djvu | 212cf81edf3cd280350b9dc6770ac93ecc254c2f54f8066bf37e2725c410389c

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02-02-2024 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

230KB
MD5

5696e707bb2de303879e042ba9fb2681
SHA1

d31c6d321bcb949c8067b801f2565a73ad6b38a6
SHA256

212cf81edf3cd280350b9dc6770ac93ecc254c2f54f8066bf37e2725c410389c
SHA512

62eb3db3bc4e1ddc7bd107dec4d103d5f6f6155e073a40627fad43270ba405d421143e492e82765422d02c807c0d3d406a6e21475cf1a6ce7239fb3f27b7e967
SSDEEP

3072:sGTO9LytnkyFI/Kvum8OJ0iv3TGoAbyxieCh4RSf1X7QP5IStpTG:W9LYFI/bmvJ0i/aouyxR69Sn

Score

10^/10

djvu risepro smokeloader vidar 1b9d7ec5a25ab9d78c31777a0016a097 pub1 backdoor discovery evasion persistence ransomware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdcc
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0846ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.6

Botnet

1b9d7ec5a25ab9d78c31777a0016a097

https://t.me/tvrugrats

https://steamcommunity.com/profiles/76561199627279110

Attributes

profile_id_v2
1b9d7ec5a25ab9d78c31777a0016a097

Extracted

Family

risepro

193.233.132.62:50500

Signatures

Detect Vidar Stealer 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2916-114-0x00000000003D0000-0x0000000000400000-memory.dmp	family_vidar_v7
behavioral1/memory/2328-116-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/2328-119-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/2328-120-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/2328-275-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 15 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1852-38-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3056-37-0x0000000001D80000-0x0000000001E9B000-memory.dmp	family_djvu
behavioral1/memory/1852-42-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1852-43-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1852-65-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1756-75-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1756-76-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1756-89-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1756-90-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1756-94-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1756-97-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1756-96-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1756-98-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1756-179-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1632-267-0x0000000001BF0000-0x0000000001C82000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

B09D.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ B09D.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	B09D.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

B09D.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	B09D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	B09D.exe

Deletes itself 1 IoCs

Processes:

pid process

1180

pid	process
1180

Executes dropped EXE 17 IoCs

Processes:

C552.exeE92.exeE92.exeE92.exeE92.exebuild2.exebuild2.exebuild3.exebuild3.exeA8CF.exeB09D.exeBC32.exeBC32.tmplispxdrext.exelispxdrext.exemstsca.exemstsca.exe

pid	process
2680	C552.exe
3056	E92.exe
1852	E92.exe
1632	E92.exe
1756	E92.exe
2916	build2.exe
2328	build2.exe
2088	build3.exe
3044	build3.exe
2200	A8CF.exe
112	B09D.exe
2056	BC32.exe
2804	BC32.tmp
1660	lispxdrext.exe
1548	lispxdrext.exe
1412	mstsca.exe
1256	mstsca.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

B09D.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Wine B09D.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Wine	B09D.exe

Loads dropped DLL 25 IoCs

Processes:

E92.exeE92.exeE92.exeE92.exeWerFault.exeWerFault.exeBC32.exeBC32.tmp

pid	process
3056	E92.exe
1852	E92.exe
1852	E92.exe
1632	E92.exe
1756	E92.exe
1756	E92.exe
1756	E92.exe
1756	E92.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2032	WerFault.exe
2032	WerFault.exe
2032	WerFault.exe
2032	WerFault.exe
2032	WerFault.exe
2056	BC32.exe
2804	BC32.tmp
2804	BC32.tmp
2804	BC32.tmp
2804	BC32.tmp

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1588 icacls.exe

pid	process
1588	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

E92.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a98e9571-dfc7-4b9d-bc3d-56855961933e\\E92.exe\" --AutoStart"	E92.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 api.2ip.ua
10 api.2ip.ua
16 api.2ip.ua
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

B09D.exe

pid process

112 B09D.exe

flow	ioc
9	api.2ip.ua
10	api.2ip.ua
16	api.2ip.ua

pid	process
112	B09D.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

E92.exeE92.exebuild2.exebuild3.exemstsca.exe

description	pid	process	target process
PID 3056 set thread context of 1852	3056	E92.exe	E92.exe
PID 1632 set thread context of 1756	1632	E92.exe	E92.exe
PID 2916 set thread context of 2328	2916	build2.exe	build2.exe
PID 2088 set thread context of 3044	2088	build3.exe	build3.exe
PID 1412 set thread context of 1256	1412	mstsca.exe	mstsca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2540 2328 WerFault.exe build2.exe
2032 2200 WerFault.exe A8CF.exe

pid	pid_target	process	target process
2540	2328	WerFault.exe	build2.exe
2032	2200	WerFault.exe	A8CF.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

