nanocore | 32a820b30108102245b1c458b9237893e80a644fe1113dca3d4b2132a93f5db3

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

167cc413faac757b6a7e57133ceedd0e_JaffaCakes118.msi
Size

452KB
MD5

167cc413faac757b6a7e57133ceedd0e
SHA1

1421d708f6eb6e08745172ea1d44f6af4857de0d
SHA256

32a820b30108102245b1c458b9237893e80a644fe1113dca3d4b2132a93f5db3
SHA512

61873a138588e461744bdcc1a8ad01968ccd549a9408a707acb09946aa1b2422a8771de831911149aa7233094b6583917347f0f8694138fc135018909ed16ccd
SSDEEP

6144:qEJK6g8ITN45qFqshyrwZdWYXPoPyl5FM13iyDFsDTAb/j8Fft6WEgrYvXmH3cpN:qEJKNUEvhRZIIR5M3ipprYAXyRNCj+

Score

10^/10

nanocore evasion keylogger persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

manifest.duckdns.org:61970

Mutex

2004e655-d8f5-4f56-b1bd-1074cc528f1d

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2019-11-15T20:09:19.510421436Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
61970
default_group
Monte Carlo
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
2004e655-d8f5-4f56-b1bd-1074cc528f1d
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
manifest.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MSI3C28.tmpxTMUmRNSplXXLMhgma5.exeRegAsm.exexTMUmRNSplXXLMhgma5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	MSI3C28.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\WDLropUtil = "C:\\Users\\Admin\\WDLropUtil.exe"	xTMUmRNSplXXLMhgma5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Subsystem = "C:\\Program Files (x86)\\TCP Subsystem\\tcpss.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\WDLropUtil = "C:\\Users\\Admin\\WDLropUtil.exe"	xTMUmRNSplXXLMhgma5.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

xTMUmRNSplXXLMhgma5.exexTMUmRNSplXXLMhgma5.exe

description pid process target process

PID 768 set thread context of 1264 768 xTMUmRNSplXXLMhgma5.exe RegAsm.exe
PID 2336 set thread context of 3024 2336 xTMUmRNSplXXLMhgma5.exe RegAsm.exe
Drops file in Program Files directory 2 IoCs

Processes:

RegAsm.exe

description ioc process

File created C:\Program Files (x86)\TCP Subsystem\tcpss.exe RegAsm.exe
File opened for modification C:\Program Files (x86)\TCP Subsystem\tcpss.exe RegAsm.exe

description	pid	process	target process
PID 768 set thread context of 1264	768	xTMUmRNSplXXLMhgma5.exe	RegAsm.exe
PID 2336 set thread context of 3024	2336	xTMUmRNSplXXLMhgma5.exe	RegAsm.exe

description	ioc	process
File created	C:\Program Files (x86)\TCP Subsystem\tcpss.exe	RegAsm.exe
File opened for modification	C:\Program Files (x86)\TCP Subsystem\tcpss.exe	RegAsm.exe

Drops file in Windows directory 10 IoCs

Processes:

msiexec.exeDrvInst.exe

description	ioc	process
File created	C:\Windows\Installer\f763b4c.msi	msiexec.exe
File created	C:\Windows\Installer\f763b4f.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3BF7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f763b4f.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f763b4c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3C28.tmp	msiexec.exe

Executes dropped EXE 4 IoCs

Processes:

MSI3C28.tmpxTMUmRNSplXXLMhgma5.exexTMUmRNSplXXLMhgma5.exexTMUmRNSplXXLMhgma5.exe

pid process

1452 MSI3C28.tmp
768 xTMUmRNSplXXLMhgma5.exe
2336 xTMUmRNSplXXLMhgma5.exe
2600 xTMUmRNSplXXLMhgma5.exe
Loads dropped DLL 7 IoCs

Processes:

