cryptbot | f611711bbcb210e6e679026be24fd78215dc623abfb926d6811274eec16a3ca7

Analysis

max time kernel
149s
max time network
146s
platform
windows10_x64
resource
win10v20210410
submitted
24-05-2021 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4509D3B2A883CF33FCAA8452A229A34D.exe
Size

342KB
MD5

4509d3b2a883cf33fcaa8452a229a34d
SHA1

94507d63cf324a8607c426150e4d27b1f8d9efb4
SHA256

f611711bbcb210e6e679026be24fd78215dc623abfb926d6811274eec16a3ca7
SHA512

6d4ccfd0d3891699a248c128da580ef53b22b5a0151056e3ad9fc7c8f0b164af0f738024196b3d37784c7912538577a19f47bd1ef484784863192853df9b7589

Score

10^/10

cryptbot danabot redline 3 77777 mix 25.05 banker discovery infostealer spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

77777

xanerlaychi.xyz:80

Extracted

Family

cryptbot

geotel12.top

morbqm01.top

Attributes

payload_url
http://roggmq01.top/download.php?file=lv.exe

Extracted

Family

redline

Botnet

MIX 25.05

xisolenoy.xyz:80

Extracted

Family

danabot

Version

1827

Botnet

184.95.51.183:443

184.95.51.175:443

192.210.198.12:443

184.95.51.180:443

Attributes

embedded_hash
AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1084-152-0x00000000021A0000-0x0000000002281000-memory.dmp	family_cryptbot
behavioral2/memory/1084-153-0x0000000000400000-0x00000000004E5000-memory.dmp	family_cryptbot

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/196-123-0x0000000000400000-0x000000000041C000-memory.dmp	family_redline
behavioral2/memory/196-124-0x00000000004166BA-mapping.dmp	family_redline
behavioral2/memory/196-131-0x0000000005360000-0x0000000005966000-memory.dmp	family_redline
behavioral2/memory/4796-171-0x0000000000400000-0x000000000041C000-memory.dmp	family_redline
behavioral2/memory/4796-172-0x000000000041699E-mapping.dmp	family_redline
behavioral2/memory/4796-181-0x0000000005450000-0x0000000005A56000-memory.dmp	family_redline

Blocklisted process makes network request 7 IoCs

Processes:

RUNDLL32.EXEWScript.exe

flow pid process

106 2824 RUNDLL32.EXE
108 1532 WScript.exe
109 1532 WScript.exe
110 1532 WScript.exe
111 1532 WScript.exe
113 2824 RUNDLL32.EXE
114 2824 RUNDLL32.EXE
Downloads MZ/PE file

flow	pid	process
106	2824	RUNDLL32.EXE
108	1532	WScript.exe
109	1532	WScript.exe
110	1532	WScript.exe
111	1532	WScript.exe
113	2824	RUNDLL32.EXE
114	2824	RUNDLL32.EXE

Executes dropped EXE 12 IoCs

Processes:

37212156218.exe72118260523.exe17202393099.exeGarbage Cleaner.exeedspolishpp.exeUgcrpJ.exevpn.exe4.exeDattero.exe.comDattero.exe.comSmartClock.exewruocaihtb.exe

pid	process
4068	37212156218.exe
1084	72118260523.exe
2152	17202393099.exe
3520	Garbage Cleaner.exe
4660	edspolishpp.exe
5076	UgcrpJ.exe
1092	vpn.exe
4236	4.exe
1048	Dattero.exe.com
4672	Dattero.exe.com
5056	SmartClock.exe
3488	wruocaihtb.exe

Drops startup file 1 IoCs

Processes:

4.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4.exe
Loads dropped DLL 5 IoCs

Processes:

UgcrpJ.exerundll32.exeRUNDLL32.EXE

pid process

5076 UgcrpJ.exe
4424 rundll32.exe
4424 rundll32.exe
2824 RUNDLL32.EXE
2824 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

95 ip-api.com

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4.exe

pid	process
5076	UgcrpJ.exe
4424	rundll32.exe
4424	rundll32.exe
2824	RUNDLL32.EXE
2824	RUNDLL32.EXE

flow	ioc
95	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

37212156218.exeedspolishpp.exe

description	pid	process	target process
PID 4068 set thread context of 196	4068	37212156218.exe	AddInProcess32.exe
PID 4660 set thread context of 4796	4660	edspolishpp.exe	AddInProcess32.exe

Drops file in Program Files directory 3 IoCs

Processes:

UgcrpJ.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	UgcrpJ.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	UgcrpJ.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	UgcrpJ.exe

Drops file in Windows directory 1 IoCs

Processes:

MicrosoftEdge.exe

description ioc process

File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

72118260523.exe17202393099.exeDattero.exe.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	72118260523.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	72118260523.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	17202393099.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	17202393099.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Dattero.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Dattero.exe.com

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4848 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2056 taskkill.exe

pid	process
4848	timeout.exe

pid	process
2056	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = a0575121e950d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionIn	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-0876022 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 301bd569d72dd701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "5tuau29"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 7a5c430ee950d701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 7b44ac0ee950d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 301bd569d72dd701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{EE88FFA2-7E46-4160-A752-4CA5579E4A45} = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = f3ecb10de950d701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$WordPress	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root	MicrosoftEdge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3616 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

