plugx | d71d1f411026ddf3124660d50f2e65a42b7ad4637459c9c86d13028a30a0cbb5

Analysis

max time kernel
294s
max time network
294s
platform
windows10_x64
resource
win10v20201028
submitted
24-02-2021 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hell.bin.exe
Size

17KB
MD5

767b5f0d52f3c7af12ee5e45e445f046
SHA1

42a6631056347a92888c53d36f97018b8fa5f9ba
SHA256

65403f6f0be0d76e157417c5d5b12023177ef451c2503857f13e9cd0e1e7f6e5
SHA512

be6eaeebb0822cbae55bd5b044f6dd1bd383fa07499010b1cfe17f37e997cd070a16bed705e6f232ac33be29d11787a8611e688632e0a5de3f21717922b4764d

Score

10^/10

plugx bootkit discovery evasion macro persistence spyware trojan upx xlm

Malware Config

Signatures

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Nirsoft 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\1614203420191.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1614203420191.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1614203422628.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1614203422628.exe	Nirsoft
C:\Program Files (x86)\gdiview\gdiview\GDIView.exe	Nirsoft
C:\Program Files (x86)\gdiview\gdiview\GDIView.exe	Nirsoft

Executes dropped EXE 27 IoCs

Processes:

kW5VlOManLru.exeWsBCDB6m6cbw.exeWkCoAbw4bo H.execV urr3Sx_X9.exeCr1t2PllsmAB.exeWsBCDB6m6cbw.tmpjfiag3g_gg.exeInstaller.exeSetup.exejfiag3g_gg.exe80EBA4EA58D40136.exe80EBA4EA58D40136.exefile.exeA8A9.tmp.exe1614203420191.exeA8A9.tmp.exe1614203422628.exeBTRSetp.exe6193327.684908428.534094316.45gdrrr.exeWindows Host.exejfiag3g_gg.exejfiag3g_gg.exeThunderFW.exeGDIView.exe

pid	process
3848	kW5VlOManLru.exe
3808	WsBCDB6m6cbw.exe
2476	WkCoAbw4bo H.exe
4024	cV urr3Sx_X9.exe
644	Cr1t2PllsmAB.exe
892	WsBCDB6m6cbw.tmp
1156	jfiag3g_gg.exe
1772	Installer.exe
2144	Setup.exe
4088	jfiag3g_gg.exe
1864	80EBA4EA58D40136.exe
2888	80EBA4EA58D40136.exe
4200	file.exe
4552	A8A9.tmp.exe
3472	1614203420191.exe
4136	A8A9.tmp.exe
4496	1614203422628.exe
4472	BTRSetp.exe
3292	6193327.68
2320	4908428.53
1180	4094316.45
496	gdrrr.exe
1548	Windows Host.exe
3164	jfiag3g_gg.exe
2824	jfiag3g_gg.exe
4056	ThunderFW.exe
4512	GDIView.exe

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gdiview.msi	office_xlm_macros

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Documents\cV urr3Sx_X9.exe	upx
C:\Users\Admin\Documents\cV urr3Sx_X9.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

Loads dropped DLL 2 IoCs

Processes:

WsBCDB6m6cbw.tmpMsiExec.exe

pid process

892 WsBCDB6m6cbw.tmp
364 MsiExec.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
892	WsBCDB6m6cbw.tmp
364	MsiExec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WkCoAbw4bo H.exe4908428.53

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng."	WkCoAbw4bo H.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	4908428.53

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

80EBA4EA58D40136.execV urr3Sx_X9.exeSetup.exe80EBA4EA58D40136.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	80EBA4EA58D40136.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cV urr3Sx_X9.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	80EBA4EA58D40136.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 ip-api.com
54 api.ipify.org

flow	ioc
12	ip-api.com
54	api.ipify.org

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

Setup.exe80EBA4EA58D40136.exe80EBA4EA58D40136.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	80EBA4EA58D40136.exe
File opened for modification	\??\PhysicalDrive0	80EBA4EA58D40136.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Setup.exe

pid process

2144 Setup.exe

pid	process
2144	Setup.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

80EBA4EA58D40136.exeA8A9.tmp.exe

description	pid	process	target process
PID 1864 set thread context of 4728	1864	80EBA4EA58D40136.exe	firefox.exe
PID 4552 set thread context of 4136	4552	A8A9.tmp.exe	A8A9.tmp.exe
PID 1864 set thread context of 4740	1864	80EBA4EA58D40136.exe	firefox.exe

Drops file in Program Files directory 3 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\gdiview\gdiview\GDIView.chm	msiexec.exe
File created	C:\Program Files (x86)\gdiview\gdiview\GDIView.exe	msiexec.exe
File created	C:\Program Files (x86)\gdiview\gdiview\readme.txt	msiexec.exe

Drops file in Windows directory 8 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9A2A452C-3057-4F5E-8C7F-41B0D566B831}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICC2.tmp	msiexec.exe
File created	C:\Windows\Installer\f750b3e.msi	msiexec.exe
File created	C:\Windows\Installer\f750b3c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f750b3c.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4036 4024 WerFault.exe cV urr3Sx_X9.exe
3328 4136 WerFault.exe A8A9.tmp.exe

pid	pid_target	process	target process
4036	4024	WerFault.exe	cV urr3Sx_X9.exe
3328	4136	WerFault.exe	A8A9.tmp.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

80EBA4EA58D40136.exesvchost.exe80EBA4EA58D40136.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	80EBA4EA58D40136.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	80EBA4EA58D40136.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	80EBA4EA58D40136.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	80EBA4EA58D40136.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4732 taskkill.exe

pid	process
4732	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

svchost.exefile.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\PegasPc	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Setup.exefile.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

