127.exe

Executes dropped EXE 15 IoCs

Processes:

F81.exe1127.exe160A.exe17B1.exe1A33.exe1127.exe1127.exe1127.exebuild2.exebuild3.exebuild2.exe97C1.exe106C.exemstsca.exesvcupdater.exe

pid	process
1512	F81.exe
4408	1127.exe
1128	160A.exe
1284	17B1.exe
2956	1A33.exe
3584	1127.exe
3120	1127.exe
3772	1127.exe
3328	build2.exe
3928	build3.exe
1808	build2.exe
4688	97C1.exe
4880	106C.exe
2340	mstsca.exe
2368	svcupdater.exe

Loads dropped DLL 4 IoCs

Processes:

build2.exerundll32.exe

pid process

1808 build2.exe
1808 build2.exe
3300 rundll32.exe
3300 rundll32.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

3708 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1808	build2.exe
1808	build2.exe
3300	rundll32.exe
3300	rundll32.exe

pid	process
3708	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1127.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\5073db6e-d7f0-4dea-9a9c-1160d3dae7af\\1127.exe\" --AutoStart"	1127.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

80 api.2ip.ua
81 api.2ip.ua
97 api.2ip.ua

flow	ioc
80	api.2ip.ua
81	api.2ip.ua
97	api.2ip.ua

Suspicious use of SetThreadContext 4 IoCs

Processes:

1127.exe1127.exebuild2.exerundll32.exe

description	pid	process	target process
PID 4408 set thread context of 3584	4408	1127.exe	1127.exe
PID 3120 set thread context of 3772	3120	1127.exe	1127.exe
PID 3328 set thread context of 1808	3328	build2.exe	build2.exe
PID 3300 set thread context of 4492	3300	rundll32.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2516 1284 WerFault.exe 17B1.exe
3128 1512 WerFault.exe F81.exe
3792 2956 WerFault.exe 1A33.exe
3940 4688 WerFault.exe 97C1.exe

pid	pid_target	process	target process
2516	1284	WerFault.exe	17B1.exe
3128	1512	WerFault.exe	F81.exe
3792	2956	WerFault.exe	1A33.exe
3940	4688	WerFault.exe	97C1.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

160A.exefdf79f44f760c5278cc0e232792e03ba.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	160A.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	160A.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	160A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fdf79f44f760c5278cc0e232792e03ba.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fdf79f44f760c5278cc0e232792e03ba.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fdf79f44f760c5278cc0e232792e03ba.exe

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exebuild2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

5116 schtasks.exe
4008 schtasks.exe
3656 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

112 timeout.exe

pid	process
5116	schtasks.exe
4008	schtasks.exe
3656	schtasks.exe

pid	process
112	timeout.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"

Modifies registry class 8 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fdf79f44f760c5278cc0e232792e03ba.exe

pid	process
2400	fdf79f44f760c5278cc0e232792e03ba.exe
2400	fdf79f44f760c5278cc0e232792e03ba.exe
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740
740

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

740
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

fdf79f44f760c5278cc0e232792e03ba.exe160A.exe

pid process

2400 fdf79f44f760c5278cc0e232792e03ba.exe
1128 160A.exe

pid	process
740

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	740
Token: SeCreatePagefilePrivilege	740
Token: SeShutdownPrivilege	740
Token: SeCreatePagefilePrivilege	740
Token: SeShutdownPrivilege	740
Token: SeCreatePagefilePrivilege	740
Token: SeShutdownPrivilege	740
Token: SeCreatePagefilePrivilege	740
Token: SeShutdownPrivilege	740
Token: SeCreatePagefilePrivilege	740
Token: SeShutdownPrivilege	740
Token: SeCreatePagefilePrivilege	740
Token: SeShutdownPrivilege	740
Token: SeCreatePagefilePrivilege	740
Token: SeShutdownPrivilege	740
Token: SeCreatePagefilePrivilege	740
Token: SeShutdownPrivilege	740
Token: SeCreatePagefilePrivilege	740
Token: SeShutdownPrivilege	740
Token: SeCreatePagefilePrivilege	740
Token: SeShutdownPrivilege	740
Token: SeCreatePagefilePrivilege	740
Token: SeShutdownPrivilege	740
Token: SeCreatePagefilePrivilege	740
Token: SeShutdownPrivilege	740
Token: SeCreatePagefilePrivilege	740
Token: SeShutdownPrivilege	740
Token: SeCreatePagefilePrivilege	740
Token: SeShutdownPrivilege	740
Token: SeCreatePagefilePrivilege	740
Token: SeShutdownPrivilege	740
Token: SeCreatePagefilePrivilege	740
Token: SeShutdownPrivilege	740
Token: SeCreatePagefilePrivilege	740

