dcrat | b8fe0b788b7717ab0e18dd23d32df615d1f2ff658bd08cfd6c61fceca5a456fe

Analysis

max time kernel
150s
max time network
147s
platform
windows10-1703_x64
resource
win10-20231129-en
resource tags

arch:x64arch:x86image:win10-20231129-enlocale:en-usos:windows10-1703-x64system
submitted
06-12-2023 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8fe0b788b7717ab0e18dd23d32df615d1f2ff658bd08cfd6c61fceca5a456fe.exe
Size

365KB
MD5

0cb1d0221840068398a7749e80bbe353
SHA1

fa99d48afe2d4b2804db3e435a462fbd4339fb71
SHA256

b8fe0b788b7717ab0e18dd23d32df615d1f2ff658bd08cfd6c61fceca5a456fe
SHA512

dc5169b7f95a797333adad88f8570e87bd85d32d7324dcde5539884c4cc8f33d4b80ffe92d6c0a1bc0a98830ba3126c040695cc3108eeb1aad24f9c35dc3921d
SSDEEP

3072:Gs5/nzFOust3E9X2LQBlI/iOSMwmgUDLl21/5hC95q7Vdb9r6+:hf5sLQYaO2mHL065qDh

Malware Config

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

djvu

http://zexeq.com/test1/get.php

Attributes

extension
.nbzi
offline_id
csCsb6cUvy0iMa6NgGCGH0hSfXQlGjZVEmFVkgt1
payload_url
http://brusuax.com/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-8dGJ2tqlOd Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0832ASdw

rsa_pubkey.plain

Extracted

Family

risepro

193.233.132.51

Signatures

DcRat 5 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

b8fe0b788b7717ab0e18dd23d32df615d1f2ff658bd08cfd6c61fceca5a456fe.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b8fe0b788b7717ab0e18dd23d32df615d1f2ff658bd08cfd6c61fceca5a456fe.exe
3128	schtasks.exe
196	schtasks.exe
4548	schtasks.exe
3468	schtasks.exe

Detect ZGRat V1 23 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3904-108-0x00000291404A0000-0x0000029140584000-memory.dmp	family_zgrat_v1
behavioral1/memory/3904-121-0x00000291404A0000-0x0000029140580000-memory.dmp	family_zgrat_v1
behavioral1/memory/3904-122-0x00000291404A0000-0x0000029140580000-memory.dmp	family_zgrat_v1
behavioral1/memory/3904-126-0x00000291404A0000-0x0000029140580000-memory.dmp	family_zgrat_v1
behavioral1/memory/3904-132-0x00000291404A0000-0x0000029140580000-memory.dmp	family_zgrat_v1
behavioral1/memory/3904-138-0x00000291404A0000-0x0000029140580000-memory.dmp	family_zgrat_v1
behavioral1/memory/3904-144-0x00000291404A0000-0x0000029140580000-memory.dmp	family_zgrat_v1
behavioral1/memory/3904-150-0x00000291404A0000-0x0000029140580000-memory.dmp	family_zgrat_v1
behavioral1/memory/3904-170-0x00000291404A0000-0x0000029140580000-memory.dmp	family_zgrat_v1
behavioral1/memory/3904-165-0x00000291404A0000-0x0000029140580000-memory.dmp	family_zgrat_v1
behavioral1/memory/3904-163-0x00000291404A0000-0x0000029140580000-memory.dmp	family_zgrat_v1
behavioral1/memory/3904-159-0x00000291404A0000-0x0000029140580000-memory.dmp	family_zgrat_v1
behavioral1/memory/3904-154-0x00000291404A0000-0x0000029140580000-memory.dmp	family_zgrat_v1
behavioral1/memory/3904-152-0x00000291404A0000-0x0000029140580000-memory.dmp	family_zgrat_v1
behavioral1/memory/3904-148-0x00000291404A0000-0x0000029140580000-memory.dmp	family_zgrat_v1
behavioral1/memory/3904-146-0x00000291404A0000-0x0000029140580000-memory.dmp	family_zgrat_v1
behavioral1/memory/3904-142-0x00000291404A0000-0x0000029140580000-memory.dmp	family_zgrat_v1
behavioral1/memory/3904-140-0x00000291404A0000-0x0000029140580000-memory.dmp	family_zgrat_v1
behavioral1/memory/3904-136-0x00000291404A0000-0x0000029140580000-memory.dmp	family_zgrat_v1
behavioral1/memory/3904-134-0x00000291404A0000-0x0000029140580000-memory.dmp	family_zgrat_v1
behavioral1/memory/3904-130-0x00000291404A0000-0x0000029140580000-memory.dmp	family_zgrat_v1
behavioral1/memory/3904-128-0x00000291404A0000-0x0000029140580000-memory.dmp	family_zgrat_v1
behavioral1/memory/3904-124-0x00000291404A0000-0x0000029140580000-memory.dmp	family_zgrat_v1

Detected Djvu ransomware 15 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2860-55-0x00000000025B0000-0x00000000026CB000-memory.dmp	family_djvu
behavioral1/memory/192-57-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/192-56-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/192-53-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/192-51-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/192-71-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4748-80-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4748-79-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4748-78-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4748-88-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4748-87-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4748-115-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4748-117-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4748-120-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4748-1410-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4156-236-0x0000000000CD0000-0x0000000000CE6000-memory.dmp	family_raccoon_v2
behavioral1/memory/4156-239-0x0000000000400000-0x0000000000B9B000-memory.dmp	family_raccoon_v2

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

2AF5.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2AF5.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2AF5.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2AF5.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2AF5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2AF5.exe

Drops startup file 2 IoCs

Processes:

1vh52gV1.exebdobwhq.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	1vh52gV1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\provisionshare.url	bdobwhq.exe

Executes dropped EXE 24 IoCs

Processes:

2AF5.exe3D46.exe3D46.exe3D46.exe3D46.exe467E.exe467E.exebuild2.exebuild2.exe4FF5.exebuild3.exe5A46.exeZv1cs20.exeHU9Im35.exeEX3RK79.exe1vh52gV1.exebuild3.exemstsca.exeContextProperties.exeContextProperties.exemstsca.exebdobwhq.exebdobwhq.exemstsca.exe

pid	process
4592	2AF5.exe
2860	3D46.exe
192	3D46.exe
2236	3D46.exe
4748	3D46.exe
1400	467E.exe
3904	467E.exe
4316	build2.exe
776	build2.exe
4156	4FF5.exe
3220	build3.exe
3604	5A46.exe
1564	Zv1cs20.exe
2400	HU9Im35.exe
1364	EX3RK79.exe
3600	1vh52gV1.exe
4156	build3.exe
4248	mstsca.exe
4592	ContextProperties.exe
1952	ContextProperties.exe
1112	mstsca.exe
4256	bdobwhq.exe
4936	bdobwhq.exe
3908	mstsca.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1764 icacls.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1764	icacls.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\2AF5.exe	themida
C:\Users\Admin\AppData\Local\Temp\2AF5.exe	themida
behavioral1/memory/4592-37-0x0000000000B70000-0x000000000163A000-memory.dmp	themida
behavioral1/memory/4592-1228-0x0000000000B70000-0x000000000163A000-memory.dmp	themida

