amadey | 41341a270a56d93bc7d7b84bba433894cd802e1f658c550c909648875655ee7a

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
15-02-2024 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2WikyfhIg3qcjejHn3mPOq9j.exe
Size

4.6MB
MD5

61d5c104ea3648f4020c15dfac7e41de
SHA1

7197efa6c099fd47ea379578e5bdf9877d33b087
SHA256

d699d09ddc2994787b49a164b33353a8e723a62c7a2709201c4a3398169f8edf
SHA512

33386ae9326a298617c54bdc3084559f3b1a2e0ad72d33d773582befe7f5c4b875710dc2e93f9d10614add27bebd3b1ea6f9311b06b05f82eadb81c35df13a0a
SSDEEP

98304:oV8ndGDi9ymvydJLC19UYeh62JPtG4n65Kj5OJPL2Pso:o+ndGapsLCaW4n65K1CPa

Score

10^/10

amadey smokeloader pub3 backdoor spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

smokeloader

Version

2022

http://sjyey.com/tmp/index.php

http://babonwo.ru/tmp/index.php

http://mth.com.ua/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

rc4.i32

Extracted

Family

amadey

Version

4.14

http://anfesq.com

http://cbinr.com

http://rimakc.ru

Attributes

install_dir
68fd3d7ade
install_file
Utsysc.exe
strings_key
27ec7fd6f50f63b8af0c1d3deefcc8fe
url_paths
/forum/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2WikyfhIg3qcjejHn3mPOq9j.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Control Panel\International\Geo\Nation	2WikyfhIg3qcjejHn3mPOq9j.exe

Executes dropped EXE 9 IoCs

Processes:

dieFq1vLmHL0zOOyA6YhiJ1t.exemMaa42PwzVHFtTV2I6dZndWZ.exea4qWenGzDVoL3wCWmQN62oxn.exedwdcvtdCFCD.exeCFCD.exeUtsysc.exeUtsysc.exeUtsysc.exe

pid	process
2956	dieFq1vLmHL0zOOyA6YhiJ1t.exe
380	mMaa42PwzVHFtTV2I6dZndWZ.exe
1916	a4qWenGzDVoL3wCWmQN62oxn.exe
2592	dwdcvtd
3032	CFCD.exe
2652	CFCD.exe
2128	Utsysc.exe
356	Utsysc.exe
2160	Utsysc.exe

Loads dropped DLL 55 IoCs

Processes:

rundll32.exeCFCD.exeCFCD.exeUtsysc.exerundll32.exerundll32.exerundll32.exeWerFault.exerundll32.exerundll32.exeWerFault.exerundll32.exerundll32.exeWerFault.exerundll32.exerundll32.exerundll32.exeUtsysc.exe

pid	process
1532	rundll32.exe
1532	rundll32.exe
1532	rundll32.exe
1532	rundll32.exe
3032	CFCD.exe
2652	CFCD.exe
2652	CFCD.exe
2128	Utsysc.exe
1428	rundll32.exe
1428	rundll32.exe
1428	rundll32.exe
1428	rundll32.exe
1064	rundll32.exe
1064	rundll32.exe
1064	rundll32.exe
1064	rundll32.exe
2196	rundll32.exe
2196	rundll32.exe
2196	rundll32.exe
2196	rundll32.exe
2352	WerFault.exe
2352	WerFault.exe
3040	rundll32.exe
3040	rundll32.exe
3040	rundll32.exe
3040	rundll32.exe
304	rundll32.exe
304	rundll32.exe
304	rundll32.exe
304	rundll32.exe
2528	WerFault.exe
2528	WerFault.exe
1008	rundll32.exe
1008	rundll32.exe
1008	rundll32.exe
1008	rundll32.exe
2008	rundll32.exe
2008	rundll32.exe
2008	rundll32.exe
2008	rundll32.exe
1912	WerFault.exe
1912	WerFault.exe
2944	rundll32.exe
2944	rundll32.exe
2944	rundll32.exe
2944	rundll32.exe
2180	rundll32.exe
2180	rundll32.exe
2180	rundll32.exe
2180	rundll32.exe
2604	rundll32.exe
2604	rundll32.exe
2604	rundll32.exe
2604	rundll32.exe
2160	Utsysc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.myip.com
5 api.myip.com
8 ipinfo.io
9 ipinfo.io

flow	ioc
4	api.myip.com
5	api.myip.com
8	ipinfo.io
9	ipinfo.io

Drops file in System32 directory 4 IoCs

Processes:

2WikyfhIg3qcjejHn3mPOq9j.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	2WikyfhIg3qcjejHn3mPOq9j.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	2WikyfhIg3qcjejHn3mPOq9j.exe
File opened for modification	C:\Windows\System32\GroupPolicy	2WikyfhIg3qcjejHn3mPOq9j.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	2WikyfhIg3qcjejHn3mPOq9j.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

CFCD.exeUtsysc.exeUtsysc.exe

description	pid	process	target process
PID 3032 set thread context of 2652	3032	CFCD.exe	CFCD.exe
PID 2128 set thread context of 356	2128	Utsysc.exe	Utsysc.exe
PID 2160 set thread context of 2996	2160	Utsysc.exe	Utsysc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a4qWenGzDVoL3wCWmQN62oxn.exedwdcvtd

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a4qWenGzDVoL3wCWmQN62oxn.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a4qWenGzDVoL3wCWmQN62oxn.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a4qWenGzDVoL3wCWmQN62oxn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dwdcvtd
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dwdcvtd
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dwdcvtd

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2472 schtasks.exe

pid	process
2472	schtasks.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

2WikyfhIg3qcjejHn3mPOq9j.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	2WikyfhIg3qcjejHn3mPOq9j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	2WikyfhIg3qcjejHn3mPOq9j.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	2WikyfhIg3qcjejHn3mPOq9j.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2WikyfhIg3qcjejHn3mPOq9j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2WikyfhIg3qcjejHn3mPOq9j.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	2WikyfhIg3qcjejHn3mPOq9j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	2WikyfhIg3qcjejHn3mPOq9j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	2WikyfhIg3qcjejHn3mPOq9j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	2WikyfhIg3qcjejHn3mPOq9j.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2WikyfhIg3qcjejHn3mPOq9j.exea4qWenGzDVoL3wCWmQN62oxn.exe

pid	process
2192	2WikyfhIg3qcjejHn3mPOq9j.exe
2192	2WikyfhIg3qcjejHn3mPOq9j.exe
1916	a4qWenGzDVoL3wCWmQN62oxn.exe
1916	a4qWenGzDVoL3wCWmQN62oxn.exe
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1188
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

a4qWenGzDVoL3wCWmQN62oxn.exedwdcvtd

pid process

1916 a4qWenGzDVoL3wCWmQN62oxn.exe
2592 dwdcvtd

pid	process
1188

pid	process
1916	a4qWenGzDVoL3wCWmQN62oxn.exe
2592	dwdcvtd

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	1188
Token: SeShutdownPrivilege	1188
Token: SeShutdownPrivilege	1188
Token: SeShutdownPrivilege	1188
Token: SeShutdownPrivilege	1188
Token: SeShutdownPrivilege	1188
Token: SeShutdownPrivilege	1188
Token: SeShutdownPrivilege	1188
Token: SeShutdownPrivilege	1188
Token: SeShutdownPrivilege	1188

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

CFCD.exe

pid process

2652 CFCD.exe

pid	process
2652	CFCD.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2WikyfhIg3qcjejHn3mPOq9j.exemMaa42PwzVHFtTV2I6dZndWZ.execontrol.exetaskeng.exeCFCD.exeCFCD.exeUtsysc.exeUtsysc.exerundll32.exe