C552.exefile.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C552.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C552.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C552.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2800 schtasks.exe
1100 schtasks.exe

pid	process
2800	schtasks.exe
1100	schtasks.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

build2.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
1308	file.exe
1308	file.exe
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

file.exeC552.exe

pid process

1308 file.exe
2680 C552.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1180
Token: SeShutdownPrivilege 1180
Token: SeShutdownPrivilege 1180
Token: SeShutdownPrivilege 1180
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

BC32.tmp

pid process

2804 BC32.tmp

description	pid	process
Token: SeShutdownPrivilege	1180
Token: SeShutdownPrivilege	1180
Token: SeShutdownPrivilege	1180
Token: SeShutdownPrivilege	1180

pid	process
2804	BC32.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

E92.exeE92.exeE92.exeE92.exebuild2.exebuild2.exebuild3.exe

description	pid	process	target process
PID 1180 wrote to memory of 2680	1180		C552.exe
PID 1180 wrote to memory of 2680	1180		C552.exe
PID 1180 wrote to memory of 2680	1180		C552.exe
PID 1180 wrote to memory of 2680	1180		C552.exe
PID 1180 wrote to memory of 3056	1180		E92.exe
PID 1180 wrote to memory of 3056	1180		E92.exe
PID 1180 wrote to memory of 3056	1180		E92.exe
PID 1180 wrote to memory of 3056	1180		E92.exe
PID 3056 wrote to memory of 1852	3056	E92.exe	E92.exe
PID 3056 wrote to memory of 1852	3056	E92.exe	E92.exe
PID 3056 wrote to memory of 1852	3056	E92.exe	E92.exe
PID 3056 wrote to memory of 1852	3056	E92.exe	E92.exe
PID 3056 wrote to memory of 1852	3056	E92.exe	E92.exe
PID 3056 wrote to memory of 1852	3056	E92.exe	E92.exe
PID 3056 wrote to memory of 1852	3056	E92.exe	E92.exe
PID 3056 wrote to memory of 1852	3056	E92.exe	E92.exe
PID 3056 wrote to memory of 1852	3056	E92.exe	E92.exe
PID 3056 wrote to memory of 1852	3056	E92.exe	E92.exe
PID 3056 wrote to memory of 1852	3056	E92.exe	E92.exe
PID 1852 wrote to memory of 1588	1852	E92.exe	icacls.exe
PID 1852 wrote to memory of 1588	1852	E92.exe	icacls.exe
PID 1852 wrote to memory of 1588	1852	E92.exe	icacls.exe
PID 1852 wrote to memory of 1588	1852	E92.exe	icacls.exe
PID 1852 wrote to memory of 1632	1852	E92.exe	E92.exe
PID 1852 wrote to memory of 1632	1852	E92.exe	E92.exe
PID 1852 wrote to memory of 1632	1852	E92.exe	E92.exe
PID 1852 wrote to memory of 1632	1852	E92.exe	E92.exe
PID 1632 wrote to memory of 1756	1632	E92.exe	E92.exe
PID 1632 wrote to memory of 1756	1632	E92.exe	E92.exe
PID 1632 wrote to memory of 1756	1632	E92.exe	E92.exe
PID 1632 wrote to memory of 1756	1632	E92.exe	E92.exe
PID 1632 wrote to memory of 1756	1632	E92.exe	E92.exe
PID 1632 wrote to memory of 1756	1632	E92.exe	E92.exe
PID 1632 wrote to memory of 1756	1632	E92.exe	E92.exe
PID 1632 wrote to memory of 1756	1632	E92.exe	E92.exe
PID 1632 wrote to memory of 1756	1632	E92.exe	E92.exe
PID 1632 wrote to memory of 1756	1632	E92.exe	E92.exe
PID 1632 wrote to memory of 1756	1632	E92.exe	E92.exe
PID 1756 wrote to memory of 2916	1756	E92.exe	build2.exe
PID 1756 wrote to memory of 2916	1756	E92.exe	build2.exe
PID 1756 wrote to memory of 2916	1756	E92.exe	build2.exe
PID 1756 wrote to memory of 2916	1756	E92.exe	build2.exe
PID 2916 wrote to memory of 2328	2916	build2.exe	build2.exe
PID 2916 wrote to memory of 2328	2916	build2.exe	build2.exe
PID 2916 wrote to memory of 2328	2916	build2.exe	build2.exe
PID 2916 wrote to memory of 2328	2916	build2.exe	build2.exe
PID 2916 wrote to memory of 2328	2916	build2.exe	build2.exe
PID 2916 wrote to memory of 2328	2916	build2.exe	build2.exe
PID 2916 wrote to memory of 2328	2916	build2.exe	build2.exe
PID 2916 wrote to memory of 2328	2916	build2.exe	build2.exe
PID 2916 wrote to memory of 2328	2916	build2.exe	build2.exe
PID 2916 wrote to memory of 2328	2916	build2.exe	build2.exe
PID 2916 wrote to memory of 2328	2916	build2.exe	build2.exe
PID 1756 wrote to memory of 2088	1756	E92.exe	build3.exe
PID 1756 wrote to memory of 2088	1756	E92.exe	build3.exe
PID 1756 wrote to memory of 2088	1756	E92.exe	build3.exe
PID 1756 wrote to memory of 2088	1756	E92.exe	build3.exe
PID 2328 wrote to memory of 2540	2328	build2.exe	WerFault.exe
PID 2328 wrote to memory of 2540	2328	build2.exe	WerFault.exe
PID 2328 wrote to memory of 2540	2328	build2.exe	WerFault.exe
PID 2328 wrote to memory of 2540	2328	build2.exe	WerFault.exe
PID 2088 wrote to memory of 3044	2088	build3.exe	build3.exe
PID 2088 wrote to memory of 3044	2088	build3.exe	build3.exe
PID 2088 wrote to memory of 3044	2088	build3.exe	build3.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1308