4032 PING.EXE
924 PING.EXE
2808 PING.EXE
3888 PING.EXE

pid	process
4032	PING.EXE
924	PING.EXE
2808	PING.EXE
3888	PING.EXE

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

jfiag3g_gg.exeWerFault.exe1614203420191.exeWerFault.exefile.exe1614203422628.exejfiag3g_gg.exe6193327.684094316.45msiexec.exeGDIView.exe

pid	process
4088	jfiag3g_gg.exe
4088	jfiag3g_gg.exe
4036	WerFault.exe
4036	WerFault.exe
4036	WerFault.exe
4036	WerFault.exe
4036	WerFault.exe
4036	WerFault.exe
4036	WerFault.exe
4036	WerFault.exe
4036	WerFault.exe
4036	WerFault.exe
4036	WerFault.exe
4036	WerFault.exe
4036	WerFault.exe
4036	WerFault.exe
4036	WerFault.exe
3472	1614203420191.exe
3472	1614203420191.exe
3328	WerFault.exe
3328	WerFault.exe
3328	WerFault.exe
3328	WerFault.exe
3328	WerFault.exe
3328	WerFault.exe
3328	WerFault.exe
3328	WerFault.exe
3328	WerFault.exe
3328	WerFault.exe
3328	WerFault.exe
3328	WerFault.exe
3328	WerFault.exe
3328	WerFault.exe
3328	WerFault.exe
3328	WerFault.exe
3328	WerFault.exe
3328	WerFault.exe
4200	file.exe
4200	file.exe
4496	1614203422628.exe
4496	1614203422628.exe
4200	file.exe
4200	file.exe
2824	jfiag3g_gg.exe
2824	jfiag3g_gg.exe
3292	6193327.68
1180	4094316.45
3292	6193327.68
1180	4094316.45
3292	6193327.68
4508	msiexec.exe
4508	msiexec.exe
4512	GDIView.exe
4512	GDIView.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

hell.bin.execV urr3Sx_X9.exeWerFault.exemsiexec.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	4692	hell.bin.exe
Token: SeManageVolumePrivilege	4024	cV urr3Sx_X9.exe
Token: SeRestorePrivilege	4036	WerFault.exe
Token: SeBackupPrivilege	4036	WerFault.exe
Token: SeDebugPrivilege	4036	WerFault.exe
Token: SeShutdownPrivilege	4444	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4444	msiexec.exe
Token: SeSecurityPrivilege	4508	msiexec.exe
Token: SeCreateTokenPrivilege	4444	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4444	msiexec.exe
Token: SeLockMemoryPrivilege	4444	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4444	msiexec.exe
Token: SeMachineAccountPrivilege	4444	msiexec.exe
Token: SeTcbPrivilege	4444	msiexec.exe
Token: SeSecurityPrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeLoadDriverPrivilege	4444	msiexec.exe
Token: SeSystemProfilePrivilege	4444	msiexec.exe
Token: SeSystemtimePrivilege	4444	msiexec.exe
Token: SeProfSingleProcessPrivilege	4444	msiexec.exe
Token: SeIncBasePriorityPrivilege	4444	msiexec.exe
Token: SeCreatePagefilePrivilege	4444	msiexec.exe
Token: SeCreatePermanentPrivilege	4444	msiexec.exe
Token: SeBackupPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeShutdownPrivilege	4444	msiexec.exe
Token: SeDebugPrivilege	4444	msiexec.exe
Token: SeAuditPrivilege	4444	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4444	msiexec.exe
Token: SeChangeNotifyPrivilege	4444	msiexec.exe
Token: SeRemoteShutdownPrivilege	4444	msiexec.exe
Token: SeUndockPrivilege	4444	msiexec.exe
Token: SeSyncAgentPrivilege	4444	msiexec.exe
Token: SeEnableDelegationPrivilege	4444	msiexec.exe
Token: SeManageVolumePrivilege	4444	msiexec.exe
Token: SeImpersonatePrivilege	4444	msiexec.exe
Token: SeCreateGlobalPrivilege	4444	msiexec.exe
Token: SeCreateTokenPrivilege	4444	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4444	msiexec.exe
Token: SeLockMemoryPrivilege	4444	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4444	msiexec.exe
Token: SeMachineAccountPrivilege	4444	msiexec.exe
Token: SeTcbPrivilege	4444	msiexec.exe
Token: SeSecurityPrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeLoadDriverPrivilege	4444	msiexec.exe
Token: SeSystemProfilePrivilege	4444	msiexec.exe
Token: SeSystemtimePrivilege	4444	msiexec.exe
Token: SeProfSingleProcessPrivilege	4444	msiexec.exe
Token: SeIncBasePriorityPrivilege	4444	msiexec.exe
Token: SeCreatePagefilePrivilege	4444	msiexec.exe
Token: SeCreatePermanentPrivilege	4444	msiexec.exe
Token: SeBackupPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeShutdownPrivilege	4444	msiexec.exe
Token: SeDebugPrivilege	4444	msiexec.exe
Token: SeAuditPrivilege	4444	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4444	msiexec.exe
Token: SeChangeNotifyPrivilege	4444	msiexec.exe
Token: SeRemoteShutdownPrivilege	4444	msiexec.exe
Token: SeUndockPrivilege	4444	msiexec.exe
Token: SeSyncAgentPrivilege	4444	msiexec.exe
Token: SeEnableDelegationPrivilege	4444	msiexec.exe
Token: SeManageVolumePrivilege	4444	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

4444 msiexec.exe
4444 msiexec.exe

pid	process
4444	msiexec.exe
4444	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

hell.bin.exeWsBCDB6m6cbw.exeWkCoAbw4bo H.exeCr1t2PllsmAB.exeInstaller.exeSetup.exemsiexec.execmd.exefile.exe80EBA4EA58D40136.exe80EBA4EA58D40136.execmd.exe

