lumma | eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771

Analysis

max time kernel
145s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2023 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b94e6504da7365a7ac9e5f1c37ea714.exe
Size

164KB
MD5

1b94e6504da7365a7ac9e5f1c37ea714
SHA1

b2c784470f5400680f275943aacfcbef6cda5c88
SHA256

eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771
SHA512

6b86bdea9ed18fc11e32c0ce7e6883677fa5e3dfad053200e6757a51cc4b11a5adf0757853c9b4421796e7789d75af17c686ca513a9d442a7a0fa093920d012e
SSDEEP

3072:sSGL9TvjYP99HQjQQeTXE61nB1KpyehJqCFQUDjp5AJ:IL9jjYlaQ9E6B2yeHPOJ

Score

10^/10

lumma phobos rhadamanthys smokeloader systembc summ backdoor collection discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

summ

Extracted

Family

smokeloader

Version

2022

http://stalagmijesarl.com/

http://ukdantist-sarl.com/

http://cpcorprotationltd.com/

http://serverxlogs21.xyz/statweb255/

http://servxblog79.xyz/statweb255/

http://demblog289.xyz/statweb255/

http://admlogs77x.online/statweb255/

http://blogxstat38.xyz/statweb255/

http://blogxstat25.xyz/statweb255/

rc4.i32

Extracted

Family

lumma

gstatic-node.io

Extracted

Family

systembc

adstat477d.xyz:4044

demstat577d.xyz:4044

Signatures

Detect rhadamanthys stealer shellcode 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4316-196-0x0000000002540000-0x0000000002940000-memory.dmp	family_rhadamanthys
behavioral2/memory/4316-197-0x0000000002540000-0x0000000002940000-memory.dmp	family_rhadamanthys
behavioral2/memory/4316-198-0x0000000002540000-0x0000000002940000-memory.dmp	family_rhadamanthys
behavioral2/memory/4316-200-0x0000000002540000-0x0000000002940000-memory.dmp	family_rhadamanthys
behavioral2/memory/4316-216-0x0000000002540000-0x0000000002940000-memory.dmp	family_rhadamanthys
behavioral2/memory/4316-219-0x0000000002540000-0x0000000002940000-memory.dmp	family_rhadamanthys

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

63B6.exe

description pid process target process

PID 4316 created 3140 4316 63B6.exe Explorer.EXE
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1412 bcdedit.exe
296 bcdedit.exe
Renames multiple (315) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

3412 wbadmin.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

544 netsh.exe
2440 netsh.exe
Drops startup file 1 IoCs

Processes:

HY5.exe

description ioc process

File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\HY5.exe HY5.exe
Executes dropped EXE 9 IoCs

Processes:

63B6.exe6FFC.exeJni(_]27.exeHY5.exeMOKNQohq0O.exeJni(_]27.exeHY5.exeFD34.exe43.exe

pid process

4316 63B6.exe
3412 6FFC.exe
1412 Jni(_]27.exe
3324 HY5.exe
1080 MOKNQohq0O.exe
5028 Jni(_]27.exe
5012 HY5.exe
2772 FD34.exe
3364 43.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process	target process
PID 4316 created 3140	4316	63B6.exe	Explorer.EXE

pid	process
1412	bcdedit.exe
296	bcdedit.exe

pid	process
3412	wbadmin.exe

pid	process
544	netsh.exe
2440	netsh.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\HY5.exe	HY5.exe

pid	process
4316	63B6.exe
3412	6FFC.exe
1412	Jni(_]27.exe
3324	HY5.exe
1080	MOKNQohq0O.exe
5028	Jni(_]27.exe
5012	HY5.exe
2772	FD34.exe
3364	43.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

HY5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HY5 = "C:\\Users\\Admin\\AppData\\Local\\HY5.exe"	HY5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HY5 = "C:\\Users\\Admin\\AppData\\Local\\HY5.exe"	HY5.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 4 IoCs

Processes:

HY5.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-618519468-4027732583-1827558364-1000\desktop.ini	HY5.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-618519468-4027732583-1827558364-1000\desktop.ini	HY5.exe
File opened for modification	C:\Program Files\desktop.ini	HY5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	HY5.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

Jni(_]27.exe

description pid process target process

PID 1412 set thread context of 5028 1412 Jni(_]27.exe Jni(_]27.exe

description	pid	process	target process
PID 1412 set thread context of 5028	1412	Jni(_]27.exe	Jni(_]27.exe

Drops file in Program Files directory 64 IoCs

Processes:

HY5.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-utility-l1-1-0.dll	HY5.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msxactps.dll	HY5.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bn.pak	HY5.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_zh_TW.properties.id[07ED5C0F-3483].[[email protected]].8base	HY5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\TEMPSITC.TTF	HY5.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\dbghelp.dll.id[07ED5C0F-3483].[[email protected]].8base	HY5.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	HY5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui	HY5.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\msadcor.dll.mui	HY5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\msvcp120.dll	HY5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man	HY5.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml.id[07ED5C0F-3483].[[email protected]].8base	HY5.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-explorer.xml.id[07ED5C0F-3483].[[email protected]].8base	HY5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\excel-udf-host.win32.bundle	HY5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-180.png	HY5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll	HY5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ppd.xrm-ms.id[07ED5C0F-3483].[[email protected]].8base	HY5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ppd.xrm-ms	HY5.exe
File created	C:\Program Files\7-Zip\Lang\sr-spc.txt.id[07ED5C0F-3483].[[email protected]].8base	HY5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui_5.5.0.165303.jar	HY5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-api.jar	HY5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ul-oob.xrm-ms	HY5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLMACRO.CHM.id[07ED5C0F-3483].[[email protected]].8base	HY5.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\LHANDW.TTF.id[07ED5C0F-3483].[[email protected]].8base	HY5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\QUAD.ELM	HY5.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	HY5.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui_5.5.0.165303.jar.id[07ED5C0F-3483].[[email protected]].8base	HY5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.felix.gogo.runtime_0.10.0.v201209301036.jar	HY5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ppd.xrm-ms	HY5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-pl.xrm-ms.id[07ED5C0F-3483].[[email protected]].8base	HY5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ppd.xrm-ms	HY5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.config.id[07ED5C0F-3483].[[email protected]].8base	HY5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN109.XML	HY5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	HY5.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sqlpdw.xsl.id[07ED5C0F-3483].[[email protected]].8base	HY5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GADUGI.TTF	HY5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	HY5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	HY5.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml.id[07ED5C0F-3483].[[email protected]].8base	HY5.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_MoveDrop32x32.gif.id[07ED5C0F-3483].[[email protected]].8base	HY5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms	HY5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-string-l1-1-0.dll.id[07ED5C0F-3483].[[email protected]].8base	HY5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man	HY5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\high-contrast.css	HY5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-pl.xrm-ms	HY5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\THMBNAIL.PNG	HY5.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator_1.1.0.v20131217-1203.jar.id[07ED5C0F-3483].[[email protected]].8base	HY5.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.properties.id[07ED5C0F-3483].[[email protected]].8base	HY5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql_2.0.100.v20131211-1531.jar	HY5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-pl.xrm-ms.id[07ED5C0F-3483].[[email protected]].8base	HY5.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\PROFILE.ELM.id[07ED5C0F-3483].[[email protected]].8base	HY5.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui	HY5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ppd.xrm-ms.id[07ED5C0F-3483].[[email protected]].8base	HY5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ppd.xrm-ms	HY5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ul-oob.xrm-ms.id[07ED5C0F-3483].[[email protected]].8base	HY5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OSFROAMINGPROXY.DLL	HY5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_zh_4.4.0.v20140623020002.jar	HY5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul.xrm-ms.id[07ED5C0F-3483].[[email protected]].8base	HY5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WEBSANDBOX.DLL.id[07ED5C0F-3483].[[email protected]].8base	HY5.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ucrtbase.dll.id[07ED5C0F-3483].[[email protected]].8base	HY5.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ko.pak.id[07ED5C0F-3483].[[email protected]].8base	HY5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ppd.xrm-ms.id[07ED5C0F-3483].[[email protected]].8base	HY5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaBrightRegular.ttf	HY5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui.zh_CN_5.5.0.165303.jar	HY5.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2708 4316 WerFault.exe 63B6.exe
1168 3412 WerFault.exe 6FFC.exe
4052 5012 WerFault.exe HY5.exe

pid	pid_target	process	target process
2708	4316	WerFault.exe	63B6.exe
1168	3412	WerFault.exe	6FFC.exe
4052	5012	WerFault.exe	HY5.exe

Checks SCSI registry key(s) 3 TTPs 10 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe1b94e6504da7365a7ac9e5f1c37ea714.exeJni(_]27.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1b94e6504da7365a7ac9e5f1c37ea714.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jni(_]27.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jni(_]27.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jni(_]27.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1b94e6504da7365a7ac9e5f1c37ea714.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1b94e6504da7365a7ac9e5f1c37ea714.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

certreq.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2412 vssadmin.exe

pid	process
2412	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1b94e6504da7365a7ac9e5f1c37ea714.exeExplorer.EXE

pid	process
864	1b94e6504da7365a7ac9e5f1c37ea714.exe
864	1b94e6504da7365a7ac9e5f1c37ea714.exe
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3140 Explorer.EXE

pid	process
3140	Explorer.EXE

Suspicious behavior: MapViewOfSection 22 IoCs

Processes:

1b94e6504da7365a7ac9e5f1c37ea714.exeExplorer.EXEJni(_]27.exe

pid	process
864	1b94e6504da7365a7ac9e5f1c37ea714.exe
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
5028	Jni(_]27.exe
3140	Explorer.EXE
3140	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 63 IoCs

Processes:

Explorer.EXEHY5.exevssvc.exeWMIC.exewbengine.exe

description	pid	process
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeDebugPrivilege	3324	HY5.exe
Token: SeBackupPrivilege	532	vssvc.exe
Token: SeRestorePrivilege	532	vssvc.exe
Token: SeAuditPrivilege	532	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4088	WMIC.exe
Token: SeSecurityPrivilege	4088	WMIC.exe
Token: SeTakeOwnershipPrivilege	4088	WMIC.exe
Token: SeLoadDriverPrivilege	4088	WMIC.exe
Token: SeSystemProfilePrivilege	4088	WMIC.exe
Token: SeSystemtimePrivilege	4088	WMIC.exe
Token: SeProfSingleProcessPrivilege	4088	WMIC.exe
Token: SeIncBasePriorityPrivilege	4088	WMIC.exe
Token: SeCreatePagefilePrivilege	4088	WMIC.exe
Token: SeBackupPrivilege	4088	WMIC.exe
Token: SeRestorePrivilege	4088	WMIC.exe
Token: SeShutdownPrivilege	4088	WMIC.exe
Token: SeDebugPrivilege	4088	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4088	WMIC.exe
Token: SeRemoteShutdownPrivilege	4088	WMIC.exe
Token: SeUndockPrivilege	4088	WMIC.exe
Token: SeManageVolumePrivilege	4088	WMIC.exe
Token: 33	4088	WMIC.exe
Token: 34	4088	WMIC.exe
Token: 35	4088	WMIC.exe
Token: 36	4088	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4088	WMIC.exe
Token: SeSecurityPrivilege	4088	WMIC.exe
Token: SeTakeOwnershipPrivilege	4088	WMIC.exe
Token: SeLoadDriverPrivilege	4088	WMIC.exe
Token: SeSystemProfilePrivilege	4088	WMIC.exe
Token: SeSystemtimePrivilege	4088	WMIC.exe
Token: SeProfSingleProcessPrivilege	4088	WMIC.exe
Token: SeIncBasePriorityPrivilege	4088	WMIC.exe
Token: SeCreatePagefilePrivilege	4088	WMIC.exe
Token: SeBackupPrivilege	4088	WMIC.exe
Token: SeRestorePrivilege	4088	WMIC.exe
Token: SeShutdownPrivilege	4088	WMIC.exe
Token: SeDebugPrivilege	4088	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4088	WMIC.exe
Token: SeRemoteShutdownPrivilege	4088	WMIC.exe
Token: SeUndockPrivilege	4088	WMIC.exe
Token: SeManageVolumePrivilege	4088	WMIC.exe
Token: 33	4088	WMIC.exe
Token: 34	4088	WMIC.exe
Token: 35	4088	WMIC.exe
Token: 36	4088	WMIC.exe
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeBackupPrivilege	4108	wbengine.exe
Token: SeRestorePrivilege	4108	wbengine.exe
Token: SeSecurityPrivilege	4108	wbengine.exe
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Explorer.EXE63B6.exeJni(_]27.exeHY5.execmd.execmd.exe

