plugx | d71d1f411026ddf3124660d50f2e65a42b7ad4637459c9c86d13028a30a0cbb5

Analysis

max time kernel
1727s
max time network
1728s
platform
windows10_x64
resource
win10v20201028
submitted
24-02-2021 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hell.bin.exe
Size

17KB
MD5

767b5f0d52f3c7af12ee5e45e445f046
SHA1

42a6631056347a92888c53d36f97018b8fa5f9ba
SHA256

65403f6f0be0d76e157417c5d5b12023177ef451c2503857f13e9cd0e1e7f6e5
SHA512

be6eaeebb0822cbae55bd5b044f6dd1bd383fa07499010b1cfe17f37e997cd070a16bed705e6f232ac33be29d11787a8611e688632e0a5de3f21717922b4764d

Score

10^/10

plugx bootkit discovery evasion macro persistence spyware trojan upx xlm

Malware Config

Signatures

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Nirsoft 7 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\1614199815076.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1614199815076.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1614199817294.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1614199817294.exe	Nirsoft
C:\Program Files (x86)\gdiview\gdiview\GDIView.exe	Nirsoft
C:\Program Files (x86)\gdiview\gdiview\GDIView.exe	Nirsoft
C:\Program Files (x86)\gdiview\gdiview\GDIView.exe	Nirsoft

Executes dropped EXE 32 IoCs

Processes:

U S3e2xzkxGa.exepV9ofc6R3C Z.exe MWtx8 DK1Xs.exeRNZiBJfTtElg.exejfiag3g_gg.exe MWtx8 DK1Xs.tmpgDBozCQz RWS.exeInstaller.exeSetup.exejfiag3g_gg.exe80EBA4EA58D40136.exe80EBA4EA58D40136.exefile.exe1614199815076.exe1614199817294.exeBE54.tmp.exeBE54.tmp.exeBTRSetp.exe2790485.302006075.225203824.57gdrrr.exeWindows Host.exejfiag3g_gg.exejfiag3g_gg.exeThunderFW.exeGDIView.exeGDIView.exejfiag3g_gg.exejfiag3g_gg.exejfiag3g_gg.exejfiag3g_gg.exe

pid	process
3824	U S3e2xzkxGa.exe
1000	pV9ofc6R3C Z.exe
3232	MWtx8 DK1Xs.exe
1364	RNZiBJfTtElg.exe
3876	jfiag3g_gg.exe
2472	MWtx8 DK1Xs.tmp
1604	gDBozCQz RWS.exe
188	Installer.exe
3320	Setup.exe
4132	jfiag3g_gg.exe
4412	80EBA4EA58D40136.exe
4424	80EBA4EA58D40136.exe
4484	file.exe
4796	1614199815076.exe
5004	1614199817294.exe
5056	BE54.tmp.exe
5092	BE54.tmp.exe
2208	BTRSetp.exe
1432	2790485.30
1548	2006075.22
4452	5203824.57
4768	gdrrr.exe
4924	Windows Host.exe
4996	jfiag3g_gg.exe
4392	jfiag3g_gg.exe
1084	ThunderFW.exe
4716	GDIView.exe
5028	GDIView.exe
4492	jfiag3g_gg.exe
4204	jfiag3g_gg.exe
4912	jfiag3g_gg.exe
4000	jfiag3g_gg.exe

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gdiview.msi	office_xlm_macros

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Documents\RNZiBJfTtElg.exe	upx
C:\Users\Admin\Documents\RNZiBJfTtElg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
behavioral4/memory/4116-41-0x0000000004020000-0x0000000004021000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

Loads dropped DLL 2 IoCs

Processes:

MWtx8 DK1Xs.tmpMsiExec.exe

pid process

2472 MWtx8 DK1Xs.tmp
4348 MsiExec.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2472	MWtx8 DK1Xs.tmp
4348	MsiExec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

pV9ofc6R3C Z.exe2006075.22

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng."	pV9ofc6R3C Z.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	2006075.22

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

RNZiBJfTtElg.exeSetup.exe80EBA4EA58D40136.exe80EBA4EA58D40136.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RNZiBJfTtElg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	80EBA4EA58D40136.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	80EBA4EA58D40136.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ip-api.com
66 api.ipify.org

flow	ioc
11	ip-api.com
66	api.ipify.org

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

Setup.exe80EBA4EA58D40136.exe80EBA4EA58D40136.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	80EBA4EA58D40136.exe
File opened for modification	\??\PhysicalDrive0	80EBA4EA58D40136.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Setup.exe

pid process

3320 Setup.exe

pid	process
3320	Setup.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

80EBA4EA58D40136.exeBE54.tmp.exe

description	pid	process	target process
PID 4412 set thread context of 4668	4412	80EBA4EA58D40136.exe	firefox.exe
PID 4412 set thread context of 4992	4412	80EBA4EA58D40136.exe	firefox.exe
PID 5056 set thread context of 5092	5056	BE54.tmp.exe	BE54.tmp.exe

Drops file in Program Files directory 3 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\gdiview\gdiview\GDIView.chm	msiexec.exe
File created	C:\Program Files (x86)\gdiview\gdiview\GDIView.exe	msiexec.exe
File created	C:\Program Files (x86)\gdiview\gdiview\readme.txt	msiexec.exe

Drops file in Windows directory 8 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI2C9F.tmp	msiexec.exe
File created	C:\Windows\Installer\f752b58.msi	msiexec.exe
File created	C:\Windows\Installer\f752b56.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f752b56.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9A2A452C-3057-4F5E-8C7F-41B0D566B831}	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4116 1364 WerFault.exe RNZiBJfTtElg.exe

pid	pid_target	process	target process
4116	1364	WerFault.exe	RNZiBJfTtElg.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe80EBA4EA58D40136.exe80EBA4EA58D40136.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	80EBA4EA58D40136.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	80EBA4EA58D40136.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	80EBA4EA58D40136.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	80EBA4EA58D40136.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	80EBA4EA58D40136.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BE54.tmp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BE54.tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BE54.tmp.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4728 taskkill.exe

pid	process
4728	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Setup.exefile.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

