modiloader | 89994f1a3641d3d36049928ad6d76a86ebe456ab7f894549ca0301462670bfcd

Resubmissions

15-02-2023 17:27

230215-v1k5pacg7v 7

14-02-2023 10:55

230214-mz8wcscb5s 10

Analysis

max time kernel
76s
max time network
120s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
14-02-2023 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ConstructionDocuments.one
Size

923KB
MD5

04ecfc3fa0c53151d976f2d6fbd65c31
SHA1

3fedd5e8cf0d285e74bb66370f4913bdfe9ff2a1
SHA256

89994f1a3641d3d36049928ad6d76a86ebe456ab7f894549ca0301462670bfcd
SHA512

6e7a42a8cd7f814d8b25d0b0d4d075ca71fd0c0779f5d1de865cf53d58dbd50aa7b8ee5d2b9d8ce94c42e1e050e2da7f6fe6c7e44ed1dd58f659f8704ddc5291
SSDEEP

12288:Ob8A+lyMML0gN55kXFyqf0bGBvGoE3IhAf1nAhglRF:O4ZzML0gN5WXFaK9GoEHf1nAhglRF

Score

10^/10

modiloader remcos persistence rat trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1988-66-0x0000000000370000-0x000000000039C000-memory.dmp	modiloader_stage2
behavioral1/memory/1264-74-0x00000000002D0000-0x00000000002FC000-memory.dmp	modiloader_stage2
behavioral1/memory/1592-82-0x0000000000310000-0x000000000033C000-memory.dmp	modiloader_stage2

Drops startup file 1 IoCs

Processes:

ONENOTE.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk	ONENOTE.EXE

Executes dropped EXE 7 IoCs

Processes:

Yokzgytdjocuus.exeYokzgytdjocuus.exeYokzgytdjocuus.exeeasinvoker.exeeasinvoker.exedtygzkoY.pifdtygzkoY.pif

pid process

1988 Yokzgytdjocuus.exe
1264 Yokzgytdjocuus.exe
1592 Yokzgytdjocuus.exe
1368 easinvoker.exe
1964 easinvoker.exe
1564 dtygzkoY.pif
1740 dtygzkoY.pif

pid	process
1988	Yokzgytdjocuus.exe
1264	Yokzgytdjocuus.exe
1592	Yokzgytdjocuus.exe
1368	easinvoker.exe
1964	easinvoker.exe
1564	dtygzkoY.pif
1740	dtygzkoY.pif

Loads dropped DLL 17 IoCs

Processes:

ONENOTE.EXEYokzgytdjocuus.exeWerFault.exeYokzgytdjocuus.exeWerFault.exe

pid	process
832	ONENOTE.EXE
832	ONENOTE.EXE
832	ONENOTE.EXE
832	ONENOTE.EXE
832	ONENOTE.EXE
832	ONENOTE.EXE
1264	Yokzgytdjocuus.exe
1264	Yokzgytdjocuus.exe
1644	WerFault.exe
1644	WerFault.exe
1644	WerFault.exe
1644	WerFault.exe
1592	Yokzgytdjocuus.exe
840	WerFault.exe
840	WerFault.exe
840	WerFault.exe
840	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Yokzgytdjocuus.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yokzgytd = "C:\\Users\\Public\\Libraries\\dtygzkoY.url"	Yokzgytdjocuus.exe

Drops file in Program Files directory 5 IoCs

Processes:

ONENOTE.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE	ONENOTE.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE	ONENOTE.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE	ONENOTE.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE	ONENOTE.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE	ONENOTE.EXE

Drops file in Windows directory 1 IoCs

Processes:

ONENOTE.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log ONENOTE.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1644 1564 WerFault.exe dtygzkoY.pif
840 1740 WerFault.exe dtygzkoY.pif

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	ONENOTE.EXE

pid	pid_target	process	target process
1644	1564	WerFault.exe	dtygzkoY.pif
840	1740	WerFault.exe	dtygzkoY.pif

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

xcopy.exexcopy.exexcopy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

ONENOTE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	ONENOTE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	ONENOTE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	ONENOTE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	ONENOTE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt	ONENOTE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	ONENOTE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	ONENOTE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	ONENOTE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	ONENOTE.EXE

Modifies registry class 6 IoCs

Processes:

ONENOTE.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F2A7EE29-8BF6-4A6D-83F1-098E366C709C}\1.0\ = "Microsoft OneNote 12.0 Object Library"	ONENOTE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F2A7EE29-8BF6-4A6D-83F1-098E366C709C}\1.0\0\win32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\ONENOTE.EXE\\2"	ONENOTE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0EA692EE-BB50-4E3C-AEF0-356D91732725}\1.0\ = "Microsoft OneNote 14.0 Object Library"	ONENOTE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0EA692EE-BB50-4E3C-AEF0-356D91732725}\1.0\0\win32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\ONENOTE.EXE\\3"	ONENOTE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E2E1511D-502D-4BD0-8B3A-8A89A05CDCAE}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ONENOTE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2E1511D-502D-4BD0-8B3A-8A89A05CDCAE}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ONENOTE.EXE

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Yokzgytdjocuus.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Yokzgytdjocuus.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Yokzgytdjocuus.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Yokzgytdjocuus.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Yokzgytdjocuus.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Yokzgytdjocuus.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Yokzgytdjocuus.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

ONENOTE.EXE

pid process

832 ONENOTE.EXE
832 ONENOTE.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ONENOTEM.EXE

description pid process

Token: 33 1572 ONENOTEM.EXE
Token: SeIncBasePriorityPrivilege 1572 ONENOTEM.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

ONENOTEM.EXEDllHost.exe

pid process

1572 ONENOTEM.EXE
536 DllHost.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

ONENOTEM.EXE

pid process

1572 ONENOTEM.EXE

description	pid	process
Token: 33	1572	ONENOTEM.EXE
Token: SeIncBasePriorityPrivilege	1572	ONENOTEM.EXE

pid	process
1572	ONENOTEM.EXE
536	DllHost.exe

pid	process
1572	ONENOTEM.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

ONENOTE.EXE

pid	process
832	ONENOTE.EXE
832	ONENOTE.EXE
832	ONENOTE.EXE
832	ONENOTE.EXE
832	ONENOTE.EXE
832	ONENOTE.EXE
832	ONENOTE.EXE
832	ONENOTE.EXE
832	ONENOTE.EXE
832	ONENOTE.EXE
832	ONENOTE.EXE
832	ONENOTE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ONENOTE.EXEYokzgytdjocuus.execmd.exeYokzgytdjocuus.exedtygzkoY.pif