description	pid	process	target process
PID 2192 wrote to memory of 2956	2192	2WikyfhIg3qcjejHn3mPOq9j.exe	dieFq1vLmHL0zOOyA6YhiJ1t.exe
PID 2192 wrote to memory of 2956	2192	2WikyfhIg3qcjejHn3mPOq9j.exe	dieFq1vLmHL0zOOyA6YhiJ1t.exe
PID 2192 wrote to memory of 2956	2192	2WikyfhIg3qcjejHn3mPOq9j.exe	dieFq1vLmHL0zOOyA6YhiJ1t.exe
PID 2192 wrote to memory of 2956	2192	2WikyfhIg3qcjejHn3mPOq9j.exe	dieFq1vLmHL0zOOyA6YhiJ1t.exe
PID 2192 wrote to memory of 380	2192	2WikyfhIg3qcjejHn3mPOq9j.exe	mMaa42PwzVHFtTV2I6dZndWZ.exe
PID 2192 wrote to memory of 380	2192	2WikyfhIg3qcjejHn3mPOq9j.exe	mMaa42PwzVHFtTV2I6dZndWZ.exe
PID 2192 wrote to memory of 380	2192	2WikyfhIg3qcjejHn3mPOq9j.exe	mMaa42PwzVHFtTV2I6dZndWZ.exe
PID 2192 wrote to memory of 380	2192	2WikyfhIg3qcjejHn3mPOq9j.exe	mMaa42PwzVHFtTV2I6dZndWZ.exe
PID 2192 wrote to memory of 1916	2192	2WikyfhIg3qcjejHn3mPOq9j.exe	a4qWenGzDVoL3wCWmQN62oxn.exe
PID 2192 wrote to memory of 1916	2192	2WikyfhIg3qcjejHn3mPOq9j.exe	a4qWenGzDVoL3wCWmQN62oxn.exe
PID 2192 wrote to memory of 1916	2192	2WikyfhIg3qcjejHn3mPOq9j.exe	a4qWenGzDVoL3wCWmQN62oxn.exe
PID 2192 wrote to memory of 1916	2192	2WikyfhIg3qcjejHn3mPOq9j.exe	a4qWenGzDVoL3wCWmQN62oxn.exe
PID 380 wrote to memory of 1520	380	mMaa42PwzVHFtTV2I6dZndWZ.exe	control.exe
PID 380 wrote to memory of 1520	380	mMaa42PwzVHFtTV2I6dZndWZ.exe	control.exe
PID 380 wrote to memory of 1520	380	mMaa42PwzVHFtTV2I6dZndWZ.exe	control.exe
PID 380 wrote to memory of 1520	380	mMaa42PwzVHFtTV2I6dZndWZ.exe	control.exe
PID 1520 wrote to memory of 1532	1520	control.exe	rundll32.exe
PID 1520 wrote to memory of 1532	1520	control.exe	rundll32.exe
PID 1520 wrote to memory of 1532	1520	control.exe	rundll32.exe
PID 1520 wrote to memory of 1532	1520	control.exe	rundll32.exe
PID 1520 wrote to memory of 1532	1520	control.exe	rundll32.exe
PID 1520 wrote to memory of 1532	1520	control.exe	rundll32.exe
PID 1520 wrote to memory of 1532	1520	control.exe	rundll32.exe
PID 3004 wrote to memory of 2592	3004	taskeng.exe	dwdcvtd
PID 3004 wrote to memory of 2592	3004	taskeng.exe	dwdcvtd
PID 3004 wrote to memory of 2592	3004	taskeng.exe	dwdcvtd
PID 3004 wrote to memory of 2592	3004	taskeng.exe	dwdcvtd
PID 1188 wrote to memory of 3032	1188		CFCD.exe
PID 1188 wrote to memory of 3032	1188		CFCD.exe
PID 1188 wrote to memory of 3032	1188		CFCD.exe
PID 1188 wrote to memory of 3032	1188		CFCD.exe
PID 3032 wrote to memory of 2652	3032	CFCD.exe	CFCD.exe
PID 3032 wrote to memory of 2652	3032	CFCD.exe	CFCD.exe
PID 3032 wrote to memory of 2652	3032	CFCD.exe	CFCD.exe
PID 3032 wrote to memory of 2652	3032	CFCD.exe	CFCD.exe
PID 3032 wrote to memory of 2652	3032	CFCD.exe	CFCD.exe
PID 3032 wrote to memory of 2652	3032	CFCD.exe	CFCD.exe
PID 3032 wrote to memory of 2652	3032	CFCD.exe	CFCD.exe
PID 3032 wrote to memory of 2652	3032	CFCD.exe	CFCD.exe
PID 3032 wrote to memory of 2652	3032	CFCD.exe	CFCD.exe
PID 3032 wrote to memory of 2652	3032	CFCD.exe	CFCD.exe
PID 3032 wrote to memory of 2652	3032	CFCD.exe	CFCD.exe
PID 2652 wrote to memory of 2128	2652	CFCD.exe	Utsysc.exe
PID 2652 wrote to memory of 2128	2652	CFCD.exe	Utsysc.exe
PID 2652 wrote to memory of 2128	2652	CFCD.exe	Utsysc.exe
PID 2652 wrote to memory of 2128	2652	CFCD.exe	Utsysc.exe
PID 2128 wrote to memory of 356	2128	Utsysc.exe	Utsysc.exe
PID 2128 wrote to memory of 356	2128	Utsysc.exe	Utsysc.exe
PID 2128 wrote to memory of 356	2128	Utsysc.exe	Utsysc.exe
PID 2128 wrote to memory of 356	2128	Utsysc.exe	Utsysc.exe
PID 2128 wrote to memory of 356	2128	Utsysc.exe	Utsysc.exe
PID 2128 wrote to memory of 356	2128	Utsysc.exe	Utsysc.exe
PID 2128 wrote to memory of 356	2128	Utsysc.exe	Utsysc.exe
PID 2128 wrote to memory of 356	2128	Utsysc.exe	Utsysc.exe
PID 2128 wrote to memory of 356	2128	Utsysc.exe	Utsysc.exe
PID 2128 wrote to memory of 356	2128	Utsysc.exe	Utsysc.exe
PID 2128 wrote to memory of 356	2128	Utsysc.exe	Utsysc.exe
PID 356 wrote to memory of 2472	356	Utsysc.exe	schtasks.exe
PID 356 wrote to memory of 2472	356	Utsysc.exe	schtasks.exe
PID 356 wrote to memory of 2472	356	Utsysc.exe	schtasks.exe
PID 356 wrote to memory of 2472	356	Utsysc.exe	schtasks.exe
PID 1532 wrote to memory of 692	1532	rundll32.exe	RunDll32.exe
PID 1532 wrote to memory of 692	1532	rundll32.exe	RunDll32.exe
PID 1532 wrote to memory of 692	1532	rundll32.exe	RunDll32.exe