description	pid	process	target process
PID 4692 wrote to memory of 3848	4692	hell.bin.exe	kW5VlOManLru.exe
PID 4692 wrote to memory of 3848	4692	hell.bin.exe	kW5VlOManLru.exe
PID 4692 wrote to memory of 3808	4692	hell.bin.exe	WsBCDB6m6cbw.exe
PID 4692 wrote to memory of 3808	4692	hell.bin.exe	WsBCDB6m6cbw.exe
PID 4692 wrote to memory of 3808	4692	hell.bin.exe	WsBCDB6m6cbw.exe
PID 4692 wrote to memory of 4024	4692	hell.bin.exe	cV urr3Sx_X9.exe
PID 4692 wrote to memory of 4024	4692	hell.bin.exe	cV urr3Sx_X9.exe
PID 4692 wrote to memory of 4024	4692	hell.bin.exe	cV urr3Sx_X9.exe
PID 4692 wrote to memory of 2476	4692	hell.bin.exe	WkCoAbw4bo H.exe
PID 4692 wrote to memory of 2476	4692	hell.bin.exe	WkCoAbw4bo H.exe
PID 4692 wrote to memory of 2476	4692	hell.bin.exe	WkCoAbw4bo H.exe
PID 4692 wrote to memory of 644	4692	hell.bin.exe	Cr1t2PllsmAB.exe
PID 4692 wrote to memory of 644	4692	hell.bin.exe	Cr1t2PllsmAB.exe
PID 4692 wrote to memory of 644	4692	hell.bin.exe	Cr1t2PllsmAB.exe
PID 3808 wrote to memory of 892	3808	WsBCDB6m6cbw.exe	WsBCDB6m6cbw.tmp
PID 3808 wrote to memory of 892	3808	WsBCDB6m6cbw.exe	WsBCDB6m6cbw.tmp
PID 3808 wrote to memory of 892	3808	WsBCDB6m6cbw.exe	WsBCDB6m6cbw.tmp
PID 2476 wrote to memory of 1156	2476	WkCoAbw4bo H.exe	jfiag3g_gg.exe
PID 2476 wrote to memory of 1156	2476	WkCoAbw4bo H.exe	jfiag3g_gg.exe
PID 2476 wrote to memory of 1156	2476	WkCoAbw4bo H.exe	jfiag3g_gg.exe
PID 644 wrote to memory of 1772	644	Cr1t2PllsmAB.exe	Installer.exe
PID 644 wrote to memory of 1772	644	Cr1t2PllsmAB.exe	Installer.exe
PID 644 wrote to memory of 1772	644	Cr1t2PllsmAB.exe	Installer.exe
PID 1772 wrote to memory of 2144	1772	Installer.exe	Setup.exe
PID 1772 wrote to memory of 2144	1772	Installer.exe	Setup.exe
PID 1772 wrote to memory of 2144	1772	Installer.exe	Setup.exe
PID 2476 wrote to memory of 4088	2476	WkCoAbw4bo H.exe	jfiag3g_gg.exe
PID 2476 wrote to memory of 4088	2476	WkCoAbw4bo H.exe	jfiag3g_gg.exe
PID 2476 wrote to memory of 4088	2476	WkCoAbw4bo H.exe	jfiag3g_gg.exe
PID 2144 wrote to memory of 4444	2144	Setup.exe	msiexec.exe
PID 2144 wrote to memory of 4444	2144	Setup.exe	msiexec.exe
PID 2144 wrote to memory of 4444	2144	Setup.exe	msiexec.exe
PID 2144 wrote to memory of 1864	2144	Setup.exe	80EBA4EA58D40136.exe
PID 2144 wrote to memory of 1864	2144	Setup.exe	80EBA4EA58D40136.exe
PID 2144 wrote to memory of 1864	2144	Setup.exe	80EBA4EA58D40136.exe
PID 2144 wrote to memory of 2888	2144	Setup.exe	80EBA4EA58D40136.exe
PID 2144 wrote to memory of 2888	2144	Setup.exe	80EBA4EA58D40136.exe
PID 2144 wrote to memory of 2888	2144	Setup.exe	80EBA4EA58D40136.exe
PID 4508 wrote to memory of 364	4508	msiexec.exe	MsiExec.exe
PID 4508 wrote to memory of 364	4508	msiexec.exe	MsiExec.exe
PID 4508 wrote to memory of 364	4508	msiexec.exe	MsiExec.exe
PID 2144 wrote to memory of 4668	2144	Setup.exe	cmd.exe
PID 2144 wrote to memory of 4668	2144	Setup.exe	cmd.exe
PID 2144 wrote to memory of 4668	2144	Setup.exe	cmd.exe
PID 1772 wrote to memory of 4200	1772	Installer.exe	file.exe
PID 1772 wrote to memory of 4200	1772	Installer.exe	file.exe
PID 1772 wrote to memory of 4200	1772	Installer.exe	file.exe
PID 4668 wrote to memory of 924	4668	cmd.exe	PING.EXE
PID 4668 wrote to memory of 924	4668	cmd.exe	PING.EXE
PID 4668 wrote to memory of 924	4668	cmd.exe	PING.EXE
PID 4200 wrote to memory of 4552	4200	file.exe	A8A9.tmp.exe
PID 4200 wrote to memory of 4552	4200	file.exe	A8A9.tmp.exe
PID 4200 wrote to memory of 4552	4200	file.exe	A8A9.tmp.exe
PID 1864 wrote to memory of 4728	1864	80EBA4EA58D40136.exe	firefox.exe
PID 1864 wrote to memory of 4728	1864	80EBA4EA58D40136.exe	firefox.exe
PID 1864 wrote to memory of 4728	1864	80EBA4EA58D40136.exe	firefox.exe
PID 1864 wrote to memory of 4728	1864	80EBA4EA58D40136.exe	firefox.exe
PID 1864 wrote to memory of 4728	1864	80EBA4EA58D40136.exe	firefox.exe
PID 1864 wrote to memory of 4728	1864	80EBA4EA58D40136.exe	firefox.exe
PID 2888 wrote to memory of 4876	2888	80EBA4EA58D40136.exe	cmd.exe
PID 2888 wrote to memory of 4876	2888	80EBA4EA58D40136.exe	cmd.exe
PID 2888 wrote to memory of 4876	2888	80EBA4EA58D40136.exe	cmd.exe
PID 4876 wrote to memory of 4732	4876	cmd.exe	taskkill.exe
PID 4876 wrote to memory of 4732	4876	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\hell.bin.exe
"C:\Users\Admin\AppData\Local\Temp\hell.bin.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4692

C:\Users\Admin\Documents\WsBCDB6m6cbw.exe
"C:\Users\Admin\Documents\WsBCDB6m6cbw.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3808

C:\Users\Admin\AppData\Local\Temp\is-FOUM1.tmp\WsBCDB6m6cbw.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FOUM1.tmp\WsBCDB6m6cbw.tmp" /SL5="$80048,434406,350720,C:\Users\Admin\Documents\WsBCDB6m6cbw.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:892

C:\Users\Admin\Documents\kW5VlOManLru.exe
"C:\Users\Admin\Documents\kW5VlOManLru.exe"
2⤵
- Executes dropped EXE
PID:3848

C:\Users\Admin\Documents\WkCoAbw4bo H.exe
"C:\Users\Admin\Documents\WkCoAbw4bo H.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2476

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:1156

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4088

C:\Users\Admin\Documents\cV urr3Sx_X9.exe
"C:\Users\Admin\Documents\cV urr3Sx_X9.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 2576
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Users\Admin\Documents\Cr1t2PllsmAB.exe
"C:\Users\Admin\Documents\Cr1t2PllsmAB.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installer.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
5⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4444

C:\Users\Admin\AppData\Local\Temp\80EBA4EA58D40136.exe
C:\Users\Admin\AppData\Local\Temp\80EBA4EA58D40136.exe 0011 installp1
5⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:1864