4960 PING.EXE
2160 PING.EXE
4680 PING.EXE
4576 PING.EXE

pid	process
4960	PING.EXE
2160	PING.EXE
4680	PING.EXE
4576	PING.EXE

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

jfiag3g_gg.exeWerFault.exe1614199815076.exe1614199817294.exeBE54.tmp.exejfiag3g_gg.exe2790485.305203824.57msiexec.exeGDIView.exeGDIView.exejfiag3g_gg.exejfiag3g_gg.exejfiag3g_gg.exejfiag3g_gg.exe

pid	process
4132	jfiag3g_gg.exe
4132	jfiag3g_gg.exe
4116	WerFault.exe
4116	WerFault.exe
4116	WerFault.exe
4116	WerFault.exe
4116	WerFault.exe
4116	WerFault.exe
4116	WerFault.exe
4116	WerFault.exe
4116	WerFault.exe
4116	WerFault.exe
4116	WerFault.exe
4116	WerFault.exe
4116	WerFault.exe
4116	WerFault.exe
4116	WerFault.exe
4796	1614199815076.exe
4796	1614199815076.exe
5004	1614199817294.exe
5004	1614199817294.exe
5092	BE54.tmp.exe
5092	BE54.tmp.exe
4392	jfiag3g_gg.exe
4392	jfiag3g_gg.exe
1432	2790485.30
1432	2790485.30
4452	5203824.57
4452	5203824.57
1432	2790485.30
4284	msiexec.exe
4284	msiexec.exe
4716	GDIView.exe
4716	GDIView.exe
5028	GDIView.exe
5028	GDIView.exe
4492	jfiag3g_gg.exe
4492	jfiag3g_gg.exe
4204	jfiag3g_gg.exe
4204	jfiag3g_gg.exe
4912	jfiag3g_gg.exe
4912	jfiag3g_gg.exe
4000	jfiag3g_gg.exe
4000	jfiag3g_gg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

hell.bin.exeRNZiBJfTtElg.exeWerFault.exemsiexec.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	1156	hell.bin.exe
Token: SeManageVolumePrivilege	1364	RNZiBJfTtElg.exe
Token: SeRestorePrivilege	4116	WerFault.exe
Token: SeBackupPrivilege	4116	WerFault.exe
Token: SeDebugPrivilege	4116	WerFault.exe
Token: SeShutdownPrivilege	4220	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4220	msiexec.exe
Token: SeSecurityPrivilege	4284	msiexec.exe
Token: SeCreateTokenPrivilege	4220	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4220	msiexec.exe
Token: SeLockMemoryPrivilege	4220	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4220	msiexec.exe
Token: SeMachineAccountPrivilege	4220	msiexec.exe
Token: SeTcbPrivilege	4220	msiexec.exe
Token: SeSecurityPrivilege	4220	msiexec.exe
Token: SeTakeOwnershipPrivilege	4220	msiexec.exe
Token: SeLoadDriverPrivilege	4220	msiexec.exe
Token: SeSystemProfilePrivilege	4220	msiexec.exe
Token: SeSystemtimePrivilege	4220	msiexec.exe
Token: SeProfSingleProcessPrivilege	4220	msiexec.exe
Token: SeIncBasePriorityPrivilege	4220	msiexec.exe
Token: SeCreatePagefilePrivilege	4220	msiexec.exe
Token: SeCreatePermanentPrivilege	4220	msiexec.exe
Token: SeBackupPrivilege	4220	msiexec.exe
Token: SeRestorePrivilege	4220	msiexec.exe
Token: SeShutdownPrivilege	4220	msiexec.exe
Token: SeDebugPrivilege	4220	msiexec.exe
Token: SeAuditPrivilege	4220	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4220	msiexec.exe
Token: SeChangeNotifyPrivilege	4220	msiexec.exe
Token: SeRemoteShutdownPrivilege	4220	msiexec.exe
Token: SeUndockPrivilege	4220	msiexec.exe
Token: SeSyncAgentPrivilege	4220	msiexec.exe
Token: SeEnableDelegationPrivilege	4220	msiexec.exe
Token: SeManageVolumePrivilege	4220	msiexec.exe
Token: SeImpersonatePrivilege	4220	msiexec.exe
Token: SeCreateGlobalPrivilege	4220	msiexec.exe
Token: SeCreateTokenPrivilege	4220	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4220	msiexec.exe
Token: SeLockMemoryPrivilege	4220	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4220	msiexec.exe
Token: SeMachineAccountPrivilege	4220	msiexec.exe
Token: SeTcbPrivilege	4220	msiexec.exe
Token: SeSecurityPrivilege	4220	msiexec.exe
Token: SeTakeOwnershipPrivilege	4220	msiexec.exe
Token: SeLoadDriverPrivilege	4220	msiexec.exe
Token: SeSystemProfilePrivilege	4220	msiexec.exe
Token: SeSystemtimePrivilege	4220	msiexec.exe
Token: SeProfSingleProcessPrivilege	4220	msiexec.exe
Token: SeIncBasePriorityPrivilege	4220	msiexec.exe
Token: SeCreatePagefilePrivilege	4220	msiexec.exe
Token: SeCreatePermanentPrivilege	4220	msiexec.exe
Token: SeBackupPrivilege	4220	msiexec.exe
Token: SeRestorePrivilege	4220	msiexec.exe
Token: SeShutdownPrivilege	4220	msiexec.exe
Token: SeDebugPrivilege	4220	msiexec.exe
Token: SeAuditPrivilege	4220	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4220	msiexec.exe
Token: SeChangeNotifyPrivilege	4220	msiexec.exe
Token: SeRemoteShutdownPrivilege	4220	msiexec.exe
Token: SeUndockPrivilege	4220	msiexec.exe
Token: SeSyncAgentPrivilege	4220	msiexec.exe
Token: SeEnableDelegationPrivilege	4220	msiexec.exe
Token: SeManageVolumePrivilege	4220	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

4220 msiexec.exe
4220 msiexec.exe

pid	process
4220	msiexec.exe
4220	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

hell.bin.exepV9ofc6R3C Z.exe MWtx8 DK1Xs.exegDBozCQz RWS.exeInstaller.exeSetup.exemsiexec.execmd.exe80EBA4EA58D40136.exe80EBA4EA58D40136.execmd.exe