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

1vh52gV1.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1vh52gV1.exe
Key opened	\REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1vh52gV1.exe
Key opened	\REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1vh52gV1.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5A46.exeZv1cs20.exeHU9Im35.exeEX3RK79.exe1vh52gV1.exebdobwhq.exe3D46.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5A46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Zv1cs20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	HU9Im35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	EX3RK79.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	1vh52gV1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Windows\CurrentVersion\Run\Izhnav = "C:\\Users\\Admin\\AppData\\Roaming\\Izhnav.exe"	bdobwhq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a1131d02-e154-4850-8021-2e631517f827\\3D46.exe\" --AutoStart"	3D46.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

2AF5.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2AF5.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

56 api.2ip.ua
88 ipinfo.io
43 api.2ip.ua
44 api.2ip.ua

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2AF5.exe

flow	ioc
56	api.2ip.ua
88	ipinfo.io
43	api.2ip.ua
44	api.2ip.ua

Drops file in System32 directory 4 IoCs

Processes:

1vh52gV1.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	1vh52gV1.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	1vh52gV1.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	1vh52gV1.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	1vh52gV1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

2AF5.exe

pid process

4592 2AF5.exe

Suspicious use of SetThreadContext 11 IoCs

Processes:

b8fe0b788b7717ab0e18dd23d32df615d1f2ff658bd08cfd6c61fceca5a456fe.exe3D46.exe3D46.exe467E.exebuild2.exebuild3.exeContextProperties.exeContextProperties.exeMSBuild.exemstsca.exebdobwhq.exe

description	pid	process	target process
PID 4524 set thread context of 4480	4524	b8fe0b788b7717ab0e18dd23d32df615d1f2ff658bd08cfd6c61fceca5a456fe.exe	b8fe0b788b7717ab0e18dd23d32df615d1f2ff658bd08cfd6c61fceca5a456fe.exe
PID 2860 set thread context of 192	2860	3D46.exe	3D46.exe
PID 2236 set thread context of 4748	2236	3D46.exe	3D46.exe
PID 1400 set thread context of 3904	1400	467E.exe	467E.exe
PID 4316 set thread context of 776	4316	build2.exe	build2.exe
PID 3220 set thread context of 4156	3220	build3.exe	build3.exe
PID 4592 set thread context of 1952	4592	ContextProperties.exe	ContextProperties.exe
PID 1952 set thread context of 3564	1952	ContextProperties.exe	MSBuild.exe
PID 3564 set thread context of 2304	3564	MSBuild.exe	MSBuild.exe
PID 4248 set thread context of 1112	4248	mstsca.exe	mstsca.exe
PID 4256 set thread context of 4936	4256	bdobwhq.exe	bdobwhq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2972	4480	WerFault.exe	b8fe0b788b7717ab0e18dd23d32df615d1f2ff658bd08cfd6c61fceca5a456fe.exe
4516	776	WerFault.exe	build2.exe
4744	3600	WerFault.exe	1vh52gV1.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b8fe0b788b7717ab0e18dd23d32df615d1f2ff658bd08cfd6c61fceca5a456fe.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b8fe0b788b7717ab0e18dd23d32df615d1f2ff658bd08cfd6c61fceca5a456fe.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b8fe0b788b7717ab0e18dd23d32df615d1f2ff658bd08cfd6c61fceca5a456fe.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b8fe0b788b7717ab0e18dd23d32df615d1f2ff658bd08cfd6c61fceca5a456fe.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1vh52gV1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1vh52gV1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	1vh52gV1.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3128 schtasks.exe
196 schtasks.exe
4548 schtasks.exe
3468 schtasks.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 152 Go-http-client/1.1

pid	process
3128	schtasks.exe
196	schtasks.exe
4548	schtasks.exe
3468	schtasks.exe

description	flow	ioc
HTTP User-Agent header	152	Go-http-client/1.1

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

build2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae453000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877609000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030120000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	build2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b8fe0b788b7717ab0e18dd23d32df615d1f2ff658bd08cfd6c61fceca5a456fe.exe

pid	process
4480	b8fe0b788b7717ab0e18dd23d32df615d1f2ff658bd08cfd6c61fceca5a456fe.exe
4480	b8fe0b788b7717ab0e18dd23d32df615d1f2ff658bd08cfd6c61fceca5a456fe.exe
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

b8fe0b788b7717ab0e18dd23d32df615d1f2ff658bd08cfd6c61fceca5a456fe.exe

pid process

4480 b8fe0b788b7717ab0e18dd23d32df615d1f2ff658bd08cfd6c61fceca5a456fe.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

467E.exe2AF5.exe467E.exeContextProperties.exeContextProperties.exeMSBuild.exeMSBuild.exebdobwhq.exe

description	pid	process
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeDebugPrivilege	1400	467E.exe
Token: SeDebugPrivilege	4592	2AF5.exe
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeDebugPrivilege	3904	467E.exe
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeDebugPrivilege	4592	ContextProperties.exe
Token: SeDebugPrivilege	1952	ContextProperties.exe
Token: SeDebugPrivilege	3564	MSBuild.exe
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeDebugPrivilege	2304	MSBuild.exe
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeDebugPrivilege	4256	bdobwhq.exe
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

pid process

3424
3424
3424
3424
3424
3424
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

3424
3424

pid	process
3424
3424
3424
3424
3424
3424

pid	process
3424
3424

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b8fe0b788b7717ab0e18dd23d32df615d1f2ff658bd08cfd6c61fceca5a456fe.execmd.execmd.exe3D46.exe3D46.exe3D46.exe467E.exe3D46.exebuild2.exe