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
6⤵
PID:4728

C:\Users\Admin\AppData\Roaming\1614203420191.exe
"C:\Users\Admin\AppData\Roaming\1614203420191.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614203420191.txt"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3472

C:\Users\Admin\AppData\Roaming\1614203422628.exe
"C:\Users\Admin\AppData\Roaming\1614203422628.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614203422628.txt"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4496

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
6⤵
PID:4740

C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
6⤵
- Executes dropped EXE
PID:4056

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\80EBA4EA58D40136.exe"
6⤵
PID:2176

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
7⤵
- Runs ping.exe
PID:4032

C:\Users\Admin\AppData\Local\Temp\80EBA4EA58D40136.exe
C:\Users\Admin\AppData\Local\Temp\80EBA4EA58D40136.exe 200 installp1
5⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
PID:4732

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\80EBA4EA58D40136.exe"
6⤵
PID:1248

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
7⤵
- Runs ping.exe
PID:2808

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:4668

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:924

C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4200

C:\Users\Admin\AppData\Roaming\A8A9.tmp.exe
"C:\Users\Admin\AppData\Roaming\A8A9.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4552

C:\Users\Admin\AppData\Roaming\A8A9.tmp.exe
"C:\Users\Admin\AppData\Roaming\A8A9.tmp.exe"
6⤵
- Executes dropped EXE
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1400
7⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:3328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
5⤵
PID:4656

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:3888

C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"
4⤵
- Executes dropped EXE
PID:4472

C:\ProgramData\6193327.68
"C:\ProgramData\6193327.68"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3292

C:\ProgramData\4908428.53
"C:\ProgramData\4908428.53"
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2320

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
6⤵
- Executes dropped EXE
PID:1548

C:\ProgramData\4094316.45
"C:\ProgramData\4094316.45"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1180

C:\Users\Admin\AppData\Local\Temp\RarSFX1\gdrrr.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\gdrrr.exe"
4⤵
- Executes dropped EXE
PID:496

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:3164

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2824

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4508

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A3C3D82A72E7E35BD044322E872C5B83 C
2⤵
- Loads dropped DLL
PID:364

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:2160

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3096

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:5056

C:\Program Files (x86)\gdiview\gdiview\GDIView.exe
"C:\Program Files (x86)\gdiview\gdiview\GDIView.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\gdiview\gdiview\GDIView.exe
MD5
292ce5c1baa3da54f5bfd847bdd92fa1

SHA1
4d98e3522790a9408e7e85d0e80c3b54a43318e1

SHA256
c49560f7a206b6b55d89c205a4631dfedd2b4a78ab81fea8706989a5627f95a1

SHA512
87df5d622d8f0685edf93f97b8213c893b203d1c6d064af238f0bdc0dc985c9968be6f0907aff4fb64a320b0886ef2bed2339694aca12f0bcd9502ce3d6f089d

Download Submit
C:\Program Files (x86)\gdiview\gdiview\GDIView.exe
MD5
292ce5c1baa3da54f5bfd847bdd92fa1

SHA1
4d98e3522790a9408e7e85d0e80c3b54a43318e1

SHA256
c49560f7a206b6b55d89c205a4631dfedd2b4a78ab81fea8706989a5627f95a1

SHA512
87df5d622d8f0685edf93f97b8213c893b203d1c6d064af238f0bdc0dc985c9968be6f0907aff4fb64a320b0886ef2bed2339694aca12f0bcd9502ce3d6f089d

Download Submit
C:\ProgramData\4094316.45
MD5
28d92f2f1b2f17197d4d090952943cd3

SHA1
24835f7ba0fb91c280374737031f9eb2acc866da

SHA256
6c65ddab1d6e9690968430a15024cd433b2791f9eb47d08ccba65e5fbcfb3884

SHA512
ae461ddb126984abdf4babe13ebdd62e996154026abfb84b90947c745b80998ca265f0fea27eb04915f02f25e61293daeb13a5777024ab991f56bf960cf36dd4

Download Submit
C:\ProgramData\4094316.45
MD5
28d92f2f1b2f17197d4d090952943cd3

SHA1
24835f7ba0fb91c280374737031f9eb2acc866da

SHA256
6c65ddab1d6e9690968430a15024cd433b2791f9eb47d08ccba65e5fbcfb3884

SHA512
ae461ddb126984abdf4babe13ebdd62e996154026abfb84b90947c745b80998ca265f0fea27eb04915f02f25e61293daeb13a5777024ab991f56bf960cf36dd4

Download Submit
C:\ProgramData\4908428.53
MD5
6eedffd3651138e002a6a9639eca9830

SHA1
8a0c7542187471603f2ff4f8cc5977d8be44dfbe

SHA256
88304ec83df816066689acaa269581741168cbb1e5b849ea3373a051faac1b0f

SHA512
22f7ad4b6a1f0d4f917e19dee5194c56068804e91e3c8071f5007efe4418d9e51f8953e43f644ac253f4a7c4156baed8404c96a5d34a5f7f6233d71fe28fb80a

Download Submit
C:\ProgramData\4908428.53
MD5
6eedffd3651138e002a6a9639eca9830

SHA1
8a0c7542187471603f2ff4f8cc5977d8be44dfbe

SHA256
88304ec83df816066689acaa269581741168cbb1e5b849ea3373a051faac1b0f

SHA512
22f7ad4b6a1f0d4f917e19dee5194c56068804e91e3c8071f5007efe4418d9e51f8953e43f644ac253f4a7c4156baed8404c96a5d34a5f7f6233d71fe28fb80a

Download Submit
C:\ProgramData\6193327.68
MD5
9298adc9b93e65d9ae6d73a72b5a8f5d

SHA1
73309cbd5515ce5f5b9160071e986b2fb54771e1

SHA256
26d0db9d4899a7fbf981e1e11047abc5d7d8094c34176d411d82b26805657b4b

SHA512
fee90a372cabcea95019f29ac8fc4fc4cddf3aaa83598dd26f93ba7732da7736c69205253a7adec6293b8292c4b9a32e53dca56b306fb743fb9e782b263b43b2

Download Submit
C:\ProgramData\6193327.68
MD5
9298adc9b93e65d9ae6d73a72b5a8f5d

SHA1
73309cbd5515ce5f5b9160071e986b2fb54771e1

SHA256
26d0db9d4899a7fbf981e1e11047abc5d7d8094c34176d411d82b26805657b4b

SHA512
fee90a372cabcea95019f29ac8fc4fc4cddf3aaa83598dd26f93ba7732da7736c69205253a7adec6293b8292c4b9a32e53dca56b306fb743fb9e782b263b43b2