5056 SmartClock.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

AddInProcess32.exeAddInProcess32.exe

pid process

196 AddInProcess32.exe
4796 AddInProcess32.exe
4796 AddInProcess32.exe
4796 AddInProcess32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

4292 MicrosoftEdgeCP.exe

pid	process
3616	PING.EXE

pid	process
5056	SmartClock.exe

pid	process
196	AddInProcess32.exe
4796	AddInProcess32.exe
4796	AddInProcess32.exe
4796	AddInProcess32.exe

pid	process
4292	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

37212156218.exeAddInProcess32.exetaskkill.exeGarbage Cleaner.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeedspolishpp.exeMicrosoftEdgeCP.exeAddInProcess32.exerundll32.exeRUNDLL32.EXE

description	pid	process
Token: SeDebugPrivilege	4068	37212156218.exe
Token: SeDebugPrivilege	196	AddInProcess32.exe
Token: SeDebugPrivilege	2056	taskkill.exe
Token: SeDebugPrivilege	3520	Garbage Cleaner.exe
Token: SeDebugPrivilege	1168	MicrosoftEdge.exe
Token: SeDebugPrivilege	1168	MicrosoftEdge.exe
Token: SeDebugPrivilege	1168	MicrosoftEdge.exe
Token: SeDebugPrivilege	1168	MicrosoftEdge.exe
Token: SeDebugPrivilege	4376	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4376	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4376	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4376	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4660	edspolishpp.exe
Token: SeDebugPrivilege	4924	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4924	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4796	AddInProcess32.exe
Token: SeDebugPrivilege	4424	rundll32.exe
Token: SeDebugPrivilege	2824	RUNDLL32.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

72118260523.exevpn.exe

pid process

1084 72118260523.exe
1084 72118260523.exe
1092 vpn.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

1168 MicrosoftEdge.exe
4292 MicrosoftEdgeCP.exe
4292 MicrosoftEdgeCP.exe

pid	process
1084	72118260523.exe
1084	72118260523.exe
1092	vpn.exe

pid	process
1168	MicrosoftEdge.exe
4292	MicrosoftEdgeCP.exe
4292	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4509D3B2A883CF33FCAA8452A229A34D.execmd.exe37212156218.execmd.execmd.execmd.execmd.exeMicrosoftEdgeCP.exe17202393099.exeedspolishpp.exe72118260523.execmd.exeUgcrpJ.exe