MSI3C28.tmpxTMUmRNSplXXLMhgma5.exexTMUmRNSplXXLMhgma5.exeWerFault.exe

pid process

1452 MSI3C28.tmp
1452 MSI3C28.tmp
768 xTMUmRNSplXXLMhgma5.exe
2336 xTMUmRNSplXXLMhgma5.exe
2172 WerFault.exe
2172 WerFault.exe
2172 WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Processes:

msiexec.exe

pid process

3036 msiexec.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2172 2600 WerFault.exe xTMUmRNSplXXLMhgma5.exe

pid	process
1452	MSI3C28.tmp
768	xTMUmRNSplXXLMhgma5.exe
2336	xTMUmRNSplXXLMhgma5.exe
2600	xTMUmRNSplXXLMhgma5.exe

pid	process
1452	MSI3C28.tmp
1452	MSI3C28.tmp
768	xTMUmRNSplXXLMhgma5.exe
2336	xTMUmRNSplXXLMhgma5.exe
2172	WerFault.exe
2172	WerFault.exe
2172	WerFault.exe

pid	process
3036	msiexec.exe

pid	pid_target	process	target process
2172	2600	WerFault.exe	xTMUmRNSplXXLMhgma5.exe

Modifies data under HKEY_USERS 43 IoCs

Processes:

DrvInst.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

1060 schtasks.exe
2356 schtasks.exe

pid	process
1060	schtasks.exe
2356	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exexTMUmRNSplXXLMhgma5.exe

pid	process
2468	msiexec.exe
2468	msiexec.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe
768	xTMUmRNSplXXLMhgma5.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

1264 RegAsm.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

xTMUmRNSplXXLMhgma5.exexTMUmRNSplXXLMhgma5.exe

pid process

768 xTMUmRNSplXXLMhgma5.exe
2336 xTMUmRNSplXXLMhgma5.exe

pid	process
1264	RegAsm.exe

pid	process
768	xTMUmRNSplXXLMhgma5.exe
2336	xTMUmRNSplXXLMhgma5.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exeDrvInst.exexTMUmRNSplXXLMhgma5.exeRegAsm.exexTMUmRNSplXXLMhgma5.exe

description	pid	process
Token: SeShutdownPrivilege	3036	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3036	msiexec.exe
Token: SeRestorePrivilege	2468	msiexec.exe
Token: SeTakeOwnershipPrivilege	2468	msiexec.exe
Token: SeSecurityPrivilege	2468	msiexec.exe
Token: SeCreateTokenPrivilege	3036	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3036	msiexec.exe
Token: SeLockMemoryPrivilege	3036	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3036	msiexec.exe
Token: SeMachineAccountPrivilege	3036	msiexec.exe
Token: SeTcbPrivilege	3036	msiexec.exe
Token: SeSecurityPrivilege	3036	msiexec.exe
Token: SeTakeOwnershipPrivilege	3036	msiexec.exe
Token: SeLoadDriverPrivilege	3036	msiexec.exe
Token: SeSystemProfilePrivilege	3036	msiexec.exe
Token: SeSystemtimePrivilege	3036	msiexec.exe
Token: SeProfSingleProcessPrivilege	3036	msiexec.exe
Token: SeIncBasePriorityPrivilege	3036	msiexec.exe
Token: SeCreatePagefilePrivilege	3036	msiexec.exe
Token: SeCreatePermanentPrivilege	3036	msiexec.exe
Token: SeBackupPrivilege	3036	msiexec.exe
Token: SeRestorePrivilege	3036	msiexec.exe
Token: SeShutdownPrivilege	3036	msiexec.exe
Token: SeDebugPrivilege	3036	msiexec.exe
Token: SeAuditPrivilege	3036	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3036	msiexec.exe
Token: SeChangeNotifyPrivilege	3036	msiexec.exe
Token: SeRemoteShutdownPrivilege	3036	msiexec.exe
Token: SeUndockPrivilege	3036	msiexec.exe
Token: SeSyncAgentPrivilege	3036	msiexec.exe
Token: SeEnableDelegationPrivilege	3036	msiexec.exe
Token: SeManageVolumePrivilege	3036	msiexec.exe
Token: SeImpersonatePrivilege	3036	msiexec.exe
Token: SeCreateGlobalPrivilege	3036	msiexec.exe
Token: SeBackupPrivilege	2564	vssvc.exe
Token: SeRestorePrivilege	2564	vssvc.exe
Token: SeAuditPrivilege	2564	vssvc.exe
Token: SeBackupPrivilege	2468	msiexec.exe
Token: SeRestorePrivilege	2468	msiexec.exe
Token: SeRestorePrivilege	2376	DrvInst.exe
Token: SeRestorePrivilege	2376	DrvInst.exe
Token: SeRestorePrivilege	2376	DrvInst.exe
Token: SeRestorePrivilege	2376	DrvInst.exe
Token: SeRestorePrivilege	2376	DrvInst.exe
Token: SeRestorePrivilege	2376	DrvInst.exe
Token: SeRestorePrivilege	2376	DrvInst.exe
Token: SeLoadDriverPrivilege	2376	DrvInst.exe
Token: SeLoadDriverPrivilege	2376	DrvInst.exe
Token: SeLoadDriverPrivilege	2376	DrvInst.exe
Token: SeRestorePrivilege	2468	msiexec.exe
Token: SeTakeOwnershipPrivilege	2468	msiexec.exe
Token: SeRestorePrivilege	2468	msiexec.exe
Token: SeTakeOwnershipPrivilege	2468	msiexec.exe
Token: SeRestorePrivilege	2468	msiexec.exe
Token: SeTakeOwnershipPrivilege	2468	msiexec.exe
Token: SeRestorePrivilege	2468	msiexec.exe
Token: SeTakeOwnershipPrivilege	2468	msiexec.exe
Token: SeDebugPrivilege	768	xTMUmRNSplXXLMhgma5.exe
Token: SeDebugPrivilege	1264	RegAsm.exe
Token: SeDebugPrivilege	2336	xTMUmRNSplXXLMhgma5.exe
Token: SeRestorePrivilege	2468	msiexec.exe
Token: SeTakeOwnershipPrivilege	2468	msiexec.exe
Token: SeRestorePrivilege	2468	msiexec.exe
Token: SeTakeOwnershipPrivilege	2468	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