Download Submit
C:\ProgramData\Windows Host\Windows Host.exe
MD5
6eedffd3651138e002a6a9639eca9830

SHA1
8a0c7542187471603f2ff4f8cc5977d8be44dfbe

SHA256
88304ec83df816066689acaa269581741168cbb1e5b849ea3373a051faac1b0f

SHA512
22f7ad4b6a1f0d4f917e19dee5194c56068804e91e3c8071f5007efe4418d9e51f8953e43f644ac253f4a7c4156baed8404c96a5d34a5f7f6233d71fe28fb80a

Download Submit
C:\ProgramData\Windows Host\Windows Host.exe
MD5
6eedffd3651138e002a6a9639eca9830

SHA1
8a0c7542187471603f2ff4f8cc5977d8be44dfbe

SHA256
88304ec83df816066689acaa269581741168cbb1e5b849ea3373a051faac1b0f

SHA512
22f7ad4b6a1f0d4f917e19dee5194c56068804e91e3c8071f5007efe4418d9e51f8953e43f644ac253f4a7c4156baed8404c96a5d34a5f7f6233d71fe28fb80a

Download Submit
C:\Users\Admin\AppData\Local\Temp\80EBA4EA58D40136.exe
MD5
e70e40b7acda24d775bfa15b89137483

SHA1
a993e1cccbfbdf0ec6eead05a99506e3fdc4e146

SHA256
26b8ffe7b3e413e1cb19c534d3b8c2bd05244aad79d84f96a6eb9ad5e5e19136

SHA512
0ff7bb4228a2aee8d062031c31c67e05b88176efb0771602a591a599a78d7d03ba5e4d343caf8f4fadc14230b0b07605900eeb76a8e593fb22528a98d4300053

Download Submit
C:\Users\Admin\AppData\Local\Temp\80EBA4EA58D40136.exe
MD5
e70e40b7acda24d775bfa15b89137483

SHA1
a993e1cccbfbdf0ec6eead05a99506e3fdc4e146

SHA256
26b8ffe7b3e413e1cb19c534d3b8c2bd05244aad79d84f96a6eb9ad5e5e19136

SHA512
0ff7bb4228a2aee8d062031c31c67e05b88176efb0771602a591a599a78d7d03ba5e4d343caf8f4fadc14230b0b07605900eeb76a8e593fb22528a98d4300053

Download Submit
C:\Users\Admin\AppData\Local\Temp\80EBA4EA58D40136.exe
MD5
e70e40b7acda24d775bfa15b89137483

SHA1
a993e1cccbfbdf0ec6eead05a99506e3fdc4e146

SHA256
26b8ffe7b3e413e1cb19c534d3b8c2bd05244aad79d84f96a6eb9ad5e5e19136

SHA512
0ff7bb4228a2aee8d062031c31c67e05b88176efb0771602a591a599a78d7d03ba5e4d343caf8f4fadc14230b0b07605900eeb76a8e593fb22528a98d4300053

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9485.tmp
MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installer.exe
MD5
2effa71f03a5d4a572191b534e28e13e

SHA1
666e04fac3e335664743b71edca3e645775a54fa

SHA256
ccc0b907f78bf21befba3c9b199c926f488572237d6487c145c92a5213b25d29

SHA512
02e64f3751d4afb0d3058e88461cd2a55cd7f662c73c40e3af782a95fa759b9b40c66bd33acdd0199386fda9de0c46dccc22e75e5305e43b9573d836e64f680f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installer.exe
MD5
2effa71f03a5d4a572191b534e28e13e

SHA1
666e04fac3e335664743b71edca3e645775a54fa

SHA256
ccc0b907f78bf21befba3c9b199c926f488572237d6487c145c92a5213b25d29

SHA512
02e64f3751d4afb0d3058e88461cd2a55cd7f662c73c40e3af782a95fa759b9b40c66bd33acdd0199386fda9de0c46dccc22e75e5305e43b9573d836e64f680f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe
MD5
4cfee35f55ecaef4bdc4508eb5d46f8a

SHA1
be092ce3723b7a8ea942ec59c1c30e5d585b89ba

SHA256
fa828cf0731d35f2e35606d56aad77fc5fff41dfd5d37a5ad0f657b38b57cfbe

SHA512
4cf15a517f103750ac0ad93bb858b930f7c2f454ecc688f0adbe20ee9a8b18dc04fc004d0678b3de5b94a50049d8e73fa1c3616adfa5aeb716e1ad6521913401

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe
MD5
4cfee35f55ecaef4bdc4508eb5d46f8a

SHA1
be092ce3723b7a8ea942ec59c1c30e5d585b89ba

SHA256
fa828cf0731d35f2e35606d56aad77fc5fff41dfd5d37a5ad0f657b38b57cfbe

SHA512
4cf15a517f103750ac0ad93bb858b930f7c2f454ecc688f0adbe20ee9a8b18dc04fc004d0678b3de5b94a50049d8e73fa1c3616adfa5aeb716e1ad6521913401

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
MD5
e70e40b7acda24d775bfa15b89137483

SHA1
a993e1cccbfbdf0ec6eead05a99506e3fdc4e146

SHA256
26b8ffe7b3e413e1cb19c534d3b8c2bd05244aad79d84f96a6eb9ad5e5e19136

SHA512
0ff7bb4228a2aee8d062031c31c67e05b88176efb0771602a591a599a78d7d03ba5e4d343caf8f4fadc14230b0b07605900eeb76a8e593fb22528a98d4300053

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
MD5
e70e40b7acda24d775bfa15b89137483

SHA1
a993e1cccbfbdf0ec6eead05a99506e3fdc4e146

SHA256
26b8ffe7b3e413e1cb19c534d3b8c2bd05244aad79d84f96a6eb9ad5e5e19136

SHA512
0ff7bb4228a2aee8d062031c31c67e05b88176efb0771602a591a599a78d7d03ba5e4d343caf8f4fadc14230b0b07605900eeb76a8e593fb22528a98d4300053

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
MD5
4127593be833d53d84be69a1073b46d6