description	pid	process	target process
PID 4524 wrote to memory of 4480	4524	b8fe0b788b7717ab0e18dd23d32df615d1f2ff658bd08cfd6c61fceca5a456fe.exe	b8fe0b788b7717ab0e18dd23d32df615d1f2ff658bd08cfd6c61fceca5a456fe.exe
PID 4524 wrote to memory of 4480	4524	b8fe0b788b7717ab0e18dd23d32df615d1f2ff658bd08cfd6c61fceca5a456fe.exe	b8fe0b788b7717ab0e18dd23d32df615d1f2ff658bd08cfd6c61fceca5a456fe.exe
PID 4524 wrote to memory of 4480	4524	b8fe0b788b7717ab0e18dd23d32df615d1f2ff658bd08cfd6c61fceca5a456fe.exe	b8fe0b788b7717ab0e18dd23d32df615d1f2ff658bd08cfd6c61fceca5a456fe.exe
PID 4524 wrote to memory of 4480	4524	b8fe0b788b7717ab0e18dd23d32df615d1f2ff658bd08cfd6c61fceca5a456fe.exe	b8fe0b788b7717ab0e18dd23d32df615d1f2ff658bd08cfd6c61fceca5a456fe.exe
PID 4524 wrote to memory of 4480	4524	b8fe0b788b7717ab0e18dd23d32df615d1f2ff658bd08cfd6c61fceca5a456fe.exe	b8fe0b788b7717ab0e18dd23d32df615d1f2ff658bd08cfd6c61fceca5a456fe.exe
PID 4524 wrote to memory of 4480	4524	b8fe0b788b7717ab0e18dd23d32df615d1f2ff658bd08cfd6c61fceca5a456fe.exe	b8fe0b788b7717ab0e18dd23d32df615d1f2ff658bd08cfd6c61fceca5a456fe.exe
PID 3424 wrote to memory of 2688	3424		cmd.exe
PID 3424 wrote to memory of 2688	3424		cmd.exe
PID 2688 wrote to memory of 4516	2688	cmd.exe	reg.exe
PID 2688 wrote to memory of 4516	2688	cmd.exe	reg.exe
PID 3424 wrote to memory of 212	3424		cmd.exe
PID 3424 wrote to memory of 212	3424		cmd.exe
PID 212 wrote to memory of 924	212	cmd.exe	reg.exe
PID 212 wrote to memory of 924	212	cmd.exe	reg.exe
PID 3424 wrote to memory of 4592	3424		2AF5.exe
PID 3424 wrote to memory of 4592	3424		2AF5.exe
PID 3424 wrote to memory of 4592	3424		2AF5.exe
PID 3424 wrote to memory of 2860	3424		3D46.exe
PID 3424 wrote to memory of 2860	3424		3D46.exe
PID 3424 wrote to memory of 2860	3424		3D46.exe
PID 2860 wrote to memory of 192	2860	3D46.exe	3D46.exe
PID 2860 wrote to memory of 192	2860	3D46.exe	3D46.exe
PID 2860 wrote to memory of 192	2860	3D46.exe	3D46.exe
PID 2860 wrote to memory of 192	2860	3D46.exe	3D46.exe
PID 2860 wrote to memory of 192	2860	3D46.exe	3D46.exe
PID 2860 wrote to memory of 192	2860	3D46.exe	3D46.exe
PID 2860 wrote to memory of 192	2860	3D46.exe	3D46.exe
PID 2860 wrote to memory of 192	2860	3D46.exe	3D46.exe
PID 2860 wrote to memory of 192	2860	3D46.exe	3D46.exe
PID 2860 wrote to memory of 192	2860	3D46.exe	3D46.exe
PID 192 wrote to memory of 1764	192	3D46.exe	icacls.exe
PID 192 wrote to memory of 1764	192	3D46.exe	icacls.exe
PID 192 wrote to memory of 1764	192	3D46.exe	icacls.exe
PID 192 wrote to memory of 2236	192	3D46.exe	3D46.exe
PID 192 wrote to memory of 2236	192	3D46.exe	3D46.exe
PID 192 wrote to memory of 2236	192	3D46.exe	3D46.exe
PID 2236 wrote to memory of 4748	2236	3D46.exe	3D46.exe
PID 2236 wrote to memory of 4748	2236	3D46.exe	3D46.exe
PID 2236 wrote to memory of 4748	2236	3D46.exe	3D46.exe
PID 2236 wrote to memory of 4748	2236	3D46.exe	3D46.exe
PID 2236 wrote to memory of 4748	2236	3D46.exe	3D46.exe
PID 2236 wrote to memory of 4748	2236	3D46.exe	3D46.exe
PID 2236 wrote to memory of 4748	2236	3D46.exe	3D46.exe
PID 2236 wrote to memory of 4748	2236	3D46.exe	3D46.exe
PID 2236 wrote to memory of 4748	2236	3D46.exe	3D46.exe
PID 2236 wrote to memory of 4748	2236	3D46.exe	3D46.exe
PID 3424 wrote to memory of 1400	3424		467E.exe
PID 3424 wrote to memory of 1400	3424		467E.exe
PID 1400 wrote to memory of 3904	1400	467E.exe	467E.exe
PID 1400 wrote to memory of 3904	1400	467E.exe	467E.exe
PID 1400 wrote to memory of 3904	1400	467E.exe	467E.exe
PID 1400 wrote to memory of 3904	1400	467E.exe	467E.exe
PID 1400 wrote to memory of 3904	1400	467E.exe	467E.exe
PID 1400 wrote to memory of 3904	1400	467E.exe	467E.exe
PID 4748 wrote to memory of 4316	4748	3D46.exe	build2.exe
PID 4748 wrote to memory of 4316	4748	3D46.exe	build2.exe
PID 4748 wrote to memory of 4316	4748	3D46.exe	build2.exe
PID 4316 wrote to memory of 776	4316	build2.exe	build2.exe
PID 4316 wrote to memory of 776	4316	build2.exe	build2.exe
PID 4316 wrote to memory of 776	4316	build2.exe	build2.exe
PID 4316 wrote to memory of 776	4316	build2.exe	build2.exe
PID 4316 wrote to memory of 776	4316	build2.exe	build2.exe
PID 4316 wrote to memory of 776	4316	build2.exe	build2.exe
PID 4316 wrote to memory of 776	4316	build2.exe	build2.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

1vh52gV1.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1vh52gV1.exe

outlook_win_path 1 IoCs

Processes:

1vh52gV1.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1vh52gV1.exe

C:\Users\Admin\AppData\Local\Temp\b8fe0b788b7717ab0e18dd23d32df615d1f2ff658bd08cfd6c61fceca5a456fe.exe
"C:\Users\Admin\AppData\Local\Temp\b8fe0b788b7717ab0e18dd23d32df615d1f2ff658bd08cfd6c61fceca5a456fe.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4524

C:\Users\Admin\AppData\Local\Temp\b8fe0b788b7717ab0e18dd23d32df615d1f2ff658bd08cfd6c61fceca5a456fe.exe
"C:\Users\Admin\AppData\Local\Temp\b8fe0b788b7717ab0e18dd23d32df615d1f2ff658bd08cfd6c61fceca5a456fe.exe"
2⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 496
3⤵
- Program crash
PID:2972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1DF3.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2065.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:212

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:924

C:\Users\Admin\AppData\Local\Temp\2AF5.exe
C:\Users\Admin\AppData\Local\Temp\2AF5.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Users\Admin\AppData\Local\Temp\3D46.exe
C:\Users\Admin\AppData\Local\Temp\3D46.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:192