description	pid	process	target process
PID 1156 wrote to memory of 3824	1156	hell.bin.exe	U S3e2xzkxGa.exe
PID 1156 wrote to memory of 3824	1156	hell.bin.exe	U S3e2xzkxGa.exe
PID 1156 wrote to memory of 1000	1156	hell.bin.exe	pV9ofc6R3C Z.exe
PID 1156 wrote to memory of 1000	1156	hell.bin.exe	pV9ofc6R3C Z.exe
PID 1156 wrote to memory of 1000	1156	hell.bin.exe	pV9ofc6R3C Z.exe
PID 1156 wrote to memory of 3232	1156	hell.bin.exe	MWtx8 DK1Xs.exe
PID 1156 wrote to memory of 3232	1156	hell.bin.exe	MWtx8 DK1Xs.exe
PID 1156 wrote to memory of 3232	1156	hell.bin.exe	MWtx8 DK1Xs.exe
PID 1156 wrote to memory of 1364	1156	hell.bin.exe	RNZiBJfTtElg.exe
PID 1156 wrote to memory of 1364	1156	hell.bin.exe	RNZiBJfTtElg.exe
PID 1156 wrote to memory of 1364	1156	hell.bin.exe	RNZiBJfTtElg.exe
PID 1000 wrote to memory of 3876	1000	pV9ofc6R3C Z.exe	jfiag3g_gg.exe
PID 1000 wrote to memory of 3876	1000	pV9ofc6R3C Z.exe	jfiag3g_gg.exe
PID 1000 wrote to memory of 3876	1000	pV9ofc6R3C Z.exe	jfiag3g_gg.exe
PID 3232 wrote to memory of 2472	3232	MWtx8 DK1Xs.exe	MWtx8 DK1Xs.tmp
PID 3232 wrote to memory of 2472	3232	MWtx8 DK1Xs.exe	MWtx8 DK1Xs.tmp
PID 3232 wrote to memory of 2472	3232	MWtx8 DK1Xs.exe	MWtx8 DK1Xs.tmp
PID 1156 wrote to memory of 1604	1156	hell.bin.exe	gDBozCQz RWS.exe
PID 1156 wrote to memory of 1604	1156	hell.bin.exe	gDBozCQz RWS.exe
PID 1156 wrote to memory of 1604	1156	hell.bin.exe	gDBozCQz RWS.exe
PID 1604 wrote to memory of 188	1604	gDBozCQz RWS.exe	Installer.exe
PID 1604 wrote to memory of 188	1604	gDBozCQz RWS.exe	Installer.exe
PID 1604 wrote to memory of 188	1604	gDBozCQz RWS.exe	Installer.exe
PID 188 wrote to memory of 3320	188	Installer.exe	Setup.exe
PID 188 wrote to memory of 3320	188	Installer.exe	Setup.exe
PID 188 wrote to memory of 3320	188	Installer.exe	Setup.exe
PID 1000 wrote to memory of 4132	1000	pV9ofc6R3C Z.exe	jfiag3g_gg.exe
PID 1000 wrote to memory of 4132	1000	pV9ofc6R3C Z.exe	jfiag3g_gg.exe
PID 1000 wrote to memory of 4132	1000	pV9ofc6R3C Z.exe	jfiag3g_gg.exe
PID 3320 wrote to memory of 4220	3320	Setup.exe	msiexec.exe
PID 3320 wrote to memory of 4220	3320	Setup.exe	msiexec.exe
PID 3320 wrote to memory of 4220	3320	Setup.exe	msiexec.exe
PID 4284 wrote to memory of 4348	4284	msiexec.exe	MsiExec.exe
PID 4284 wrote to memory of 4348	4284	msiexec.exe	MsiExec.exe
PID 4284 wrote to memory of 4348	4284	msiexec.exe	MsiExec.exe
PID 3320 wrote to memory of 4412	3320	Setup.exe	80EBA4EA58D40136.exe
PID 3320 wrote to memory of 4412	3320	Setup.exe	80EBA4EA58D40136.exe
PID 3320 wrote to memory of 4412	3320	Setup.exe	80EBA4EA58D40136.exe
PID 3320 wrote to memory of 4424	3320	Setup.exe	80EBA4EA58D40136.exe
PID 3320 wrote to memory of 4424	3320	Setup.exe	80EBA4EA58D40136.exe
PID 3320 wrote to memory of 4424	3320	Setup.exe	80EBA4EA58D40136.exe
PID 3320 wrote to memory of 4464	3320	Setup.exe	cmd.exe
PID 3320 wrote to memory of 4464	3320	Setup.exe	cmd.exe
PID 3320 wrote to memory of 4464	3320	Setup.exe	cmd.exe
PID 188 wrote to memory of 4484	188	Installer.exe	file.exe
PID 188 wrote to memory of 4484	188	Installer.exe	file.exe
PID 188 wrote to memory of 4484	188	Installer.exe	file.exe
PID 4464 wrote to memory of 4576	4464	cmd.exe	PING.EXE
PID 4464 wrote to memory of 4576	4464	cmd.exe	PING.EXE
PID 4464 wrote to memory of 4576	4464	cmd.exe	PING.EXE
PID 4424 wrote to memory of 4656	4424	80EBA4EA58D40136.exe	cmd.exe
PID 4424 wrote to memory of 4656	4424	80EBA4EA58D40136.exe	cmd.exe
PID 4424 wrote to memory of 4656	4424	80EBA4EA58D40136.exe	cmd.exe
PID 4412 wrote to memory of 4668	4412	80EBA4EA58D40136.exe	firefox.exe
PID 4412 wrote to memory of 4668	4412	80EBA4EA58D40136.exe	firefox.exe
PID 4412 wrote to memory of 4668	4412	80EBA4EA58D40136.exe	firefox.exe
PID 4412 wrote to memory of 4668	4412	80EBA4EA58D40136.exe	firefox.exe
PID 4412 wrote to memory of 4668	4412	80EBA4EA58D40136.exe	firefox.exe
PID 4412 wrote to memory of 4668	4412	80EBA4EA58D40136.exe	firefox.exe
PID 4656 wrote to memory of 4728	4656	cmd.exe	taskkill.exe
PID 4656 wrote to memory of 4728	4656	cmd.exe	taskkill.exe
PID 4656 wrote to memory of 4728	4656	cmd.exe	taskkill.exe
PID 4412 wrote to memory of 4796	4412	80EBA4EA58D40136.exe	1614199815076.exe
PID 4412 wrote to memory of 4796	4412	80EBA4EA58D40136.exe	1614199815076.exe

C:\Users\Admin\AppData\Local\Temp\hell.bin.exe
"C:\Users\Admin\AppData\Local\Temp\hell.bin.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\Documents\U S3e2xzkxGa.exe
"C:\Users\Admin\Documents\U S3e2xzkxGa.exe"
2⤵
- Executes dropped EXE
PID:3824

C:\Users\Admin\Documents\pV9ofc6R3C Z.exe
"C:\Users\Admin\Documents\pV9ofc6R3C Z.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1000

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:3876

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4132

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4492

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4912

C:\Users\Admin\Documents\ MWtx8 DK1Xs.exe
"C:\Users\Admin\Documents\ MWtx8 DK1Xs.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232

C:\Users\Admin\AppData\Local\Temp\is-QTJK2.tmp\ MWtx8 DK1Xs.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QTJK2.tmp\ MWtx8 DK1Xs.tmp" /SL5="$A0062,434406,350720,C:\Users\Admin\Documents\ MWtx8 DK1Xs.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2472

C:\Users\Admin\Documents\RNZiBJfTtElg.exe
"C:\Users\Admin\Documents\RNZiBJfTtElg.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 2432
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Users\Admin\Documents\gDBozCQz RWS.exe
"C:\Users\Admin\Documents\gDBozCQz RWS.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installer.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:188