SHA1
589338f5597ae7bc8e184dcf06b7bf0cb21ca104

SHA256
d0ba78c12f7fc6d3c7976b561c6e092bdefc4ee297b51c1f1bd2c13b775df5a4

SHA512
a239cf6ebd06f3d3955dd7fc885e3d0a8bc6d363c5861e4e2a2ed02f23fba6a852ba01a6e3b3582e5e763fc721867d38c1ee58af9f62e8f366a57d5863753ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
MD5
4127593be833d53d84be69a1073b46d6

SHA1
589338f5597ae7bc8e184dcf06b7bf0cb21ca104

SHA256
d0ba78c12f7fc6d3c7976b561c6e092bdefc4ee297b51c1f1bd2c13b775df5a4

SHA512
a239cf6ebd06f3d3955dd7fc885e3d0a8bc6d363c5861e4e2a2ed02f23fba6a852ba01a6e3b3582e5e763fc721867d38c1ee58af9f62e8f366a57d5863753ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\gdrrr.exe
MD5
6a714c56525073f78181129ce52175db

SHA1
eb7a9356e9cc40368e1774035c23b15b7c8d792b

SHA256
57c417f53d9032a2f256cee17c274df2d411858abb14789406671c1dca6017c4

SHA512
04a183bddeeaa6fe316596fad52a6e707549ca2e93b2b294c618b4381018bf5791582e2ac08e0f5e5cea86ac980a56208e54e1e310945614e00524d50a00c550

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\gdrrr.exe
MD5
6a714c56525073f78181129ce52175db

SHA1
eb7a9356e9cc40368e1774035c23b15b7c8d792b

SHA256
57c417f53d9032a2f256cee17c274df2d411858abb14789406671c1dca6017c4

SHA512
04a183bddeeaa6fe316596fad52a6e707549ca2e93b2b294c618b4381018bf5791582e2ac08e0f5e5cea86ac980a56208e54e1e310945614e00524d50a00c550

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdiview.msi
MD5
7cc103f6fd70c6f3a2d2b9fca0438182

SHA1
699bd8924a27516b405ea9a686604b53b4e23372

SHA256
dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1

SHA512
92ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FOUM1.tmp\WsBCDB6m6cbw.tmp
MD5
c867d33d57f9128051e60c8a2003885e

SHA1
129a7738a77ba6a8a8e5f3230ab349cb20abc07a

SHA256
6eea6eae7f76f0d93864ac076cd55b6fa1d9a1d8243b49fcb1654cb5d1dacf1a

SHA512
ac22b7c9271f05514ac3dae48f781fc1c7a1bcaa30f5d812577b40c9a0d6ba5fd5c833241e053b8e03afef73beb60aab1357a094c9940d7a04c27f78de24b353

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Roaming\1614203420191.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1614203420191.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1614203420191.txt
MD5
f3a55ae79aa1a18000ccac4d16761dcd

SHA1
7e2cf5c2a7147b4b172bd9347bbf45aca6beb0f3

SHA256
a77561badbf13eef0e2b0d278d81d7847bfa26c8f3765c2fb798ab4187675575

SHA512
5184cb5cc3278cccf387e7e576587fa33c87d62df1249d20542257443fb36ca67a71f63775c241dcb982542abfcb0918d29edc333addb234b0a46db29fd5c168

Download Submit
C:\Users\Admin\AppData\Roaming\1614203422628.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1614203422628.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1614203422628.txt
MD5
f3a55ae79aa1a18000ccac4d16761dcd

SHA1
7e2cf5c2a7147b4b172bd9347bbf45aca6beb0f3

SHA256
a77561badbf13eef0e2b0d278d81d7847bfa26c8f3765c2fb798ab4187675575

SHA512
5184cb5cc3278cccf387e7e576587fa33c87d62df1249d20542257443fb36ca67a71f63775c241dcb982542abfcb0918d29edc333addb234b0a46db29fd5c168

Download Submit
C:\Users\Admin\AppData\Roaming\A8A9.tmp.exe
MD5
5f58ea16d3b08acf421a568da5e901f1

SHA1
34b6677c290fd53c01d3920a161ed0410d6e55b3

SHA256
e6f025d0a5ec3a4ac1d7943aaf64c95b18d0f2956caf43444ce9651cb71dcd10

SHA512
c80a545edc4ea15947184ee51e7fe8d50e09afca719d0a2e8dadbe6dec8711e0002c3b175a14280c6a9bc2799837cd1a3d546156e2effef959f2c7002bdd560b

Download Submit
C:\Users\Admin\AppData\Roaming\A8A9.tmp.exe
MD5
5f58ea16d3b08acf421a568da5e901f1

SHA1
34b6677c290fd53c01d3920a161ed0410d6e55b3

SHA256
e6f025d0a5ec3a4ac1d7943aaf64c95b18d0f2956caf43444ce9651cb71dcd10

SHA512
c80a545edc4ea15947184ee51e7fe8d50e09afca719d0a2e8dadbe6dec8711e0002c3b175a14280c6a9bc2799837cd1a3d546156e2effef959f2c7002bdd560b

Download Submit
C:\Users\Admin\AppData\Roaming\A8A9.tmp.exe
MD5
5f58ea16d3b08acf421a568da5e901f1

SHA1
34b6677c290fd53c01d3920a161ed0410d6e55b3

SHA256
e6f025d0a5ec3a4ac1d7943aaf64c95b18d0f2956caf43444ce9651cb71dcd10

SHA512
c80a545edc4ea15947184ee51e7fe8d50e09afca719d0a2e8dadbe6dec8711e0002c3b175a14280c6a9bc2799837cd1a3d546156e2effef959f2c7002bdd560b

Download Submit
C:\Users\Admin\Documents\Cr1t2PllsmAB.exe
MD5
f5cca3aa7de2478569d38c765654267d

SHA1
7dfd05dd62788dd43289e2032f00006789e71311

SHA256
280aa9de9a1db7e8c380b811e80f30a12b592222fe304b578ea1efcb2ac340e5

SHA512
0a78ae90699d7b8834946368c9d2d8e87d9a6c610d9cc2d26fe9c2e1e80173331d55beeb28c40f17831daf29132fb40c9fe670334b9626e349eeeb0a28acb57d

Download Submit
C:\Users\Admin\Documents\Cr1t2PllsmAB.exe
MD5
f5cca3aa7de2478569d38c765654267d

SHA1
7dfd05dd62788dd43289e2032f00006789e71311

SHA256
280aa9de9a1db7e8c380b811e80f30a12b592222fe304b578ea1efcb2ac340e5

SHA512
0a78ae90699d7b8834946368c9d2d8e87d9a6c610d9cc2d26fe9c2e1e80173331d55beeb28c40f17831daf29132fb40c9fe670334b9626e349eeeb0a28acb57d