3036 msiexec.exe
3036 msiexec.exe

pid	process
3036	msiexec.exe
3036	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exeMSI3C28.tmpxTMUmRNSplXXLMhgma5.execsc.execsc.exexTMUmRNSplXXLMhgma5.exeRegAsm.execsc.execsc.exe

description	pid	process	target process
PID 2468 wrote to memory of 1452	2468	msiexec.exe	MSI3C28.tmp
PID 2468 wrote to memory of 1452	2468	msiexec.exe	MSI3C28.tmp
PID 2468 wrote to memory of 1452	2468	msiexec.exe	MSI3C28.tmp
PID 2468 wrote to memory of 1452	2468	msiexec.exe	MSI3C28.tmp
PID 1452 wrote to memory of 768	1452	MSI3C28.tmp	xTMUmRNSplXXLMhgma5.exe
PID 1452 wrote to memory of 768	1452	MSI3C28.tmp	xTMUmRNSplXXLMhgma5.exe
PID 1452 wrote to memory of 768	1452	MSI3C28.tmp	xTMUmRNSplXXLMhgma5.exe
PID 1452 wrote to memory of 768	1452	MSI3C28.tmp	xTMUmRNSplXXLMhgma5.exe
PID 768 wrote to memory of 1552	768	xTMUmRNSplXXLMhgma5.exe	csc.exe
PID 768 wrote to memory of 1552	768	xTMUmRNSplXXLMhgma5.exe	csc.exe
PID 768 wrote to memory of 1552	768	xTMUmRNSplXXLMhgma5.exe	csc.exe
PID 768 wrote to memory of 1552	768	xTMUmRNSplXXLMhgma5.exe	csc.exe
PID 1552 wrote to memory of 1636	1552	csc.exe	cvtres.exe
PID 1552 wrote to memory of 1636	1552	csc.exe	cvtres.exe
PID 1552 wrote to memory of 1636	1552	csc.exe	cvtres.exe
PID 1552 wrote to memory of 1636	1552	csc.exe	cvtres.exe
PID 768 wrote to memory of 1896	768	xTMUmRNSplXXLMhgma5.exe	csc.exe
PID 768 wrote to memory of 1896	768	xTMUmRNSplXXLMhgma5.exe	csc.exe
PID 768 wrote to memory of 1896	768	xTMUmRNSplXXLMhgma5.exe	csc.exe
PID 768 wrote to memory of 1896	768	xTMUmRNSplXXLMhgma5.exe	csc.exe
PID 1896 wrote to memory of 340	1896	csc.exe	cvtres.exe
PID 1896 wrote to memory of 340	1896	csc.exe	cvtres.exe
PID 1896 wrote to memory of 340	1896	csc.exe	cvtres.exe
PID 1896 wrote to memory of 340	1896	csc.exe	cvtres.exe
PID 768 wrote to memory of 1264	768	xTMUmRNSplXXLMhgma5.exe	RegAsm.exe
PID 768 wrote to memory of 1264	768	xTMUmRNSplXXLMhgma5.exe	RegAsm.exe
PID 768 wrote to memory of 1264	768	xTMUmRNSplXXLMhgma5.exe	RegAsm.exe
PID 768 wrote to memory of 1264	768	xTMUmRNSplXXLMhgma5.exe	RegAsm.exe
PID 768 wrote to memory of 1264	768	xTMUmRNSplXXLMhgma5.exe	RegAsm.exe
PID 768 wrote to memory of 1264	768	xTMUmRNSplXXLMhgma5.exe	RegAsm.exe
PID 768 wrote to memory of 1264	768	xTMUmRNSplXXLMhgma5.exe	RegAsm.exe