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

4492 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

740
740

pid	process
4492	rundll32.exe

pid	process
740
740

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1127.exe1127.exeF81.exe1127.exe1127.exebuild3.exebuild2.exebuild2.exe

description	pid	process	target process
PID 740 wrote to memory of 1512	740		F81.exe
PID 740 wrote to memory of 1512	740		F81.exe
PID 740 wrote to memory of 1512	740		F81.exe
PID 740 wrote to memory of 4408	740		1127.exe
PID 740 wrote to memory of 4408	740		1127.exe
PID 740 wrote to memory of 4408	740		1127.exe
PID 740 wrote to memory of 1128	740		160A.exe
PID 740 wrote to memory of 1128	740		160A.exe
PID 740 wrote to memory of 1128	740		160A.exe
PID 740 wrote to memory of 1284	740		17B1.exe
PID 740 wrote to memory of 1284	740		17B1.exe
PID 740 wrote to memory of 1284	740		17B1.exe
PID 740 wrote to memory of 2956	740		1A33.exe
PID 740 wrote to memory of 2956	740		1A33.exe
PID 740 wrote to memory of 2956	740		1A33.exe
PID 4408 wrote to memory of 3584	4408	1127.exe	1127.exe
PID 4408 wrote to memory of 3584	4408	1127.exe	1127.exe
PID 4408 wrote to memory of 3584	4408	1127.exe	1127.exe
PID 4408 wrote to memory of 3584	4408	1127.exe	1127.exe
PID 4408 wrote to memory of 3584	4408	1127.exe	1127.exe
PID 4408 wrote to memory of 3584	4408	1127.exe	1127.exe
PID 4408 wrote to memory of 3584	4408	1127.exe	1127.exe
PID 4408 wrote to memory of 3584	4408	1127.exe	1127.exe
PID 4408 wrote to memory of 3584	4408	1127.exe	1127.exe
PID 4408 wrote to memory of 3584	4408	1127.exe	1127.exe
PID 3584 wrote to memory of 3708	3584	1127.exe	icacls.exe
PID 3584 wrote to memory of 3708	3584	1127.exe	icacls.exe
PID 3584 wrote to memory of 3708	3584	1127.exe	icacls.exe
PID 3584 wrote to memory of 3120	3584	1127.exe	1127.exe
PID 3584 wrote to memory of 3120	3584	1127.exe	1127.exe
PID 3584 wrote to memory of 3120	3584	1127.exe	1127.exe
PID 1512 wrote to memory of 5116	1512	F81.exe	schtasks.exe
PID 1512 wrote to memory of 5116	1512	F81.exe	schtasks.exe
PID 1512 wrote to memory of 5116	1512	F81.exe	schtasks.exe
PID 3120 wrote to memory of 3772	3120	1127.exe	1127.exe
PID 3120 wrote to memory of 3772	3120	1127.exe	1127.exe
PID 3120 wrote to memory of 3772	3120	1127.exe	1127.exe
PID 3120 wrote to memory of 3772	3120	1127.exe	1127.exe
PID 3120 wrote to memory of 3772	3120	1127.exe	1127.exe
PID 3120 wrote to memory of 3772	3120	1127.exe	1127.exe
PID 3120 wrote to memory of 3772	3120	1127.exe	1127.exe
PID 3120 wrote to memory of 3772	3120	1127.exe	1127.exe
PID 3120 wrote to memory of 3772	3120	1127.exe	1127.exe
PID 3120 wrote to memory of 3772	3120	1127.exe	1127.exe
PID 3772 wrote to memory of 3328	3772	1127.exe	build2.exe
PID 3772 wrote to memory of 3328	3772	1127.exe	build2.exe
PID 3772 wrote to memory of 3328	3772	1127.exe	build2.exe
PID 3772 wrote to memory of 3928	3772	1127.exe	build3.exe
PID 3772 wrote to memory of 3928	3772	1127.exe	build3.exe
PID 3772 wrote to memory of 3928	3772	1127.exe	build3.exe
PID 3928 wrote to memory of 4008	3928	build3.exe	schtasks.exe
PID 3928 wrote to memory of 4008	3928	build3.exe	schtasks.exe
PID 3928 wrote to memory of 4008	3928	build3.exe	schtasks.exe
PID 3328 wrote to memory of 1808	3328	build2.exe	build2.exe
PID 3328 wrote to memory of 1808	3328	build2.exe	build2.exe
PID 3328 wrote to memory of 1808	3328	build2.exe	build2.exe
PID 3328 wrote to memory of 1808	3328	build2.exe	build2.exe
PID 3328 wrote to memory of 1808	3328	build2.exe	build2.exe
PID 3328 wrote to memory of 1808	3328	build2.exe	build2.exe
PID 3328 wrote to memory of 1808	3328	build2.exe	build2.exe
PID 3328 wrote to memory of 1808	3328	build2.exe	build2.exe
PID 3328 wrote to memory of 1808	3328	build2.exe	build2.exe
PID 1808 wrote to memory of 1252	1808	build2.exe	cmd.exe
PID 1808 wrote to memory of 1252	1808	build2.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\fdf79f44f760c5278cc0e232792e03ba.exe
"C:\Users\Admin\AppData\Local\Temp\fdf79f44f760c5278cc0e232792e03ba.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2400