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\a1131d02-e154-4850-8021-2e631517f827" /deny *S-1-1-0:(OI)(CI)(DE,DC)
2⤵
- Modifies file permissions
PID:1764

C:\Users\Admin\AppData\Local\Temp\3D46.exe
"C:\Users\Admin\AppData\Local\Temp\3D46.exe" --Admin IsNotAutoStart IsNotTask
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2236

C:\Users\Admin\AppData\Local\Temp\3D46.exe
"C:\Users\Admin\AppData\Local\Temp\3D46.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748

C:\Users\Admin\AppData\Local\9e2fed45-8b60-4fa1-b94c-1ba5c5bc333b\build2.exe
"C:\Users\Admin\AppData\Local\9e2fed45-8b60-4fa1-b94c-1ba5c5bc333b\build2.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4316

C:\Users\Admin\AppData\Local\9e2fed45-8b60-4fa1-b94c-1ba5c5bc333b\build2.exe
"C:\Users\Admin\AppData\Local\9e2fed45-8b60-4fa1-b94c-1ba5c5bc333b\build2.exe"
5⤵
- Executes dropped EXE
- Modifies system certificate store
PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 1996
6⤵
- Program crash
PID:4516

C:\Users\Admin\AppData\Local\9e2fed45-8b60-4fa1-b94c-1ba5c5bc333b\build3.exe
"C:\Users\Admin\AppData\Local\9e2fed45-8b60-4fa1-b94c-1ba5c5bc333b\build3.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3220

C:\Users\Admin\AppData\Local\9e2fed45-8b60-4fa1-b94c-1ba5c5bc333b\build3.exe
"C:\Users\Admin\AppData\Local\9e2fed45-8b60-4fa1-b94c-1ba5c5bc333b\build3.exe"
5⤵
- Executes dropped EXE
PID:4156

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
6⤵
- DcRat
- Creates scheduled task(s)
PID:4548

C:\Users\Admin\AppData\Local\Temp\3D46.exe
C:\Users\Admin\AppData\Local\Temp\3D46.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2860

C:\Users\Admin\AppData\Local\Temp\467E.exe
C:\Users\Admin\AppData\Local\Temp\467E.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1400

C:\Users\Admin\AppData\Local\Temp\467E.exe
C:\Users\Admin\AppData\Local\Temp\467E.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Users\Admin\AppData\Local\Temp\4FF5.exe
C:\Users\Admin\AppData\Local\Temp\4FF5.exe
1⤵
- Executes dropped EXE
PID:4156

C:\Users\Admin\AppData\Local\Temp\5A46.exe
C:\Users\Admin\AppData\Local\Temp\5A46.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3604

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Zv1cs20.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Zv1cs20.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1564

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HU9Im35.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HU9Im35.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2400

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EX3RK79.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EX3RK79.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1364

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vh52gV1.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vh52gV1.exe
5⤵
- Drops startup file
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- outlook_office_path
- outlook_win_path
PID:3600

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
6⤵
- DcRat
- Creates scheduled task(s)
PID:3128

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
6⤵
- DcRat
- Creates scheduled task(s)
PID:196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 1616
6⤵
- Program crash
PID:4744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:668

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:5092

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4248

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:1112

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
3⤵
- DcRat
- Creates scheduled task(s)
PID:3468

C:\Users\Admin\AppData\Local\AceFlags\ukprjs\ContextProperties.exe
C:\Users\Admin\AppData\Local\AceFlags\ukprjs\ContextProperties.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Users\Admin\AppData\Local\AceFlags\ukprjs\ContextProperties.exe
C:\Users\Admin\AppData\Local\AceFlags\ukprjs\ContextProperties.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Users\Admin\AppData\Local\Temp\bdobwhq.exe
C:\Users\Admin\AppData\Local\Temp\bdobwhq.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Users\Admin\AppData\Local\Temp\bdobwhq.exe
C:\Users\Admin\AppData\Local\Temp\bdobwhq.exe
2⤵
- Drops startup file
- Executes dropped EXE
PID:4936

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
PID:3908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
0cc824b5c93707d4f66d409c06a72dfb

SHA1
933af30e8509b4145c9288468f3b21d29f699a0c

SHA256
c144c5d201de2c169409d736f4cc072ba0c42dd000605845611852fddf7a1000

SHA512
2d32e219a6406ffbaccfaa08b955eb530a78b63d9ec201381d8dc7c041afaf048728839a8187fab5925d6f945ffa499e1b235953f11c2ff3a2ccf5db6bc2f15f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
8d363aa7aafbaf1d1a7f959e7c874488

SHA1
47e6beae67d5a24d0c3d89374f7c41ddc224b2cd

SHA256
5786a43fa67b87ad0797c0a566a1503ef9852c6cc79e46e2a0c761965ae4279e

SHA512
74b48371bd453377121b559404c711cb0fbca276b61f5ebecb075f938f5f65b94cbce95fa92bfdb4e361d3834b220e70be74e3b01e806128f8df1cf9da56c6d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
eb463e5e5f5f40a1e2ff53cf300a5337

SHA1
73c62087a304f260c1f43f9d35842d7cf2860151

SHA256
a9167115dd4b2e4252642941e74f11639ffb7e0fa3f7f1ba0db2294399e1e25c

SHA512
322da0e09ba2d02af4d2e4fb92d0675f83fdb5deb01880c7c2a4c63ec7bd79bcdf1b0bbda22231dda5d3d7167ebc62c58a3e14a11313a2df6a7329cdcab2cd2d

Download Submit
C:\Users\Admin\AppData\Local\9e2fed45-8b60-4fa1-b94c-1ba5c5bc333b\build2.exe

Filesize
302KB

MD5
f5f946c85bbcd85d14e984c5b2d9fdda

SHA1
dfd3e685b41e62d30395205ee9c6038081b9e875

SHA256
60f8db8893d5f127c739701a02a5cfdb78461c37a796c50467da51d1839d2b22

SHA512
2e018cd5ae9ece5a66ee232c0e15e8c1aead1d5e10255088bf5d9e3d468d797216a75b2ff07c1032be19f5882e9fddd015bb2bdf56ebab99dfd927cab53d1853

Download Submit
C:\Users\Admin\AppData\Local\9e2fed45-8b60-4fa1-b94c-1ba5c5bc333b\build2.exe

Filesize
302KB

MD5
f5f946c85bbcd85d14e984c5b2d9fdda

SHA1
dfd3e685b41e62d30395205ee9c6038081b9e875

SHA256
60f8db8893d5f127c739701a02a5cfdb78461c37a796c50467da51d1839d2b22

SHA512
2e018cd5ae9ece5a66ee232c0e15e8c1aead1d5e10255088bf5d9e3d468d797216a75b2ff07c1032be19f5882e9fddd015bb2bdf56ebab99dfd927cab53d1853

Download Submit
C:\Users\Admin\AppData\Local\9e2fed45-8b60-4fa1-b94c-1ba5c5bc333b\build2.exe