description	pid	process	target process
PID 3140 wrote to memory of 4316	3140	Explorer.EXE	63B6.exe
PID 3140 wrote to memory of 4316	3140	Explorer.EXE	63B6.exe
PID 3140 wrote to memory of 4316	3140	Explorer.EXE	63B6.exe
PID 3140 wrote to memory of 3412	3140	Explorer.EXE	6FFC.exe
PID 3140 wrote to memory of 3412	3140	Explorer.EXE	6FFC.exe
PID 3140 wrote to memory of 3412	3140	Explorer.EXE	6FFC.exe
PID 3140 wrote to memory of 1176	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 1176	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 1176	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 1176	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 5040	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 5040	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 5040	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 2160	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 2160	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 2160	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 2160	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 4440	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 4440	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 4440	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 5068	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 5068	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 5068	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 5068	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 4320	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 4320	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 4320	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 4320	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 3668	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 3668	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 3668	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 3668	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 988	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 988	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 988	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 4988	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 4988	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 4988	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 4988	3140	Explorer.EXE	explorer.exe
PID 4316 wrote to memory of 4120	4316	63B6.exe	certreq.exe
PID 4316 wrote to memory of 4120	4316	63B6.exe	certreq.exe
PID 4316 wrote to memory of 4120	4316	63B6.exe	certreq.exe
PID 4316 wrote to memory of 4120	4316	63B6.exe	certreq.exe
PID 1412 wrote to memory of 5028	1412	Jni(_]27.exe	Jni(_]27.exe
PID 1412 wrote to memory of 5028	1412	Jni(_]27.exe	Jni(_]27.exe
PID 1412 wrote to memory of 5028	1412	Jni(_]27.exe	Jni(_]27.exe
PID 1412 wrote to memory of 5028	1412	Jni(_]27.exe	Jni(_]27.exe
PID 1412 wrote to memory of 5028	1412	Jni(_]27.exe	Jni(_]27.exe
PID 1412 wrote to memory of 5028	1412	Jni(_]27.exe	Jni(_]27.exe
PID 3324 wrote to memory of 1528	3324	HY5.exe	cmd.exe
PID 3324 wrote to memory of 1528	3324	HY5.exe	cmd.exe
PID 3324 wrote to memory of 3508	3324	HY5.exe	cmd.exe
PID 3324 wrote to memory of 3508	3324	HY5.exe	cmd.exe
PID 3508 wrote to memory of 544	3508	cmd.exe	netsh.exe
PID 3508 wrote to memory of 544	3508	cmd.exe	netsh.exe
PID 1528 wrote to memory of 2412	1528	cmd.exe	vssadmin.exe
PID 1528 wrote to memory of 2412	1528	cmd.exe	vssadmin.exe
PID 1528 wrote to memory of 4088	1528	cmd.exe	WMIC.exe
PID 1528 wrote to memory of 4088	1528	cmd.exe	WMIC.exe
PID 3508 wrote to memory of 2440	3508	cmd.exe	netsh.exe
PID 3508 wrote to memory of 2440	3508	cmd.exe	netsh.exe
PID 1528 wrote to memory of 1412	1528	cmd.exe	bcdedit.exe
PID 1528 wrote to memory of 1412	1528	cmd.exe	bcdedit.exe
PID 1528 wrote to memory of 296	1528	cmd.exe	bcdedit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe

outlook_win_path 1 IoCs

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Users\Admin\AppData\Local\Temp\1b94e6504da7365a7ac9e5f1c37ea714.exe
  "C:\Users\Admin\AppData\Local\Temp\1b94e6504da7365a7ac9e5f1c37ea714.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:864
- C:\Users\Admin\AppData\Local\Temp\63B6.exe
  C:\Users\Admin\AppData\Local\Temp\63B6.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 788
    3⤵
    - Program crash
    PID:2708
- C:\Users\Admin\AppData\Local\Temp\6FFC.exe
  C:\Users\Admin\AppData\Local\Temp\6FFC.exe
  2⤵
  - Executes dropped EXE
  PID:3412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 3344
    3⤵
    - Program crash
    PID:1168
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:1176
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:5040
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:2160
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:4440
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:5068
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:4320
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:3668
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:988
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:4988
- C:\Windows\system32\certreq.exe
  "C:\Windows\system32\certreq.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - outlook_office_path
  - outlook_win_path
  PID:4120
- C:\Users\Admin\AppData\Local\Temp\FD34.exe
  C:\Users\Admin\AppData\Local\Temp\FD34.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Users\Admin\AppData\Local\Temp\43.exe
  C:\Users\Admin\AppData\Local\Temp\43.exe
  2⤵
  - Executes dropped EXE
  PID:3364
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:1676
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:3528
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:3348
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:4112
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:3340
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4316 -ip 4316
1⤵
PID:836

C:\Users\Admin\AppData\Local\Microsoft\Jni(_]27.exe
"C:\Users\Admin\AppData\Local\Microsoft\Jni(_]27.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Users\Admin\AppData\Local\Microsoft\Jni(_]27.exe
  "C:\Users\Admin\AppData\Local\Microsoft\Jni(_]27.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:5028

C:\Users\Admin\AppData\Local\Microsoft\HY5.exe
"C:\Users\Admin\AppData\Local\Microsoft\HY5.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3324
- C:\Users\Admin\AppData\Local\Microsoft\HY5.exe
  "C:\Users\Admin\AppData\Local\Microsoft\HY5.exe"
  2⤵
  - Executes dropped EXE
  PID:5012
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 480
    3⤵
    - Program crash
    PID:4052
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:544
- - C:\Windows\system32\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    PID:2440
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2412
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4088
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1412
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:296
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:3412