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3320

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
5⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4220

C:\Users\Admin\AppData\Local\Temp\80EBA4EA58D40136.exe
C:\Users\Admin\AppData\Local\Temp\80EBA4EA58D40136.exe 0011 installp1
5⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:4412

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
6⤵
PID:4668

C:\Users\Admin\AppData\Roaming\1614199815076.exe
"C:\Users\Admin\AppData\Roaming\1614199815076.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614199815076.txt"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4796

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
6⤵
PID:4992

C:\Users\Admin\AppData\Roaming\1614199817294.exe
"C:\Users\Admin\AppData\Roaming\1614199817294.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614199817294.txt"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5004

C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
6⤵
- Executes dropped EXE
PID:1084

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\80EBA4EA58D40136.exe"
6⤵
PID:4436

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
7⤵
- Runs ping.exe
PID:4680

C:\Users\Admin\AppData\Local\Temp\80EBA4EA58D40136.exe
C:\Users\Admin\AppData\Local\Temp\80EBA4EA58D40136.exe 200 installp1
5⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:4424

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
PID:4728

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\80EBA4EA58D40136.exe"
6⤵
PID:4916

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
7⤵
- Runs ping.exe
PID:4960

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:4576

C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
PID:4484

C:\Users\Admin\AppData\Roaming\BE54.tmp.exe
"C:\Users\Admin\AppData\Roaming\BE54.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5056

C:\Users\Admin\AppData\Roaming\BE54.tmp.exe
"C:\Users\Admin\AppData\Roaming\BE54.tmp.exe"
6⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5092

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
5⤵
PID:4164

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:2160

C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"
4⤵
- Executes dropped EXE
PID:2208

C:\ProgramData\2790485.30
"C:\ProgramData\2790485.30"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1432

C:\ProgramData\2006075.22
"C:\ProgramData\2006075.22"
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1548

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
6⤵
- Executes dropped EXE
PID:4924

C:\ProgramData\5203824.57
"C:\ProgramData\5203824.57"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4452

C:\Users\Admin\AppData\Local\Temp\RarSFX1\gdrrr.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\gdrrr.exe"
4⤵
- Executes dropped EXE
PID:4768

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:4996

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4392

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4204

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4000

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2B52E097AD9256CC7F339E4658FB246E C
2⤵
- Loads dropped DLL
PID:4348

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:4928

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1924

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4528

C:\Program Files (x86)\gdiview\gdiview\GDIView.exe
"C:\Program Files (x86)\gdiview\gdiview\GDIView.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4716

C:\Program Files (x86)\gdiview\gdiview\GDIView.exe
"C:\Program Files (x86)\gdiview\gdiview\GDIView.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\gdiview\gdiview\GDIView.exe
MD5
292ce5c1baa3da54f5bfd847bdd92fa1

SHA1
4d98e3522790a9408e7e85d0e80c3b54a43318e1

SHA256
c49560f7a206b6b55d89c205a4631dfedd2b4a78ab81fea8706989a5627f95a1

SHA512
87df5d622d8f0685edf93f97b8213c893b203d1c6d064af238f0bdc0dc985c9968be6f0907aff4fb64a320b0886ef2bed2339694aca12f0bcd9502ce3d6f089d

Download Submit
C:\Program Files (x86)\gdiview\gdiview\GDIView.exe
MD5
292ce5c1baa3da54f5bfd847bdd92fa1

SHA1
4d98e3522790a9408e7e85d0e80c3b54a43318e1

SHA256
c49560f7a206b6b55d89c205a4631dfedd2b4a78ab81fea8706989a5627f95a1

SHA512
87df5d622d8f0685edf93f97b8213c893b203d1c6d064af238f0bdc0dc985c9968be6f0907aff4fb64a320b0886ef2bed2339694aca12f0bcd9502ce3d6f089d

Download Submit
C:\Program Files (x86)\gdiview\gdiview\GDIView.exe
MD5
292ce5c1baa3da54f5bfd847bdd92fa1

SHA1
4d98e3522790a9408e7e85d0e80c3b54a43318e1

SHA256
c49560f7a206b6b55d89c205a4631dfedd2b4a78ab81fea8706989a5627f95a1

SHA512
87df5d622d8f0685edf93f97b8213c893b203d1c6d064af238f0bdc0dc985c9968be6f0907aff4fb64a320b0886ef2bed2339694aca12f0bcd9502ce3d6f089d

Download Submit
C:\ProgramData\2006075.22
MD5
6eedffd3651138e002a6a9639eca9830

SHA1
8a0c7542187471603f2ff4f8cc5977d8be44dfbe

SHA256
88304ec83df816066689acaa269581741168cbb1e5b849ea3373a051faac1b0f

SHA512
22f7ad4b6a1f0d4f917e19dee5194c56068804e91e3c8071f5007efe4418d9e51f8953e43f644ac253f4a7c4156baed8404c96a5d34a5f7f6233d71fe28fb80a

Download Submit
C:\ProgramData\2006075.22
MD5
6eedffd3651138e002a6a9639eca9830

SHA1
8a0c7542187471603f2ff4f8cc5977d8be44dfbe

SHA256
88304ec83df816066689acaa269581741168cbb1e5b849ea3373a051faac1b0f

SHA512
22f7ad4b6a1f0d4f917e19dee5194c56068804e91e3c8071f5007efe4418d9e51f8953e43f644ac253f4a7c4156baed8404c96a5d34a5f7f6233d71fe28fb80a

Download Submit
C:\ProgramData\2790485.30
MD5
9298adc9b93e65d9ae6d73a72b5a8f5d

SHA1
73309cbd5515ce5f5b9160071e986b2fb54771e1

SHA256
26d0db9d4899a7fbf981e1e11047abc5d7d8094c34176d411d82b26805657b4b

SHA512
fee90a372cabcea95019f29ac8fc4fc4cddf3aaa83598dd26f93ba7732da7736c69205253a7adec6293b8292c4b9a32e53dca56b306fb743fb9e782b263b43b2

Download Submit
C:\ProgramData\2790485.30
MD5
9298adc9b93e65d9ae6d73a72b5a8f5d

SHA1
73309cbd5515ce5f5b9160071e986b2fb54771e1

SHA256
26d0db9d4899a7fbf981e1e11047abc5d7d8094c34176d411d82b26805657b4b

SHA512
fee90a372cabcea95019f29ac8fc4fc4cddf3aaa83598dd26f93ba7732da7736c69205253a7adec6293b8292c4b9a32e53dca56b306fb743fb9e782b263b43b2