PID 768 wrote to memory of 1264	768	xTMUmRNSplXXLMhgma5.exe	RegAsm.exe
PID 768 wrote to memory of 2336	768	xTMUmRNSplXXLMhgma5.exe	xTMUmRNSplXXLMhgma5.exe
PID 768 wrote to memory of 2336	768	xTMUmRNSplXXLMhgma5.exe	xTMUmRNSplXXLMhgma5.exe
PID 768 wrote to memory of 2336	768	xTMUmRNSplXXLMhgma5.exe	xTMUmRNSplXXLMhgma5.exe
PID 768 wrote to memory of 2336	768	xTMUmRNSplXXLMhgma5.exe	xTMUmRNSplXXLMhgma5.exe
PID 2336 wrote to memory of 704	2336	xTMUmRNSplXXLMhgma5.exe	csc.exe
PID 2336 wrote to memory of 704	2336	xTMUmRNSplXXLMhgma5.exe	csc.exe
PID 2336 wrote to memory of 704	2336	xTMUmRNSplXXLMhgma5.exe	csc.exe
PID 2336 wrote to memory of 704	2336	xTMUmRNSplXXLMhgma5.exe	csc.exe
PID 1264 wrote to memory of 1060	1264	RegAsm.exe	schtasks.exe
PID 1264 wrote to memory of 1060	1264	RegAsm.exe	schtasks.exe
PID 1264 wrote to memory of 1060	1264	RegAsm.exe	schtasks.exe
PID 1264 wrote to memory of 1060	1264	RegAsm.exe	schtasks.exe
PID 704 wrote to memory of 1620	704	csc.exe	cvtres.exe
PID 704 wrote to memory of 1620	704	csc.exe	cvtres.exe
PID 704 wrote to memory of 1620	704	csc.exe	cvtres.exe
PID 704 wrote to memory of 1620	704	csc.exe	cvtres.exe
PID 2336 wrote to memory of 2328	2336	xTMUmRNSplXXLMhgma5.exe	csc.exe
PID 2336 wrote to memory of 2328	2336	xTMUmRNSplXXLMhgma5.exe	csc.exe
PID 2336 wrote to memory of 2328	2336	xTMUmRNSplXXLMhgma5.exe	csc.exe
PID 2336 wrote to memory of 2328	2336	xTMUmRNSplXXLMhgma5.exe	csc.exe
PID 2328 wrote to memory of 2104	2328	csc.exe	cvtres.exe
PID 2328 wrote to memory of 2104	2328	csc.exe	cvtres.exe
PID 2328 wrote to memory of 2104	2328	csc.exe	cvtres.exe
PID 2328 wrote to memory of 2104	2328	csc.exe	cvtres.exe
PID 1264 wrote to memory of 2356	1264	RegAsm.exe	schtasks.exe
PID 1264 wrote to memory of 2356	1264	RegAsm.exe	schtasks.exe
PID 1264 wrote to memory of 2356	1264	RegAsm.exe	schtasks.exe
PID 1264 wrote to memory of 2356	1264	RegAsm.exe	schtasks.exe
PID 2336 wrote to memory of 3024	2336	xTMUmRNSplXXLMhgma5.exe	RegAsm.exe
PID 2336 wrote to memory of 3024	2336	xTMUmRNSplXXLMhgma5.exe	RegAsm.exe
PID 2336 wrote to memory of 3024	2336	xTMUmRNSplXXLMhgma5.exe	RegAsm.exe
PID 2336 wrote to memory of 3024	2336	xTMUmRNSplXXLMhgma5.exe	RegAsm.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\167cc413faac757b6a7e57133ceedd0e_JaffaCakes118.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3036