description	pid	process	target process
PID 4048 wrote to memory of 3860	4048	4509D3B2A883CF33FCAA8452A229A34D.exe	cmd.exe
PID 4048 wrote to memory of 3860	4048	4509D3B2A883CF33FCAA8452A229A34D.exe	cmd.exe
PID 4048 wrote to memory of 3860	4048	4509D3B2A883CF33FCAA8452A229A34D.exe	cmd.exe
PID 3860 wrote to memory of 4068	3860	cmd.exe	37212156218.exe
PID 3860 wrote to memory of 4068	3860	cmd.exe	37212156218.exe
PID 3860 wrote to memory of 4068	3860	cmd.exe	37212156218.exe
PID 4068 wrote to memory of 196	4068	37212156218.exe	AddInProcess32.exe
PID 4068 wrote to memory of 196	4068	37212156218.exe	AddInProcess32.exe
PID 4068 wrote to memory of 196	4068	37212156218.exe	AddInProcess32.exe
PID 4068 wrote to memory of 196	4068	37212156218.exe	AddInProcess32.exe
PID 4068 wrote to memory of 196	4068	37212156218.exe	AddInProcess32.exe
PID 4068 wrote to memory of 196	4068	37212156218.exe	AddInProcess32.exe
PID 4068 wrote to memory of 196	4068	37212156218.exe	AddInProcess32.exe
PID 4068 wrote to memory of 196	4068	37212156218.exe	AddInProcess32.exe
PID 4048 wrote to memory of 1404	4048	4509D3B2A883CF33FCAA8452A229A34D.exe	cmd.exe
PID 4048 wrote to memory of 1404	4048	4509D3B2A883CF33FCAA8452A229A34D.exe	cmd.exe
PID 4048 wrote to memory of 1404	4048	4509D3B2A883CF33FCAA8452A229A34D.exe	cmd.exe
PID 1404 wrote to memory of 1084	1404	cmd.exe	72118260523.exe
PID 1404 wrote to memory of 1084	1404	cmd.exe	72118260523.exe
PID 1404 wrote to memory of 1084	1404	cmd.exe	72118260523.exe
PID 4048 wrote to memory of 3980	4048	4509D3B2A883CF33FCAA8452A229A34D.exe	cmd.exe
PID 4048 wrote to memory of 3980	4048	4509D3B2A883CF33FCAA8452A229A34D.exe	cmd.exe
PID 4048 wrote to memory of 3980	4048	4509D3B2A883CF33FCAA8452A229A34D.exe	cmd.exe
PID 3980 wrote to memory of 2152	3980	cmd.exe	17202393099.exe
PID 3980 wrote to memory of 2152	3980	cmd.exe	17202393099.exe
PID 3980 wrote to memory of 2152	3980	cmd.exe	17202393099.exe
PID 4048 wrote to memory of 1120	4048	4509D3B2A883CF33FCAA8452A229A34D.exe	cmd.exe
PID 4048 wrote to memory of 1120	4048	4509D3B2A883CF33FCAA8452A229A34D.exe	cmd.exe
PID 4048 wrote to memory of 1120	4048	4509D3B2A883CF33FCAA8452A229A34D.exe	cmd.exe
PID 4048 wrote to memory of 4012	4048	4509D3B2A883CF33FCAA8452A229A34D.exe	cmd.exe
PID 4048 wrote to memory of 4012	4048	4509D3B2A883CF33FCAA8452A229A34D.exe	cmd.exe
PID 4048 wrote to memory of 4012	4048	4509D3B2A883CF33FCAA8452A229A34D.exe	cmd.exe
PID 1120 wrote to memory of 3520	1120	cmd.exe	Garbage Cleaner.exe
PID 1120 wrote to memory of 3520	1120	cmd.exe	Garbage Cleaner.exe
PID 4012 wrote to memory of 2056	4012	cmd.exe	taskkill.exe
PID 4012 wrote to memory of 2056	4012	cmd.exe	taskkill.exe
PID 4012 wrote to memory of 2056	4012	cmd.exe	taskkill.exe
PID 4292 wrote to memory of 4376	4292	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4292 wrote to memory of 4376	4292	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4292 wrote to memory of 4376	4292	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4292 wrote to memory of 4376	4292	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2152 wrote to memory of 4660	2152	17202393099.exe	edspolishpp.exe
PID 2152 wrote to memory of 4660	2152	17202393099.exe	edspolishpp.exe
PID 2152 wrote to memory of 4660	2152	17202393099.exe	edspolishpp.exe
PID 4660 wrote to memory of 4796	4660	edspolishpp.exe	AddInProcess32.exe
PID 4660 wrote to memory of 4796	4660	edspolishpp.exe	AddInProcess32.exe
PID 4660 wrote to memory of 4796	4660	edspolishpp.exe	AddInProcess32.exe
PID 4660 wrote to memory of 4796	4660	edspolishpp.exe	AddInProcess32.exe
PID 4660 wrote to memory of 4796	4660	edspolishpp.exe	AddInProcess32.exe
PID 4660 wrote to memory of 4796	4660	edspolishpp.exe	AddInProcess32.exe
PID 4660 wrote to memory of 4796	4660	edspolishpp.exe	AddInProcess32.exe
PID 4660 wrote to memory of 4796	4660	edspolishpp.exe	AddInProcess32.exe
PID 1084 wrote to memory of 5032	1084	72118260523.exe	cmd.exe
PID 1084 wrote to memory of 5032	1084	72118260523.exe	cmd.exe
PID 1084 wrote to memory of 5032	1084	72118260523.exe	cmd.exe
PID 5032 wrote to memory of 5076	5032	cmd.exe	UgcrpJ.exe
PID 5032 wrote to memory of 5076	5032	cmd.exe	UgcrpJ.exe
PID 5032 wrote to memory of 5076	5032	cmd.exe	UgcrpJ.exe
PID 5076 wrote to memory of 1092	5076	UgcrpJ.exe	vpn.exe
PID 5076 wrote to memory of 1092	5076	UgcrpJ.exe	vpn.exe
PID 5076 wrote to memory of 1092	5076	UgcrpJ.exe	vpn.exe
PID 5076 wrote to memory of 4236	5076	UgcrpJ.exe	4.exe
PID 5076 wrote to memory of 4236	5076	UgcrpJ.exe	4.exe
PID 5076 wrote to memory of 4236	5076	UgcrpJ.exe	4.exe

C:\Users\Admin\AppData\Local\Temp\4509D3B2A883CF33FCAA8452A229A34D.exe
"C:\Users\Admin\AppData\Local\Temp\4509D3B2A883CF33FCAA8452A229A34D.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{zcPB-pw3gz-OCCC-4TUNq}\37212156218.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3860
- - C:\Users\Admin\AppData\Local\Temp\{zcPB-pw3gz-OCCC-4TUNq}\37212156218.exe
    "C:\Users\Admin\AppData\Local\Temp\{zcPB-pw3gz-OCCC-4TUNq}\37212156218.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4068
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:196
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{zcPB-pw3gz-OCCC-4TUNq}\72118260523.exe" /mix
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Users\Admin\AppData\Local\Temp\{zcPB-pw3gz-OCCC-4TUNq}\72118260523.exe
    "C:\Users\Admin\AppData\Local\Temp\{zcPB-pw3gz-OCCC-4TUNq}\72118260523.exe" /mix
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\UgcrpJ.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5032
    - - C:\Users\Admin\AppData\Local\Temp\UgcrpJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UgcrpJ.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:5076
      - C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Mantenga.vss
        7⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd
        8⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^bAkfzoKQvHFUmbrqoisrIleiaesQFsrIsJknWXXoOVdpobAbbHavzJQhbrXdQTltDXCPkEtlpogMUSYVCTzYZGgHSYqSZGaVLkFkUKkSCijkxrzEy$" Infine.vss
        9⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Dattero.exe.com
        
        Dattero.exe.com I
        9⤵
        Executes dropped EXE
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Dattero.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Dattero.exe.com I
        10⤵
        Executes dropped EXE
        Checks processor information in registry
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\wruocaihtb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wruocaihtb.exe"
        11⤵
        Executes dropped EXE
        