C:\Users\Admin\AppData\Local\Temp\C552.exe
C:\Users\Admin\AppData\Local\Temp\C552.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2680

C:\Users\Admin\AppData\Local\Temp\E92.exe
C:\Users\Admin\AppData\Local\Temp\E92.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3056

C:\Users\Admin\AppData\Local\Temp\E92.exe
C:\Users\Admin\AppData\Local\Temp\E92.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\a98e9571-dfc7-4b9d-bc3d-56855961933e" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:1588

C:\Users\Admin\AppData\Local\Temp\E92.exe
"C:\Users\Admin\AppData\Local\Temp\E92.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\E92.exe
"C:\Users\Admin\AppData\Local\Temp\E92.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Local\277abd03-4e33-45c0-85de-9f7af7eb232b\build2.exe
"C:\Users\Admin\AppData\Local\277abd03-4e33-45c0-85de-9f7af7eb232b\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2916

C:\Users\Admin\AppData\Local\277abd03-4e33-45c0-85de-9f7af7eb232b\build2.exe
"C:\Users\Admin\AppData\Local\277abd03-4e33-45c0-85de-9f7af7eb232b\build2.exe"
6⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 1464
7⤵
- Loads dropped DLL
- Program crash
PID:2540

C:\Users\Admin\AppData\Local\277abd03-4e33-45c0-85de-9f7af7eb232b\build3.exe
"C:\Users\Admin\AppData\Local\277abd03-4e33-45c0-85de-9f7af7eb232b\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2088

C:\Users\Admin\AppData\Local\277abd03-4e33-45c0-85de-9f7af7eb232b\build3.exe
"C:\Users\Admin\AppData\Local\277abd03-4e33-45c0-85de-9f7af7eb232b\build3.exe"
6⤵
- Executes dropped EXE
PID:3044

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
1⤵
- Creates scheduled task(s)
PID:2800

C:\Users\Admin\AppData\Local\Temp\A8CF.exe
C:\Users\Admin\AppData\Local\Temp\A8CF.exe
1⤵
- Executes dropped EXE
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 96
2⤵
- Loads dropped DLL
- Program crash
PID:2032

C:\Users\Admin\AppData\Local\Temp\B09D.exe
C:\Users\Admin\AppData\Local\Temp\B09D.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:112

C:\Users\Admin\AppData\Local\Temp\BC32.exe
C:\Users\Admin\AppData\Local\Temp\BC32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2056

C:\Users\Admin\AppData\Local\Temp\is-M676N.tmp\BC32.tmp
"C:\Users\Admin\AppData\Local\Temp\is-M676N.tmp\BC32.tmp" /SL5="$4017E,6192182,54272,C:\Users\Admin\AppData\Local\Temp\BC32.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:2804

C:\Users\Admin\AppData\Local\LISP XDR Extension\lispxdrext.exe
"C:\Users\Admin\AppData\Local\LISP XDR Extension\lispxdrext.exe" -i
3⤵
- Executes dropped EXE
PID:1660

C:\Users\Admin\AppData\Local\LISP XDR Extension\lispxdrext.exe
"C:\Users\Admin\AppData\Local\LISP XDR Extension\lispxdrext.exe" -s
3⤵
- Executes dropped EXE
PID:1548

C:\Windows\system32\taskeng.exe
taskeng.exe {DC988F09-91B3-4B4C-A330-2CF0AF6F198C} S-1-5-21-1268429524-3929314613-1992311491-1000:XBTLDBHN\Admin:Interactive:[1]
1⤵
PID:1516

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1412

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1256

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
4⤵
- Creates scheduled task(s)
PID:1100

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
7b0c931c9e5f4ae3b486907b8e65fe09