Download Submit
C:\ProgramData\5203824.57
MD5
28d92f2f1b2f17197d4d090952943cd3

SHA1
24835f7ba0fb91c280374737031f9eb2acc866da

SHA256
6c65ddab1d6e9690968430a15024cd433b2791f9eb47d08ccba65e5fbcfb3884

SHA512
ae461ddb126984abdf4babe13ebdd62e996154026abfb84b90947c745b80998ca265f0fea27eb04915f02f25e61293daeb13a5777024ab991f56bf960cf36dd4

Download Submit
C:\ProgramData\5203824.57
MD5
28d92f2f1b2f17197d4d090952943cd3

SHA1
24835f7ba0fb91c280374737031f9eb2acc866da

SHA256
6c65ddab1d6e9690968430a15024cd433b2791f9eb47d08ccba65e5fbcfb3884

SHA512
ae461ddb126984abdf4babe13ebdd62e996154026abfb84b90947c745b80998ca265f0fea27eb04915f02f25e61293daeb13a5777024ab991f56bf960cf36dd4

Download Submit
C:\ProgramData\Windows Host\Windows Host.exe
MD5
6eedffd3651138e002a6a9639eca9830

SHA1
8a0c7542187471603f2ff4f8cc5977d8be44dfbe

SHA256
88304ec83df816066689acaa269581741168cbb1e5b849ea3373a051faac1b0f

SHA512
22f7ad4b6a1f0d4f917e19dee5194c56068804e91e3c8071f5007efe4418d9e51f8953e43f644ac253f4a7c4156baed8404c96a5d34a5f7f6233d71fe28fb80a

Download Submit
C:\ProgramData\Windows Host\Windows Host.exe
MD5
6eedffd3651138e002a6a9639eca9830

SHA1
8a0c7542187471603f2ff4f8cc5977d8be44dfbe

SHA256
88304ec83df816066689acaa269581741168cbb1e5b849ea3373a051faac1b0f

SHA512
22f7ad4b6a1f0d4f917e19dee5194c56068804e91e3c8071f5007efe4418d9e51f8953e43f644ac253f4a7c4156baed8404c96a5d34a5f7f6233d71fe28fb80a

Download Submit
C:\Users\Admin\AppData\Local\Temp\80EBA4EA58D40136.exe
MD5
e70e40b7acda24d775bfa15b89137483

SHA1
a993e1cccbfbdf0ec6eead05a99506e3fdc4e146

SHA256
26b8ffe7b3e413e1cb19c534d3b8c2bd05244aad79d84f96a6eb9ad5e5e19136

SHA512
0ff7bb4228a2aee8d062031c31c67e05b88176efb0771602a591a599a78d7d03ba5e4d343caf8f4fadc14230b0b07605900eeb76a8e593fb22528a98d4300053

Download Submit
C:\Users\Admin\AppData\Local\Temp\80EBA4EA58D40136.exe
MD5
e70e40b7acda24d775bfa15b89137483

SHA1
a993e1cccbfbdf0ec6eead05a99506e3fdc4e146

SHA256
26b8ffe7b3e413e1cb19c534d3b8c2bd05244aad79d84f96a6eb9ad5e5e19136

SHA512
0ff7bb4228a2aee8d062031c31c67e05b88176efb0771602a591a599a78d7d03ba5e4d343caf8f4fadc14230b0b07605900eeb76a8e593fb22528a98d4300053

Download Submit
C:\Users\Admin\AppData\Local\Temp\80EBA4EA58D40136.exe
MD5
e70e40b7acda24d775bfa15b89137483

SHA1
a993e1cccbfbdf0ec6eead05a99506e3fdc4e146

SHA256
26b8ffe7b3e413e1cb19c534d3b8c2bd05244aad79d84f96a6eb9ad5e5e19136

SHA512
0ff7bb4228a2aee8d062031c31c67e05b88176efb0771602a591a599a78d7d03ba5e4d343caf8f4fadc14230b0b07605900eeb76a8e593fb22528a98d4300053

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI984E.tmp
MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installer.exe
MD5
2effa71f03a5d4a572191b534e28e13e

SHA1
666e04fac3e335664743b71edca3e645775a54fa

SHA256
ccc0b907f78bf21befba3c9b199c926f488572237d6487c145c92a5213b25d29

SHA512
02e64f3751d4afb0d3058e88461cd2a55cd7f662c73c40e3af782a95fa759b9b40c66bd33acdd0199386fda9de0c46dccc22e75e5305e43b9573d836e64f680f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installer.exe
MD5
2effa71f03a5d4a572191b534e28e13e

SHA1
666e04fac3e335664743b71edca3e645775a54fa

SHA256
ccc0b907f78bf21befba3c9b199c926f488572237d6487c145c92a5213b25d29

SHA512
02e64f3751d4afb0d3058e88461cd2a55cd7f662c73c40e3af782a95fa759b9b40c66bd33acdd0199386fda9de0c46dccc22e75e5305e43b9573d836e64f680f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe
MD5
4cfee35f55ecaef4bdc4508eb5d46f8a

SHA1
be092ce3723b7a8ea942ec59c1c30e5d585b89ba

SHA256
fa828cf0731d35f2e35606d56aad77fc5fff41dfd5d37a5ad0f657b38b57cfbe

SHA512
4cf15a517f103750ac0ad93bb858b930f7c2f454ecc688f0adbe20ee9a8b18dc04fc004d0678b3de5b94a50049d8e73fa1c3616adfa5aeb716e1ad6521913401

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe
MD5
4cfee35f55ecaef4bdc4508eb5d46f8a

SHA1
be092ce3723b7a8ea942ec59c1c30e5d585b89ba

SHA256
fa828cf0731d35f2e35606d56aad77fc5fff41dfd5d37a5ad0f657b38b57cfbe

SHA512
4cf15a517f103750ac0ad93bb858b930f7c2f454ecc688f0adbe20ee9a8b18dc04fc004d0678b3de5b94a50049d8e73fa1c3616adfa5aeb716e1ad6521913401

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
MD5
e70e40b7acda24d775bfa15b89137483

SHA1
a993e1cccbfbdf0ec6eead05a99506e3fdc4e146

SHA256
26b8ffe7b3e413e1cb19c534d3b8c2bd05244aad79d84f96a6eb9ad5e5e19136

SHA512
0ff7bb4228a2aee8d062031c31c67e05b88176efb0771602a591a599a78d7d03ba5e4d343caf8f4fadc14230b0b07605900eeb76a8e593fb22528a98d4300053

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
MD5
e70e40b7acda24d775bfa15b89137483