C:\Users\Admin\AppData\Local\Temp\2WikyfhIg3qcjejHn3mPOq9j.exe
"C:\Users\Admin\AppData\Local\Temp\2WikyfhIg3qcjejHn3mPOq9j.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\Documents\GuardFox\dieFq1vLmHL0zOOyA6YhiJ1t.exe
  "C:\Users\Admin\Documents\GuardFox\dieFq1vLmHL0zOOyA6YhiJ1t.exe"
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Users\Admin\Documents\GuardFox\mMaa42PwzVHFtTV2I6dZndWZ.exe
  "C:\Users\Admin\Documents\GuardFox\mMaa42PwzVHFtTV2I6dZndWZ.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\XcaOMYM_.cPL",
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\XcaOMYM_.cPL",
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1532
    - - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\XcaOMYM_.cPL",
        5⤵
        
        PID:692
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\XcaOMYM_.cPL",
        6⤵
        Loads dropped DLL
        
        PID:1428
- C:\Users\Admin\Documents\GuardFox\a4qWenGzDVoL3wCWmQN62oxn.exe
  "C:\Users\Admin\Documents\GuardFox\a4qWenGzDVoL3wCWmQN62oxn.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1916

C:\Windows\system32\taskeng.exe
taskeng.exe {B1BAFE8B-FDE4-4594-8B38-4473FCAC6C05} S-1-5-21-3601492379-692465709-652514833-1000:CALKHSYM\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Roaming\dwdcvtd
  C:\Users\Admin\AppData\Roaming\dwdcvtd
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:2592
- C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
  C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID:2160
- - C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
    C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
    3⤵
    PID:2996

C:\Users\Admin\AppData\Local\Temp\CFCD.exe
C:\Users\Admin\AppData\Local\Temp\CFCD.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Local\Temp\CFCD.exe
  C:\Users\Admin\AppData\Local\Temp\CFCD.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
    "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
      "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:356
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:2472
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:1064
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:2196
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2196 -s 308
        7⤵
        Loads dropped DLL
        
        PID:2352
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:3040
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:304
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 304 -s 308
        7⤵
        Loads dropped DLL
        
        PID:2528
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:1008
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:2008
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2008 -s 308
        7⤵
        Loads dropped DLL
        
        PID:1912
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:2944
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:2180
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
43b0eaf3d8ff264f86ca86670aa08de2

SHA1
ecd9f84abff04edea28eb7aad987500ca76fd3cf

SHA256
47bf214aaf01fe51e59ee38bf8a3286667909fc76676f07dd2260ccb77762d71

SHA512
52c381e6073c7dbf33c083a0699a160fe75537057ce3c31aa5e4ab23ee8a5d31ed6e80389409a686620be12b0ca998977b50ded74ee9b1e57a158ff70e43fe33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c85cd98d25ea9594f1b0ab856db1dd3e