C:\Users\Admin\AppData\Local\Temp\F81.exe
C:\Users\Admin\AppData\Local\Temp\F81.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
2⤵
- Creates scheduled task(s)
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 1028
2⤵
- Program crash
PID:3128

C:\Users\Admin\AppData\Local\Temp\1127.exe
C:\Users\Admin\AppData\Local\Temp\1127.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4408

C:\Users\Admin\AppData\Local\Temp\1127.exe
C:\Users\Admin\AppData\Local\Temp\1127.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3584

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\5073db6e-d7f0-4dea-9a9c-1160d3dae7af" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:3708

C:\Users\Admin\AppData\Local\Temp\1127.exe
"C:\Users\Admin\AppData\Local\Temp\1127.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3120

C:\Users\Admin\AppData\Local\Temp\1127.exe
"C:\Users\Admin\AppData\Local\Temp\1127.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772

C:\Users\Admin\AppData\Local\63e89778-d2d6-4f21-90e9-be11b832a9cc\build2.exe
"C:\Users\Admin\AppData\Local\63e89778-d2d6-4f21-90e9-be11b832a9cc\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3328

C:\Users\Admin\AppData\Local\63e89778-d2d6-4f21-90e9-be11b832a9cc\build2.exe
"C:\Users\Admin\AppData\Local\63e89778-d2d6-4f21-90e9-be11b832a9cc\build2.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\63e89778-d2d6-4f21-90e9-be11b832a9cc\build2.exe" & exit
7⤵
PID:1252

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:112

C:\Users\Admin\AppData\Local\63e89778-d2d6-4f21-90e9-be11b832a9cc\build3.exe
"C:\Users\Admin\AppData\Local\63e89778-d2d6-4f21-90e9-be11b832a9cc\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
6⤵
- Creates scheduled task(s)
PID:4008

C:\Users\Admin\AppData\Local\Temp\160A.exe
C:\Users\Admin\AppData\Local\Temp\160A.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1128

C:\Users\Admin\AppData\Local\Temp\17B1.exe
C:\Users\Admin\AppData\Local\Temp\17B1.exe
1⤵
- Executes dropped EXE
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 348
2⤵
- Program crash
PID:2516

C:\Users\Admin\AppData\Local\Temp\1A33.exe
C:\Users\Admin\AppData\Local\Temp\1A33.exe
1⤵
- Executes dropped EXE
PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 760
2⤵
- Program crash
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1284 -ip 1284
1⤵
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1512 -ip 1512
1⤵
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2956 -ip 2956
1⤵
PID:1132

C:\Users\Admin\AppData\Local\Temp\97C1.exe
C:\Users\Admin\AppData\Local\Temp\97C1.exe
1⤵
- Executes dropped EXE
PID:4688

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Ifdefyrywdt.dll,start
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
PID:3300

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 20174
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 480
2⤵
- Program crash
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4688 -ip 4688
1⤵
PID:3068

C:\Users\Admin\AppData\Local\Temp\106C.exe
C:\Users\Admin\AppData\Local\Temp\106C.exe
1⤵
- Executes dropped EXE
PID:4880

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:2340

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
2⤵
- Creates scheduled task(s)
PID:3656

C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
1⤵
- Executes dropped EXE
PID:2368

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
0a0b229200e844dd99e5bd4a96157dc9

SHA1
f0d9dd308e562849fba66546c08cb6868613df4d

SHA256
01bc83810123b2cf28d2a027a4201f93537daeda3f40c4ef7d83c0bd44baedda

SHA512
af4d0a4566bec38a8f1e97ee2a4daf81f1b4ef2a2893dbd09fb4b147f6c86bf37ab24959a7f5550e7c477187c825182e737d04bc6c56647e76a6c027529dac61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
95699a1d2d3132a4067cecdcbc504fca

SHA1
0491453351e9eedac59152594e9b5ff0f091b54e

SHA256
ec6eb0fbc54c26ddbc5e7a8227b657fa20e0b9d565994001273ba32ccd0c53f4

SHA512
93ea4adfa46089cd37bb40077f0c4db111f4a16ae3d312b5d35450462b6228b7cae0e57c2888386041749df2014997cec3e590e436161825a6d42e44f6f694f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
7f6cf7e253157248fdc82f8277766d34