description	pid	process	target process
PID 832 wrote to memory of 1572	832	ONENOTE.EXE	ONENOTEM.EXE
PID 832 wrote to memory of 1572	832	ONENOTE.EXE	ONENOTEM.EXE
PID 832 wrote to memory of 1572	832	ONENOTE.EXE	ONENOTEM.EXE
PID 832 wrote to memory of 1572	832	ONENOTE.EXE	ONENOTEM.EXE
PID 832 wrote to memory of 1988	832	ONENOTE.EXE	Yokzgytdjocuus.exe
PID 832 wrote to memory of 1988	832	ONENOTE.EXE	Yokzgytdjocuus.exe
PID 832 wrote to memory of 1988	832	ONENOTE.EXE	Yokzgytdjocuus.exe
PID 832 wrote to memory of 1988	832	ONENOTE.EXE	Yokzgytdjocuus.exe
PID 832 wrote to memory of 1264	832	ONENOTE.EXE	Yokzgytdjocuus.exe
PID 832 wrote to memory of 1264	832	ONENOTE.EXE	Yokzgytdjocuus.exe
PID 832 wrote to memory of 1264	832	ONENOTE.EXE	Yokzgytdjocuus.exe
PID 832 wrote to memory of 1264	832	ONENOTE.EXE	Yokzgytdjocuus.exe
PID 832 wrote to memory of 1592	832	ONENOTE.EXE	Yokzgytdjocuus.exe
PID 832 wrote to memory of 1592	832	ONENOTE.EXE	Yokzgytdjocuus.exe
PID 832 wrote to memory of 1592	832	ONENOTE.EXE	Yokzgytdjocuus.exe
PID 832 wrote to memory of 1592	832	ONENOTE.EXE	Yokzgytdjocuus.exe
PID 1988 wrote to memory of 1780	1988	Yokzgytdjocuus.exe	cmd.exe
PID 1988 wrote to memory of 1780	1988	Yokzgytdjocuus.exe	cmd.exe
PID 1988 wrote to memory of 1780	1988	Yokzgytdjocuus.exe	cmd.exe
PID 1988 wrote to memory of 1780	1988	Yokzgytdjocuus.exe	cmd.exe
PID 1780 wrote to memory of 1712	1780	cmd.exe	cmd.exe
PID 1780 wrote to memory of 1712	1780	cmd.exe	cmd.exe
PID 1780 wrote to memory of 1712	1780	cmd.exe	cmd.exe
PID 1780 wrote to memory of 1712	1780	cmd.exe	cmd.exe
PID 1780 wrote to memory of 828	1780	cmd.exe	xcopy.exe
PID 1780 wrote to memory of 828	1780	cmd.exe	xcopy.exe
PID 1780 wrote to memory of 828	1780	cmd.exe	xcopy.exe
PID 1780 wrote to memory of 828	1780	cmd.exe	xcopy.exe
PID 1780 wrote to memory of 1008	1780	cmd.exe	cmd.exe
PID 1780 wrote to memory of 1008	1780	cmd.exe	cmd.exe
PID 1780 wrote to memory of 1008	1780	cmd.exe	cmd.exe
PID 1780 wrote to memory of 1008	1780	cmd.exe	cmd.exe
PID 1780 wrote to memory of 2036	1780	cmd.exe	xcopy.exe
PID 1780 wrote to memory of 2036	1780	cmd.exe	xcopy.exe
PID 1780 wrote to memory of 2036	1780	cmd.exe	xcopy.exe
PID 1780 wrote to memory of 2036	1780	cmd.exe	xcopy.exe
PID 1264 wrote to memory of 1564	1264	Yokzgytdjocuus.exe	dtygzkoY.pif
PID 1264 wrote to memory of 1564	1264	Yokzgytdjocuus.exe	dtygzkoY.pif
PID 1264 wrote to memory of 1564	1264	Yokzgytdjocuus.exe	dtygzkoY.pif
PID 1264 wrote to memory of 1564	1264	Yokzgytdjocuus.exe	dtygzkoY.pif
PID 1780 wrote to memory of 280	1780	cmd.exe	cmd.exe
PID 1780 wrote to memory of 280	1780	cmd.exe	cmd.exe
PID 1780 wrote to memory of 280	1780	cmd.exe	cmd.exe
PID 1780 wrote to memory of 280	1780	cmd.exe	cmd.exe
PID 1780 wrote to memory of 1644	1780	cmd.exe	xcopy.exe
PID 1780 wrote to memory of 1644	1780	cmd.exe	xcopy.exe
PID 1780 wrote to memory of 1644	1780	cmd.exe	xcopy.exe
PID 1780 wrote to memory of 1644	1780	cmd.exe	xcopy.exe
PID 1264 wrote to memory of 1564	1264	Yokzgytdjocuus.exe	dtygzkoY.pif
PID 1264 wrote to memory of 1564	1264	Yokzgytdjocuus.exe	dtygzkoY.pif
PID 1264 wrote to memory of 1564	1264	Yokzgytdjocuus.exe	dtygzkoY.pif
PID 1264 wrote to memory of 1564	1264	Yokzgytdjocuus.exe	dtygzkoY.pif
PID 1264 wrote to memory of 1564	1264	Yokzgytdjocuus.exe	dtygzkoY.pif
PID 1264 wrote to memory of 1564	1264	Yokzgytdjocuus.exe	dtygzkoY.pif
PID 1264 wrote to memory of 1564	1264	Yokzgytdjocuus.exe	dtygzkoY.pif
PID 1264 wrote to memory of 1564	1264	Yokzgytdjocuus.exe	dtygzkoY.pif
PID 1264 wrote to memory of 1564	1264	Yokzgytdjocuus.exe	dtygzkoY.pif
PID 1264 wrote to memory of 1564	1264	Yokzgytdjocuus.exe	dtygzkoY.pif
PID 1264 wrote to memory of 1564	1264	Yokzgytdjocuus.exe	dtygzkoY.pif
PID 1264 wrote to memory of 1564	1264	Yokzgytdjocuus.exe	dtygzkoY.pif
PID 1264 wrote to memory of 1564	1264	Yokzgytdjocuus.exe	dtygzkoY.pif
PID 1264 wrote to memory of 1564	1264	Yokzgytdjocuus.exe	dtygzkoY.pif
PID 1564 wrote to memory of 1644	1564	dtygzkoY.pif	WerFault.exe
PID 1564 wrote to memory of 1644	1564	dtygzkoY.pif	WerFault.exe