SHA1
584c23a1480e25e30d9d7dbd3b2596472d7d591d

SHA256
4aa0d678088255ab86494ab78bf1c76bc4536db291cfb69ebe3fc8baca314b9d

SHA512
49e9e402f30a89b34f3f569039cffcdd2e94e479cc2c6513463d5e507132d5586870eb460da29b13f0f39db40c1fda8c8e591104f129a1442313e5b0724aed88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ba71ea02aad1a0526f1a917cbc9cbeba

SHA1
726d59449078dedd5c3a93b722d2161ababf49e3

SHA256
760d386060fec0eec933a1a5e0bbb682c548bfef31274c9e58f5d7c65dfa8cc6

SHA512
bb3cc1f078d88f4fd62bbf68200a56a4430a9c5f8e90537e895a45540dd081b63c03ff6f91d1b80911a367a5d66bed90924153d0d3712dda3a6df5a437f813e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ff178a32e275895a6993de96f70247b6

SHA1
0e916ae46b0a2a80da70b730e6441223f05db3b0

SHA256
25111a216b4a444a860cb33dfdf5e70828fd6dc53132929f445ac1b17f0002a5

SHA512
fbd194f8a53648235fd486d0310bf28148f11c55d24bc24ac6e9ab9cc2fcf8dc1629b848b309e6edfde528bb4bbd801874bb0237231f6146ce4a188d8269d4be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c52523f88d90e5f2146d03b80f89a898

SHA1
d1c3e3c4917a539d2e1598894e880a44f95d3e26

SHA256
39a993ef2e75f75841c5336fe946261b5cc186e2f3167382469ca0bcedc5500b

SHA512
ef6e8874f29277e5f112906269a8a42d29ba89b5cd7c787e192199a8396fe957d0399f9ee75eb14fa4f960f8a8edd49bfec303f8cb4f8c7bc63db42defaf2c4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1c3b422afb60d9e61011540bc7ebcba6

SHA1
97e37fca45a43003b98515e145bbe67f34746a47

SHA256
8d979c7ef8211430bc3685ccb92f3f84cf097aef2a2c809507be023dad31f14b

SHA512
c3d9829dac97025db7b1ed325e95cef36c88dcf8ac0a16544642b76a3f704a0ab165bc88526f2d6f798e60ad381b03d0a83aa1423902011924270ae9ec304f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\601492379692

Filesize
65KB

MD5
b456377549274ee9b7d7682e7e0d28e8

SHA1
dbd74b17dab9324f196fd8639561a9ea36ee02c2

SHA256
9f7bc7d2948290a1448cd52701d4fe8e28b73412070d53c137ed9921b2f36c7b

SHA512
375a362b0c55ae503386fae5e6b4e68a4ba45d52850e2ee0bbff1f6e94ee3402bcc04b09d8665c1bc853c2d825180ecc498ad902a5879e02e70a6afa94d0d351

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFCD.exe

Filesize
192KB

MD5
b4149b4a35e02013e81f173b6e1c2c35

SHA1
7cd2908d39d22d3615b18c848941c3a6b39cc58c

SHA256
119cd393ce755ceae61df6fed0e80c135cc988b972307db5e19e4ee1955c9886

SHA512
a7de6b5cd059b13894266a02f4b05328add5dc3d9da449ec57a37f94844b32639b06d46df229b456c52177c9cd14fff95a8062be9f31223aefa68c8c3f78f77d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFCD.exe

Filesize
389KB

MD5
57a16daebdf4113651b1d0a1af3ebf96

SHA1
bf2dec1b7cdbe8548020f6e9c3002151fe6a20ee

SHA256
54fe7416808922eb895d5a5b56aa62db6c404bf95d9d689e4e6d464b2f9e58b4

SHA512
a20f4c5e9e3f3656171201e509d80dfc61b962c141512cd05945dad0129b181cc3516b21c43a76d1a04c13208760362187e894db198ecfc81664b75f744d58b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1FB3.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2033.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\XcaOMYM_.cPL

Filesize
1.9MB

MD5
5254fa3131da8ddb80baed46e59ca87c

SHA1
d34771c1d291f3e2695dc332b794222985003364

SHA256
67b1cac0042defadb87423b062af82959dc42677ff7c4cf484342df0d2561731

SHA512
83452765e921aa6969ceaac903fd56ed6af394a0321bfcbb2d95e34a44548e8a01ff2eff18bcba1db27d577fbead0ae1fc2e8c3df656b40edecdd8d23124e75d