Download Submit
C:\Users\Admin\Documents\WkCoAbw4bo H.exe
MD5
fcfb7642a05749559f580bd93f37acf4

SHA1
2969ae53e434a0844134a931f69a3da137a6d811

SHA256
7058bd005e007331f12d014479a3728514d2b09d8e4602e0a966ba68dea51552

SHA512
0357509767ef1b29ca86c1adcbe7ea8169ea3b298703b3764b21a70f5642380bcbca3d410a6977378b81b180d625cbf5412ac9f82238a2a7690dde1089654b83

Download Submit
C:\Users\Admin\Documents\WkCoAbw4bo H.exe
MD5
fcfb7642a05749559f580bd93f37acf4

SHA1
2969ae53e434a0844134a931f69a3da137a6d811

SHA256
7058bd005e007331f12d014479a3728514d2b09d8e4602e0a966ba68dea51552

SHA512
0357509767ef1b29ca86c1adcbe7ea8169ea3b298703b3764b21a70f5642380bcbca3d410a6977378b81b180d625cbf5412ac9f82238a2a7690dde1089654b83

Download Submit
C:\Users\Admin\Documents\WsBCDB6m6cbw.exe
MD5
b9c42d94ce265a43259a201ce4e5aeb4

SHA1
64926b6302ebfb5002e6342c842c7206d667b22b

SHA256
b8db09eb95279b78a840fab1ee7b39a7f140b0f44adb928c4b11d20e30891bb2

SHA512
c768c39b757eadf02b784d1f6b389cd3a989f88bee336d45ac5739e56f223a505a50e32b2c60d02d16cdc576f506d408aee58530ac578aa350338793df0c854c

Download Submit
C:\Users\Admin\Documents\WsBCDB6m6cbw.exe
MD5
b9c42d94ce265a43259a201ce4e5aeb4

SHA1
64926b6302ebfb5002e6342c842c7206d667b22b

SHA256
b8db09eb95279b78a840fab1ee7b39a7f140b0f44adb928c4b11d20e30891bb2

SHA512
c768c39b757eadf02b784d1f6b389cd3a989f88bee336d45ac5739e56f223a505a50e32b2c60d02d16cdc576f506d408aee58530ac578aa350338793df0c854c

Download Submit
C:\Users\Admin\Documents\cV urr3Sx_X9.exe
MD5
cc9720fe2882a3f7cc54f0f9afb1f335

SHA1
aea59caec4ed3bfbbee2b8cd94c516ae45848a69

SHA256
7e0afbcc7487f74ef4d2dc400812b48542b95dfecad63fe356231065fa10a3db

SHA512
c310106ae8e37c7b85e9355b0852fe87ee73f03cbd23d68c7ac236a2548bb46b7b4a20dfcc973ee836ac415f1dedef5c53a4ade365e90be0dc7e11ef7641e1fa

Download Submit
C:\Users\Admin\Documents\cV urr3Sx_X9.exe
MD5
cc9720fe2882a3f7cc54f0f9afb1f335

SHA1
aea59caec4ed3bfbbee2b8cd94c516ae45848a69

SHA256
7e0afbcc7487f74ef4d2dc400812b48542b95dfecad63fe356231065fa10a3db

SHA512
c310106ae8e37c7b85e9355b0852fe87ee73f03cbd23d68c7ac236a2548bb46b7b4a20dfcc973ee836ac415f1dedef5c53a4ade365e90be0dc7e11ef7641e1fa

Download Submit
C:\Users\Admin\Documents\kW5VlOManLru.exe
MD5
f16ab0fc5a3e8a0deabf9593f78224b8

SHA1
e3cf6e16cfd08bb13aab7273cfc9c57d81908ae6

SHA256
85f7a484933b1149a458d63dddb9be83bd630fb65b45a94491db62cb18950009

SHA512
df6ef9d0f7ea373f1f0d1ea391aeba866e60928cd3214482d2c65c1ad7cbe12913f8900d96ebb48ac0acc1fbe707eb42d717c752d42b2cd8c63d8eefc54ecd7d

Download Submit
C:\Users\Admin\Documents\kW5VlOManLru.exe
MD5
f16ab0fc5a3e8a0deabf9593f78224b8

SHA1
e3cf6e16cfd08bb13aab7273cfc9c57d81908ae6

SHA256
85f7a484933b1149a458d63dddb9be83bd630fb65b45a94491db62cb18950009

SHA512
df6ef9d0f7ea373f1f0d1ea391aeba866e60928cd3214482d2c65c1ad7cbe12913f8900d96ebb48ac0acc1fbe707eb42d717c752d42b2cd8c63d8eefc54ecd7d

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk
MD5
1f7b5734ef18d001dcfc853ce05befb3

SHA1
1a3502be098e3fea7d90405fd6913f5ba0a404d3

SHA256
ff0fde76fe2e1e6261a81b2e49cf84f062f4345d9b31ad752c297929c47e6402

SHA512
15e955ed7d065b788ddb2edfcf32d702e768d437995382c8a72658d151dce3e654c96c8a90275a6f2312bfc9f4284f31c4611cfea91d26717a16847a7b6fe1d5

Download Submit
C:\Users\Public\Desktop\Firefox.lnk
MD5
f1e0a1c1d587a701c670c7c2631de6bb

SHA1
10c1bcbf5855fbef440a6907791487a87f5f0c9c

SHA256
8054b4172aa188949e17b1bc30f942cff515e47efd97e67a4c468764e7b61f21

SHA512
8cdeeba058af17861bcd719a9c0b97a5178c69ef5c4c148ecae62bcda4791726dc2a1079755e5f570a46a5f86abd55f3a5e7e9079ba566a25adca0801fdb0af2

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
MD5
e31d8853d93d27246536496573389636

SHA1
7f5ab14181838ce4a12e5735e1fa6b7f818f68f2

SHA256
528a6381855ffa7e24f927b2d5c083413f241d274865b9812f4a313e37171352

SHA512
6b9a3773ed4a949e0ce6df312991b0a9768c91c4a0cb7d504a20e6d92d9b2cbbea999f67318a306e7782b2eb21f1005d1f8705744b8391e840eae51a8788b05c