C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE" "C:\Users\Admin\AppData\Local\Temp\ConstructionDocuments.one"
1⤵
- Drops startup file
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:832

C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
/tsr
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1572

C:\Users\Admin\AppData\Local\Temp\OneNote\14.0\NT\0\Yokzgytdjocuus.exe
"C:\Users\Admin\AppData\Local\Temp\OneNote\14.0\NT\0\Yokzgytdjocuus.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\Libraries\YokzgytdO.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
4⤵
PID:1712

C:\Windows\SysWOW64\xcopy.exe
xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y
4⤵
- Enumerates system info in registry
PID:828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
4⤵
PID:1008

C:\Windows\SysWOW64\xcopy.exe
xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y
4⤵
- Enumerates system info in registry
PID:2036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
4⤵
PID:280

C:\Windows\SysWOW64\xcopy.exe
xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y
4⤵
- Enumerates system info in registry
PID:1644

C:\Windows \System32\easinvoker.exe
"C:\Windows \System32\easinvoker.exe"
4⤵
- Executes dropped EXE
PID:1368

C:\Windows \System32\easinvoker.exe
"C:\Windows \System32\easinvoker.exe"
4⤵
- Executes dropped EXE
PID:1964

C:\Users\Admin\AppData\Local\Temp\OneNote\14.0\NT\1\Yokzgytdjocuus.exe
"C:\Users\Admin\AppData\Local\Temp\OneNote\14.0\NT\1\Yokzgytdjocuus.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Public\Libraries\dtygzkoY.pif
C:\Users\Public\Libraries\dtygzkoY.pif
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 124
4⤵
- Loads dropped DLL
- Program crash
PID:1644

C:\Users\Admin\AppData\Local\Temp\OneNote\14.0\NT\2\Yokzgytdjocuus.exe
"C:\Users\Admin\AppData\Local\Temp\OneNote\14.0\NT\2\Yokzgytdjocuus.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1592

C:\Users\Public\Libraries\dtygzkoY.pif
C:\Users\Public\Libraries\dtygzkoY.pif
3⤵
- Executes dropped EXE
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 128
4⤵
- Loads dropped DLL
- Program crash
PID:840

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
ee9df0c861e8070ae9a7f394a001d493

SHA1
fa8fdbc92f686d0de2a9b00b241626d404104821

SHA256
48e0baf1190cf8f8705502ac76015513a36eb61678dc6e4f65f301783337ceef

SHA512
7487aa3d857e684646ffdbfb8cd1d561c874840547b1e7d650423d9080eb4486c9ebf2e937138a60359aa28f0e3d79534b757e252c512ed92829c80c269e1cd8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb39e72bd262bf5785cb728664ff5209

SHA1
6adc0888d36b1d574ac88f38b9abca3941468934

SHA256
d83c48660451eeaf2e6eae56ff49f336d02973c7108aa07934353b7dd3c218e9

SHA512
90f5c461fd5391105e85f76a8093c5d27b801be891797d19b7c843476f97f587966ff7e95231b485328618868685265c736b48c533bbb0876260222bfab02f25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3cc67fcea2868898c7dc25a960af8f6b

SHA1
5621a0d27e4ce50fe194fd19ec0f944e9276e9d7

SHA256
b635230d79aaf5e0df1e40e99a9a1a54a907b8b63f81e1b1e0b89fe21d4860d4

SHA512
95c52b2aaa02bdafe15aec0a590f558ca977e44bbcca878d060e94858be0a180d467a5b27ba670f77ebf2cfb2710b519122ab99dd5fe38b865d55c985d362975

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5205ed190010970742f84e7b93dc95c4

SHA1
e21c95a4894112d848a7357ad5696bd2b17847a8

SHA256
88a18e7cbb4da2ea2d7a8caf0ed860209644b434e9aff44e486fcaabdf7870d8

SHA512
ebd96aabad0dcb405301da8e2cd748e945c2df94709f983e844d55133c6c49d916bdd7838b1936feb18cf062daf30495c2c370d116bcebfb3c0c6a50e32d09d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9XNRFMOH\Yokzgytdjoc[2]