C:\Users\Admin\AppData\Local\Microsoft\MOKNQohq0O.exe
"C:\Users\Admin\AppData\Local\Microsoft\MOKNQohq0O.exe"
1⤵
- Executes dropped EXE
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3412 -ip 3412
1⤵
PID:2728

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1184

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5012 -ip 5012
1⤵
PID:2560

C:\Users\Admin\AppData\Roaming\rrahvuf
C:\Users\Admin\AppData\Roaming\rrahvuf
1⤵
PID:2696

C:\Users\Admin\AppData\Roaming\uwahvuf
C:\Users\Admin\AppData\Roaming\uwahvuf
1⤵
PID:4156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id[07ED5C0F-3483].[[email protected]].8base

Filesize
2.7MB

MD5
0bd50927af09a1bcc65bbe40a754e848

SHA1
bd6fa5d74d6365e88d63dda797ebbf4e8f9b474c

SHA256
6931acd1aefb331946b74f55524490529d10eb27ea578be5d3295965388e39e0

SHA512
7a030cbcf8f44a9118f7919d201d767954969b9d65e6beb5b99b092bccb717a028bfc960f0a8db3e9348d6ae358ee3177be15c92eb965f002c6598e90787276c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\HY5.exe

Filesize
164KB

MD5
7166d39e9c1cb17e1728d316531242b1

SHA1
d05810943685bcd70999ff0926215f5d6fe2637a

SHA256
8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7

SHA512
b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\HY5.exe

Filesize
164KB

MD5
7166d39e9c1cb17e1728d316531242b1

SHA1
d05810943685bcd70999ff0926215f5d6fe2637a

SHA256
8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7

SHA512
b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\HY5.exe

Filesize
164KB

MD5
7166d39e9c1cb17e1728d316531242b1

SHA1
d05810943685bcd70999ff0926215f5d6fe2637a

SHA256
8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7

SHA512
b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Jni(_]27.exe

Filesize
163KB

MD5
7d39a3778ad4a5d5e6c7e78fc9e05a00

SHA1
2b030e3180efb06721404fa0de1fbe4998618225

SHA256
21a3bdc28c80ad2f590418c95fa8ff8c21f2e8b80166c7dea43ddc70c16bfaf9

SHA512
1a0693245d226de50eacd2c8ae0081cea3c20e8b9f6f0f0dff69468aba294c402fba321920129346528bc1d5512e6db31f551f049b95177add129dae6148cc2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Jni(_]27.exe

Filesize
163KB

MD5
7d39a3778ad4a5d5e6c7e78fc9e05a00

SHA1
2b030e3180efb06721404fa0de1fbe4998618225

SHA256
21a3bdc28c80ad2f590418c95fa8ff8c21f2e8b80166c7dea43ddc70c16bfaf9

SHA512
1a0693245d226de50eacd2c8ae0081cea3c20e8b9f6f0f0dff69468aba294c402fba321920129346528bc1d5512e6db31f551f049b95177add129dae6148cc2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Jni(_]27.exe

Filesize
163KB

MD5
7d39a3778ad4a5d5e6c7e78fc9e05a00

SHA1
2b030e3180efb06721404fa0de1fbe4998618225

SHA256
21a3bdc28c80ad2f590418c95fa8ff8c21f2e8b80166c7dea43ddc70c16bfaf9

SHA512
1a0693245d226de50eacd2c8ae0081cea3c20e8b9f6f0f0dff69468aba294c402fba321920129346528bc1d5512e6db31f551f049b95177add129dae6148cc2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\MOKNQohq0O.exe

Filesize
164KB

MD5
16bab536f93bbf833bca053e355402ee

SHA1
8b7ccbef0fcb0edab800b6ddc0c9d302b0a03374

SHA256
b8c302a27f96d81723dae52638784519772a968b84533a793e69aab74ef08ba4

SHA512
c7f9b1f0a6034e22b61febcab103482dc613f861a987e53569a2526aba56826fd06f98fe357506fd4f2806abc7f84c3d86e2e046cdfac3539eea6e67ff9c603f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\MOKNQohq0O.exe

Filesize
164KB

MD5
16bab536f93bbf833bca053e355402ee

SHA1
8b7ccbef0fcb0edab800b6ddc0c9d302b0a03374

SHA256
b8c302a27f96d81723dae52638784519772a968b84533a793e69aab74ef08ba4

SHA512
c7f9b1f0a6034e22b61febcab103482dc613f861a987e53569a2526aba56826fd06f98fe357506fd4f2806abc7f84c3d86e2e046cdfac3539eea6e67ff9c603f

