cryptbot | 36c1ab5e18f20ba99b86a8f995b83a3909f9d3e8d8d7fd573ac1c4813fd2e31e

Analysis

max time kernel
146s
max time network
150s
platform
windows10_x64
resource
win10v20210408
submitted
08-06-2021 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

B00F279B575B3F07A06352A37A378323.exe
Size

8KB
MD5

b00f279b575b3f07a06352a37a378323
SHA1

e314c43e297237cad9173cf65c774f99b56acbfc
SHA256

36c1ab5e18f20ba99b86a8f995b83a3909f9d3e8d8d7fd573ac1c4813fd2e31e
SHA512

e00b39b0bdcb68583af082a41ec8ff351933519d8942644955327922669d73de52af92f660fd099be19fe9bf947fafa88647da900a95285bcd7eb82092f4e2bb

Malware Config

Extracted

Family

redline

Botnet

Kolya

195.201.17.219:25524

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

raccoon

Botnet

28198d4512d0cf31c204eddceb4471d79950b588

Attributes

url4cnc
https://tttttt.me/capibar

rc4.plain

Extracted

Family

cryptbot

olmjby22.top

mortyl02.top

Attributes

payload_url
http://vamzxy03.top/download.php?file=lv.exe

Extracted

Family

redline

Botnet

MIX 08.06

185.215.113.17:18597

Extracted

Family

danabot

Version

1827

Botnet

184.95.51.183:443

184.95.51.175:443

192.210.198.12:443

184.95.51.180:443

Attributes

embedded_hash
AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3736-177-0x00000000021D0000-0x00000000022B1000-memory.dmp	family_cryptbot
behavioral2/memory/3736-178-0x0000000000400000-0x00000000004E5000-memory.dmp	family_cryptbot

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2524-152-0x0000000003170000-0x0000000003A7C000-memory.dmp	family_glupteba
behavioral2/memory/2524-154-0x0000000000400000-0x0000000000D26000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2748-144-0x0000000002300000-0x000000000231A000-memory.dmp	family_redline
behavioral2/memory/2748-146-0x0000000002570000-0x0000000002589000-memory.dmp	family_redline
behavioral2/memory/4628-197-0x00000000021C0000-0x00000000021DA000-memory.dmp	family_redline
behavioral2/memory/4628-199-0x0000000002330000-0x0000000002349000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 1500 created 2524 1500 svchost.exe https___leselesp.info_app.exe.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 5 IoCs

Processes:

RUNDLL32.EXEWScript.exe

flow pid process

80 4448 RUNDLL32.EXE
82 4548 WScript.exe
84 4548 WScript.exe
86 4548 WScript.exe
88 4548 WScript.exe
Downloads MZ/PE file

description	pid	process	target process
PID 1500 created 2524	1500	svchost.exe	https___leselesp.info_app.exe.exe

flow	pid	process
80	4448	RUNDLL32.EXE
82	4548	WScript.exe
84	4548	WScript.exe
86	4548	WScript.exe
88	4548	WScript.exe

Executes dropped EXE 16 IoCs

Processes:

https___leselesp.info_app.exe.exehttp___212.192.241.136_files_file1.exe.exehttp___212.192.241.136_files_file2.exe.exehttp___212.192.241.136_files_file3.exe.exe35273352171.exehttps___leselesp.info_app.exe.exe19479237279.exe93229732387.exeedspolishpp.exeMtpDoFM.exe4.exevpn.exeRitornata.exe.comRitornata.exe.comSmartClock.exehpcqfamxv.exe

pid	process
2524	https___leselesp.info_app.exe.exe
4056	http___212.192.241.136_files_file1.exe.exe
200	http___212.192.241.136_files_file2.exe.exe
2748	http___212.192.241.136_files_file3.exe.exe
4000	35273352171.exe
1276	https___leselesp.info_app.exe.exe
3736	19479237279.exe
4328	93229732387.exe
4628	edspolishpp.exe
4760	MtpDoFM.exe
4812	4.exe
4832	vpn.exe
5020	Ritornata.exe.com
5092	Ritornata.exe.com
4172	SmartClock.exe
3100	hpcqfamxv.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

http___212.192.241.136_files_file2.exe.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	http___212.192.241.136_files_file2.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	http___212.192.241.136_files_file2.exe.exe