Filesize
767KB

MD5
7e64fd58c32af2d00af8199d0f6888d4

SHA1
6bf750a22393498a1ec677e317adb3168e73db01

SHA256
32efc8c2e71347dfe47950168d6968c047d074e03f7273d40d34056babc42a00

SHA512
4afffe2f4766661598b3b6df97cdc6694f1e2b453fac92dda955a0c485d707a446d63548ebf7fa4ca354ba8cd7b5f46ad4a0d71f68b68ad74cee8d142e161d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\14.0\NT\0\Yokzgytdjocuus.exe

Filesize
884KB

MD5
b1b76651c4db6ab4742722ce54e38789

SHA1
accec060ca6085806b5a5d4f15d0bacdfd56c86f

SHA256
93134717e4d09a23d7b3047ffc97803f7520c030a638cb98e710a4022c6bd870

SHA512
27bcf1261302b98efbdc7407700a2e647c5ba14979df169e203c8b9b5238de86bd8139973c7663d312094384215a802dcf63ed1ce64169e4cdcfa021c0007f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\14.0\NT\0\Yokzgytdjocuus.exe

Filesize
884KB

MD5
b1b76651c4db6ab4742722ce54e38789

SHA1
accec060ca6085806b5a5d4f15d0bacdfd56c86f

SHA256
93134717e4d09a23d7b3047ffc97803f7520c030a638cb98e710a4022c6bd870

SHA512
27bcf1261302b98efbdc7407700a2e647c5ba14979df169e203c8b9b5238de86bd8139973c7663d312094384215a802dcf63ed1ce64169e4cdcfa021c0007f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\14.0\NT\1\Yokzgytdjocuus.exe

Filesize
884KB

MD5
b1b76651c4db6ab4742722ce54e38789

SHA1
accec060ca6085806b5a5d4f15d0bacdfd56c86f

SHA256
93134717e4d09a23d7b3047ffc97803f7520c030a638cb98e710a4022c6bd870

SHA512
27bcf1261302b98efbdc7407700a2e647c5ba14979df169e203c8b9b5238de86bd8139973c7663d312094384215a802dcf63ed1ce64169e4cdcfa021c0007f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\14.0\NT\1\Yokzgytdjocuus.exe

Filesize
884KB

MD5
b1b76651c4db6ab4742722ce54e38789

SHA1
accec060ca6085806b5a5d4f15d0bacdfd56c86f

SHA256
93134717e4d09a23d7b3047ffc97803f7520c030a638cb98e710a4022c6bd870

SHA512
27bcf1261302b98efbdc7407700a2e647c5ba14979df169e203c8b9b5238de86bd8139973c7663d312094384215a802dcf63ed1ce64169e4cdcfa021c0007f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\14.0\NT\2\Yokzgytdjocuus.exe

Filesize
884KB

MD5
b1b76651c4db6ab4742722ce54e38789

SHA1
accec060ca6085806b5a5d4f15d0bacdfd56c86f

SHA256
93134717e4d09a23d7b3047ffc97803f7520c030a638cb98e710a4022c6bd870

SHA512
27bcf1261302b98efbdc7407700a2e647c5ba14979df169e203c8b9b5238de86bd8139973c7663d312094384215a802dcf63ed1ce64169e4cdcfa021c0007f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\14.0\NT\2\Yokzgytdjocuus.exe

Filesize
884KB

MD5
b1b76651c4db6ab4742722ce54e38789

SHA1
accec060ca6085806b5a5d4f15d0bacdfd56c86f

SHA256
93134717e4d09a23d7b3047ffc97803f7520c030a638cb98e710a4022c6bd870

SHA512
27bcf1261302b98efbdc7407700a2e647c5ba14979df169e203c8b9b5238de86bd8139973c7663d312094384215a802dcf63ed1ce64169e4cdcfa021c0007f3c