        PID:3488
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\WRUOCA~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\WRUOCA~1.EXE
        12⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:4424
        
        C:\Windows\SysWOW64\RUNDLL32.EXE
        
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\WRUOCA~1.DLL,YAhYLDZoBfT4
        13⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\puvchqopt.vbs"
        11⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\qotuvgtsaey.vbs"
        11⤵
        Blocklisted process makes network request
        
        PID:1532
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 30
        9⤵
        Runs ping.exe
        
        PID:3616
      - C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
        6⤵
        Executes dropped EXE
        Drops startup file
        
        PID:4236
        
        C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
        
        "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        
        PID:5056
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\jWhhOMQfb & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\{zcPB-pw3gz-OCCC-4TUNq}\72118260523.exe"
      4⤵
      PID:4664
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:4848
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{zcPB-pw3gz-OCCC-4TUNq}\17202393099.exe" /mix
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Users\Admin\AppData\Local\Temp\{zcPB-pw3gz-OCCC-4TUNq}\17202393099.exe
    "C:\Users\Admin\AppData\Local\Temp\{zcPB-pw3gz-OCCC-4TUNq}\17202393099.exe" /mix
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Users\Admin\AppData\Roaming\nailedp\edspolishpp.exe
      edspolishpp.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4660
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4796
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe
    "C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3520
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "4509D3B2A883CF33FCAA8452A229A34D.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\4509D3B2A883CF33FCAA8452A229A34D.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "4509D3B2A883CF33FCAA8452A229A34D.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2056

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1168

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3800

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4292

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2024

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Garbage Cleaner\Bunifu_UI_v1.5.3.dll

MD5
2ecb51ab00c5f340380ecf849291dbcf

SHA1
1a4dffbce2a4ce65495ed79eab42a4da3b660931

SHA256
f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf

SHA512
e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b

Download Submit
C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe

MD5
90d01324d134695266115e71e43e35dc

SHA1
8474a7f1ba4491104770c241ecc97c58a833985f

SHA256
f368fa6ec4bdce4139fb6926d329360e4f094e4fbebf49a3f2aaf333d108bce7

SHA512
3e588e4b22e15c9518c326357ad998d6e49caf9321138a515bfd1a9444abc8457c52a01a5082bac94cba43e5eb12a65161f9c6cec05ba142ca6858dd8fd230bd

Download Submit
C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe

MD5
90d01324d134695266115e71e43e35dc

SHA1
8474a7f1ba4491104770c241ecc97c58a833985f

SHA256
f368fa6ec4bdce4139fb6926d329360e4f094e4fbebf49a3f2aaf333d108bce7

SHA512
3e588e4b22e15c9518c326357ad998d6e49caf9321138a515bfd1a9444abc8457c52a01a5082bac94cba43e5eb12a65161f9c6cec05ba142ca6858dd8fd230bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AddInProcess32.exe.log

MD5
8c51d25ba63d722d2a4b6610e7650146

SHA1
33d17c45bea2224226c4ec015e2b6b33aa7b690b

SHA256
34bb1c24f595af737409396a9e27174ea4d6a78bc4fc8887a230a868ef7534c7

SHA512
6fbcaa6472e28370b2451ad5496e6520e9eddb50ac2fbb222266b0a11a59218a7b7c278fcbe46b657e448cbcb0513774a526e6102bb61f558f7e991310f6b2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Armi.vss

MD5
0590d0f53762996fd415b79a7a3189e3

SHA1
f68946c49c2e22d03077c361734a191990dd9a25

SHA256
792e1aa3a4fdcac59f9f1051409d97bbe2fa59a0d4c475c7f306fa533bc2e759

SHA512
13178bb8c425b4d46a697f1967c3256c052ca8a93ed8fd06da9ab83c18224f000db40dd9a40779244a644eaea9aead1c28fda2f3c5fc2abe03e3767ea6f0700a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Dattero.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Dattero.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Dattero.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\I

MD5
81289f08198e168ea7ac49509f896cd1

SHA1
8b58e421b1f56a5f4974257fb4f1f63fff156389

SHA256
4229f28c9ac25535da831599da32aa6a6e7ef5482e6796040338747f4c53905c

SHA512
93553261e776fa17a1d86d8fb49636f24ca18ad448abfdabc5d2164dccbeeba9ebf6133000aae01185b8caa14fd67fc0220229058db915fa6b443012db6dcf50

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Infine.vss

MD5
94a567f66abdfcb5f8a7bc4b5b303043

SHA1
bdba9fc8118e567e7294381774fdea02ed98ffb6

SHA256
7a8cde5417f46acf73224e49b604b7ffe6582cd8c62218bc79cc0cda781e0914

SHA512
036b1e57a0df6ff3ded11d0ba5627bba1aa4e1aa5dc8bc0b8faa6a379b06ae57e31570d11ce4bbd6e4d69a33ef3091400c195c24abce7650c6c55296579b4774

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mantenga.vss

MD5
223a924c57c78642d6205cba5f0ff25a

SHA1
15aa1494cf0c73d5bb64038da53cebf5a1a54bdc

SHA256
7e573334a81ce3cf631bafb96fc01fd391c1cc8c6fb8555bfdb7902a6d44a6e2

SHA512
7e6cc21befb0721392be6421088260a69335f2149fc0cefc58da1b00c009a979fc0df3e03620b1403f8618368c4b223fb3506833e43e05bbf4021985031be60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Tenendo.vss