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll

Filesize
102KB

MD5
4194e9b8b694b1e9b672c36f0d868e32

SHA1
252f27fe313c7bf8e9f36aef0c7b676383872efb

SHA256
97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125

SHA512
f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

Filesize
1.1MB

MD5
f01f5bc76b9596e0cfeab8a272cba3a5

SHA1
19cab1291e4e518ae636f2fb3d41567e4e6e4722

SHA256
83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938

SHA512
ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

Download Submit
C:\Users\Admin\Documents\GuardFox\a4qWenGzDVoL3wCWmQN62oxn.exe

Filesize
240KB

MD5
a05efaf63385624a9a6f4cb71e3034f2

SHA1
00921d3aa2c3cb750b0b2799001eaee1023c6e97

SHA256
75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f

SHA512
c181aedf600a55843aaaacbefc585b9f7b0bad26e87bdc7b00c63d1c908f7d5994f89ef116847a201ec91a89fe869523ac5bcbe331203ccf85923e9ff44281e5

Download Submit
C:\Users\Admin\Documents\GuardFox\dieFq1vLmHL0zOOyA6YhiJ1t.exe

Filesize
63KB

MD5
1c1f4537de6e94b3ab9d86c60fe9c7d0

SHA1
4a9e295bebdf12439e21cbbf2c4807c0fa9bf04b

SHA256
9671f7d02ac4b9e489165e88b4458fb4a40a1d8afae63b0cd809b8d26b2ec766

SHA512
2b065574235195e5b259590bc697ec9bc8ee11bd1bfd2eeef0c5eaa6f05489a86fe0bf9ed4657b88ffb5cb91b6d874615ca01161c5efa82620ac10a5a6bb4eb7

Download Submit
C:\Users\Admin\Documents\GuardFox\mMaa42PwzVHFtTV2I6dZndWZ.exe

Filesize
3.2MB

MD5
9259a28900f40d3700db944449186bf3

SHA1
25ee590cdd8a0c240ddb34cd94a385017c3c73d7

SHA256
180439ab2db8af7705d6c14681940ec7308eabff2a5815a20bfbc014befe54ae

SHA512
5efffab8b366fa9387a71efc47b25f881e2f4816e590cfcfa0405ba6fe20e18effefe0ce82ee5ef45f517901a8264971cb938379e272f8c9c9c9b16c8a905205

Download Submit
C:\Users\Admin\Documents\GuardFox\mMaa42PwzVHFtTV2I6dZndWZ.exe

Filesize
2.7MB

MD5
4811eb151a5af4a20d550f1fd1925688

SHA1
dec8a7ebd34a274f9459f0c2c2724d58001652bb

SHA256
a62ca9bb54b4d2c872ce795c036cf7b58cb1ae0d982dcfc744505643da733d72

SHA512
aeef34fe19f562311bb2cf7cc8e3d850c3011aa4b39748d9cf8c3e87530a36b52ddaaac1200bfce4a875ec1dcd99e8c6ba905026267c3403b922cfd59f28f317

Download Submit
C:\Users\Admin\Documents\GuardFox\mMaa42PwzVHFtTV2I6dZndWZ.exe

Filesize
330KB

MD5
184357f58981b6d7bfd908fe3c1ce99b

SHA1
2c4a5825c8a2b526a2cc8a19324a7ce4704e1bcc

SHA256
58b10876995f6097df164857dcc0267d66f91171d2da2e316eb531a56c248bf7

SHA512
382e5565dd7e07a76ad736e1a242a656ec0f1c58ad3ebc92b5698a367df78412f45a3be6eed256e9a734432cc694493fc952dd62bafc7dd1ea025c145bbbd198

Download Submit
\Users\Admin\AppData\Local\Temp\xcaoMYm_.cpl

Filesize
1.9MB

MD5
adcd0acf507fc5aef454bfce849ccb00

SHA1
b5f3498fb2ae9c4b750e41c8d29a8b665d4ad8ad

SHA256
7f2291b7dc50eee9da63b0379234cb3a500f6948061250cfcc89993eeab2d5e1

SHA512
6a31f459f07e4f9de021ca7016ee94c3c585ca491d0ac1fffcce03b0eb9157f4f514d5f70925ede5501523488e5e50f499559084d715c2100f88081615e49101