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\Installer\MSI3C28.tmp
"C:\Windows\Installer\MSI3C28.tmp"
2⤵
- Adds Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1452

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe
3⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tfotbjir\tfotbjir.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E86.tmp" "c:\Users\Admin\AppData\Local\Temp\tfotbjir\CSC2A8EB007886F4CC0B29075731CDA75E2.TMP"
5⤵
PID:1636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3ccqb1ea\3ccqb1ea.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3F13.tmp" "c:\Users\Admin\AppData\Local\Temp\3ccqb1ea\CSC28ADD20F114243D88D7A56282C9E4258.TMP"
5⤵
PID:340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "TCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC1D9.tmp"
5⤵
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "TCP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC2F2.tmp"
5⤵
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe"
4⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rje3ry5q\rje3ry5q.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC1F8.tmp" "c:\Users\Admin\AppData\Local\Temp\rje3ry5q\CSC6212267F3E894A2CB8C32F175495BE.TMP"
6⤵
PID:1620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dzmbox2o\dzmbox2o.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC284.tmp" "c:\Users\Admin\AppData\Local\Temp\dzmbox2o\CSCDE454407FAC347EFA2FE6263165E1BE7.TMP"
6⤵
PID:2104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:3024

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe"
5⤵
- Executes dropped EXE
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 544
6⤵
- Loads dropped DLL
- Program crash
PID:2172

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005AC" "00000000000003C8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2376

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

Installer Packages

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

Installer Packages

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f763b50.rbs
Filesize
663B

MD5
e7a7a7d9cdf437084af0b9154f8e212d

SHA1
1ef50ae276874a597330e7ca670cf2c1a6aa798a

SHA256
852e5cacd8a2e769eedb0389423842576723b191279394c345cbd7304aef1e31

SHA512
5608a9bbc6e566cac1635c51009378a919ccb6fccf9b2d068a6aacdb33956019e589c03a532aacabbc84fe65d571924e4ca2d053bed1af0a4d616d81c86dc362

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ccqb1ea\3ccqb1ea.dll
Filesize
634KB

MD5
854ee7e7aaa8698f36a216806bc04ca4

SHA1
31c3c0be81436b6bcedea29ea5602c0055118051

SHA256
7e23d07a6474d6cfbb6a5685f2dd44e0a2d61fdd7ea1a1c9f349ce02a8f5602c

SHA512
34b3a3da6d4268771c23d4ab63fd38ed4d916ce4030a1f1e2df6aa6db589dfe0cf0364717305120c2da8ed7e0bfd21d704ba33106fbe9d497a17858f806d72e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5
Filesize
946KB

MD5
b73c6439a2302db41bb7737de87b8835

SHA1
a3f1fb5fc06083f5e0adfe7e26ddb094883b7d6b

SHA256
2f28247f05c070b5dd9c869b152e7b4084254d7b162a193a9a43b5c8b2419c1f

SHA512
68e3f65502cbc32d4d2c1e699e9ca07a3493e554cecf058e632f82874ecec61a63367de56ad693db94ec069e076a44701ce3068deb8748b739c0d6dbcaa70991