MD5
81289f08198e168ea7ac49509f896cd1

SHA1
8b58e421b1f56a5f4974257fb4f1f63fff156389

SHA256
4229f28c9ac25535da831599da32aa6a6e7ef5482e6796040338747f4c53905c

SHA512
93553261e776fa17a1d86d8fb49636f24ca18ad448abfdabc5d2164dccbeeba9ebf6133000aae01185b8caa14fd67fc0220229058db915fa6b443012db6dcf50

Download Submit
C:\Users\Admin\AppData\Local\Temp\AB65.tmp

MD5
149c2823b7eadbfb0a82388a2ab9494f

SHA1
415fe979ce5fd0064d2557a48745a3ed1a3fbf9c

SHA256
06fa5d4e7fbfb1efdc19baa034601a894b21cf729785732853ced4bb40aca869

SHA512
f8fb6b7c93c4ab37f6e250ba8ac5c82f6e17fe52156cab81d34e91107d1da716b744bfe02ee0306497a3876d5352af789a1e66dab10e11e22065bac3050475fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe

MD5
ac6a0b44cc5e2c7947c52ca03d2fea0f

SHA1
d2bbf1242c59528b423fc1e8892584f7879ad364

SHA256
659d4c20e5cb8b548281e2386adc764c9ddf34821bab4671ad95ed7afc4793c7

SHA512
e7a0d9e26517dbc724f5b4a96109dee386b471b80d504a2d2a3f65413b32d7db860d1445dd88f2f261b6fe002dc557cb1277bb3c5869e0abe18d1428b5b3aa64

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe

MD5
ac6a0b44cc5e2c7947c52ca03d2fea0f

SHA1
d2bbf1242c59528b423fc1e8892584f7879ad364

SHA256
659d4c20e5cb8b548281e2386adc764c9ddf34821bab4671ad95ed7afc4793c7

SHA512
e7a0d9e26517dbc724f5b4a96109dee386b471b80d504a2d2a3f65413b32d7db860d1445dd88f2f261b6fe002dc557cb1277bb3c5869e0abe18d1428b5b3aa64

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe

MD5
edd6e5e05d8fc862240f7b68e50bdade

SHA1
1dd847ade625e4eac74f264a15a7ba9730027d8d

SHA256
0ac613fc321484cf2364587255173f267b58bf1cea1f255f57a5e2499aa12f09

SHA512
22dc0cd4e702231106a43da6e5a042973c2e34bd44319a3db547c5257c272568080ee594e6f706a64de57b85e1736b927ba34991564a1e972925aec622269495

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe

MD5
edd6e5e05d8fc862240f7b68e50bdade

SHA1
1dd847ade625e4eac74f264a15a7ba9730027d8d

SHA256
0ac613fc321484cf2364587255173f267b58bf1cea1f255f57a5e2499aa12f09

SHA512
22dc0cd4e702231106a43da6e5a042973c2e34bd44319a3db547c5257c272568080ee594e6f706a64de57b85e1736b927ba34991564a1e972925aec622269495

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgcrpJ.exe

MD5
0c4395b985bb159fcbfd05d8227b1484

SHA1
51890a6ed3f8a94cc0db1be611993438e1a4d124

SHA256
1c62dd0752e7923f5a67e352758ab13be8f92e174075ac87eadb556d95779eb1

SHA512
69de6e38f4af0944cc6f266c78bbc857a0733677dea943fca03cfc844d7b18058f13e3cd1d33eda1dd778a4ea63da4a1d5f8d197ecd9ccad281ca22485d1f84b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgcrpJ.exe

MD5
0c4395b985bb159fcbfd05d8227b1484

SHA1
51890a6ed3f8a94cc0db1be611993438e1a4d124

SHA256
1c62dd0752e7923f5a67e352758ab13be8f92e174075ac87eadb556d95779eb1

SHA512
69de6e38f4af0944cc6f266c78bbc857a0733677dea943fca03cfc844d7b18058f13e3cd1d33eda1dd778a4ea63da4a1d5f8d197ecd9ccad281ca22485d1f84b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WRUOCA~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
C:\Users\Admin\AppData\Local\Temp\jWhhOMQfb\DBOJCE~1.ZIP

MD5
f1fe6f144122640993224a5389d82ddc

SHA1
434412e0b2597f1c2487ca311a246e4dd1a07a5f

SHA256
1abc3bd85668d35901436a87bd0d4fbd7fad977ef9fefd697678ad9fa9bdec81

SHA512
4586634f22f83f4c4a84226288f902c811933ea746c970679b6fddcd2d9d6b2b195d57530dc12e14a009eaf97f732f94d1097dcefdc53eade022a9ffa3be624d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jWhhOMQfb\RRBLXK~1.ZIP

MD5
8ba2143a29c4fe56ffebbd7cb59aea01

SHA1
c08c325bbf8e58d163cac49bd20522a985c16588

SHA256
c74bd54a2bc48a7c25abc604e2383c577df39ef9d1bb502b63c81dc1c3a1b8c7

SHA512
600ab5c04f37b089885b08710aa3ffc48bd3cbbf6ebfcd34bc495346389ac654e4cade79b9563c71afe12d65d7dd0db59b0fcfba94a0ef4b3304fbf9ac477f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\jWhhOMQfb\_Files\_INFOR~1.TXT