Download Submit
\Users\Admin\AppData\Local\Temp\xcaoMYm_.cpl

Filesize
1.5MB

MD5
7fa2bb8a5292a1c4de93d83a16f5fae5

SHA1
32f51ac5d53f664ff4e0f6bf3fd15c791c0bfccd

SHA256
24055ad6625d3683969acd5ff3d4e934ff3933010c7d3e59476924fcc0a58d00

SHA512
6cf29d3e40a60af7a5b149f5a957d81d1566998f63d024829fb8585545a346291c555060e4a7d44eba37645fadd6dc8f60e62013999c5d861e2fb01ac41d8a2f

Download Submit
\Users\Admin\AppData\Local\Temp\xcaoMYm_.cpl

Filesize
1.6MB

MD5
11898773055bd9042e663224b395b9a1

SHA1
2e5e671bfb075c60652154e5301e1db6471d6395

SHA256
0ba7c8b71dcf54f2bd427d0ac6d7862b60d0d15d69f98d9a809171ecd3957cdb

SHA512
e602b69e3753b621443b9a76a52125bbd68bb14206caa648a271f2ff6a183d4f4d9dd91aa0b8cbc98ca8a7abc33fe88d8565bdb38dc71adcef50c2cb0b192475

Download Submit
\Users\Admin\AppData\Local\Temp\xcaoMYm_.cpl

Filesize
1.8MB

MD5
fff8205fb2e1991a10df648e1881001c

SHA1
f18b403c8f631e4fadf7b94c6ad7b8021f0605ef

SHA256
dbc3375850741dc718aa1f81ad86118220d0ff0538da4ebb83cd37bc37d99212

SHA512
231fc7841516768567e0e7e541cece8b6b65ab5eee027a4907da826bed992c6065c82eb66b8295e1eaa9eda85d351f714bdbc8ea97c92d7c26468bea4a4a5dd7

Download Submit
\Users\Admin\AppData\Local\Temp\xcaoMYm_.cpl

Filesize
2.5MB

MD5
439b13825452007529641f9317c67ea1

SHA1
a284b5eef6e25917033d12a5e0cddb67e07b4dd8

SHA256
53e9a44708dfeb84f71380d2f5dce3ca3e7dc2a2995842eeea078381fb006cb8

SHA512
f372aa471fa7690723982bedb388fc05a74abe0a85e289872019d40a666025e93ea5a0bebfb0ebc035c070cbed74d7d54b412c36e81016cc210217631ca13817

Download Submit
\Users\Admin\AppData\Local\Temp\xcaoMYm_.cpl

Filesize
3.0MB

MD5
5dd038d4d1988253e884984010452736

SHA1
9321eb1b82703676ea15be29d22ed9e2ae05d68e

SHA256
aeb947a6c7ad2c277e422ac30d222d87ce356e6abc2d11780b95ec9b1ba40e7f

SHA512
e9411d2bcd5c653becf51a9636bf5fbf73f2ba1ec45cb654756a999800f302f1e58d0db428d8ad3ead1f1da70ab6475f92ca2541fd640ab5fe1698e5e70f5b98

Download Submit
\Users\Admin\AppData\Local\Temp\xcaoMYm_.cpl

Filesize
2.9MB

MD5
32d3654d5483b4a52a0b86eb1e92deb8

SHA1
9597572749bc30224584ef13de448a2d755716bf

SHA256
e7cbcfe494e7dcc3c8e6c6343659395506d680c116b192516549dee032f9a2da

SHA512
ae27dcebd729d2f55d2e5ebd13eb8f85b721d7ea8218dab0e0e0173b39d737b0261d4abd0638444d822c8a9f47cddd52e9f54d44d4d5d17a1cfc5f36fa6c143e

Download Submit
\Users\Admin\AppData\Local\Temp\xcaoMYm_.cpl

Filesize
2.6MB

MD5
a0545f765354f16b9dea834fcd08bde5

SHA1
e045b7a8e5a7389c5233192627669b1b66e1474f

SHA256
bc679c59146df6af01d9cccc6d271376e0b2a2fba3805676100a9d2c644e91f6

SHA512
5a673d75c68c3713335b2716095fded074ae51709792099923ab2936fd2552a1a4885a531071f04ae611ac947da8ed1a0c6a70557207a627400734ad9478fc85

Download Submit
memory/356-401-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/356-402-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/356-493-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1188-336-0x0000000002DB0000-0x0000000002DC6000-memory.dmp