Filesize
302KB

MD5
f5f946c85bbcd85d14e984c5b2d9fdda

SHA1
dfd3e685b41e62d30395205ee9c6038081b9e875

SHA256
60f8db8893d5f127c739701a02a5cfdb78461c37a796c50467da51d1839d2b22

SHA512
2e018cd5ae9ece5a66ee232c0e15e8c1aead1d5e10255088bf5d9e3d468d797216a75b2ff07c1032be19f5882e9fddd015bb2bdf56ebab99dfd927cab53d1853

Download Submit
C:\Users\Admin\AppData\Local\9e2fed45-8b60-4fa1-b94c-1ba5c5bc333b\build3.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Local\9e2fed45-8b60-4fa1-b94c-1ba5c5bc333b\build3.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Local\9e2fed45-8b60-4fa1-b94c-1ba5c5bc333b\build3.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Local\AceFlags\ukprjs\ContextProperties.exe

Filesize
1.0MB

MD5
a70d83fb50f0ef7ba20ada80d6f07e9f

SHA1
844f1939d41b23e85886178c2e058a9e56c496e9

SHA256
e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9

SHA512
9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25

Download Submit
C:\Users\Admin\AppData\Local\AceFlags\ukprjs\ContextProperties.exe

Filesize
1.0MB

MD5
a70d83fb50f0ef7ba20ada80d6f07e9f

SHA1
844f1939d41b23e85886178c2e058a9e56c496e9

SHA256
e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9

SHA512
9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25

Download Submit
C:\Users\Admin\AppData\Local\AceFlags\ukprjs\ContextProperties.exe

Filesize
1.0MB

MD5
a70d83fb50f0ef7ba20ada80d6f07e9f

SHA1
844f1939d41b23e85886178c2e058a9e56c496e9

SHA256
e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9

SHA512
9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\467E.exe.log

Filesize
1KB

MD5
81b6f7911c04d1ce4c04aa863175692e

SHA1
7bbb69e4996c85de335721300fac3725ab17234d

SHA256
fe4c1929c30a9bede91497644aca2a44b8df1dffc7052786139a5674e1c1212a

SHA512
9bca4d0aa3286f426eadb50592447743938684a4ecc0ec1db5be18014c667eb3a26ba36ea4d149a4ef17471c2000368a31646724413b71c9ddfdd77977b97d47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ContextProperties.exe.log

Filesize
1KB

MD5
81b6f7911c04d1ce4c04aa863175692e

SHA1
7bbb69e4996c85de335721300fac3725ab17234d

SHA256
fe4c1929c30a9bede91497644aca2a44b8df1dffc7052786139a5674e1c1212a

SHA512
9bca4d0aa3286f426eadb50592447743938684a4ecc0ec1db5be18014c667eb3a26ba36ea4d149a4ef17471c2000368a31646724413b71c9ddfdd77977b97d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\1DF3.bat

Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\2065.bat

Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\2065.bat

Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\2AF5.exe

Filesize
4.6MB

MD5
a3dea4c1f895c2729505cb4712ad469d

SHA1
fdfeebab437bf7f97fb848cd67abec9409adb3b2

SHA256
acfa700a776ef8622839fd22f3bcca3e7183e3ee2e21473ca0d9ccdc895c4afd

SHA512
9da049b6e9169e1079182ce04fd852e823d6bb31f0be3a814ee687047f3831c3cac58dd46b6a8592714afd102233d40a70a0b66e5f094d014c7059b119aa11c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2AF5.exe

Filesize
4.6MB

MD5
a3dea4c1f895c2729505cb4712ad469d

SHA1
fdfeebab437bf7f97fb848cd67abec9409adb3b2

SHA256
acfa700a776ef8622839fd22f3bcca3e7183e3ee2e21473ca0d9ccdc895c4afd

SHA512
9da049b6e9169e1079182ce04fd852e823d6bb31f0be3a814ee687047f3831c3cac58dd46b6a8592714afd102233d40a70a0b66e5f094d014c7059b119aa11c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3D46.exe

Filesize
777KB

MD5
9ae60d7ffeddaf8a6fb90e255b004933

SHA1
19d88c4223a90fe3e8aa263dca56a207c6fa6d5d

SHA256
9ebc4495be65f7c1fbff430eb5837c526b42f33844a22d4d59321224cf5033ce

SHA512
f4b017a0ea367d91a5036baa110dd52ed4ec5e148fad132557ec482a698440344416d3f3fd8ad3480a7cef106816e5c5d035627830b03e4b9482096540413b56

Download Submit
C:\Users\Admin\AppData\Local\Temp\3D46.exe

Filesize
777KB

MD5
9ae60d7ffeddaf8a6fb90e255b004933

SHA1
19d88c4223a90fe3e8aa263dca56a207c6fa6d5d

SHA256
9ebc4495be65f7c1fbff430eb5837c526b42f33844a22d4d59321224cf5033ce

SHA512
f4b017a0ea367d91a5036baa110dd52ed4ec5e148fad132557ec482a698440344416d3f3fd8ad3480a7cef106816e5c5d035627830b03e4b9482096540413b56

Download Submit
C:\Users\Admin\AppData\Local\Temp\3D46.exe

Filesize
777KB

MD5
9ae60d7ffeddaf8a6fb90e255b004933

SHA1
19d88c4223a90fe3e8aa263dca56a207c6fa6d5d

SHA256
9ebc4495be65f7c1fbff430eb5837c526b42f33844a22d4d59321224cf5033ce

SHA512
f4b017a0ea367d91a5036baa110dd52ed4ec5e148fad132557ec482a698440344416d3f3fd8ad3480a7cef106816e5c5d035627830b03e4b9482096540413b56

Download Submit
C:\Users\Admin\AppData\Local\Temp\3D46.exe

Filesize
777KB

MD5
9ae60d7ffeddaf8a6fb90e255b004933

SHA1
19d88c4223a90fe3e8aa263dca56a207c6fa6d5d

SHA256
9ebc4495be65f7c1fbff430eb5837c526b42f33844a22d4d59321224cf5033ce

SHA512
f4b017a0ea367d91a5036baa110dd52ed4ec5e148fad132557ec482a698440344416d3f3fd8ad3480a7cef106816e5c5d035627830b03e4b9482096540413b56

Download Submit
C:\Users\Admin\AppData\Local\Temp\3D46.exe

Filesize
777KB

MD5
9ae60d7ffeddaf8a6fb90e255b004933

SHA1
19d88c4223a90fe3e8aa263dca56a207c6fa6d5d

SHA256
9ebc4495be65f7c1fbff430eb5837c526b42f33844a22d4d59321224cf5033ce

SHA512
f4b017a0ea367d91a5036baa110dd52ed4ec5e148fad132557ec482a698440344416d3f3fd8ad3480a7cef106816e5c5d035627830b03e4b9482096540413b56