Drops startup file 1 IoCs

Processes:

4.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4.exe

Loads dropped DLL 10 IoCs

Processes:

35273352171.exeMtpDoFM.exerundll32.exeRUNDLL32.EXE

pid	process
4000	35273352171.exe
4000	35273352171.exe
4000	35273352171.exe
4000	35273352171.exe
4000	35273352171.exe
4760	MtpDoFM.exe
2676	rundll32.exe
2676	rundll32.exe
4448	RUNDLL32.EXE
4448	RUNDLL32.EXE

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Documents\http___212.192.241.136_files_file2.exe.exe	themida
C:\Users\Admin\Documents\http___212.192.241.136_files_file2.exe.exe	themida
behavioral2/memory/200-131-0x0000000000F40000-0x0000000000F41000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

http___212.192.241.136_files_file2.exe.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	http___212.192.241.136_files_file2.exe.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

67 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

http___212.192.241.136_files_file2.exe.exe

pid process

200 http___212.192.241.136_files_file2.exe.exe

flow	ioc
67	ip-api.com

pid	process
200	http___212.192.241.136_files_file2.exe.exe

Drops file in Program Files directory 3 IoCs

Processes:

MtpDoFM.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	MtpDoFM.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	MtpDoFM.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	MtpDoFM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

19479237279.exe93229732387.exeRitornata.exe.comRUNDLL32.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	19479237279.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	93229732387.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	93229732387.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Ritornata.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Ritornata.exe.com
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	19479237279.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

4248 timeout.exe
912 timeout.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

4428 taskkill.exe
4552 taskkill.exe

pid	process
4248	timeout.exe
912	timeout.exe

pid	process
4428	taskkill.exe
4552	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

https___leselesp.info_app.exe.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	https___leselesp.info_app.exe.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	https___leselesp.info_app.exe.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	https___leselesp.info_app.exe.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	https___leselesp.info_app.exe.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	https___leselesp.info_app.exe.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	https___leselesp.info_app.exe.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	https___leselesp.info_app.exe.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	https___leselesp.info_app.exe.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	https___leselesp.info_app.exe.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	https___leselesp.info_app.exe.exe

Modifies registry class 1 IoCs

Processes:

Ritornata.exe.com

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings Ritornata.exe.com
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5112 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

4172 SmartClock.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	Ritornata.exe.com

pid	process
5112	PING.EXE

pid	process
4172	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

https___leselesp.info_app.exe.exehttp___212.192.241.136_files_file2.exe.exeB00F279B575B3F07A06352A37A378323.exeedspolishpp.exepowershell.exeRUNDLL32.EXEpowershell.exe

pid	process
2524	https___leselesp.info_app.exe.exe
2524	https___leselesp.info_app.exe.exe
200	http___212.192.241.136_files_file2.exe.exe
200	http___212.192.241.136_files_file2.exe.exe
648	B00F279B575B3F07A06352A37A378323.exe
4628	edspolishpp.exe
4628	edspolishpp.exe
3932	powershell.exe
3932	powershell.exe
3932	powershell.exe
4448	RUNDLL32.EXE
4448	RUNDLL32.EXE
4792	powershell.exe
4792	powershell.exe
4792	powershell.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