SHA1
a993e1cccbfbdf0ec6eead05a99506e3fdc4e146

SHA256
26b8ffe7b3e413e1cb19c534d3b8c2bd05244aad79d84f96a6eb9ad5e5e19136

SHA512
0ff7bb4228a2aee8d062031c31c67e05b88176efb0771602a591a599a78d7d03ba5e4d343caf8f4fadc14230b0b07605900eeb76a8e593fb22528a98d4300053

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
MD5
4127593be833d53d84be69a1073b46d6

SHA1
589338f5597ae7bc8e184dcf06b7bf0cb21ca104

SHA256
d0ba78c12f7fc6d3c7976b561c6e092bdefc4ee297b51c1f1bd2c13b775df5a4

SHA512
a239cf6ebd06f3d3955dd7fc885e3d0a8bc6d363c5861e4e2a2ed02f23fba6a852ba01a6e3b3582e5e763fc721867d38c1ee58af9f62e8f366a57d5863753ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
MD5
4127593be833d53d84be69a1073b46d6

SHA1
589338f5597ae7bc8e184dcf06b7bf0cb21ca104

SHA256
d0ba78c12f7fc6d3c7976b561c6e092bdefc4ee297b51c1f1bd2c13b775df5a4

SHA512
a239cf6ebd06f3d3955dd7fc885e3d0a8bc6d363c5861e4e2a2ed02f23fba6a852ba01a6e3b3582e5e763fc721867d38c1ee58af9f62e8f366a57d5863753ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\gdrrr.exe
MD5
6a714c56525073f78181129ce52175db

SHA1
eb7a9356e9cc40368e1774035c23b15b7c8d792b

SHA256
57c417f53d9032a2f256cee17c274df2d411858abb14789406671c1dca6017c4

SHA512
04a183bddeeaa6fe316596fad52a6e707549ca2e93b2b294c618b4381018bf5791582e2ac08e0f5e5cea86ac980a56208e54e1e310945614e00524d50a00c550

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\gdrrr.exe
MD5
6a714c56525073f78181129ce52175db

SHA1
eb7a9356e9cc40368e1774035c23b15b7c8d792b

SHA256
57c417f53d9032a2f256cee17c274df2d411858abb14789406671c1dca6017c4

SHA512
04a183bddeeaa6fe316596fad52a6e707549ca2e93b2b294c618b4381018bf5791582e2ac08e0f5e5cea86ac980a56208e54e1e310945614e00524d50a00c550

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdiview.msi
MD5
7cc103f6fd70c6f3a2d2b9fca0438182

SHA1
699bd8924a27516b405ea9a686604b53b4e23372

SHA256
dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1

SHA512
92ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QTJK2.tmp\ MWtx8 DK1Xs.tmp
MD5
c867d33d57f9128051e60c8a2003885e

SHA1
129a7738a77ba6a8a8e5f3230ab349cb20abc07a

SHA256
6eea6eae7f76f0d93864ac076cd55b6fa1d9a1d8243b49fcb1654cb5d1dacf1a

SHA512
ac22b7c9271f05514ac3dae48f781fc1c7a1bcaa30f5d812577b40c9a0d6ba5fd5c833241e053b8e03afef73beb60aab1357a094c9940d7a04c27f78de24b353

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Roaming\1614199815076.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1614199815076.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1614199815076.txt
MD5
f3a55ae79aa1a18000ccac4d16761dcd

SHA1
7e2cf5c2a7147b4b172bd9347bbf45aca6beb0f3

SHA256
a77561badbf13eef0e2b0d278d81d7847bfa26c8f3765c2fb798ab4187675575

SHA512
5184cb5cc3278cccf387e7e576587fa33c87d62df1249d20542257443fb36ca67a71f63775c241dcb982542abfcb0918d29edc333addb234b0a46db29fd5c168

Download Submit
C:\Users\Admin\AppData\Roaming\1614199817294.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1614199817294.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1614199817294.txt
MD5
f3a55ae79aa1a18000ccac4d16761dcd

SHA1
7e2cf5c2a7147b4b172bd9347bbf45aca6beb0f3

SHA256
a77561badbf13eef0e2b0d278d81d7847bfa26c8f3765c2fb798ab4187675575

SHA512
5184cb5cc3278cccf387e7e576587fa33c87d62df1249d20542257443fb36ca67a71f63775c241dcb982542abfcb0918d29edc333addb234b0a46db29fd5c168

Download Submit
C:\Users\Admin\AppData\Roaming\BE54.tmp.exe
MD5
5f58ea16d3b08acf421a568da5e901f1

SHA1
34b6677c290fd53c01d3920a161ed0410d6e55b3

SHA256
e6f025d0a5ec3a4ac1d7943aaf64c95b18d0f2956caf43444ce9651cb71dcd10

SHA512
c80a545edc4ea15947184ee51e7fe8d50e09afca719d0a2e8dadbe6dec8711e0002c3b175a14280c6a9bc2799837cd1a3d546156e2effef959f2c7002bdd560b

Download Submit
C:\Users\Admin\AppData\Roaming\BE54.tmp.exe
MD5
5f58ea16d3b08acf421a568da5e901f1

SHA1
34b6677c290fd53c01d3920a161ed0410d6e55b3

SHA256
e6f025d0a5ec3a4ac1d7943aaf64c95b18d0f2956caf43444ce9651cb71dcd10

SHA512
c80a545edc4ea15947184ee51e7fe8d50e09afca719d0a2e8dadbe6dec8711e0002c3b175a14280c6a9bc2799837cd1a3d546156e2effef959f2c7002bdd560b

Download Submit
C:\Users\Admin\AppData\Roaming\BE54.tmp.exe
MD5
5f58ea16d3b08acf421a568da5e901f1

SHA1
34b6677c290fd53c01d3920a161ed0410d6e55b3

SHA256
e6f025d0a5ec3a4ac1d7943aaf64c95b18d0f2956caf43444ce9651cb71dcd10

SHA512
c80a545edc4ea15947184ee51e7fe8d50e09afca719d0a2e8dadbe6dec8711e0002c3b175a14280c6a9bc2799837cd1a3d546156e2effef959f2c7002bdd560b

Download Submit
C:\Users\Admin\Documents\ MWtx8 DK1Xs.exe
MD5
b9c42d94ce265a43259a201ce4e5aeb4

SHA1
64926b6302ebfb5002e6342c842c7206d667b22b

SHA256
b8db09eb95279b78a840fab1ee7b39a7f140b0f44adb928c4b11d20e30891bb2

SHA512
c768c39b757eadf02b784d1f6b389cd3a989f88bee336d45ac5739e56f223a505a50e32b2c60d02d16cdc576f506d408aee58530ac578aa350338793df0c854c

Download Submit
C:\Users\Admin\Documents\ MWtx8 DK1Xs.exe
MD5
b9c42d94ce265a43259a201ce4e5aeb4