Download Submit
C:\Users\Admin\AppData\Local\Temp\467E.exe

Filesize
1.0MB

MD5
a70d83fb50f0ef7ba20ada80d6f07e9f

SHA1
844f1939d41b23e85886178c2e058a9e56c496e9

SHA256
e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9

SHA512
9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\467E.exe

Filesize
1.0MB

MD5
a70d83fb50f0ef7ba20ada80d6f07e9f

SHA1
844f1939d41b23e85886178c2e058a9e56c496e9

SHA256
e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9

SHA512
9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\467E.exe

Filesize
1.0MB

MD5
a70d83fb50f0ef7ba20ada80d6f07e9f

SHA1
844f1939d41b23e85886178c2e058a9e56c496e9

SHA256
e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9

SHA512
9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\4FF5.exe

Filesize
259KB

MD5
7b03f18e7dc5404b621864fea6f2a941

SHA1
eb7bdd7174e2dd2b89cfcd5508529bbbcb62d4be

SHA256
d9aecc3499223bcaf87ab69cdcd8e846e804f34a3426d0a4a848f60b3f4a5475

SHA512
551b9f6be77d36a770f4b4e247159f78c56cfc7121481a116ee83f4429e67e28a55753d9f46a8e413712cd021402956ed4fcf3f093ad1a68e64e813bf13fddf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4FF5.exe

Filesize
259KB

MD5
7b03f18e7dc5404b621864fea6f2a941

SHA1
eb7bdd7174e2dd2b89cfcd5508529bbbcb62d4be

SHA256
d9aecc3499223bcaf87ab69cdcd8e846e804f34a3426d0a4a848f60b3f4a5475

SHA512
551b9f6be77d36a770f4b4e247159f78c56cfc7121481a116ee83f4429e67e28a55753d9f46a8e413712cd021402956ed4fcf3f093ad1a68e64e813bf13fddf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5A46.exe

Filesize
2.6MB

MD5
d6c0758ac654c599b8ac4a32df6fe168

SHA1
db810672ed5a9c673abbd86ee5bf0c4b0b5d5a1b

SHA256
5981e56b8d4e6615793cabc5725e57b028c6d2d6202660338735dcce443187d4

SHA512
5a8adc3b6990ec64f456b5f25bd6c1ac32b927f462574bc9bc681cfda518b6f549b82195de19584d5be1d654dbe7806c552131c21f3332d2ac0cdc553eb338b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\5A46.exe

Filesize
2.6MB

MD5
d6c0758ac654c599b8ac4a32df6fe168

SHA1
db810672ed5a9c673abbd86ee5bf0c4b0b5d5a1b

SHA256
5981e56b8d4e6615793cabc5725e57b028c6d2d6202660338735dcce443187d4

SHA512
5a8adc3b6990ec64f456b5f25bd6c1ac32b927f462574bc9bc681cfda518b6f549b82195de19584d5be1d654dbe7806c552131c21f3332d2ac0cdc553eb338b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

Filesize
1.6MB

MD5
86e2f2ea8ddba356926c3a446f6b2efc

SHA1
b0b8fcd2ba317f7302a407ef168fd74008c306d1

SHA256
faa72a44f8c7b7148b5e596d692cf88cc280656cde41c2c5da0f74231aa0dbf1

SHA512
7dcdcac3bdcafdac217085bc13cf921f5c467f21bd5c67ca882e328a370f52f925561db903e9007fff6d256a47296fde0e3c4d6081f195695aa0ad103e6fd676

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Zv1cs20.exe

Filesize
2.1MB

MD5
6854a4954221145fea288f9024a368e5

SHA1
40821817f42182a112e326f1975a392983de0701

SHA256
ab6f41a1a51d5c182df584658d66fe233021128ccfc6c4083205c1629fa5515e

SHA512
32bd1063aac169a99505a1952e12da682f4f02b1b10af1dfa25baf60fdf368f5d106c460f8cadbaeb3de9d30a13dda95118ef29b6d5ce307da77de75734498d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Zv1cs20.exe

Filesize
2.1MB

MD5
6854a4954221145fea288f9024a368e5

SHA1
40821817f42182a112e326f1975a392983de0701

SHA256
ab6f41a1a51d5c182df584658d66fe233021128ccfc6c4083205c1629fa5515e

SHA512
32bd1063aac169a99505a1952e12da682f4f02b1b10af1dfa25baf60fdf368f5d106c460f8cadbaeb3de9d30a13dda95118ef29b6d5ce307da77de75734498d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HU9Im35.exe

Filesize
1.7MB

MD5
7fc70ca0bb651d9422c68dcc523405fe

SHA1
9a4b07b4d8ca6f13bbfe6b35b176a87808522bee

SHA256
b870fccaf2ee31a6c5829f6fb46eab4e7bfb4e024da7f65ed1eb7edbf865a9d6

SHA512
2fee5693f31f102efc856e1db94519a5dd57af443bc87aa2b0c5badb6d075a8db0664cef8338317d1b8febf107b43b05ba432048e5b1efcf892d70b7d13f71cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HU9Im35.exe

Filesize
1.7MB

MD5
7fc70ca0bb651d9422c68dcc523405fe

SHA1
9a4b07b4d8ca6f13bbfe6b35b176a87808522bee

SHA256
b870fccaf2ee31a6c5829f6fb46eab4e7bfb4e024da7f65ed1eb7edbf865a9d6

SHA512
2fee5693f31f102efc856e1db94519a5dd57af443bc87aa2b0c5badb6d075a8db0664cef8338317d1b8febf107b43b05ba432048e5b1efcf892d70b7d13f71cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EX3RK79.exe

Filesize
789KB

MD5
99de74d3bf6bf76a5b5cd1ef9f05dc6a

SHA1
6c5b259d5cd05621464fc08d13028c88c8563192

SHA256
5a19ee5d4ae3ffbb9404de652aae3ba1f9d0843bda7e0540a1781f5e5d95d416

SHA512
8d27997f13ddc00676e492165fe6de207d4139ba395af90d9e360eeacf066fa132212ff8dc094b73b6b8c6e602770c44381bfdb8811ff8ef5ecdfc149a13ebc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EX3RK79.exe

Filesize
789KB

MD5
99de74d3bf6bf76a5b5cd1ef9f05dc6a

SHA1
6c5b259d5cd05621464fc08d13028c88c8563192

SHA256
5a19ee5d4ae3ffbb9404de652aae3ba1f9d0843bda7e0540a1781f5e5d95d416

SHA512
8d27997f13ddc00676e492165fe6de207d4139ba395af90d9e360eeacf066fa132212ff8dc094b73b6b8c6e602770c44381bfdb8811ff8ef5ecdfc149a13ebc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vh52gV1.exe