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe
Filesize
113KB

MD5
ac692fdb7dc25fdea0c0a82819b9ca05

SHA1
2b94177f0144e34dbd39b847e6bc3305ba7fe080

SHA256
afdceace49e12768aa2500489c6102293a1f6e7cb9c844610a655fa741ce0cdb

SHA512
04303b051c722d28d8e382acf62997766478cde0ef36473c85ba71c648001a4960f08417e3493d10fb582be5c6293be851eed459c063d6b36561defdc307e2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3E86.tmp
Filesize
1KB

MD5
639a0352bb86776e2fe927bc28860a68

SHA1
a46f06e3b7e3c98f0672f1617b9064983919f043

SHA256
b54b0c17c4caf83004d101395a9adf30c9e1067dcc579f55031ad8fdfe53ffc0

SHA512
e579d68187039202a2391e3fb4e5a42a032d577ded17e1cd4472c5931e57dec238643f9b763a95dedcc427857e4ed2b3834625fe79f6afad32b5436f24182eb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3F13.tmp
Filesize
1KB

MD5
a8fdafd9115969805b0acffda3eb6593

SHA1
52f9448a7853759b473a664676bec4c5b71ce8c4

SHA256
bef9f45371d81f46eccfc020547c85a1407c9da648f82f504f01c2fedaf7dabc

SHA512
a7802d510903b1bc4d537332127786ef9beef14996b3bd82227c5aa5a62afdfd2626d98207846370bbb261eb27721df84560ff63aa4486b955e1cd74f8f3c289

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC1F8.tmp
Filesize
1KB

MD5
2205da7b6ea8ee1b778595d2d5ab8193

SHA1
5a3a68b93d5bcfaca9aeeef50b298a51eaf61b25

SHA256
128dcc56c464bf2af20abf0e9ad3b78d7fab54607c59cc07e0cd525733f0ea5b

SHA512
74d47ef7e4abc718db5383b3495c3b6031b739b70515a7c5143274843785070d2b76ee2a8fabd19407755f9c31c996a8a8dbaaa5f2d356f627105dfe3c016331

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC284.tmp
Filesize
1KB

MD5
d9df7d277a854099892ee95063185aa0

SHA1
34dc0820c1f932b41ae0567eef4f9cd2cd26745e

SHA256
6fd1ae8cca2f1cd7553d88c1788331e689d800b17cc2559e86a86a6e3aa79e24

SHA512
1dfce99fce8c07f098a12a95920c8614bb2e29080152a8c1587793fe39701f7d39e08c507a7530289021831d25bd904c40495cea49246a51a0398c0d891795a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\dzmbox2o\dzmbox2o.dll
Filesize
634KB

MD5
f58992a3e62df69180849eeab6fdfc67

SHA1
205a342d25b7a9ccd05bca235b56fab598e6fb1c

SHA256
4e67d65da09e3eb168f4d3c3e9d09bb47acfda97a5183e68cbdf23f10319bf8c

SHA512
a2f63d28d56ecfe587af0fe3649ef3d376ffb685789314f9f3dada2fc3d61de9b4cde423aac79e6f5910817c75a23b44b4e65c2b3c7c67021bc09a98a699a563

Download Submit
C:\Users\Admin\AppData\Local\Temp\rje3ry5q\rje3ry5q.dll
Filesize
634KB

MD5
bdffef07a18efb3e823a07ff2d9aa059

SHA1
b45d813c206ab421667efb3487387c9e2a2fe1fa

SHA256
b7aa834d86476c35ec8c5a10f5436c72c05593e3c4382fda0d6d8e4745c8d2dd

SHA512
6c9121a6ea2b49775c4c077c83af94093a322da27579c5c282f7b71eb51b8e90e3f2567db8bf396ea7e89dad78222217c125009f3b9abbba0021d27b4b58b0b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tfotbjir\tfotbjir.dll
Filesize
634KB

MD5
23e80110ba883fd0acfc2f706c216388

SHA1
9c4032b9ab3b8347931ae5236aa5a24daf682ee2

SHA256
c93192360deefcb18ecf7c0246e109ff1ca9662b4394b9f131bcfe91f6ff149a

SHA512
b64da09fcc1b1a8f5bfee7e7eddff977875f302a776df909ddeb911d34376a385d6b42f86f51e6251f6173e931041198601b40b893d5a0612fd19786a781f8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC1D9.tmp
Filesize
1KB