Filesize
88KB

Download
memory/1428-431-0x0000000000190000-0x0000000000196000-memory.dmp

Filesize
24KB

Download
memory/1532-330-0x0000000000180000-0x0000000000186000-memory.dmp

Filesize
24KB

Download
memory/1532-352-0x0000000010000000-0x000000001030E000-memory.dmp

Filesize
3.1MB

Download
memory/1532-346-0x0000000003040000-0x000000000314F000-memory.dmp

Filesize
1.1MB

Download
memory/1532-343-0x0000000003040000-0x000000000314F000-memory.dmp

Filesize
1.1MB

Download
memory/1532-329-0x0000000010000000-0x000000001030E000-memory.dmp

Filesize
3.1MB

Download
memory/1532-341-0x0000000002F10000-0x000000000303C000-memory.dmp

Filesize
1.2MB

Download
memory/1916-337-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1916-317-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1916-316-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/1916-315-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2128-392-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2160-539-0x0000000000630000-0x0000000000730000-memory.dmp

Filesize
1024KB

Download
memory/2160-532-0x0000000000630000-0x0000000000730000-memory.dmp

Filesize
1024KB

Download
memory/2192-8-0x0000000077580000-0x0000000077582000-memory.dmp

Filesize
8KB

Download
memory/2192-35-0x0000000001D70000-0x0000000001E09000-memory.dmp

Filesize
612KB

Download
memory/2192-335-0x000000013F580000-0x000000013FDA2000-memory.dmp

Filesize
8.1MB

Download
memory/2192-11-0x0000000077590000-0x0000000077592000-memory.dmp

Filesize
8KB

Download
memory/2192-5-0x0000000077570000-0x0000000077572000-memory.dmp

Filesize
8KB

Download
memory/2192-3-0x0000000077570000-0x0000000077572000-memory.dmp

Filesize
8KB

Download
memory/2192-0-0x0000000077570000-0x0000000077572000-memory.dmp

Filesize
8KB

Download
memory/2192-20-0x00000000775A0000-0x00000000775A2000-memory.dmp

Filesize
8KB

Download
memory/2192-10-0x0000000077580000-0x0000000077582000-memory.dmp

Filesize
8KB

Download
memory/2192-6-0x0000000077580000-0x0000000077582000-memory.dmp

Filesize
8KB

Download
memory/2192-18-0x00000000775A0000-0x00000000775A2000-memory.dmp

Filesize
8KB

Download
memory/2192-2-0x000000013F580000-0x000000013FDA2000-memory.dmp

Filesize
8.1MB

Download
memory/2192-30-0x000007FEFD640000-0x000007FEFD642000-memory.dmp

Filesize
8KB

Download
memory/2192-13-0x0000000077590000-0x0000000077592000-memory.dmp

Filesize
8KB

Download
memory/2192-15-0x0000000077590000-0x0000000077592000-memory.dmp

Filesize
8KB

Download
memory/2192-28-0x000007FEFD640000-0x000007FEFD642000-memory.dmp

Filesize
8KB

Download
memory/2192-25-0x000007FEFD590000-0x000007FEFD592000-memory.dmp

Filesize
8KB

Download
memory/2192-23-0x000007FEFD590000-0x000007FEFD592000-memory.dmp

Filesize
8KB

Download
memory/2192-16-0x00000000775A0000-0x00000000775A2000-memory.dmp

Filesize
8KB

Download
memory/2592-357-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2592-454-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2592-453-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2592-358-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/2652-376-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2652-380-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/2652-388-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2652-375-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2652-372-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2652-370-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2956-333-0x00000000004F0000-0x0000000000530000-memory.dmp

Filesize
256KB

Download
memory/2956-342-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2956-334-0x00000000005F0000-0x0000000000600000-memory.dmp

Filesize
64KB

Download
memory/2956-356-0x00000000004F0000-0x0000000000530000-memory.dmp

Filesize
256KB

Download
memory/2956-332-0x00000000004F0000-0x0000000000530000-memory.dmp

Filesize
256KB

Download
memory/2956-323-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2956-322-0x00000000003C0000-0x00000000003DA000-memory.dmp

Filesize
104KB

Download
memory/2956-321-0x00000000003A0000-0x00000000003B4000-memory.dmp

Filesize
80KB

Download
memory/3032-367-0x00000000002A0000-0x000000000030F000-memory.dmp

Filesize
444KB

Download
memory/3032-366-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download