Download Submit
C:\Users\Admin\AppData\Local\Temp\43.exe

Filesize
164KB

MD5
16bab536f93bbf833bca053e355402ee

SHA1
8b7ccbef0fcb0edab800b6ddc0c9d302b0a03374

SHA256
b8c302a27f96d81723dae52638784519772a968b84533a793e69aab74ef08ba4

SHA512
c7f9b1f0a6034e22b61febcab103482dc613f861a987e53569a2526aba56826fd06f98fe357506fd4f2806abc7f84c3d86e2e046cdfac3539eea6e67ff9c603f

Download Submit
C:\Users\Admin\AppData\Local\Temp\43.exe

Filesize
164KB

MD5
16bab536f93bbf833bca053e355402ee

SHA1
8b7ccbef0fcb0edab800b6ddc0c9d302b0a03374

SHA256
b8c302a27f96d81723dae52638784519772a968b84533a793e69aab74ef08ba4

SHA512
c7f9b1f0a6034e22b61febcab103482dc613f861a987e53569a2526aba56826fd06f98fe357506fd4f2806abc7f84c3d86e2e046cdfac3539eea6e67ff9c603f

Download Submit
C:\Users\Admin\AppData\Local\Temp\63B6.exe

Filesize
374KB

MD5
11715c27335a026129dfc1695ebc8888

SHA1
0ffaa4f65fbf2bc0750b972621f37c787b0231e2

SHA256
c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482

SHA512
f7743e16fa619a90cb2c216bc46e2f3b10973e2d3aeb81be27d284e52758cc6fd204dc0babef2bfd01e8bfdc12e70c35dd0f50472f06635f489d2db8060b1220

Download Submit
C:\Users\Admin\AppData\Local\Temp\63B6.exe

Filesize
374KB

MD5
11715c27335a026129dfc1695ebc8888

SHA1
0ffaa4f65fbf2bc0750b972621f37c787b0231e2

SHA256
c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482

SHA512
f7743e16fa619a90cb2c216bc46e2f3b10973e2d3aeb81be27d284e52758cc6fd204dc0babef2bfd01e8bfdc12e70c35dd0f50472f06635f489d2db8060b1220

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FFC.exe

Filesize
290KB

MD5
6d35d4cb11e99f8645441b0f1f96da3d

SHA1
3b6e12da0c1c37d38db867ab6330ace34461c56a

SHA256
9066d830ae21197499f19a044054b0ea96f5be17cbb246714e15f36f32312204

SHA512
01b5b75ce608f55f70c6471bb20f0a248116ef902f4bd602b5cf11fed747e0af9b811fbe74d393895672806f2b525900c6cef0ce889229d27032683a5e591aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FFC.exe

Filesize
290KB

MD5
6d35d4cb11e99f8645441b0f1f96da3d

SHA1
3b6e12da0c1c37d38db867ab6330ace34461c56a

SHA256
9066d830ae21197499f19a044054b0ea96f5be17cbb246714e15f36f32312204

SHA512
01b5b75ce608f55f70c6471bb20f0a248116ef902f4bd602b5cf11fed747e0af9b811fbe74d393895672806f2b525900c6cef0ce889229d27032683a5e591aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD34.exe

Filesize
164KB

MD5
7166d39e9c1cb17e1728d316531242b1

SHA1
d05810943685bcd70999ff0926215f5d6fe2637a

SHA256
8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7

SHA512
b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD34.exe

Filesize
164KB

MD5
7166d39e9c1cb17e1728d316531242b1

SHA1
d05810943685bcd70999ff0926215f5d6fe2637a

SHA256
8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7

SHA512
b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD34.exe

Filesize
164KB

MD5
7166d39e9c1cb17e1728d316531242b1

SHA1
d05810943685bcd70999ff0926215f5d6fe2637a

SHA256
8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7

SHA512
b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\cookies.sqlite.id[07ED5C0F-3483].[[email protected]].8base

Filesize
96KB

MD5
05a87f2afd4c4ba5f9c852fed70390ad

SHA1
f47dc599a99b1a07036f3c0d6df243f9fb9b73f6

SHA256
e2f93150a39346b2b0e41f7d28eeec6bb156f4cb770c4bd736913f4eb213505e

SHA512
2d2f5275af1478b737b42215d427f5e919833f5a8c706e2a35aa6da2ce687636ce75fd4338ae742b06a181eb76c2e5a9e88ca8d1c04c8f32ac5b5154daccfc55

Download Submit
memory/864-134-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/864-138-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/864-136-0x0000000002240000-0x0000000002249000-memory.dmp

Filesize
36KB

Download
memory/864-135-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/988-184-0x0000000000B90000-0x0000000000B9D000-memory.dmp