Filesize
1.6MB

MD5
86e2f2ea8ddba356926c3a446f6b2efc

SHA1
b0b8fcd2ba317f7302a407ef168fd74008c306d1

SHA256
faa72a44f8c7b7148b5e596d692cf88cc280656cde41c2c5da0f74231aa0dbf1

SHA512
7dcdcac3bdcafdac217085bc13cf921f5c467f21bd5c67ca882e328a370f52f925561db903e9007fff6d256a47296fde0e3c4d6081f195695aa0ad103e6fd676

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vh52gV1.exe

Filesize
1.6MB

MD5
86e2f2ea8ddba356926c3a446f6b2efc

SHA1
b0b8fcd2ba317f7302a407ef168fd74008c306d1

SHA256
faa72a44f8c7b7148b5e596d692cf88cc280656cde41c2c5da0f74231aa0dbf1

SHA512
7dcdcac3bdcafdac217085bc13cf921f5c467f21bd5c67ca882e328a370f52f925561db903e9007fff6d256a47296fde0e3c4d6081f195695aa0ad103e6fd676

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdobwhq.exe

Filesize
2.9MB

MD5
ead47cb4048702fedb7ad8ab8f98adc9

SHA1
dad962db949eea7bd594725d4071f7b6b6849ba5

SHA256
e5366a16ef5d251311603d713e49b9346b2082f449bd0ab18c492f8656413d94

SHA512
1791b0dd82544e722b1a52271d5ba682d1e6ff52f6a616b20075cc25a5b1ef6efb52e2309c006bd79b8ca151c8c995d01177b27fcfa605ab08fd2e0781bf1fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdobwhq.exe

Filesize
2.9MB

MD5
ead47cb4048702fedb7ad8ab8f98adc9

SHA1
dad962db949eea7bd594725d4071f7b6b6849ba5

SHA256
e5366a16ef5d251311603d713e49b9346b2082f449bd0ab18c492f8656413d94

SHA512
1791b0dd82544e722b1a52271d5ba682d1e6ff52f6a616b20075cc25a5b1ef6efb52e2309c006bd79b8ca151c8c995d01177b27fcfa605ab08fd2e0781bf1fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdobwhq.exe

Filesize
2.9MB

MD5
ead47cb4048702fedb7ad8ab8f98adc9

SHA1
dad962db949eea7bd594725d4071f7b6b6849ba5

SHA256
e5366a16ef5d251311603d713e49b9346b2082f449bd0ab18c492f8656413d94

SHA512
1791b0dd82544e722b1a52271d5ba682d1e6ff52f6a616b20075cc25a5b1ef6efb52e2309c006bd79b8ca151c8c995d01177b27fcfa605ab08fd2e0781bf1fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\grandUIAEE1PZQZTrfDti\information.txt

Filesize
3KB

MD5
f4ad2a4bb540f576fa0ce37c2d8d3e7d

SHA1
562a97e122d59fcba9b9a931ab934dd9b13762a8

SHA256
072f672b904c477fc78637691b87837ca0ec27058dac3aa8ab4bc9ed326eec38

SHA512
60adab57a4718cadafb0a95c85d415483ba56b3a665b1b7a3d0661b0325b4a86b1bd0a266b600acdf1f29f53cbf5feb67c501f07eed615376bf31a5932adf276

Download Submit
C:\Users\Admin\AppData\Local\a1131d02-e154-4850-8021-2e631517f827\3D46.exe

Filesize
777KB

MD5
9ae60d7ffeddaf8a6fb90e255b004933

SHA1
19d88c4223a90fe3e8aa263dca56a207c6fa6d5d

SHA256
9ebc4495be65f7c1fbff430eb5837c526b42f33844a22d4d59321224cf5033ce

SHA512
f4b017a0ea367d91a5036baa110dd52ed4ec5e148fad132557ec482a698440344416d3f3fd8ad3480a7cef106816e5c5d035627830b03e4b9482096540413b56

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
memory/192-53-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/192-51-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/192-56-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/192-71-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/192-57-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/776-188-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/1400-93-0x000001E769240000-0x000001E76934C000-memory.dmp

Filesize
1.0MB

Download
memory/1400-109-0x00007FFC064F0000-0x00007FFC06EDC000-memory.dmp

Filesize
9.9MB

Download
memory/1400-101-0x000001E76B950000-0x000001E76B960000-memory.dmp

Filesize
64KB

Download
memory/1400-99-0x000001E76BB90000-0x000001E76BC58000-memory.dmp

Filesize
800KB

Download
memory/1400-102-0x000001E76BC60000-0x000001E76BD28000-memory.dmp

Filesize
800KB

Download
memory/1400-95-0x000001E76BA10000-0x000001E76BAF0000-memory.dmp

Filesize
896KB

Download
memory/1400-103-0x000001E76BAF0000-0x000001E76BB3C000-memory.dmp

Filesize
304KB

Download
memory/1400-94-0x00007FFC064F0000-0x00007FFC06EDC000-memory.dmp

Filesize
9.9MB

Download
memory/2236-76-0x0000000002420000-0x00000000024B3000-memory.dmp

Filesize
588KB

Download
memory/2860-55-0x00000000025B0000-0x00000000026CB000-memory.dmp

Filesize
1.1MB

Download
memory/2860-54-0x0000000002510000-0x00000000025A2000-memory.dmp

Filesize
584KB

Download
memory/3220-1606-0x0000000000B30000-0x0000000000C30000-memory.dmp

Filesize
1024KB

Download
memory/3220-1608-0x0000000000A30000-0x0000000000A34000-memory.dmp

Filesize
16KB

Download
memory/3424-6-0x00000000011D0000-0x00000000011E6000-memory.dmp

Filesize
88KB

Download
memory/3904-2108-0x0000029127C70000-0x0000029127C80000-memory.dmp

Filesize
64KB

Download
memory/3904-152-0x00000291404A0000-0x0000029140580000-memory.dmp

Filesize
896KB

Download
memory/3904-2493-0x0000029127C80000-0x0000029127C88000-memory.dmp

Filesize
32KB

Download
memory/3904-2111-0x00007FFC064F0000-0x00007FFC06EDC000-memory.dmp

Filesize
9.9MB

Download
memory/3904-121-0x00000291404A0000-0x0000029140580000-memory.dmp

Filesize
896KB

Download
memory/3904-122-0x00000291404A0000-0x0000029140580000-memory.dmp

Filesize
896KB

Download
memory/3904-126-0x00000291404A0000-0x0000029140580000-memory.dmp

Filesize
896KB

Download
memory/3904-132-0x00000291404A0000-0x0000029140580000-memory.dmp

Filesize
896KB

Download
memory/3904-138-0x00000291404A0000-0x0000029140580000-memory.dmp

Filesize
896KB

Download
memory/3904-144-0x00000291404A0000-0x0000029140580000-memory.dmp

Filesize
896KB

Download
memory/3904-150-0x00000291404A0000-0x0000029140580000-memory.dmp

Filesize
896KB

Download
memory/3904-104-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/3904-108-0x00000291404A0000-0x0000029140584000-memory.dmp