MD5
e62c5eed0d46f8a688be97f9f46af599

SHA1
4706bf4e92dcaa9ecd7cc167d1c80d92942b701e

SHA256
c3b679e665e57d184dbee007773aa3446805b7f9c992c773adff7795d765a302

SHA512
0d4161e096a607a88b43a44806a092305eb6b5f70ed672af8c6bad43a4d414f5b43d4df17fde43c4ca055691c5d6ecfe6f879cc5a613f954c24ffdd34225fc9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jWhhOMQfb\_Files\_SCREE~1.JPE

MD5
3d5f2847a5236d722472fe5738efd7da

SHA1
28980f6c27f3795bcacdc94b20a36830be996015

SHA256
28b27643519b4ec626e332489b0f93f93d6cf5d8b95207e57a899ff4d7a3a620

SHA512
d6c79637cdf28e7bd15d0d298bbefd0e24508aaffde216da57d89ce82dfd8dff910e24f2d2e3f6557ce5bc342fbc22bcd1ec898d8db0dcf1f52dd02455e460f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jWhhOMQfb\files_\SCREEN~1.JPG

MD5
3d5f2847a5236d722472fe5738efd7da

SHA1
28980f6c27f3795bcacdc94b20a36830be996015

SHA256
28b27643519b4ec626e332489b0f93f93d6cf5d8b95207e57a899ff4d7a3a620

SHA512
d6c79637cdf28e7bd15d0d298bbefd0e24508aaffde216da57d89ce82dfd8dff910e24f2d2e3f6557ce5bc342fbc22bcd1ec898d8db0dcf1f52dd02455e460f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jWhhOMQfb\files_\SYSTEM~1.TXT

MD5
0bb05331187374ce76f44bbf6f713e9d

SHA1
8d79a8da2c6231947a92b18c262657aed7fecb5e

SHA256
df367166eba2af917707988158af4ad918ed587e2763e8dcb6239fd7f12ee086

SHA512
5e2f24d9fe6bf60abb63b4a24146c036e1d93b5f6c91471d4c7db2b9266b0dc09d75ef40422a1ed60177599f081c447878054f5c56c1bacdf263d6901221d13c

Download Submit
C:\Users\Admin\AppData\Local\Temp\puvchqopt.vbs

MD5
7d8da398f6dbdaccaf975cedfdb3ce0c

SHA1
95b5fdd33addf7a365d901a630d39cfdd971885c

SHA256
80ff3f586086a59984316d83c3035e0d440bafd2adc6541778c2dc731e2df2e2

SHA512
72a390921101e9650e96bf0e370fa579810abff3a4078890cf774b611c07a81a8360caa15a69f82119dca247d50797d8055181771c126c7423dc7b99ad6c94bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\qotuvgtsaey.vbs

MD5
df066f82fb7f21183c59017d08e51974

SHA1
8df9ef21909f650ff32d6821b07710ce5521e347

SHA256
4e4761372e1d6f97a9a7d976fa11306ef79f8cd67a2f549003de898150d45213

SHA512
0596e55faf44cedd372ed0971272766447e468ed348b20a42607273367c7340dcc6296a1d3f6a288871a8011cac9dabe33b1f38acfae0c8e920078d5c15240cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wruocaihtb.exe

MD5
cd40719a2a4b343268739b3d711437f4

SHA1
dd207bf59d41c15eae9f0f5025f0bee87b21f782

SHA256
f49f273f3ee41c8bfebed6c87c839335ae6ee8faa025f6ab67b6f9aec1569604

SHA512
541f608c46460d16341ca38d4175c96e4b5f37d591b6511efdbb7de4d5da74c960cd415db1032e1041fc76ddb3f10985d5d6c5f239853db1543c8b6e4f1a091e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wruocaihtb.exe

MD5
cd40719a2a4b343268739b3d711437f4

SHA1
dd207bf59d41c15eae9f0f5025f0bee87b21f782

SHA256
f49f273f3ee41c8bfebed6c87c839335ae6ee8faa025f6ab67b6f9aec1569604

SHA512
541f608c46460d16341ca38d4175c96e4b5f37d591b6511efdbb7de4d5da74c960cd415db1032e1041fc76ddb3f10985d5d6c5f239853db1543c8b6e4f1a091e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{zcPB-pw3gz-OCCC-4TUNq}\17202393099.exe

MD5
282226c050347c5ec110f338ef2b3019

SHA1
2f6a3239161ab66c3b394d203d90c7e8e54c2734

SHA256
2feb79c4820a1a855757884a7e71364134c743b624a4dc858bcc084f40f12bca

SHA512
423d97ee99f62d83c721e87cd3e2f340941b28bc106849ded554c3e53b5355c6c3f54060691fd5b31e69885b84ca7cf13926afd65548f868540edfcd0f89db48

Download Submit
C:\Users\Admin\AppData\Local\Temp\{zcPB-pw3gz-OCCC-4TUNq}\37212156218.exe