SHA1
abb761d0fe5318119a8a21204b56840a83c12584

SHA256
d21cfbea4d9bae6d62238f6c73b0c9d2b85ca549cd6c404d013e9f859d1e4fd8

SHA512
2f9a996f02606e5a0c8a288045644b43b45401f1bfd7dcc8593fde95573d77ac83b466af1d3b019f6ae444304f7c564a4685f751a68cb04d8f014d7001409c32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
0943bb8a495d1ba6a292a508451c90bf

SHA1
dc645cf9c5558cdf169799fe5b768cb2b45b37b9

SHA256
2293b3bf2c51f2174edd3ea94baca66a80ce28eb36cd9977df42ab712a5ae4aa

SHA512
48f817e465cfce24f24ac9462e7e68a8a4833a3202ebf5e5bed497eb298d5af97cedc958b851819b8a6d5987f1b5273ea987817d068ff564b19711db1a06a9f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e3d430e7d4c1b22f4f672bdc8fdcb9d5

SHA1
c5c77ff10410327b11f8c45fa38559df7ca79381

SHA256
94406e7325a6d9dd23f8685509ee382d8a3c24c95bc3c7a36a869cae53d918b3

SHA512
b2696e77687d613f6002a028523386a073fb9150900bde40d18c7e0e6afb7d9b2721092fbfecfa29dfac96942601e805b9ff339e653714394b06fccb090c0171

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
277813c7ea4825c369e4b77cac0b5116

SHA1
d9cfbdaf0ede745326970000062174a8e43856c4

SHA256
3a0d07af2ea99c1f0cb9f73fbc8604042b99e9ca57130ecb9b9342482b8e75b0

SHA512
62defc0f96b5856585ebefbaef77b0d53502756b0024aa359f8517b313499237c266b56abbe8eb92416c85123e0e0f8498f0eaa2031372131ab85d090a6a54d3

Download Submit
C:\Users\Admin\AppData\Local\LISP XDR Extension\lispxdrext.exe
Filesize
56KB

MD5
9a2149359f4e2e870b395406b269cbe1

SHA1
b6ca60638eb1fd0c2a33b2fd4c5ab7a80f100161

SHA256
76132107bbdd3f88c013f7408e687cfa5bc0b8259b95cd7de6f4b95582782494

SHA512
fc6dd87cce16561548cc335365d475ed583ac0e91532233e135c4eafaa92b17301ac5ef25aa4f67455a42e5e8229a3fcdc422af2396670be0a48a9fdce404efe

Download Submit
C:\Users\Admin\AppData\Local\LISP XDR Extension\lispxdrext.exe
Filesize
237KB

MD5
6981b48505a549b7aeb3ae4f95476a42

SHA1
d9b25746758287947abfcc8fdba90a226b42f470

SHA256
f660b59403f709adbc8337cd37607fa98faad172451db848578ba425f84c25b1

SHA512
4f2ab0cfac8248c53d57b9738b0f097480ac1945ff9e6e5096c54e77ee01b1489d639086736198e4fd1a794542b38e3d6336bd897b13d03ee9dd03881c327282

Download Submit
C:\Users\Admin\AppData\Local\LISP XDR Extension\lispxdrext.exe
Filesize
168KB

MD5
29cdae9c22d385b6fd76d18df9787cf0

SHA1
c38668d4da8f3df90f4a5663c2690353c7503f90

SHA256
065e7fa28218c20102deab70999485032b2e11f067f5b7740dc3ecbb1befa4e1

SHA512
9a1fed64b983a15179ab3184c897f6583af70647debbd3e8b4062acf97e20927b0f0d43443e3727802abd81b6d313aa79034a61d431fda8895f833d54827948f

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8CF.exe
Filesize
3.5MB

MD5
63e69628e361e90ad632e64a9b864f3c

SHA1
1784009fc6766abbd3d23ce4e49d863bd1618a10

SHA256
50215cc2474d56997b7f1a395f16a62e14103aff2c42f1a8989ff18b3a6258cd

SHA512
a8fe002bbf18bb6efeb705606d75a8857f1f3cd686bda2717a7a4c0d76187db525346bf70940fd3c051b55b34134a8c0f182e0a2fd4ea3456a1144b7882c3577

Download Submit
C:\Users\Admin\AppData\Local\Temp\B09D.exe
Filesize
180KB

MD5
f44b8ab251b4e56a5b79c61e8551c113

SHA1
012c9e76dc69fbe2973ac0fa5f47a1410b36e97d

SHA256
fdaa2bf5e7db5ba2cdd17079718e0e16f99e17d3b28527663a8197bd9c58e5fa

SHA512
43b36c00b360f77cbd639bb75f9d147896902dbdb647531e14e01ba45de9fdf89eeaa8feaedfd90734cc86b3dda2726e30494705f4557cd4ab95f530859fe6f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC32.exe
Filesize
48KB