SHA1
64926b6302ebfb5002e6342c842c7206d667b22b

SHA256
b8db09eb95279b78a840fab1ee7b39a7f140b0f44adb928c4b11d20e30891bb2

SHA512
c768c39b757eadf02b784d1f6b389cd3a989f88bee336d45ac5739e56f223a505a50e32b2c60d02d16cdc576f506d408aee58530ac578aa350338793df0c854c

Download Submit
C:\Users\Admin\Documents\RNZiBJfTtElg.exe
MD5
cc9720fe2882a3f7cc54f0f9afb1f335

SHA1
aea59caec4ed3bfbbee2b8cd94c516ae45848a69

SHA256
7e0afbcc7487f74ef4d2dc400812b48542b95dfecad63fe356231065fa10a3db

SHA512
c310106ae8e37c7b85e9355b0852fe87ee73f03cbd23d68c7ac236a2548bb46b7b4a20dfcc973ee836ac415f1dedef5c53a4ade365e90be0dc7e11ef7641e1fa

Download Submit
C:\Users\Admin\Documents\RNZiBJfTtElg.exe
MD5
cc9720fe2882a3f7cc54f0f9afb1f335

SHA1
aea59caec4ed3bfbbee2b8cd94c516ae45848a69

SHA256
7e0afbcc7487f74ef4d2dc400812b48542b95dfecad63fe356231065fa10a3db

SHA512
c310106ae8e37c7b85e9355b0852fe87ee73f03cbd23d68c7ac236a2548bb46b7b4a20dfcc973ee836ac415f1dedef5c53a4ade365e90be0dc7e11ef7641e1fa

Download Submit
C:\Users\Admin\Documents\U S3e2xzkxGa.exe
MD5
f16ab0fc5a3e8a0deabf9593f78224b8

SHA1
e3cf6e16cfd08bb13aab7273cfc9c57d81908ae6

SHA256
85f7a484933b1149a458d63dddb9be83bd630fb65b45a94491db62cb18950009

SHA512
df6ef9d0f7ea373f1f0d1ea391aeba866e60928cd3214482d2c65c1ad7cbe12913f8900d96ebb48ac0acc1fbe707eb42d717c752d42b2cd8c63d8eefc54ecd7d

Download Submit
C:\Users\Admin\Documents\U S3e2xzkxGa.exe
MD5
f16ab0fc5a3e8a0deabf9593f78224b8

SHA1
e3cf6e16cfd08bb13aab7273cfc9c57d81908ae6

SHA256
85f7a484933b1149a458d63dddb9be83bd630fb65b45a94491db62cb18950009

SHA512
df6ef9d0f7ea373f1f0d1ea391aeba866e60928cd3214482d2c65c1ad7cbe12913f8900d96ebb48ac0acc1fbe707eb42d717c752d42b2cd8c63d8eefc54ecd7d

Download Submit
C:\Users\Admin\Documents\gDBozCQz RWS.exe
MD5
f5cca3aa7de2478569d38c765654267d

SHA1
7dfd05dd62788dd43289e2032f00006789e71311

SHA256
280aa9de9a1db7e8c380b811e80f30a12b592222fe304b578ea1efcb2ac340e5

SHA512
0a78ae90699d7b8834946368c9d2d8e87d9a6c610d9cc2d26fe9c2e1e80173331d55beeb28c40f17831daf29132fb40c9fe670334b9626e349eeeb0a28acb57d

Download Submit
C:\Users\Admin\Documents\gDBozCQz RWS.exe
MD5
f5cca3aa7de2478569d38c765654267d

SHA1
7dfd05dd62788dd43289e2032f00006789e71311

SHA256
280aa9de9a1db7e8c380b811e80f30a12b592222fe304b578ea1efcb2ac340e5

SHA512
0a78ae90699d7b8834946368c9d2d8e87d9a6c610d9cc2d26fe9c2e1e80173331d55beeb28c40f17831daf29132fb40c9fe670334b9626e349eeeb0a28acb57d

Download Submit
C:\Users\Admin\Documents\pV9ofc6R3C Z.exe
MD5
fcfb7642a05749559f580bd93f37acf4

SHA1
2969ae53e434a0844134a931f69a3da137a6d811

SHA256
7058bd005e007331f12d014479a3728514d2b09d8e4602e0a966ba68dea51552

SHA512
0357509767ef1b29ca86c1adcbe7ea8169ea3b298703b3764b21a70f5642380bcbca3d410a6977378b81b180d625cbf5412ac9f82238a2a7690dde1089654b83

Download Submit
C:\Users\Admin\Documents\pV9ofc6R3C Z.exe
MD5
fcfb7642a05749559f580bd93f37acf4

SHA1
2969ae53e434a0844134a931f69a3da137a6d811

SHA256
7058bd005e007331f12d014479a3728514d2b09d8e4602e0a966ba68dea51552

SHA512
0357509767ef1b29ca86c1adcbe7ea8169ea3b298703b3764b21a70f5642380bcbca3d410a6977378b81b180d625cbf5412ac9f82238a2a7690dde1089654b83

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
MD5
3773a457915b165cf40400b88c5a6c03

SHA1
b3fca3fa5956b895340a67ca9d3c2371a772d150

SHA256
94b144b67fe2f5b6b3773a2a1bd03ba5d01b3d3b9de0e094476f8595d792e282

SHA512
c4a657c1188f1308791b6939c739fe02a0c3d23e73fc3889435f60f94cca07b029cbdc275a04642864c08d7fa384855b15f6996bc162be4135e6ded442bf556f

Download Submit
\??\Volume{f994966a-0000-0000-0000-500600000000}\System Volume Information\SPP\OnlineMetadataCache\{2616c56b-3896-43d1-98bf-7389d38cc7fc}_OnDiskSnapshotProp
MD5
24a26a1e268d4a5283fa784b052de805

SHA1
369b03849df2d92a22f64f4eb0d7b61e6bb2ad7a

SHA256
e22f78a0e10afc10eb207e14a84f7363cc50e524599a045a1faacb4e6880ae34

SHA512
d8e89674665d19201349296b4cca4d491d590b9c344f80318334cfeaa4a40aca01c008de4c596079b24fe5ae7dae47a95d61599be0a982ed8fe94fd67637d11f

Download Submit
\Users\Admin\AppData\Local\Temp\MSI984E.tmp
MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
\Users\Admin\AppData\Local\Temp\is-6UD78.tmp\idp.dll
MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
memory/188-33-0x0000000000000000-mapping.dmp

Download
memory/1000-7-0x0000000000000000-mapping.dmp

Download
memory/1084-171-0x0000000000000000-mapping.dmp

Download
memory/1156-5-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/1156-2-0x0000000073CB0000-0x000000007439E000-memory.dmp