Filesize
52KB

Download
memory/988-181-0x0000000000B90000-0x0000000000B9D000-memory.dmp

Filesize
52KB

Download
memory/988-199-0x0000000000BA0000-0x0000000000BA7000-memory.dmp

Filesize
28KB

Download
memory/988-183-0x0000000000BA0000-0x0000000000BA7000-memory.dmp

Filesize
28KB

Download
memory/1080-270-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1080-267-0x0000000000650000-0x0000000000655000-memory.dmp

Filesize
20KB

Download
memory/1080-266-0x00000000006C0000-0x00000000007C0000-memory.dmp

Filesize
1024KB

Download
memory/1080-718-0x00000000006C0000-0x00000000007C0000-memory.dmp

Filesize
1024KB

Download
memory/1176-158-0x00000000016A0000-0x00000000016A7000-memory.dmp

Filesize
28KB

Download
memory/1176-173-0x00000000016A0000-0x00000000016A7000-memory.dmp

Filesize
28KB

Download
memory/1176-160-0x0000000001690000-0x000000000169B000-memory.dmp

Filesize
44KB

Download
memory/1176-159-0x0000000001690000-0x000000000169B000-memory.dmp

Filesize
44KB

Download
memory/1412-263-0x0000000000630000-0x0000000000639000-memory.dmp

Filesize
36KB

Download
memory/1412-261-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1676-5746-0x0000000000E40000-0x0000000000EAB000-memory.dmp

Filesize
428KB

Download
memory/2160-164-0x0000000000E00000-0x0000000000E09000-memory.dmp

Filesize
36KB

Download
memory/2160-166-0x0000000000E00000-0x0000000000E09000-memory.dmp

Filesize
36KB

Download
memory/2160-165-0x0000000000E10000-0x0000000000E15000-memory.dmp

Filesize
20KB

Download
memory/2160-182-0x0000000000E10000-0x0000000000E15000-memory.dmp

Filesize
20KB

Download
memory/3140-276-0x0000000007750000-0x0000000007766000-memory.dmp

Filesize
88KB

Download
memory/3140-137-0x0000000006CB0000-0x0000000006CC6000-memory.dmp

Filesize
88KB

Download
memory/3324-271-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/3324-839-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3324-1094-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/3324-2400-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3324-4578-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3324-269-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3324-268-0x0000000000600000-0x000000000060F000-memory.dmp

Filesize
60KB

Download
memory/3324-5988-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/3412-260-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3412-221-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/3412-203-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3412-201-0x0000000002160000-0x00000000021B5000-memory.dmp

Filesize
340KB

Download
memory/3412-222-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3412-202-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/3412-220-0x0000000002160000-0x00000000021B5000-memory.dmp