MD5
a98680977f4eb7312d71d05e44fd78a5

SHA1
642613c0154b5d3ad52288efb29da1346bd44645

SHA256
12e9267c7134e69f1589cc4dba4dfbc4c01d3d0e1849c072c14c90e49d276cc0

SHA512
3e0cffe82bc277686a2d59be648208cea7e4a724ebfde2af01ad56c4afd4be2800fda4b13332c553e4eda26747e7516527462f3104f0bb58aeb8eba4fb488175

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC32.exe
Filesize
45KB

MD5
e719bb4ec95453298d544fc32dc5ded4

SHA1
c2fb4cf577cf61c8adcc655af474e18a341d0fd9

SHA256
f1e01a0ca0cbfc2257df41cde4fafd134dd2959123748babf8d546e8c39cf6c8

SHA512
584152a8d4400545fc2ee0c146534aec2c85d78e37724c679b03dce0d9974aa3e36add23a883854bf71da7b96c4f0f074a87627cc7512e4e878d9d90a6d77a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\C552.exe
Filesize
230KB

MD5
5696e707bb2de303879e042ba9fb2681

SHA1
d31c6d321bcb949c8067b801f2565a73ad6b38a6

SHA256
212cf81edf3cd280350b9dc6770ac93ecc254c2f54f8066bf37e2725c410389c

SHA512
62eb3db3bc4e1ddc7bd107dec4d103d5f6f6155e073a40627fad43270ba405d421143e492e82765422d02c807c0d3d406a6e21475cf1a6ce7239fb3f27b7e967

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab209B.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E92.exe
Filesize
729KB

MD5
7b4831d36aecb22f4973ea088ca8a79c

SHA1
03bdcb88c50bc0e95f964be0ea2e048253ee01dc

SHA256
689fdca3a73d4972fec7d88020c0297529f091a88ccba1be01962ccb5bf92881

SHA512
de1d14fab716a1ff343800b180ed12ec4f89c0779a4982647f7f42514cac7d6385af0051e606d7baad2bff17379e2f1f3e24a475816f3c06a5d193fb9b7efdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\E92.exe
Filesize
448KB

MD5
0b766e58887f79d52aabc0fdb6c14d58

SHA1
f1f03b143052aade2ff87d29a5217e614b552944

SHA256
f83bd05613297414f59c4f741f3b918908cf5ea46671bc7556b0c1e58e897e60

SHA512
3e16cc8a646b9d8addd906b30be1b62a386775bd17e2e1b28c2933d4e4ad85c50ed7c9d9b878bbdfea07c974cb15e86ff100dab0d288967393bf991f1edbc0f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\E92.exe
Filesize
303KB

MD5
189efc69187b8ae584e4e7b461e437b8

SHA1
97dd7d0f9efbc480a0f443bbc9a643203e4335f7

SHA256
bf6e429ee13f75ee8357724e77608ceccc6f27c41b56c810100d7256c04919e6

SHA512
ce0cc8d8ebe57ed9865341734efc10e74ca7edacb7bc1956c6d58fab03cada4ea5ad66d2b3991de1ac058880ec1fa5cd88163e0e6b558197f994de9c97841cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\E92.exe
Filesize
7KB

MD5
05bbdba1cb17443783b3fb247c60615e

SHA1
e6360dbce868fd1ab45f1d1eabfcafc91b1fc86a

SHA256
3b8a20307be9c185d02c6911d73072d1bd45178aa2f6195fc8473ad379b27373

SHA512
19d8cd64fa8d5ba216eb126c53ecb3f6b6e59ba3cf3ca8194ba2bf0a587e6586fbb77714a3325a3c1deeb588d8df72c38fbfc30b4cab94cf5c662d540c00312c

Download Submit
C:\Users\Admin\AppData\Local\Temp\E92.exe
Filesize
62KB

MD5
33dad06b83e6a459e610456b711fd497

SHA1
48e12def9005afa9bb4e9e4f95beed36900c6e00

SHA256
b9a19e629b38464ae99e6c046a03b15d2d15936613384d443bf4ca3d5a89c1f2

SHA512
c1de319e4a4faaff249576a1b177bc036a19c3f76caeefc2ca79cf1eb59c5ded58a4b10d7f6efd5d73f1f03eef380a7b4604149e09ab6150085bf31f38230b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4220.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M676N.tmp\BC32.tmp
Filesize
342KB

MD5
4c55c6c6e3a42337a6501f5edf69fbc4

SHA1
08330e49a364c41e0531b79f653673f47fa5fda4

SHA256
10b504986c7de45f24ed9c10b9e106eed1d256c27e4b02bce171a3b4367ad929

SHA512
5280f6ece11bd549efaeff1caab80d47bba923004037a5e50694b6523bf7f466c4a46b45ecb328ab562dd4b050e8b2cf16fefb8ff29f60870b5dc3665bcd2ce9

Download Submit
C:\Users\Admin\AppData\Local\a98e9571-dfc7-4b9d-bc3d-56855961933e\E92.exe
Filesize
79KB