SHA1
44bc33f1793a8e378cb0a6ed2fd0690207e4f941

SHA256
6f3ee9f5834c944e99b2f5464ef3f17ece99c358476923821b3f1b9006f885cb

SHA512
5d97127a72ed45d5c8ec8b0683acaa5ec62f28f85d2ff069e0c4af63472fbc695574c6131c02ce31dd5f8985943de2a8b8a2249bd60e03a9bffe5d36d295573b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
0e09ad1a3ca4db744679aebc1cdb0f71

SHA1
1325885385b461573cb4eea4239d16761e513097

SHA256
230390caa087fd7076ec178c0018f4e1f55303b8b1fc2f14876cbe536c46368a

SHA512
31dc37bd850f0df916dc782692bc771b544141260c453e311c63a34f37265612a2d7b863e0c4c12e5ec33dcfeb877c8f1d5248d36e7a9c5696a2bc592bc203a1

Download Submit
C:\Users\Admin\AppData\Local\5073db6e-d7f0-4dea-9a9c-1160d3dae7af\1127.exe
Filesize
706KB

MD5
46909da148de57b2d85591626aedbd76

SHA1
8000c3d7b0b33eaa538f8b0e09eff0559af06287

SHA256
0ca1867b6e512a1e78d8a00cecf4fdc09b665b31f9af122c78ee4a1e5de5a692

SHA512
c3a4c1392e9300c5a9255a8bec4757d8244023f5353d693a9e7a1496da92f1b90482f9201035ab07b669c228f8bedbe467f5c54bfb8f4d50c90350b0f2076603

Download Submit
C:\Users\Admin\AppData\Local\63e89778-d2d6-4f21-90e9-be11b832a9cc\build2.exe
Filesize
422KB

MD5
0b622eb410bfb32c5fa7b45eb3c116d2

SHA1
606d111174079e4d784e95f285805f14116e6d63

SHA256
9b7b45434353b99f97d33f44e225e71b9c164cd21ae56335c078cca20ae29c1d

SHA512
ffc1c0caf526c598624845c4d15df2fd68309f8027373c971ed7405f1bda52e89db6b936ce11937d038c3c1a2dba4fcbc70ba8f28d8d1aa4bf4325f08a6a61c4

Download Submit
C:\Users\Admin\AppData\Local\63e89778-d2d6-4f21-90e9-be11b832a9cc\build2.exe
Filesize
422KB

MD5
0b622eb410bfb32c5fa7b45eb3c116d2

SHA1
606d111174079e4d784e95f285805f14116e6d63

SHA256
9b7b45434353b99f97d33f44e225e71b9c164cd21ae56335c078cca20ae29c1d

SHA512
ffc1c0caf526c598624845c4d15df2fd68309f8027373c971ed7405f1bda52e89db6b936ce11937d038c3c1a2dba4fcbc70ba8f28d8d1aa4bf4325f08a6a61c4

Download Submit
C:\Users\Admin\AppData\Local\63e89778-d2d6-4f21-90e9-be11b832a9cc\build2.exe
Filesize
422KB

MD5
0b622eb410bfb32c5fa7b45eb3c116d2

SHA1
606d111174079e4d784e95f285805f14116e6d63

SHA256
9b7b45434353b99f97d33f44e225e71b9c164cd21ae56335c078cca20ae29c1d

SHA512
ffc1c0caf526c598624845c4d15df2fd68309f8027373c971ed7405f1bda52e89db6b936ce11937d038c3c1a2dba4fcbc70ba8f28d8d1aa4bf4325f08a6a61c4

Download Submit
C:\Users\Admin\AppData\Local\63e89778-d2d6-4f21-90e9-be11b832a9cc\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\63e89778-d2d6-4f21-90e9-be11b832a9cc\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\106C.exe
Filesize
195KB

MD5
046ec1348aa8b770b48b9b4530d2d407

SHA1
781ecc1f27da4f8177271a3265ba16df605989b1

SHA256
bbaf5140518acfc1cd69cc595184869b0f6adda59134f83566393bc3435fb9d3

SHA512
27405bae7f117729d68ed8bfa4cf69452b61bfe70be01ce1f24be27bb5c9721e8ddd50e5cdd19c893bf4af09ed89efa886fa142fa9d635eb95dc6bc8e8b6139f

Download Submit
C:\Users\Admin\AppData\Local\Temp\106C.exe
Filesize
195KB

MD5
046ec1348aa8b770b48b9b4530d2d407

SHA1
781ecc1f27da4f8177271a3265ba16df605989b1

SHA256
bbaf5140518acfc1cd69cc595184869b0f6adda59134f83566393bc3435fb9d3

SHA512
27405bae7f117729d68ed8bfa4cf69452b61bfe70be01ce1f24be27bb5c9721e8ddd50e5cdd19c893bf4af09ed89efa886fa142fa9d635eb95dc6bc8e8b6139f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1127.exe
Filesize
706KB