Filesize
912KB

Download
memory/3904-170-0x00000291404A0000-0x0000029140580000-memory.dmp

Filesize
896KB

Download
memory/3904-165-0x00000291404A0000-0x0000029140580000-memory.dmp

Filesize
896KB

Download
memory/3904-118-0x00007FFC064F0000-0x00007FFC06EDC000-memory.dmp

Filesize
9.9MB

Download
memory/3904-124-0x00000291404A0000-0x0000029140580000-memory.dmp

Filesize
896KB

Download
memory/3904-163-0x00000291404A0000-0x0000029140580000-memory.dmp

Filesize
896KB

Download
memory/3904-159-0x00000291404A0000-0x0000029140580000-memory.dmp

Filesize
896KB

Download
memory/3904-154-0x00000291404A0000-0x0000029140580000-memory.dmp

Filesize
896KB

Download
memory/3904-111-0x0000029127C70000-0x0000029127C80000-memory.dmp

Filesize
64KB

Download
memory/3904-2494-0x00000291406F0000-0x0000029140746000-memory.dmp

Filesize
344KB

Download
memory/3904-128-0x00000291404A0000-0x0000029140580000-memory.dmp

Filesize
896KB

Download
memory/3904-130-0x00000291404A0000-0x0000029140580000-memory.dmp

Filesize
896KB

Download
memory/3904-148-0x00000291404A0000-0x0000029140580000-memory.dmp

Filesize
896KB

Download
memory/3904-146-0x00000291404A0000-0x0000029140580000-memory.dmp

Filesize
896KB

Download
memory/3904-142-0x00000291404A0000-0x0000029140580000-memory.dmp

Filesize
896KB

Download
memory/3904-140-0x00000291404A0000-0x0000029140580000-memory.dmp

Filesize
896KB

Download
memory/3904-136-0x00000291404A0000-0x0000029140580000-memory.dmp

Filesize
896KB

Download
memory/3904-134-0x00000291404A0000-0x0000029140580000-memory.dmp

Filesize
896KB

Download
memory/4156-236-0x0000000000CD0000-0x0000000000CE6000-memory.dmp

Filesize
88KB

Download
memory/4156-239-0x0000000000400000-0x0000000000B9B000-memory.dmp

Filesize
7.6MB

Download
memory/4156-234-0x0000000000E40000-0x0000000000F40000-memory.dmp

Filesize
1024KB

Download
memory/4156-1619-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4316-172-0x0000000002CC0000-0x0000000002DC0000-memory.dmp

Filesize
1024KB

Download
memory/4316-174-0x0000000002C10000-0x0000000002C41000-memory.dmp

Filesize
196KB

Download
memory/4480-5-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4480-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4480-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4480-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4524-1-0x00000000009B0000-0x0000000000AB0000-memory.dmp

Filesize
1024KB

Download
memory/4524-2-0x00000000008E0000-0x00000000008E9000-memory.dmp

Filesize
36KB

Download
memory/4592-97-0x00000000770D0000-0x00000000771A0000-memory.dmp

Filesize
832KB

Download
memory/4592-43-0x0000000008770000-0x0000000008782000-memory.dmp

Filesize
72KB

Download
memory/4592-40-0x0000000005EB0000-0x0000000005EBA000-memory.dmp

Filesize
40KB

Download
memory/4592-38-0x0000000008A00000-0x0000000008EFE000-memory.dmp

Filesize
5.0MB

Download
memory/4592-39-0x00000000085A0000-0x0000000008632000-memory.dmp

Filesize
584KB

Download
memory/4592-36-0x0000000072F60000-0x000000007364E000-memory.dmp

Filesize
6.9MB

Download
memory/4592-37-0x0000000000B70000-0x000000000163A000-memory.dmp

Filesize
10.8MB

Download
memory/4592-33-0x0000000077A74000-0x0000000077A75000-memory.dmp

Filesize
4KB

Download
memory/4592-31-0x00000000772A0000-0x0000000077462000-memory.dmp

Filesize
1.8MB

Download
memory/4592-30-0x00000000770D0000-0x00000000771A0000-memory.dmp

Filesize
832KB

Download
memory/4592-859-0x000000000AC30000-0x000000000AC80000-memory.dmp

Filesize
320KB

Download
memory/4592-29-0x00000000770D0000-0x00000000771A0000-memory.dmp

Filesize
832KB

Download
memory/4592-913-0x000000000AE50000-0x000000000B012000-memory.dmp

Filesize
1.8MB

Download
memory/4592-916-0x000000000B550000-0x000000000BA7C000-memory.dmp

Filesize
5.2MB

Download
memory/4592-1228-0x0000000000B70000-0x000000000163A000-memory.dmp

Filesize
10.8MB

Download
memory/4592-1230-0x00000000772A0000-0x0000000077462000-memory.dmp

Filesize
1.8MB

Download
memory/4592-1234-0x0000000072F60000-0x000000007364E000-memory.dmp

Filesize
6.9MB

Download
memory/4592-1232-0x00000000770D0000-0x00000000771A0000-memory.dmp

Filesize
832KB

Download
memory/4592-96-0x0000000000B70000-0x000000000163A000-memory.dmp

Filesize
10.8MB

Download
memory/4592-41-0x0000000009510000-0x0000000009B16000-memory.dmp

Filesize
6.0MB

Download
memory/4592-44-0x00000000087D0000-0x000000000880E000-memory.dmp

Filesize
248KB

Download
memory/4592-28-0x00000000770D0000-0x00000000771A0000-memory.dmp

Filesize
832KB

Download
memory/4592-42-0x0000000008880000-0x000000000898A000-memory.dmp

Filesize
1.0MB

Download
memory/4592-45-0x0000000008810000-0x000000000885B000-memory.dmp

Filesize
300KB

Download
memory/4592-187-0x0000000072F60000-0x000000007364E000-memory.dmp

Filesize
6.9MB

Download
memory/4592-100-0x00000000772A0000-0x0000000077462000-memory.dmp

Filesize
1.8MB

Download
memory/4592-119-0x0000000008FE0000-0x0000000009046000-memory.dmp

Filesize
408KB

Download
memory/4592-98-0x00000000770D0000-0x00000000771A0000-memory.dmp

Filesize
832KB

Download
memory/4592-110-0x00000000770D0000-0x00000000771A0000-memory.dmp

Filesize
832KB

Download
memory/4592-27-0x0000000000B70000-0x000000000163A000-memory.dmp

Filesize
10.8MB

Download
memory/4748-117-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4748-115-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4748-79-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4748-120-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4748-1410-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4748-80-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4748-87-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4748-88-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4748-78-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download