Filesize
340KB

Download
memory/3528-5989-0x0000000000770000-0x000000000077C000-memory.dmp

Filesize
48KB

Download
memory/3668-177-0x00000000009A0000-0x00000000009AB000-memory.dmp

Filesize
44KB

Download
memory/3668-180-0x00000000009A0000-0x00000000009AB000-memory.dmp

Filesize
44KB

Download
memory/3668-179-0x00000000009B0000-0x00000000009B6000-memory.dmp

Filesize
24KB

Download
memory/3668-194-0x00000000009B0000-0x00000000009B6000-memory.dmp

Filesize
24KB

Download
memory/4120-226-0x00007FF4DCD80000-0x00007FF4DCEAD000-memory.dmp

Filesize
1.2MB

Download
memory/4120-234-0x00007FF4DCD80000-0x00007FF4DCEAD000-memory.dmp

Filesize
1.2MB

Download
memory/4120-223-0x000001DED99C0000-0x000001DED99C3000-memory.dmp

Filesize
12KB

Download
memory/4120-224-0x000001DED9C60000-0x000001DED9C67000-memory.dmp

Filesize
28KB

Download
memory/4120-225-0x00007FF4DCD80000-0x00007FF4DCEAD000-memory.dmp

Filesize
1.2MB

Download
memory/4120-258-0x00007FFB71A70000-0x00007FFB71C65000-memory.dmp

Filesize
2.0MB

Download
memory/4120-227-0x00007FF4DCD80000-0x00007FF4DCEAD000-memory.dmp

Filesize
1.2MB

Download
memory/4120-228-0x00007FF4DCD80000-0x00007FF4DCEAD000-memory.dmp

Filesize
1.2MB

Download
memory/4120-229-0x00007FF4DCD80000-0x00007FF4DCEAD000-memory.dmp

Filesize
1.2MB

Download
memory/4120-231-0x00007FF4DCD80000-0x00007FF4DCEAD000-memory.dmp

Filesize
1.2MB

Download
memory/4120-233-0x00007FF4DCD80000-0x00007FF4DCEAD000-memory.dmp

Filesize
1.2MB

Download
memory/4120-257-0x000001DED9C60000-0x000001DED9C65000-memory.dmp

Filesize
20KB

Download
memory/4120-235-0x00007FF4DCD80000-0x00007FF4DCEAD000-memory.dmp

Filesize
1.2MB

Download
memory/4120-236-0x00007FFB71A70000-0x00007FFB71C65000-memory.dmp

Filesize
2.0MB

Download
memory/4120-237-0x00007FF4DCD80000-0x00007FF4DCEAD000-memory.dmp

Filesize
1.2MB

Download
memory/4120-238-0x00007FF4DCD80000-0x00007FF4DCEAD000-memory.dmp

Filesize
1.2MB

Download
memory/4120-239-0x00007FF4DCD80000-0x00007FF4DCEAD000-memory.dmp

Filesize
1.2MB

Download
memory/4120-241-0x00007FF4DCD80000-0x00007FF4DCEAD000-memory.dmp

Filesize
1.2MB

Download
memory/4120-242-0x00007FF4DCD80000-0x00007FF4DCEAD000-memory.dmp

Filesize
1.2MB

Download
memory/4120-243-0x00007FFB71A70000-0x00007FFB71C65000-memory.dmp

Filesize
2.0MB

Download
memory/4120-206-0x000001DED99C0000-0x000001DED99C3000-memory.dmp

Filesize
12KB

Download
memory/4316-198-0x0000000002540000-0x0000000002940000-memory.dmp

Filesize
4.0MB

Download
memory/4316-208-0x00000000024D0000-0x0000000002506000-memory.dmp

Filesize
216KB

Download
memory/4316-219-0x0000000002540000-0x0000000002940000-memory.dmp

Filesize
4.0MB

Download
memory/4316-197-0x0000000002540000-0x0000000002940000-memory.dmp

Filesize
4.0MB

Download
memory/4316-196-0x0000000002540000-0x0000000002940000-memory.dmp

Filesize
4.0MB

Download
memory/4316-218-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/4316-215-0x00000000024D0000-0x0000000002506000-memory.dmp

Filesize
216KB

Download
memory/4316-195-0x00000000021D0000-0x00000000021D7000-memory.dmp

Filesize
28KB

Download
memory/4316-216-0x0000000002540000-0x0000000002940000-memory.dmp

Filesize
4.0MB

Download
memory/4316-200-0x0000000002540000-0x0000000002940000-memory.dmp

Filesize
4.0MB

Download
memory/4316-205-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/4316-207-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/4316-192-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/4316-191-0x0000000002040000-0x00000000020B1000-memory.dmp

Filesize
452KB

Download
memory/4316-190-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/4320-175-0x0000000000550000-0x0000000000555000-memory.dmp

Filesize
20KB

Download
memory/4320-174-0x0000000000540000-0x0000000000549000-memory.dmp

Filesize
36KB

Download
memory/4320-176-0x0000000000540000-0x0000000000549000-memory.dmp

Filesize
36KB

Download
memory/4320-193-0x0000000000550000-0x0000000000555000-memory.dmp

Filesize
20KB

Download
memory/4440-167-0x00000000004D0000-0x00000000004DC000-memory.dmp

Filesize
48KB

Download
memory/4440-168-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download
memory/4440-186-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download
memory/4440-169-0x00000000004D0000-0x00000000004DC000-memory.dmp

Filesize
48KB

Download
memory/4988-204-0x00000000007B0000-0x00000000007B8000-memory.dmp

Filesize
32KB

Download
memory/4988-188-0x00000000007A0000-0x00000000007AB000-memory.dmp

Filesize
44KB

Download
memory/4988-185-0x00000000007A0000-0x00000000007AB000-memory.dmp

Filesize
44KB

Download
memory/4988-187-0x00000000007B0000-0x00000000007B8000-memory.dmp

Filesize
32KB

Download
memory/5012-2264-0x0000000000690000-0x0000000000790000-memory.dmp

Filesize
1024KB

Download
memory/5012-2270-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/5028-277-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5028-265-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5028-262-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5040-178-0x00000000003F0000-0x00000000003FF000-memory.dmp

Filesize
60KB

Download
memory/5040-163-0x00000000003F0000-0x00000000003FF000-memory.dmp

Filesize
60KB

Download
memory/5040-161-0x0000000000680000-0x0000000000689000-memory.dmp

Filesize
36KB

Download
memory/5068-172-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/5068-171-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5068-170-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/5068-189-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download