MD5
46909da148de57b2d85591626aedbd76

SHA1
8000c3d7b0b33eaa538f8b0e09eff0559af06287

SHA256
0ca1867b6e512a1e78d8a00cecf4fdc09b665b31f9af122c78ee4a1e5de5a692

SHA512
c3a4c1392e9300c5a9255a8bec4757d8244023f5353d693a9e7a1496da92f1b90482f9201035ab07b669c228f8bedbe467f5c54bfb8f4d50c90350b0f2076603

Download Submit
C:\Users\Admin\AppData\Local\Temp\1127.exe
Filesize
706KB

MD5
46909da148de57b2d85591626aedbd76

SHA1
8000c3d7b0b33eaa538f8b0e09eff0559af06287

SHA256
0ca1867b6e512a1e78d8a00cecf4fdc09b665b31f9af122c78ee4a1e5de5a692

SHA512
c3a4c1392e9300c5a9255a8bec4757d8244023f5353d693a9e7a1496da92f1b90482f9201035ab07b669c228f8bedbe467f5c54bfb8f4d50c90350b0f2076603

Download Submit
C:\Users\Admin\AppData\Local\Temp\1127.exe
Filesize
706KB

MD5
46909da148de57b2d85591626aedbd76

SHA1
8000c3d7b0b33eaa538f8b0e09eff0559af06287

SHA256
0ca1867b6e512a1e78d8a00cecf4fdc09b665b31f9af122c78ee4a1e5de5a692

SHA512
c3a4c1392e9300c5a9255a8bec4757d8244023f5353d693a9e7a1496da92f1b90482f9201035ab07b669c228f8bedbe467f5c54bfb8f4d50c90350b0f2076603

Download Submit
C:\Users\Admin\AppData\Local\Temp\1127.exe
Filesize
706KB

MD5
46909da148de57b2d85591626aedbd76

SHA1
8000c3d7b0b33eaa538f8b0e09eff0559af06287

SHA256
0ca1867b6e512a1e78d8a00cecf4fdc09b665b31f9af122c78ee4a1e5de5a692

SHA512
c3a4c1392e9300c5a9255a8bec4757d8244023f5353d693a9e7a1496da92f1b90482f9201035ab07b669c228f8bedbe467f5c54bfb8f4d50c90350b0f2076603

Download Submit
C:\Users\Admin\AppData\Local\Temp\1127.exe
Filesize
706KB

MD5
46909da148de57b2d85591626aedbd76

SHA1
8000c3d7b0b33eaa538f8b0e09eff0559af06287

SHA256
0ca1867b6e512a1e78d8a00cecf4fdc09b665b31f9af122c78ee4a1e5de5a692

SHA512
c3a4c1392e9300c5a9255a8bec4757d8244023f5353d693a9e7a1496da92f1b90482f9201035ab07b669c228f8bedbe467f5c54bfb8f4d50c90350b0f2076603

Download Submit
C:\Users\Admin\AppData\Local\Temp\160A.exe
Filesize
195KB

MD5
3a452937e8a961c5e19974c2cbb4afaa

SHA1
6c8522ac545442f29b6a5a768fa9f0fc4a38a928

SHA256
de5f535b0a84c65bb341ee58b72bda0b75c18cd795eff21a5318d0bfdaee21bd

SHA512
c12172037f48f14394cd2d408dc2b31ad683c253b57eb807949f05e53af95954ba8d10ebcbad4b0562ab69d932f2d8463e4891350756170940054182a72d8252

Download Submit
C:\Users\Admin\AppData\Local\Temp\160A.exe
Filesize
195KB

MD5
3a452937e8a961c5e19974c2cbb4afaa

SHA1
6c8522ac545442f29b6a5a768fa9f0fc4a38a928

SHA256
de5f535b0a84c65bb341ee58b72bda0b75c18cd795eff21a5318d0bfdaee21bd

SHA512
c12172037f48f14394cd2d408dc2b31ad683c253b57eb807949f05e53af95954ba8d10ebcbad4b0562ab69d932f2d8463e4891350756170940054182a72d8252

Download Submit
C:\Users\Admin\AppData\Local\Temp\17B1.exe
Filesize
196KB

MD5
d8e322c0d2dc6d054cbbae0bdd4399c8

SHA1
5c301531d05a623b40e872b66f86d50293464f07

SHA256
288c8bcb80df65ec35c3d4775d1df071ec84c0b04df3a5ca7a43f361ccedef0f

SHA512
ca967d0df1c206c94504894978d1bd9f4b60552cd247814ee627694d88515881a667cc047d3c731d3626fd8106c8741848ca748b90b545d7065d8e2a6607ff91