Download Submit
C:\Users\Public\Libraries\KDECO.bat

Filesize
155B

MD5
213c60adf1c9ef88dc3c9b2d579959d2

SHA1
e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021

SHA256
37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

SHA512
fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

Download Submit
C:\Users\Public\Libraries\YokzgytdO.bat

Filesize
411B

MD5
55aba243e88f6a6813c117ffe1fa5979

SHA1
210b9b028a4b798c837a182321dbf2e50d112816

SHA256
5a11c5641c476891aa30e7ecfa57c2639f6827d8640061f73e9afec0adbbd7d2

SHA512
68009c4c9bbea75a3bfa9f79945d30957a95691ea405d031b4ca7f1cb47504bbc768fcae59173885743ad4d6cfdd2313c3fe0acb515e34e5c809ecdc7f45e307

Download Submit
C:\Users\Public\Libraries\dtygzkoY.pif

Filesize
66KB

MD5
c116d3604ceafe7057d77ff27552c215

SHA1
452b14432fb5758b46f2897aeccd89f7c82a727d

SHA256
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

SHA512
9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

Download Submit
C:\Users\Public\Libraries\dtygzkoY.pif

Filesize
66KB

MD5
c116d3604ceafe7057d77ff27552c215

SHA1
452b14432fb5758b46f2897aeccd89f7c82a727d

SHA256
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

SHA512
9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

Download Submit
C:\Users\Public\Libraries\dtygzkoY.pif

Filesize
66KB

MD5
c116d3604ceafe7057d77ff27552c215

SHA1
452b14432fb5758b46f2897aeccd89f7c82a727d

SHA256
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

SHA512
9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

Download Submit
C:\Users\Public\Libraries\easinvoker.exe

Filesize
128KB

MD5
231ce1e1d7d98b44371ffff407d68b59

SHA1
25510d0f6353dbf0c9f72fc880de7585e34b28ff

SHA256
30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96

SHA512
520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

Download Submit
C:\Users\Public\Libraries\netutils.dll

Filesize
110KB

MD5
b375e74a145c45d07190212e9157e5f8

SHA1
59d3de7748e1090ce95523601224ce5ab6cc4a3a

SHA256
6ec341496722bfdde504d430a7ece494701a9369b1fa5376ec488a77ab3c1744

SHA512
859737afb6108f131c0ac35560878359505c4f7fdd01ce468c04b15848df71f70987552a831a43ce948a37c9b1d6a434ff7f6fb5946f3730049b924d5b462ef0

Download Submit
C:\Users\Public\cojdtygzkoY.png

Filesize
1KB

MD5
d9ae953da96f6c7261f47b6fdc6d2b7e

SHA1
561eb2a21d9898ca6ddf3fbf5eac0b493e32abe8

SHA256
137b50eb77d46c7b1b3a60adaf69980d03cb57771fe2628135da5b5deb6f3de7

SHA512
2b99fa91ffb39e30df0e6284c2ba9e9015dfd9b1ecdcddb31e0d988dce3d7b35167f651c4c832970eb2dc139bce810da259b9d8f3c0a46a8f714167b4a0fb254

Download Submit
C:\Windows \System32\easinvoker.exe

Filesize
128KB

MD5
231ce1e1d7d98b44371ffff407d68b59

SHA1
25510d0f6353dbf0c9f72fc880de7585e34b28ff

SHA256
30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96

SHA512
520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

Download Submit
C:\Windows \System32\easinvoker.exe

Filesize
128KB

MD5
231ce1e1d7d98b44371ffff407d68b59

SHA1
25510d0f6353dbf0c9f72fc880de7585e34b28ff

SHA256
30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96

SHA512
520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

Download Submit
C:\Windows \System32\easinvoker.exe

Filesize
128KB

MD5
231ce1e1d7d98b44371ffff407d68b59

SHA1
25510d0f6353dbf0c9f72fc880de7585e34b28ff

SHA256
30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96

SHA512
520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

Download Submit
\Users\Admin\AppData\Local\Temp\OneNote\14.0\NT\0\Yokzgytdjocuus.exe

Filesize
884KB

MD5
b1b76651c4db6ab4742722ce54e38789

SHA1
accec060ca6085806b5a5d4f15d0bacdfd56c86f

SHA256
93134717e4d09a23d7b3047ffc97803f7520c030a638cb98e710a4022c6bd870

SHA512
27bcf1261302b98efbdc7407700a2e647c5ba14979df169e203c8b9b5238de86bd8139973c7663d312094384215a802dcf63ed1ce64169e4cdcfa021c0007f3c