MD5
48ef7fa9033389ad7929d7a6b9d10298

SHA1
9db6cb7325c8bdf66a15f7b5f34703709a45aeb6

SHA256
0c1b5f67eeb276d1d4205b138ce32bc6149924e02281a2db8e4623a700e88f15

SHA512
ac8bd104ecbacc9bccce9e087f67e5b18072d59367ccd31d4e66132b6baaea520cba5b9b59464483d86abf74826b382c402f12e9a586c99bda8c78a0de33944e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC2F2.tmp
Filesize
1KB

MD5
4b7ef560289c0f62d0baf6f14f48a57a

SHA1
8331acb90dde588aa3196919f6e847f398fd06d1

SHA256
062844155306130d6fafc4fe10ac9e5ddd2ed462532b729c50cdc979c0d83207

SHA512
ecaa27c4b703d95f9f9b37d8c339982970482e7dab968c2010e0aa644bbfa31973111aafb827565af30c423d1d14e4ff997ec149614e713ff7ef3456894d02d8

Download Submit
C:\Windows\Installer\MSI3C28.tmp
Filesize
425KB

MD5
7997a52983aa768553d9e039f011e9a8

SHA1
9b2955a38238fdc5c5511dbb8c578c63a9e19495

SHA256
1ea29b91f3647b1cf4822cff87a2e5a7030f2ad92c88013381a6eb4a4088f4c0

SHA512
2682afb87b6f860395d286df4ba4a519586b8c4a5fdaa5495ceb964eb2c2c35a7f08896a8c6d28ec691e87b2084c43afc5a7062f9369fbafcbec6c4881d3d083

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3ccqb1ea\3ccqb1ea.cmdline
Filesize
302B

MD5
ed4fcac88c13828307e5a5a7d470c221

SHA1
e9da0176b6c158d63e00ee09de1f7e614a0c8e37

SHA256
77a0e08592f9fefbf6f5e62b83073dfdccd12a28719a63ae0deb024d6ab8f2d9

SHA512
dd3b9f6508c5f669b7a5d313631a6530f320fcf67c7adfcee3056ee8ae6cbe9d43385557ca454453315835d296ef12ba1a0c2e5d24e929f9069fe794b1d52855

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3ccqb1ea\CSC28ADD20F114243D88D7A56282C9E4258.TMP
Filesize
652B

MD5
2c3d4ee93d95073e227eea419ee2637f

SHA1
420bb20ff5a0af396c28250563462d3e894ae795

SHA256
cfe40698224866b71ad5a869431b480f27209a3bb548202011a240afbe5ce1c3

SHA512
0842bed4c880a924a48c6e8fc33d15fd07cd1f3f695e448670aab71b785fbde9a2691c3edd17c1931a086313be9bc0fe9a9f67b90c8673db682fa563741c93bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dzmbox2o\CSCDE454407FAC347EFA2FE6263165E1BE7.TMP
Filesize
652B

MD5
92732d290af70c29cdf086e1a6cbb9c3

SHA1
9ec199bfc03557c44198adeb5b2dcdc4a450ca34

SHA256
3e2b041b83dc5ab47f390007ea1eb222ba9f0ec44be9cc6a6867357761f2d9be

SHA512
b39633a440edd5bc4f3cdcc30f40f8ea5cf53e8abb4be36188ffe814dd84c3c7bf4a58094f95af468961f0ac39f44f2835c725b9c58c953d8f0bdbc238c85246

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dzmbox2o\dzmbox2o.cmdline
Filesize
302B

MD5
58c47230a4e55a4c823a08d159b6baa9

SHA1
f27eaf76518513417ed145a3f87939d610fdf580

SHA256
ef2d3be7549cceb3b9c5058d2779a428c8b8aec1641da8be3a2df4fc88894375

SHA512
5721784d9c8a7008cd6b36e4ba68a82cc029eeb6c0b2cf94ee41c3837aaa0a1e3a1abcda1221a3fe85c686e49962eca00af55e56f0f779fa97223af61ebc67a3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rje3ry5q\CSC6212267F3E894A2CB8C32F175495BE.TMP
Filesize
652B