Filesize
6.9MB

Download
memory/1156-3-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/1364-14-0x0000000000000000-mapping.dmp

Download
memory/1432-137-0x0000000007E20000-0x0000000007E21000-memory.dmp

Filesize
4KB

Download
memory/1432-111-0x0000000000000000-mapping.dmp

Download
memory/1432-135-0x0000000007D40000-0x0000000007D72000-memory.dmp

Filesize
200KB

Download
memory/1432-140-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/1432-168-0x0000000009100000-0x0000000009101000-memory.dmp

Filesize
4KB

Download
memory/1432-114-0x0000000073CB0000-0x000000007439E000-memory.dmp

Filesize
6.9MB

Download
memory/1432-118-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/1548-131-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/1548-133-0x00000000027C0000-0x00000000027CB000-memory.dmp

Filesize
44KB

Download
memory/1548-139-0x000000000A340000-0x000000000A341000-memory.dmp

Filesize
4KB

Download
memory/1548-115-0x0000000000000000-mapping.dmp

Download
memory/1548-136-0x000000000A7B0000-0x000000000A7B1000-memory.dmp

Filesize
4KB

Download
memory/1548-124-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/1548-119-0x0000000073CB0000-0x000000007439E000-memory.dmp

Filesize
6.9MB

Download
memory/1604-27-0x0000000000000000-mapping.dmp

Download
memory/2160-106-0x0000000000000000-mapping.dmp

Download
memory/2208-103-0x00007FFC81EC0000-0x00007FFC828AC000-memory.dmp

Filesize
9.9MB

Download
memory/2208-100-0x0000000000000000-mapping.dmp

Download
memory/2208-104-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/2208-107-0x0000000001400000-0x0000000001401000-memory.dmp

Filesize
4KB

Download
memory/2208-109-0x0000000001430000-0x000000000144E000-memory.dmp

Filesize
120KB

Download
memory/2208-108-0x000000001B940000-0x000000001B942000-memory.dmp

Filesize
8KB

Download
memory/2208-110-0x0000000001410000-0x0000000001411000-memory.dmp

Filesize
4KB

Download
memory/2472-31-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2472-25-0x0000000000000000-mapping.dmp

Download
memory/3232-24-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/3232-13-0x0000000000000000-mapping.dmp

Download
memory/3320-36-0x0000000000000000-mapping.dmp

Download
memory/3320-46-0x0000000010000000-0x000000001033D000-memory.dmp

Filesize
3.2MB

Download
memory/3824-12-0x00007FFC81EC0000-0x00007FFC828AC000-memory.dmp

Filesize
9.9MB

Download
memory/3824-16-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/3824-6-0x0000000000000000-mapping.dmp

Download
memory/3876-20-0x0000000000000000-mapping.dmp

Download
memory/4000-186-0x0000000000000000-mapping.dmp

Download
memory/4116-40-0x0000000004020000-0x0000000004021000-memory.dmp

Filesize
4KB

Download
memory/4116-41-0x0000000004020000-0x0000000004021000-memory.dmp

Filesize
4KB

Download
memory/4132-39-0x0000000000000000-mapping.dmp

Download
memory/4164-99-0x0000000000000000-mapping.dmp

Download
memory/4204-184-0x0000000000000000-mapping.dmp

Download
memory/4220-47-0x0000000000000000-mapping.dmp

Download
memory/4348-53-0x0000000000000000-mapping.dmp

Download
memory/4392-162-0x0000000000000000-mapping.dmp

Download
memory/4412-56-0x0000000000000000-mapping.dmp

Download
memory/4412-69-0x0000000002E50000-0x00000000032FF000-memory.dmp

Filesize
4.7MB

Download
memory/4424-58-0x0000000000000000-mapping.dmp

Download
memory/4424-70-0x0000000003660000-0x0000000003B0F000-memory.dmp

Filesize
4.7MB

Download
memory/4436-174-0x0000000000000000-mapping.dmp

Download
memory/4452-127-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/4452-158-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/4452-147-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/4452-134-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/4452-125-0x0000000073CB0000-0x000000007439E000-memory.dmp

Filesize
6.9MB

Download
memory/4452-143-0x0000000005450000-0x0000000005485000-memory.dmp

Filesize
212KB

Download
memory/4452-141-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/4452-121-0x0000000000000000-mapping.dmp

Download
memory/4464-61-0x0000000000000000-mapping.dmp

Download
memory/4484-65-0x00000000008C0000-0x00000000008CD000-memory.dmp

Filesize
52KB

Download
memory/4484-62-0x0000000000000000-mapping.dmp

Download
memory/4484-98-0x0000000003450000-0x000000000349A000-memory.dmp

Filesize
296KB

Download
memory/4492-182-0x0000000000000000-mapping.dmp

Download
memory/4576-68-0x0000000000000000-mapping.dmp

Download
memory/4656-71-0x0000000000000000-mapping.dmp

Download
memory/4668-73-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/4668-75-0x0000025284570000-0x0000025284571000-memory.dmp

Filesize
4KB

Download
memory/4668-72-0x00007FF720AE8270-mapping.dmp

Download
memory/4680-175-0x0000000000000000-mapping.dmp

Download
memory/4728-74-0x0000000000000000-mapping.dmp

Download
memory/4768-128-0x0000000000000000-mapping.dmp

Download
memory/4796-76-0x0000000000000000-mapping.dmp

Download
memory/4912-185-0x0000000000000000-mapping.dmp

Download
memory/4916-80-0x0000000000000000-mapping.dmp

Download
memory/4924-142-0x0000000000000000-mapping.dmp

Download
memory/4924-157-0x0000000005600000-0x0000000005601000-memory.dmp

Filesize
4KB

Download
memory/4924-146-0x0000000073CB0000-0x000000007439E000-memory.dmp

Filesize
6.9MB

Download
memory/4924-160-0x0000000002E40000-0x0000000002E41000-memory.dmp

Filesize
4KB

Download
memory/4928-176-0x0000000000000000-mapping.dmp

Download
memory/4960-81-0x0000000000000000-mapping.dmp

Download
memory/4992-82-0x00007FF720AE8270-mapping.dmp

Download
memory/4992-87-0x000001E6D2CF0000-0x000001E6D2CF1000-memory.dmp

Filesize
4KB

Download
memory/4996-148-0x0000000000000000-mapping.dmp

Download
memory/5004-83-0x0000000000000000-mapping.dmp

Download
memory/5056-96-0x0000000000960000-0x00000000009A5000-memory.dmp

Filesize
276KB

Download
memory/5056-92-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/5056-89-0x0000000000000000-mapping.dmp

Download
memory/5092-94-0x0000000000401480-mapping.dmp

Download
memory/5092-93-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/5092-97-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download