Download Submit
C:\Users\Admin\AppData\Local\Temp\17B1.exe
Filesize
196KB

MD5
d8e322c0d2dc6d054cbbae0bdd4399c8

SHA1
5c301531d05a623b40e872b66f86d50293464f07

SHA256
288c8bcb80df65ec35c3d4775d1df071ec84c0b04df3a5ca7a43f361ccedef0f

SHA512
ca967d0df1c206c94504894978d1bd9f4b60552cd247814ee627694d88515881a667cc047d3c731d3626fd8106c8741848ca748b90b545d7065d8e2a6607ff91

Download Submit
C:\Users\Admin\AppData\Local\Temp\17B1.exe
Filesize
196KB

MD5
d8e322c0d2dc6d054cbbae0bdd4399c8

SHA1
5c301531d05a623b40e872b66f86d50293464f07

SHA256
288c8bcb80df65ec35c3d4775d1df071ec84c0b04df3a5ca7a43f361ccedef0f

SHA512
ca967d0df1c206c94504894978d1bd9f4b60552cd247814ee627694d88515881a667cc047d3c731d3626fd8106c8741848ca748b90b545d7065d8e2a6607ff91

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A33.exe
Filesize
196KB

MD5
d0515091178ba6b2ecfa1d7a0d400b80

SHA1
7077163cae765a14367cad5b11f7bb9056dc1766

SHA256
5d4d63a331509e32df02096d9f27fc54d8147ec5ba0487150e9f59f04b2586e3

SHA512
341d7ecec23862d1a8077007edaa3308044836c2f1b444a0630c22989903dfaa17cc7fda31983b93e6e0dcad622a3b4c56144448269b7a57c26169b46eed5e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A33.exe
Filesize
196KB

MD5
d0515091178ba6b2ecfa1d7a0d400b80

SHA1
7077163cae765a14367cad5b11f7bb9056dc1766

SHA256
5d4d63a331509e32df02096d9f27fc54d8147ec5ba0487150e9f59f04b2586e3

SHA512
341d7ecec23862d1a8077007edaa3308044836c2f1b444a0630c22989903dfaa17cc7fda31983b93e6e0dcad622a3b4c56144448269b7a57c26169b46eed5e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A33.exe
Filesize
196KB

MD5
d0515091178ba6b2ecfa1d7a0d400b80

SHA1
7077163cae765a14367cad5b11f7bb9056dc1766

SHA256
5d4d63a331509e32df02096d9f27fc54d8147ec5ba0487150e9f59f04b2586e3

SHA512
341d7ecec23862d1a8077007edaa3308044836c2f1b444a0630c22989903dfaa17cc7fda31983b93e6e0dcad622a3b4c56144448269b7a57c26169b46eed5e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\97C1.exe
Filesize
3.7MB

MD5
fcfeb9c9499e6657b1c7f2d13378a3b9

SHA1
afd2034440f523803980e4b63dd2484ca35e6431

SHA256
b890db11e0db6e1eac3965e1c1121b251977c0f251f6b5ced6a77f6ca5850962

SHA512
3f5e376161dc86bce0ac870921561eadfee4347d5cf085f991da8cb6b3af540ff435feded5aac116e937c39d3a7c7e9f850367b89d670a930fa9efedf5945a6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\97C1.exe
Filesize
3.7MB

MD5
fcfeb9c9499e6657b1c7f2d13378a3b9

SHA1
afd2034440f523803980e4b63dd2484ca35e6431

SHA256
b890db11e0db6e1eac3965e1c1121b251977c0f251f6b5ced6a77f6ca5850962

SHA512
3f5e376161dc86bce0ac870921561eadfee4347d5cf085f991da8cb6b3af540ff435feded5aac116e937c39d3a7c7e9f850367b89d670a930fa9efedf5945a6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\F81.exe
Filesize
378KB

MD5
b141bc58618c537917cc1da179cbe8ab

SHA1
c76d3f5eeae9493e41a272a974b5dfec5f4e4724

SHA256
fd999e4a07d8b3d95f9d9231fd496b0125b56094f1b03ddca7a7b074c1d8c03e

SHA512
5c72f63124a394602a36a4f985e33a41e8159f54653f431c270b8f0fa8e13131517c31b497a936d5f5d3d27397f40fc7909efc4bfd04c01bcca7f306860c3114

Download Submit
C:\Users\Admin\AppData\Local\Temp\F81.exe
Filesize
378KB

MD5
b141bc58618c537917cc1da179cbe8ab

SHA1
c76d3f5eeae9493e41a272a974b5dfec5f4e4724

SHA256
fd999e4a07d8b3d95f9d9231fd496b0125b56094f1b03ddca7a7b074c1d8c03e

SHA512
5c72f63124a394602a36a4f985e33a41e8159f54653f431c270b8f0fa8e13131517c31b497a936d5f5d3d27397f40fc7909efc4bfd04c01bcca7f306860c3114