Download Submit
\Users\Admin\AppData\Local\Temp\OneNote\14.0\NT\0\Yokzgytdjocuus.exe

Filesize
884KB

MD5
b1b76651c4db6ab4742722ce54e38789

SHA1
accec060ca6085806b5a5d4f15d0bacdfd56c86f

SHA256
93134717e4d09a23d7b3047ffc97803f7520c030a638cb98e710a4022c6bd870

SHA512
27bcf1261302b98efbdc7407700a2e647c5ba14979df169e203c8b9b5238de86bd8139973c7663d312094384215a802dcf63ed1ce64169e4cdcfa021c0007f3c

Download Submit
\Users\Admin\AppData\Local\Temp\OneNote\14.0\NT\1\Yokzgytdjocuus.exe

Filesize
884KB

MD5
b1b76651c4db6ab4742722ce54e38789

SHA1
accec060ca6085806b5a5d4f15d0bacdfd56c86f

SHA256
93134717e4d09a23d7b3047ffc97803f7520c030a638cb98e710a4022c6bd870

SHA512
27bcf1261302b98efbdc7407700a2e647c5ba14979df169e203c8b9b5238de86bd8139973c7663d312094384215a802dcf63ed1ce64169e4cdcfa021c0007f3c

Download Submit
\Users\Admin\AppData\Local\Temp\OneNote\14.0\NT\1\Yokzgytdjocuus.exe

Filesize
884KB

MD5
b1b76651c4db6ab4742722ce54e38789

SHA1
accec060ca6085806b5a5d4f15d0bacdfd56c86f

SHA256
93134717e4d09a23d7b3047ffc97803f7520c030a638cb98e710a4022c6bd870

SHA512
27bcf1261302b98efbdc7407700a2e647c5ba14979df169e203c8b9b5238de86bd8139973c7663d312094384215a802dcf63ed1ce64169e4cdcfa021c0007f3c

Download Submit
\Users\Admin\AppData\Local\Temp\OneNote\14.0\NT\2\Yokzgytdjocuus.exe

Filesize
884KB

MD5
b1b76651c4db6ab4742722ce54e38789

SHA1
accec060ca6085806b5a5d4f15d0bacdfd56c86f

SHA256
93134717e4d09a23d7b3047ffc97803f7520c030a638cb98e710a4022c6bd870

SHA512
27bcf1261302b98efbdc7407700a2e647c5ba14979df169e203c8b9b5238de86bd8139973c7663d312094384215a802dcf63ed1ce64169e4cdcfa021c0007f3c

Download Submit
\Users\Admin\AppData\Local\Temp\OneNote\14.0\NT\2\Yokzgytdjocuus.exe

Filesize
884KB

MD5
b1b76651c4db6ab4742722ce54e38789

SHA1
accec060ca6085806b5a5d4f15d0bacdfd56c86f

SHA256
93134717e4d09a23d7b3047ffc97803f7520c030a638cb98e710a4022c6bd870

SHA512
27bcf1261302b98efbdc7407700a2e647c5ba14979df169e203c8b9b5238de86bd8139973c7663d312094384215a802dcf63ed1ce64169e4cdcfa021c0007f3c