MD5
f86f20ca144ea03a7c0a6d68db883ace

SHA1
a402b6db28dd6531e6b35eeced1dd58063c57dcf

SHA256
b64e5c3552474b5c34c77a80a72711446f0c09a75f297d766dc0ec3880b85b71

SHA512
e63bdc640193ed31461bbf36b16a85799dc8e52463f0273fb7996e40c97ad08b5178258875429dcebd25343c9cc83378341c31d55b4564a12575174fd2e4be21

Download Submit
C:\Users\Admin\AppData\Local\Temp\{zcPB-pw3gz-OCCC-4TUNq}\37212156218.exe

MD5
f86f20ca144ea03a7c0a6d68db883ace

SHA1
a402b6db28dd6531e6b35eeced1dd58063c57dcf

SHA256
b64e5c3552474b5c34c77a80a72711446f0c09a75f297d766dc0ec3880b85b71

SHA512
e63bdc640193ed31461bbf36b16a85799dc8e52463f0273fb7996e40c97ad08b5178258875429dcebd25343c9cc83378341c31d55b4564a12575174fd2e4be21

Download Submit
C:\Users\Admin\AppData\Local\Temp\{zcPB-pw3gz-OCCC-4TUNq}\72118260523.exe

MD5
5352e9818d87c0456c69d433f2b5bbe1

SHA1
c81dddec46f548b4ab7e4d90435caec7ec241c3e

SHA256
2c4f065776a8e5d2b48a1af9b1e4928ff30422b67e7c0499df8304bb6e1d67c2

SHA512
3e23f17dcb60d8c5d23b9fff198423d5abd16ebb459f2549c63d76cbdf44f70c6b74092391fbfafb8c015450eae0f7f122dbc49c11b6f452b9e816525bba7c02

Download Submit
C:\Users\Admin\AppData\Local\Temp\{zcPB-pw3gz-OCCC-4TUNq}\72118260523.exe

MD5
5352e9818d87c0456c69d433f2b5bbe1

SHA1
c81dddec46f548b4ab7e4d90435caec7ec241c3e

SHA256
2c4f065776a8e5d2b48a1af9b1e4928ff30422b67e7c0499df8304bb6e1d67c2

SHA512
3e23f17dcb60d8c5d23b9fff198423d5abd16ebb459f2549c63d76cbdf44f70c6b74092391fbfafb8c015450eae0f7f122dbc49c11b6f452b9e816525bba7c02

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
ac6a0b44cc5e2c7947c52ca03d2fea0f

SHA1
d2bbf1242c59528b423fc1e8892584f7879ad364

SHA256
659d4c20e5cb8b548281e2386adc764c9ddf34821bab4671ad95ed7afc4793c7

SHA512
e7a0d9e26517dbc724f5b4a96109dee386b471b80d504a2d2a3f65413b32d7db860d1445dd88f2f261b6fe002dc557cb1277bb3c5869e0abe18d1428b5b3aa64

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
ac6a0b44cc5e2c7947c52ca03d2fea0f

SHA1
d2bbf1242c59528b423fc1e8892584f7879ad364

SHA256
659d4c20e5cb8b548281e2386adc764c9ddf34821bab4671ad95ed7afc4793c7

SHA512
e7a0d9e26517dbc724f5b4a96109dee386b471b80d504a2d2a3f65413b32d7db860d1445dd88f2f261b6fe002dc557cb1277bb3c5869e0abe18d1428b5b3aa64

Download Submit
C:\Users\Admin\AppData\Roaming\nailedp\edspolishpp.exe

MD5
6c7eb87d56448a4c9f4f11132c7e154e

SHA1
5e0d7a04718cb47b5d66c2d6b849d44da160863c

SHA256
177ca17e687ece45d924c37610fdc99f088cbf7c85bce7fdae6ccf9e9d955b41

SHA512
c4c72ea4fd1efb8a4d4f00d8dbb67f19cb52c318d1486f232fddb3922d33be8af573257349fddec938bbd0dd97618c1ab22db177dfb98dd4d01781cd5d5ffaa5

Download Submit
C:\Users\Admin\AppData\Roaming\nailedp\edspolishpp.exe

MD5
6c7eb87d56448a4c9f4f11132c7e154e

SHA1
5e0d7a04718cb47b5d66c2d6b849d44da160863c

SHA256
177ca17e687ece45d924c37610fdc99f088cbf7c85bce7fdae6ccf9e9d955b41

SHA512
c4c72ea4fd1efb8a4d4f00d8dbb67f19cb52c318d1486f232fddb3922d33be8af573257349fddec938bbd0dd97618c1ab22db177dfb98dd4d01781cd5d5ffaa5

Download Submit
\Users\Admin\AppData\Local\Temp\WRUOCA~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\WRUOCA~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\WRUOCA~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\WRUOCA~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\nsa9F83.tmp\UAC.dll

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/196-137-0x0000000006380000-0x0000000006381000-memory.dmp

Filesize
4KB

Download
memory/196-132-0x0000000005720000-0x0000000005721000-memory.dmp

Filesize
4KB

Download
memory/196-123-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/196-124-0x00000000004166BA-mapping.dmp

Download
memory/196-127-0x0000000005970000-0x0000000005971000-memory.dmp

Filesize
4KB

Download
memory/196-128-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/196-129-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/196-140-0x0000000007520000-0x0000000007521000-memory.dmp