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ifdefyrywdt.dll
Filesize
4.3MB

MD5
9a8e6345cb61e859a131baf29f77ed25

SHA1
d84ab03e33768d2b000e15d495a8281e5079a8a3

SHA256
d9694b3e4e082ac8166de9325332cec5cdab767aff5a0b022415866eb6ced03b

SHA512
d7c059b04e9ad6b52297bcf48defd682ee5c9a517801f7f1158caeb887111dd7398f90138a61662e132cc09987eb0f79e9ad48df5cef55ab363a89d1a1ebfcd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ifdefyrywdt.dll
Filesize
4.3MB

MD5
9a8e6345cb61e859a131baf29f77ed25

SHA1
d84ab03e33768d2b000e15d495a8281e5079a8a3

SHA256
d9694b3e4e082ac8166de9325332cec5cdab767aff5a0b022415866eb6ced03b

SHA512
d7c059b04e9ad6b52297bcf48defd682ee5c9a517801f7f1158caeb887111dd7398f90138a61662e132cc09987eb0f79e9ad48df5cef55ab363a89d1a1ebfcd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ifdefyrywdt.dll
Filesize
4.3MB

MD5
9a8e6345cb61e859a131baf29f77ed25

SHA1
d84ab03e33768d2b000e15d495a8281e5079a8a3

SHA256
d9694b3e4e082ac8166de9325332cec5cdab767aff5a0b022415866eb6ced03b

SHA512
d7c059b04e9ad6b52297bcf48defd682ee5c9a517801f7f1158caeb887111dd7398f90138a61662e132cc09987eb0f79e9ad48df5cef55ab363a89d1a1ebfcd8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
Filesize
268.7MB

MD5
21e4e2d32835a9318969d0c7a0ff2383

SHA1
34dbae785fc7393ed2d1239f4bfd5c8c4ad1e05c

SHA256
38ef8ede63e4e2f3fd44223dbd9d5f3f5c6e39e63dcbb4627de2e8c661e4653a

SHA512
a9b04ff3bce271db9f272af452b159d90beac69d6a80cab9620cd61821436271e4735f491c54098bdb99d923cb874fd826eaddc8232370875a0fc397a4caab3f

Download Submit
C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
Filesize
266.6MB

MD5
12e9218d456269ae83cda976ed40cf3c

SHA1
4f68345719b1516d3654cc7445217031bb19d500

SHA256
d84d04924ec24e18e384bc0205140b72c8e782180958fda09a58bedef0cab90f

SHA512
6cd8534075a1932eeccf3fff79aeed61c545932fb12d903de37cb506412d4bf4aa03a1ee90d09a3733719ceebf8de70c58ffcdb0c1a8cfd511be0fa3c656869f

Download Submit
memory/112-232-0x0000000000000000-mapping.dmp

Download
memory/1128-142-0x0000000000000000-mapping.dmp

Download
memory/1128-164-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1128-163-0x00000000005D0000-0x00000000005D9000-memory.dmp

Filesize
36KB

Download
memory/1128-178-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1128-162-0x0000000000659000-0x000000000066C000-memory.dmp

Filesize
76KB

Download
memory/1252-230-0x0000000000000000-mapping.dmp

Download
memory/1284-145-0x0000000000000000-mapping.dmp

Download
memory/1284-167-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1284-165-0x0000000000759000-0x000000000076C000-memory.dmp

Filesize
76KB

Download
memory/1512-159-0x00000000006D9000-0x0000000000703000-memory.dmp

Filesize
168KB

Download
memory/1512-177-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1512-176-0x00000000006D9000-0x0000000000703000-memory.dmp

Filesize
168KB

Download
memory/1512-160-0x00000000020A0000-0x00000000020E7000-memory.dmp

Filesize
284KB

Download
memory/1512-136-0x0000000000000000-mapping.dmp

Download
memory/1512-161-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1808-201-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1808-200-0x0000000000000000-mapping.dmp

Download
memory/1808-203-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1808-207-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1808-231-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1808-204-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1808-208-0x0000000050BB0000-0x0000000050CA3000-memory.dmp

Filesize
972KB

Download
memory/2368-259-0x00000000006A7000-0x00000000006D1000-memory.dmp

Filesize
168KB

Download
memory/2368-260-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2368-272-0x00000000006A7000-0x00000000006D1000-memory.dmp

Filesize
168KB

Download
memory/2400-132-0x0000000000788000-0x000000000079B000-memory.dmp

Filesize
76KB

Download
memory/2400-135-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2400-134-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2400-133-0x00000000006F0000-0x00000000006F9000-memory.dmp