MD5
bbbfc0c7cfb2a35078e9fb488da66763

SHA1
85a630981c7462f25c27435d7fcd023a16549dc2

SHA256
db971468e03b47d3f1a210824fa4f12109e9f64815a17bb44360a9eff4d5a42f

SHA512
324af00d603a795ce71a6db02961d6e490cbf298f9f63b6c4b55247ba4c23c68974e4e8a44005c7efb6992419258e687779227729debf011fbe3e7d3d71a64ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rje3ry5q\rje3ry5q.cmdline
Filesize
302B

MD5
983af9b59193e486329ec722bde0e040

SHA1
4617a51ba213dd9b2551f3a383d555cda8ac2362

SHA256
465c49b5ee7cd2dcd1f9fb0fbb3887a172ab1e16025823054c682b813708c66a

SHA512
e06a869ccc9159476b78505c88ec4097daf0c9342aeeff5a8d8d29326afcf71a970de919cd3cfd049c6ce8a614afa6a29456692c291439f326c478fe6047fea5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tfotbjir\CSC2A8EB007886F4CC0B29075731CDA75E2.TMP
Filesize
652B

MD5
db87782e895cd82cdc24175299fff756

SHA1
67e3edb45a7f5dd3e0094ae569846e6ee65ab8fd

SHA256
683da3abc12d803970f3ded9ac0f7f7c54ec7fbd3c7c82296e497b9108f3a179

SHA512
66d7bd60fbbae0337f4c474702280d15de0fc0e9f130df46c8bb86a8b682c16170a220f2cedadc5d451a863be9de173788364e8905657a1471e2afaec8676b52

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tfotbjir\tfotbjir.0.cs
Filesize
946KB

MD5
b5d745ad124400fe21ea0c07e7d0e8bc

SHA1
4e8cb83eb077c46240e9c0c372a3404763c6c132

SHA256
a75d60a3aba62d7137461fd31761cba8d6f6c7f8db75cf9d491d1a53c254e95e

SHA512
a9c96c2f56c8f4134cafd2bbc8599e57e7fc1c469afd151ce861e28667c27c6e89e0f35606c2fd6ea64c192f549bdabdc4fc20d7059179d935b94dd94f800e8b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tfotbjir\tfotbjir.cmdline
Filesize
302B

MD5
6636a9d89510980dc39f569b20e2c31f

SHA1
4df4e32b1c300cd2ced3bf78079b609320a37e5a

SHA256
9b8fae8d9d15056ee2d4998598ced5015a65e7ab49d3a33a64b0b5d5c923ffe5

SHA512
4b629c21c7ca6492f7c7a9e210e28c820d1feb0f95d496a435fe3142a6b17e631d42c3fa904929a8a3c65258aab1e5c59fbaa2b2b6c1b7ded4af635e1340bbc9

Download Submit
memory/768-37-0x0000000000940000-0x00000000009E4000-memory.dmp

Filesize
656KB

Download
memory/768-51-0x0000000000CF0000-0x0000000000D94000-memory.dmp

Filesize
656KB

Download
memory/768-53-0x00000000009E0000-0x0000000000A22000-memory.dmp

Filesize
264KB

Download
memory/768-23-0x0000000001290000-0x00000000012B2000-memory.dmp

Filesize
136KB

Download
memory/1264-58-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1264-59-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1264-98-0x00000000007E0000-0x00000000007EA000-memory.dmp

Filesize
40KB

Download
memory/1264-99-0x00000000007F0000-0x000000000080E000-memory.dmp

Filesize
120KB

Download
memory/1264-100-0x0000000000810000-0x000000000081A000-memory.dmp

Filesize
40KB

Download
memory/1264-57-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2336-92-0x0000000000C30000-0x0000000000CD4000-memory.dmp

Filesize
656KB

Download
memory/2336-94-0x00000000003C0000-0x0000000000402000-memory.dmp

Filesize
264KB

Download
memory/2336-77-0x0000000000B40000-0x0000000000BE4000-memory.dmp

Filesize
656KB

Download