MD5
0077e4e9431b592bb1f65e5af3d4516a

SHA1
1a1daf9244da861a02ccc5708ea0f9d2b8bddfd8

SHA256
f5aecde4f143d1d340ab5d520b65506adea307a33db598e9573d76a202d3deba

SHA512
96f7af86e69809b85bec61fcb6e43bb752cec13752ada5ea2f609ba6d2f57763d63fc329f5932fcc26062613ba1cf4facb4678c290249a8cb815745223f5dc7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
21KB

MD5
50a9bec9c89ffba2e9eb56c695ab00c1

SHA1
42c95a81f0112ac260f34d1291a65f5890ee6425

SHA256
a481f9247c480ca9fca939ad2b7ba0d8e1b17f3df15a705e5d65f3f60e07dd3d

SHA512
75f9bab138d9e337bce57724eaeb5ab8ea798f781b1f7e838c16573c75cf1563a050189a5b566de9dca5d8e288c1123621efe3b2bde51e3d713c30878751468e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
76KB

MD5
15b921e099cfbb806124b69c90ca9d00

SHA1
9b7a1f27df5db1c355c223dfa7e6f4bf1bb4ffd7

SHA256
eda2d09549cd8da1e362a414f41f4211cd9e6e153dfb45ecced10c036685c36d

SHA512
cf8bb8b550dc7a9603394701c1c7bae6a903abda6c078c843c88b1c9d390f2c9f838c4e97c6013d9b03eb8e273561e9f57a30728bd7dfd901e023d964d66a33a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
85KB

MD5
8b1c6dc5545b36751fd5fc6ca163ce66

SHA1
49c30b6e04cb27bd8ee36e55b1c8a3b232e564c3

SHA256
42ac4b6fcd474a741df6ab1c44c79e32daff85b4671b8073f0eba4d507958fae

SHA512
ea4bbfbb14e52aa95323e6108765bf86bb45ad195170f00fa01360b11d122265aca92fee5eb7c8095795091c9f154521f8aeda8dbe1178f791fc816b390c754d

Download Submit
\??\c:\users\admin\appdata\local\temp\is-m676n.tmp\bc32.tmp
Filesize
337KB

MD5
cc8e5c3ba1d20c0fd556496a215610fe

SHA1
43c516b20ccb6e92ba850430ddf57ccf74b9132c

SHA256
03fa8c5733afbdb560005f57481a5dba1beca415fc0b0fcace05a84ba7d9f22c

SHA512
ab6aa3bc63588604a4a1a06925981bb4ae663ff3776d2d61568f809d9deea7620caea3590c3327dcb9d90f9b58f8dc9fa59a6b623b284b462fcbe5b93ef6c6bb

Download Submit
\Users\Admin\AppData\Local\277abd03-4e33-45c0-85de-9f7af7eb232b\build2.exe
Filesize
385KB

MD5
63e4a9cd7a8b37335b5f18cefc5dd9d2

SHA1
c781a30935afc452b108cc78724b60f389b78874

SHA256
c1e75efde3fd1da605135e5c3ffab0073299c80632d136f8eeba9d4a7c98c70f

SHA512
3818b5966938704c5830acb5426db7791f6ae476853248d8984b1aff35a6722a0684bea54a53ef6ded1f301f6de9ed044d45f007457a9c0f3a7ea3afc7bf0ecc

Download Submit
\Users\Admin\AppData\Local\277abd03-4e33-45c0-85de-9f7af7eb232b\build3.exe
Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
\Users\Admin\AppData\Local\LISP XDR Extension\lispxdrext.exe
Filesize
149KB

MD5
9b3b15f56f0b3fea11bd253e990d061e

SHA1
8109524d131e4e59c6a355e62c87736f2ab681dd

SHA256
f39d39040e305f799f888c214b4f1f598041035367eca3827daa4916a87320f0

SHA512
14ba595d734bcd4392363058ed708e0df9126017bef164af6d400c7e430e4d510153c8370a7389b283eac0f81ebd2f7eda03f4721be728af4df2cad8c67292ca

Download Submit
\Users\Admin\AppData\Local\Temp\A8CF.exe
Filesize
256KB

MD5
274b6d5cdcff03124898eb00bbc3323e

SHA1
e07bc859754286bdfb125a6e895a1e629a052303

SHA256
31645d2622154f621f99c0b801418fe72dc102d018de9a83dd607cffa1a8d88f

SHA512
48b315b6173ddd19b384c231d5a304f8bf07b96568eecfc07745d4e3884e214aa94ca04061fcf63801df5e188103041811a4171deadbfcfadf33af85bb084991