Download Submit
\??\Volume{0e932f02-0000-0000-0000-500600000000}\System Volume Information\SPP\OnlineMetadataCache\{a342cb93-cfd3-40f1-bd1c-f331979a6c75}_OnDiskSnapshotProp
MD5
b6d23fb2c4a09d1d6b2c9171055a3118

SHA1
631f87a1b13b4190d9600059e36f6f1f8be91e3e

SHA256
843b19a1680308bbeba9e5d3911883b1888b94f8084fd00d99dc95baf5b53b2a

SHA512
f5eff085f3bff2257a384ecf3507c10d4884aa65c5f5a5cbbf947807635cb0df004e254a64712cf5645d426fb363fb11fae45c6eec302b2168dc16e01c563e3c

Download Submit
\Users\Admin\AppData\Local\Temp\MSI9485.tmp
MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
\Users\Admin\AppData\Local\Temp\is-3QDJA.tmp\idp.dll
MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
memory/364-51-0x0000000000000000-mapping.dmp

Download
memory/496-138-0x0000000000000000-mapping.dmp

Download
memory/644-19-0x0000000000000000-mapping.dmp

Download
memory/892-21-0x0000000000000000-mapping.dmp

Download
memory/892-30-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/924-60-0x0000000000000000-mapping.dmp

Download
memory/1156-27-0x0000000000000000-mapping.dmp

Download
memory/1180-157-0x000000000A200000-0x000000000A235000-memory.dmp

Filesize
212KB

Download
memory/1180-164-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/1180-167-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/1180-131-0x0000000000000000-mapping.dmp

Download
memory/1180-148-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/1180-140-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1180-176-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/1180-161-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/1180-134-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/1248-95-0x0000000000000000-mapping.dmp

Download
memory/1548-166-0x000000000E640000-0x000000000E641000-memory.dmp

Filesize
4KB

Download
memory/1548-152-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/1548-165-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/1548-149-0x0000000000000000-mapping.dmp

Download
memory/1772-32-0x0000000000000000-mapping.dmp

Download
memory/1864-72-0x00000000035A0000-0x0000000003A4F000-memory.dmp

Filesize
4.7MB

Download
memory/1864-47-0x0000000000000000-mapping.dmp

Download
memory/2144-36-0x0000000000000000-mapping.dmp

Download
memory/2144-43-0x0000000010000000-0x000000001033D000-memory.dmp

Filesize
3.2MB

Download
memory/2160-182-0x0000000000000000-mapping.dmp

Download
memory/2176-186-0x0000000000000000-mapping.dmp

Download
memory/2320-137-0x000000000B170000-0x000000000B171000-memory.dmp

Filesize
4KB

Download
memory/2320-135-0x0000000001850000-0x0000000001851000-memory.dmp

Filesize
4KB

Download
memory/2320-129-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/2320-123-0x0000000000000000-mapping.dmp

Download
memory/2320-128-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2320-136-0x0000000001860000-0x000000000186B000-memory.dmp

Filesize
44KB

Download
memory/2320-139-0x000000000AC70000-0x000000000AC71000-memory.dmp

Filesize
4KB

Download
memory/2320-146-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/2476-10-0x0000000000000000-mapping.dmp

Download
memory/2808-98-0x0000000000000000-mapping.dmp

Download
memory/2824-170-0x0000000000000000-mapping.dmp

Download
memory/2888-71-0x0000000002D90000-0x000000000323F000-memory.dmp

Filesize
4.7MB

Download
memory/2888-49-0x0000000000000000-mapping.dmp

Download
memory/3164-159-0x0000000000000000-mapping.dmp

Download
memory/3292-147-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/3292-122-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/3292-119-0x0000000000000000-mapping.dmp

Download
memory/3292-124-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/3292-141-0x0000000004910000-0x0000000004942000-memory.dmp

Filesize
200KB

Download
memory/3328-91-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/3328-92-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/3328-97-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/3472-83-0x0000000000000000-mapping.dmp

Download
memory/3808-7-0x0000000000000000-mapping.dmp

Download
memory/3808-25-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/3848-6-0x0000000000000000-mapping.dmp

Download
memory/3848-13-0x00007FFCF1730000-0x00007FFCF211C000-memory.dmp

Filesize
9.9MB

Download
memory/3848-23-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3888-112-0x0000000000000000-mapping.dmp

Download
memory/4024-9-0x0000000000000000-mapping.dmp

Download
memory/4032-187-0x0000000000000000-mapping.dmp

Download
memory/4036-39-0x0000000004240000-0x0000000004241000-memory.dmp

Filesize
4KB

Download
memory/4056-179-0x0000000000000000-mapping.dmp

Download
memory/4088-40-0x0000000000000000-mapping.dmp

Download
memory/4136-90-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4136-87-0x0000000000401480-mapping.dmp

Download
memory/4136-85-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4200-56-0x0000000000000000-mapping.dmp

Download
memory/4200-59-0x0000000001290000-0x000000000129D000-memory.dmp

Filesize
52KB

Download
memory/4200-80-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4444-44-0x0000000000000000-mapping.dmp

Download
memory/4472-118-0x000000001B2B0000-0x000000001B2B2000-memory.dmp

Filesize
8KB

Download
memory/4472-111-0x00007FFCF17D0000-0x00007FFCF21BC000-memory.dmp

Filesize
9.9MB

Download
memory/4472-117-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/4472-116-0x0000000000A40000-0x0000000000A5E000-memory.dmp

Filesize
120KB

Download
memory/4472-108-0x0000000000000000-mapping.dmp

Download
memory/4472-113-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/4472-115-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/4496-101-0x0000000000000000-mapping.dmp

Download
memory/4552-73-0x0000000000000000-mapping.dmp

Download
memory/4552-89-0x0000000000BC0000-0x0000000000C05000-memory.dmp

Filesize
276KB

Download
memory/4552-82-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/4656-107-0x0000000000000000-mapping.dmp

Download
memory/4668-55-0x0000000000000000-mapping.dmp

Download
memory/4692-2-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/4692-3-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/4692-5-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/4728-81-0x0000025A52350000-0x0000025A52351000-memory.dmp

Filesize
4KB

Download
memory/4728-78-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/4728-74-0x00007FF61FF58270-mapping.dmp

Download
memory/4732-79-0x0000000000000000-mapping.dmp

Download
memory/4740-100-0x00007FF61FF58270-mapping.dmp

Download
memory/4740-105-0x0000024E68D30000-0x0000024E68D31000-memory.dmp

Filesize
4KB

Download
memory/4876-77-0x0000000000000000-mapping.dmp

Download