Filesize
36KB

Download
memory/2956-148-0x0000000000000000-mapping.dmp

Download
memory/2956-191-0x00000000005E9000-0x00000000005FC000-memory.dmp

Filesize
76KB

Download
memory/2956-229-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2956-228-0x00000000005E9000-0x00000000005FC000-memory.dmp

Filesize
76KB

Download
memory/2956-170-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2956-169-0x00000000005A0000-0x00000000005BC000-memory.dmp

Filesize
112KB

Download
memory/2956-168-0x00000000005E9000-0x00000000005FC000-memory.dmp

Filesize
76KB

Download
memory/3120-183-0x00000000007A8000-0x0000000000839000-memory.dmp

Filesize
580KB

Download
memory/3120-172-0x0000000000000000-mapping.dmp

Download
memory/3300-243-0x0000000002B70000-0x0000000002FD2000-memory.dmp

Filesize
4.4MB

Download
memory/3300-263-0x0000000004C20000-0x0000000004D60000-memory.dmp

Filesize
1.2MB

Download
memory/3300-269-0x0000000004020000-0x0000000004B60000-memory.dmp

Filesize
11.2MB

Download
memory/3300-262-0x0000000004C20000-0x0000000004D60000-memory.dmp

Filesize
1.2MB

Download
memory/3300-258-0x0000000004C20000-0x0000000004D60000-memory.dmp

Filesize
1.2MB

Download
memory/3300-261-0x0000000004C20000-0x0000000004D60000-memory.dmp

Filesize
1.2MB

Download
memory/3300-252-0x0000000004C20000-0x0000000004D60000-memory.dmp

Filesize
1.2MB

Download
memory/3300-251-0x0000000004C20000-0x0000000004D60000-memory.dmp

Filesize
1.2MB

Download
memory/3300-250-0x0000000004020000-0x0000000004B60000-memory.dmp

Filesize
11.2MB

Download
memory/3300-246-0x0000000004020000-0x0000000004B60000-memory.dmp

Filesize
11.2MB

Download
memory/3300-245-0x0000000004020000-0x0000000004B60000-memory.dmp

Filesize
11.2MB

Download
memory/3300-239-0x0000000000000000-mapping.dmp

Download
memory/3328-192-0x0000000000000000-mapping.dmp

Download
memory/3328-206-0x0000000000660000-0x00000000006BE000-memory.dmp

Filesize
376KB

Download
memory/3328-205-0x000000000057D000-0x00000000005B1000-memory.dmp

Filesize
208KB

Download
memory/3584-174-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3584-158-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3584-151-0x0000000000000000-mapping.dmp

Download
memory/3584-155-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3584-157-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3584-152-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3656-255-0x0000000000000000-mapping.dmp

Download
memory/3708-166-0x0000000000000000-mapping.dmp

Download
memory/3772-199-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3772-182-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3772-185-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3772-184-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3772-179-0x0000000000000000-mapping.dmp

Download
memory/3928-195-0x0000000000000000-mapping.dmp

Download
memory/4008-198-0x0000000000000000-mapping.dmp

Download
memory/4408-139-0x0000000000000000-mapping.dmp

Download
memory/4408-153-0x0000000002289000-0x000000000231A000-memory.dmp

Filesize
580KB

Download
memory/4408-156-0x0000000002320000-0x000000000243B000-memory.dmp

Filesize
1.1MB

Download
memory/4408-190-0x0000000002320000-0x000000000243B000-memory.dmp

Filesize
1.1MB

Download
memory/4492-266-0x00000208427F0000-0x0000020842930000-memory.dmp

Filesize
1.2MB

Download
memory/4492-268-0x0000020840D90000-0x0000020841044000-memory.dmp

Filesize
2.7MB

Download
memory/4492-264-0x00007FF75A286890-mapping.dmp

Download
memory/4492-267-0x00000000009B0000-0x0000000000C52000-memory.dmp

Filesize
2.6MB

Download
memory/4492-265-0x00000208427F0000-0x0000020842930000-memory.dmp

Filesize
1.2MB

Download
memory/4688-238-0x0000000000400000-0x00000000008F8000-memory.dmp

Filesize
5.0MB

Download
memory/4688-233-0x0000000000000000-mapping.dmp

Download
memory/4688-237-0x0000000002990000-0x0000000002E7B000-memory.dmp

Filesize
4.9MB

Download
memory/4688-236-0x0000000002603000-0x000000000298E000-memory.dmp

Filesize
3.5MB

Download
memory/4688-244-0x0000000000400000-0x00000000008F8000-memory.dmp

Filesize
5.0MB

Download
memory/4880-247-0x0000000000000000-mapping.dmp

Download
memory/4880-273-0x00000000007D9000-0x00000000007EC000-memory.dmp

Filesize
76KB

Download
memory/4880-274-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/4880-275-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/5116-175-0x0000000000000000-mapping.dmp

Download