Download Submit
\Users\Admin\AppData\Local\Temp\A8CF.exe
Filesize
193KB

MD5
e551d2146d8f40badf4c2bacb9826a09

SHA1
4ecc792d445cdfe84622d394333d10a57d51c020

SHA256
17411e3ffd9e3f841c8c2ab4ddb727e7619cfee04eb07db9f79d116a85736ba8

SHA512
7a108cab2bcf2803176492a2384d5a90915760b887e757c7bd80eed27a8a9412f82bb2dfda7fea4178af92e67facb260563d1cd065dcbca5b7d5e61fdf774d19

Download Submit
\Users\Admin\AppData\Local\Temp\A8CF.exe
Filesize
161KB

MD5
0af0ae6200069c8b26c19ee547b5d57d

SHA1
fe35e53b7a399aaf384ecc9aae9c6be2d21926bb

SHA256
d9e7204712bd3e566105025dd785129a237a83b5440a3e7d98d1fbcc2e955934

SHA512
4d1b7b59672ef45e1357c35db72d3f8f4e83cd4031b06ad320347056f4390b8efafbde094bd64f5468b8d10e33fe4f3f12ce8530af41eb4ddaac1332420d18f8

Download Submit
\Users\Admin\AppData\Local\Temp\A8CF.exe
Filesize
259KB

MD5
616a5cb7c8c1eca7759335e0473a7242

SHA1
378ad3e64706ed839cc05290f9b9435a3ac28a05

SHA256
e412f520ef5c5bda315bbee1a11c2269b91007c8c9e72cc2440a1051d7fde996

SHA512
e7b8f82c3394524169ec3c812cda90b03cc9dad592e006121768a5d0df4378746506e7128290e97ab84ea434349c47e0d1289f0d4abb54333d6d1e0289ca9727

Download Submit
\Users\Admin\AppData\Local\Temp\A8CF.exe
Filesize
199KB

MD5
44a65cb9a5d66539149770163d0379e6

SHA1
6b19aafc2848376b57d7ec9857cb0ac69e00105e

SHA256
9e1048105ad9bb0244fe800da383c9d84ff62cab1b3be9f00d807bb625d76873

SHA512
284f7cf790c4cb58cbcd83e80bbe501043a4d44cbe8f7f46e765d540785769b9646bb3cbd2f5531c61f8638dbe32355e404813c05fb60d7ade61e2847d8ec77f

Download Submit
\Users\Admin\AppData\Local\Temp\E92.exe
Filesize
58KB

MD5
6ea092b9282dd52954f1451c8e3992d3

SHA1
f2f11491b3a74a96abd62eba7c4de921eb7de9f8

SHA256
515dae982c574e6320a40d4f12bd0367143385b366fd49d220216410ef36ae31

SHA512
b6ea9e248466fb8256763d59570e85996942fcca253b91fc6797505ac3668a36af3b3fe5da3f110d2b577ceed5e189afcef3309c10eac236d24824c3a02d7773

Download Submit
\Users\Admin\AppData\Local\Temp\E92.exe
Filesize
55KB

MD5
98b745aee31cce170184cdfdb53b1522

SHA1
22dfed761f881ae3a9b0423d54d92482dbf49c59

SHA256
f31b710befecbaf3e035d1f17c7bfd03c3066bb68f1753b3c56ab4e1dd44dd6d

SHA512
ac69d0dcbedff96400e62b81738d5672c0a8356a7bbb670d3ec8444051ae4e24a41578ad2f3cb08323b139433f9d1a284684f449e922a5fef58a7e645aeda9f8

Download Submit
\Users\Admin\AppData\Local\Temp\E92.exe
Filesize
16KB

MD5
48908c025251aec452a6a5c619fb75e9

SHA1
97fc2d939057b7fefe650b61ae5ee35ae94fabe3

SHA256
c4a6e48d711ab835fac8fac0952c607ca225690489b5186d7cd03cfe38eead46

SHA512
b3a06cd33f1562cd5af62276fca93eaca568d674ab22654950498087acd0da7408c10e307cdc09a8e46a83f42102f0022dac6dbd7737bdb5fc4b58f9ebf76063

Download Submit
\Users\Admin\AppData\Local\Temp\is-2T3HU.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-2T3HU.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-M676N.tmp\BC32.tmp
Filesize
45KB

MD5
ce114d053b70f0894efe7b57d9d0842d

SHA1
7859a542e97e0c1a7b7fdff8cd6ced32b4d3d99a

SHA256
697c0abc3bef01a539c30968dbd65004290bc5147f555d7bd396217019af4f91

SHA512
c861518bbad46f26f4ffe40ca85f2d99f9cd8c7705cdc4097b41d7bb6052f258ad9e9d352afaab2c97b68c57ac673b4bcfc108e418224d01e85f32793bebffe1

Download Submit
memory/112-394-0x00000000009C0000-0x0000000000F64000-memory.dmp

Filesize
5.6MB

Download
memory/112-303-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/112-312-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/112-313-0x0000000002CA0000-0x0000000002CA2000-memory.dmp