Download Submit
\Users\Public\Libraries\dtygzkoY.pif

Filesize
66KB

MD5
c116d3604ceafe7057d77ff27552c215

SHA1
452b14432fb5758b46f2897aeccd89f7c82a727d

SHA256
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

SHA512
9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

Download Submit
\Users\Public\Libraries\dtygzkoY.pif

Filesize
66KB

MD5
c116d3604ceafe7057d77ff27552c215

SHA1
452b14432fb5758b46f2897aeccd89f7c82a727d

SHA256
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

SHA512
9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

Download Submit
\Users\Public\Libraries\dtygzkoY.pif

Filesize
66KB

MD5
c116d3604ceafe7057d77ff27552c215

SHA1
452b14432fb5758b46f2897aeccd89f7c82a727d

SHA256
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

SHA512
9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

Download Submit
\Users\Public\Libraries\dtygzkoY.pif

Filesize
66KB

MD5
c116d3604ceafe7057d77ff27552c215

SHA1
452b14432fb5758b46f2897aeccd89f7c82a727d

SHA256
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

SHA512
9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

Download Submit
\Users\Public\Libraries\dtygzkoY.pif

Filesize
66KB

MD5
c116d3604ceafe7057d77ff27552c215

SHA1
452b14432fb5758b46f2897aeccd89f7c82a727d

SHA256
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

SHA512
9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

Download Submit
\Users\Public\Libraries\dtygzkoY.pif

Filesize
66KB

MD5
c116d3604ceafe7057d77ff27552c215

SHA1
452b14432fb5758b46f2897aeccd89f7c82a727d

SHA256
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

SHA512
9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

Download Submit
\Users\Public\Libraries\dtygzkoY.pif

Filesize
66KB

MD5
c116d3604ceafe7057d77ff27552c215

SHA1
452b14432fb5758b46f2897aeccd89f7c82a727d

SHA256
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

SHA512
9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

Download Submit
\Users\Public\Libraries\dtygzkoY.pif

Filesize
66KB

MD5
c116d3604ceafe7057d77ff27552c215

SHA1
452b14432fb5758b46f2897aeccd89f7c82a727d

SHA256
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

SHA512
9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

Download Submit
\Users\Public\Libraries\dtygzkoY.pif

Filesize
66KB

MD5
c116d3604ceafe7057d77ff27552c215

SHA1
452b14432fb5758b46f2897aeccd89f7c82a727d

SHA256
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

SHA512
9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

Download Submit
\Users\Public\Libraries\dtygzkoY.pif

Filesize
66KB

MD5
c116d3604ceafe7057d77ff27552c215

SHA1
452b14432fb5758b46f2897aeccd89f7c82a727d

SHA256
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

SHA512
9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

Download Submit
\Users\Public\Libraries\dtygzkoY.pif

Filesize
66KB

MD5
c116d3604ceafe7057d77ff27552c215

SHA1
452b14432fb5758b46f2897aeccd89f7c82a727d

SHA256
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

SHA512
9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

Download Submit
memory/280-101-0x0000000000000000-mapping.dmp

Download
memory/828-93-0x0000000000000000-mapping.dmp

Download
memory/832-55-0x0000000075701000-0x0000000075703000-memory.dmp

Filesize
8KB

Download
memory/832-56-0x000000007324D000-0x0000000073258000-memory.dmp

Filesize
44KB

Download
memory/832-59-0x000000007324D000-0x0000000073258000-memory.dmp

Filesize
44KB

Download
memory/832-54-0x0000000072261000-0x0000000072263000-memory.dmp

Filesize
8KB

Download
memory/840-132-0x0000000000000000-mapping.dmp

Download
memory/1008-95-0x0000000000000000-mapping.dmp

Download
memory/1264-74-0x00000000002D0000-0x00000000002FC000-memory.dmp

Filesize
176KB

Download
memory/1264-100-0x0000000010590000-0x000000001060B000-memory.dmp

Filesize
492KB

Download
memory/1264-110-0x0000000010590000-0x000000001060B000-memory.dmp

Filesize
492KB

Download
memory/1264-70-0x0000000000000000-mapping.dmp

Download
memory/1564-120-0x0000000010590000-0x000000001060B000-memory.dmp

Filesize
492KB

Download
memory/1564-111-0x0000000010590000-0x000000001060B000-memory.dmp

Filesize
492KB

Download
memory/1564-103-0x0000000000000000-mapping.dmp

Download
memory/1572-57-0x0000000000000000-mapping.dmp

Download
memory/1592-78-0x0000000000000000-mapping.dmp

Download
memory/1592-82-0x0000000000310000-0x000000000033C000-memory.dmp

Filesize
176KB

Download
memory/1644-102-0x0000000000000000-mapping.dmp

Download
memory/1644-115-0x0000000000000000-mapping.dmp

Download
memory/1712-92-0x0000000000000000-mapping.dmp

Download
memory/1740-126-0x0000000000000000-mapping.dmp

Download
memory/1780-90-0x0000000000000000-mapping.dmp

Download
memory/1988-62-0x0000000000000000-mapping.dmp

Download
memory/1988-66-0x0000000000370000-0x000000000039C000-memory.dmp

Filesize
176KB

Download
memory/2036-96-0x0000000000000000-mapping.dmp

Download