Filesize
4KB

Download
memory/196-130-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/196-131-0x0000000005360000-0x0000000005966000-memory.dmp

Filesize
6.0MB

Download
memory/196-141-0x0000000006770000-0x0000000006771000-memory.dmp

Filesize
4KB

Download
memory/196-138-0x0000000006920000-0x0000000006921000-memory.dmp

Filesize
4KB

Download
memory/196-139-0x0000000006E20000-0x0000000006E21000-memory.dmp

Filesize
4KB

Download
memory/1048-199-0x0000000000000000-mapping.dmp

Download
memory/1084-152-0x00000000021A0000-0x0000000002281000-memory.dmp

Filesize
900KB

Download
memory/1084-153-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1084-134-0x0000000000000000-mapping.dmp

Download
memory/1092-187-0x0000000000000000-mapping.dmp

Download
memory/1120-145-0x0000000000000000-mapping.dmp

Download
memory/1248-193-0x0000000000000000-mapping.dmp

Download
memory/1404-133-0x0000000000000000-mapping.dmp

Download
memory/1532-251-0x0000000000000000-mapping.dmp

Download
memory/2056-158-0x0000000000000000-mapping.dmp

Download
memory/2152-143-0x0000000000000000-mapping.dmp

Download
memory/2152-161-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2152-160-0x0000000002190000-0x000000000225E000-memory.dmp

Filesize
824KB

Download
memory/2208-196-0x0000000000000000-mapping.dmp

Download
memory/2544-195-0x0000000000000000-mapping.dmp

Download
memory/2824-245-0x00000000047E0000-0x0000000004DA5000-memory.dmp

Filesize
5.8MB

Download
memory/2824-248-0x00000000058A0000-0x00000000058A1000-memory.dmp

Filesize
4KB

Download
memory/2824-250-0x00000000050F1000-0x0000000005750000-memory.dmp

Filesize
6.4MB

Download
memory/2824-242-0x0000000000000000-mapping.dmp

Download
memory/3160-231-0x0000000000000000-mapping.dmp

Download
memory/3488-228-0x0000000000000000-mapping.dmp

Download
memory/3488-235-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/3488-233-0x0000000002D00000-0x0000000003407000-memory.dmp

Filesize
7.0MB

Download
memory/3488-234-0x0000000000400000-0x0000000000B14000-memory.dmp

Filesize
7.1MB

Download
memory/3520-147-0x0000000000000000-mapping.dmp

Download
memory/3520-167-0x000002031A8D2000-0x000002031A8D4000-memory.dmp

Filesize
8KB

Download
memory/3520-169-0x000002031A8D5000-0x000002031A8D7000-memory.dmp

Filesize
8KB

Download
memory/3520-155-0x000002031A7D0000-0x000002031A7D1000-memory.dmp

Filesize
4KB

Download
memory/3520-156-0x000002031A8D0000-0x000002031A8D2000-memory.dmp

Filesize
8KB

Download
memory/3520-150-0x0000020300320000-0x0000020300321000-memory.dmp

Filesize
4KB

Download
memory/3520-168-0x000002031A8D4000-0x000002031A8D5000-memory.dmp

Filesize
4KB

Download
memory/3616-202-0x0000000000000000-mapping.dmp

Download
memory/3860-116-0x0000000000000000-mapping.dmp

Download
memory/3980-142-0x0000000000000000-mapping.dmp

Download
memory/4012-146-0x0000000000000000-mapping.dmp

Download
memory/4048-114-0x00000000004C0000-0x000000000060A000-memory.dmp

Filesize
1.3MB

Download
memory/4048-115-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4068-122-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/4068-120-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4068-117-0x0000000000000000-mapping.dmp

Download
memory/4236-222-0x0000000000460000-0x00000000005AA000-memory.dmp

Filesize
1.3MB

Download
memory/4236-223-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4236-189-0x0000000000000000-mapping.dmp

Download
memory/4424-241-0x0000000001360000-0x0000000001361000-memory.dmp

Filesize
4KB

Download
memory/4424-236-0x0000000000000000-mapping.dmp

Download
memory/4424-247-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/4424-240-0x0000000000D10000-0x00000000012D5000-memory.dmp

Filesize
5.8MB

Download
memory/4424-246-0x0000000004F01000-0x0000000005560000-memory.dmp

Filesize
6.4MB

Download
memory/4660-165-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/4660-162-0x0000000000000000-mapping.dmp

Download
memory/4660-170-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/4664-206-0x0000000000000000-mapping.dmp

Download
memory/4672-226-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/4672-203-0x0000000000000000-mapping.dmp

Download
memory/4796-172-0x000000000041699E-mapping.dmp

Download
memory/4796-181-0x0000000005450000-0x0000000005A56000-memory.dmp

Filesize
6.0MB

Download
memory/4796-179-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/4796-171-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4848-213-0x0000000000000000-mapping.dmp

Download
memory/5032-182-0x0000000000000000-mapping.dmp

Download
memory/5056-225-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/5056-224-0x0000000002040000-0x0000000002066000-memory.dmp

Filesize
152KB

Download
memory/5056-219-0x0000000000000000-mapping.dmp

Download
memory/5076-183-0x0000000000000000-mapping.dmp

Download