Filesize
8KB

Download
memory/112-304-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/112-305-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/112-299-0x00000000009C0000-0x0000000000F64000-memory.dmp

Filesize
5.6MB

Download
memory/112-310-0x0000000002C30000-0x0000000002C31000-memory.dmp

Filesize
4KB

Download
memory/112-309-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

Filesize
4KB

Download
memory/112-393-0x00000000009C0000-0x0000000000F64000-memory.dmp

Filesize
5.6MB

Download
memory/112-311-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/112-308-0x0000000002C40000-0x0000000002C41000-memory.dmp

Filesize
4KB

Download
memory/112-402-0x00000000009C0000-0x0000000000F64000-memory.dmp

Filesize
5.6MB

Download
memory/112-307-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/112-306-0x00000000009C0000-0x0000000000F64000-memory.dmp

Filesize
5.6MB

Download
memory/112-300-0x0000000077230000-0x0000000077232000-memory.dmp

Filesize
8KB

Download
memory/112-301-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/112-302-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/1180-21-0x0000000003B70000-0x0000000003B86000-memory.dmp

Filesize
88KB

Download
memory/1180-4-0x0000000002A90000-0x0000000002AA6000-memory.dmp

Filesize
88KB

Download
memory/1308-8-0x00000000001B0000-0x00000000001BB000-memory.dmp

Filesize
44KB

Download
memory/1308-1-0x0000000000250000-0x0000000000350000-memory.dmp

Filesize
1024KB

Download
memory/1308-2-0x00000000001B0000-0x00000000001BB000-memory.dmp

Filesize
44KB

Download
memory/1308-3-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1308-5-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1412-409-0x00000000008A0000-0x00000000009A0000-memory.dmp

Filesize
1024KB

Download
memory/1548-423-0x0000000000400000-0x00000000006AE000-memory.dmp

Filesize
2.7MB

Download
memory/1548-427-0x0000000000400000-0x00000000006AE000-memory.dmp

Filesize
2.7MB

Download
memory/1548-396-0x0000000000400000-0x00000000006AE000-memory.dmp

Filesize
2.7MB

Download
memory/1548-391-0x0000000000400000-0x00000000006AE000-memory.dmp

Filesize
2.7MB

Download
memory/1632-66-0x0000000001BF0000-0x0000000001C82000-memory.dmp

Filesize
584KB

Download
memory/1632-267-0x0000000001BF0000-0x0000000001C82000-memory.dmp

Filesize
584KB

Download
memory/1632-69-0x0000000001BF0000-0x0000000001C82000-memory.dmp

Filesize
584KB

Download
memory/1660-389-0x0000000000400000-0x00000000006AE000-memory.dmp

Filesize
2.7MB

Download
memory/1660-388-0x0000000000400000-0x00000000006AE000-memory.dmp

Filesize
2.7MB

Download
memory/1660-384-0x0000000000400000-0x00000000006AE000-memory.dmp

Filesize
2.7MB

Download
memory/1660-385-0x0000000000400000-0x00000000006AE000-memory.dmp

Filesize
2.7MB

Download
memory/1756-75-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1756-179-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1756-96-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1756-98-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1756-94-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1756-90-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1756-97-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1756-89-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1756-76-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1852-38-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1852-43-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1852-65-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1852-42-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1852-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2056-322-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2056-318-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2056-400-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2088-263-0x00000000009A0000-0x0000000000AA0000-memory.dmp

Filesize
1024KB

Download
memory/2088-264-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/2200-288-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2200-283-0x0000000000180000-0x0000000000C94000-memory.dmp

Filesize
11.1MB

Download
memory/2200-287-0x0000000000180000-0x0000000000C94000-memory.dmp

Filesize
11.1MB

Download
memory/2328-120-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2328-119-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2328-275-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2328-116-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2328-113-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2680-19-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/2680-20-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2680-22-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2804-332-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2804-383-0x0000000005100000-0x00000000053AE000-memory.dmp

Filesize
2.7MB

Download
memory/2804-411-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2804-401-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2804-412-0x0000000005100000-0x00000000053AE000-memory.dmp

Filesize
2.7MB

Download
memory/2916-112-0x0000000000260000-0x0000000000360000-memory.dmp

Filesize
1024KB

Download
memory/2916-114-0x00000000003D0000-0x0000000000400000-memory.dmp

Filesize
192KB

Download
memory/3044-272-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3044-266-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3044-270-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3056-31-0x0000000000340000-0x00000000003D2000-memory.dmp

Filesize
584KB

Download
memory/3056-34-0x0000000000340000-0x00000000003D2000-memory.dmp

Filesize
584KB

Download
memory/3056-41-0x0000000000340000-0x00000000003D2000-memory.dmp

Filesize
584KB

Download
memory/3056-37-0x0000000001D80000-0x0000000001E9B000-memory.dmp

Filesize
1.1MB

Download