B00F279B575B3F07A06352A37A378323.exehttps___leselesp.info_app.exe.exesvchost.exehttp___212.192.241.136_files_file2.exe.exehttp___212.192.241.136_files_file3.exe.exetaskkill.exetaskkill.exeedspolishpp.exerundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	648	B00F279B575B3F07A06352A37A378323.exe
Token: SeDebugPrivilege	2524	https___leselesp.info_app.exe.exe
Token: SeImpersonatePrivilege	2524	https___leselesp.info_app.exe.exe
Token: SeTcbPrivilege	1500	svchost.exe
Token: SeTcbPrivilege	1500	svchost.exe
Token: SeDebugPrivilege	200	http___212.192.241.136_files_file2.exe.exe
Token: SeDebugPrivilege	2748	http___212.192.241.136_files_file3.exe.exe
Token: SeDebugPrivilege	4428	taskkill.exe
Token: SeDebugPrivilege	4552	taskkill.exe
Token: SeDebugPrivilege	4628	edspolishpp.exe
Token: SeDebugPrivilege	2676	rundll32.exe
Token: SeDebugPrivilege	4448	RUNDLL32.EXE
Token: SeDebugPrivilege	3932	powershell.exe
Token: SeDebugPrivilege	4792	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

19479237279.exevpn.exeRUNDLL32.EXE

pid process

3736 19479237279.exe
3736 19479237279.exe
4832 vpn.exe
4448 RUNDLL32.EXE

pid	process
3736	19479237279.exe
3736	19479237279.exe
4832	vpn.exe
4448	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

B00F279B575B3F07A06352A37A378323.exehttp___212.192.241.136_files_file1.exe.execmd.exesvchost.execmd.exe35273352171.execmd.execmd.execmd.execmd.exe93229732387.exe19479237279.execmd.exeMtpDoFM.exe

description	pid	process	target process
PID 648 wrote to memory of 2524	648	B00F279B575B3F07A06352A37A378323.exe	https___leselesp.info_app.exe.exe
PID 648 wrote to memory of 2524	648	B00F279B575B3F07A06352A37A378323.exe	https___leselesp.info_app.exe.exe
PID 648 wrote to memory of 2524	648	B00F279B575B3F07A06352A37A378323.exe	https___leselesp.info_app.exe.exe
PID 648 wrote to memory of 4056	648	B00F279B575B3F07A06352A37A378323.exe	http___212.192.241.136_files_file1.exe.exe
PID 648 wrote to memory of 4056	648	B00F279B575B3F07A06352A37A378323.exe	http___212.192.241.136_files_file1.exe.exe
PID 648 wrote to memory of 4056	648	B00F279B575B3F07A06352A37A378323.exe	http___212.192.241.136_files_file1.exe.exe
PID 648 wrote to memory of 200	648	B00F279B575B3F07A06352A37A378323.exe	http___212.192.241.136_files_file2.exe.exe
PID 648 wrote to memory of 200	648	B00F279B575B3F07A06352A37A378323.exe	http___212.192.241.136_files_file2.exe.exe
PID 648 wrote to memory of 200	648	B00F279B575B3F07A06352A37A378323.exe	http___212.192.241.136_files_file2.exe.exe
PID 648 wrote to memory of 2748	648	B00F279B575B3F07A06352A37A378323.exe	http___212.192.241.136_files_file3.exe.exe
PID 648 wrote to memory of 2748	648	B00F279B575B3F07A06352A37A378323.exe	http___212.192.241.136_files_file3.exe.exe
PID 648 wrote to memory of 2748	648	B00F279B575B3F07A06352A37A378323.exe	http___212.192.241.136_files_file3.exe.exe
PID 4056 wrote to memory of 2224	4056	http___212.192.241.136_files_file1.exe.exe	cmd.exe
PID 4056 wrote to memory of 2224	4056	http___212.192.241.136_files_file1.exe.exe	cmd.exe
PID 4056 wrote to memory of 2224	4056	http___212.192.241.136_files_file1.exe.exe	cmd.exe
PID 2224 wrote to memory of 4000	2224	cmd.exe	35273352171.exe
PID 2224 wrote to memory of 4000	2224	cmd.exe	35273352171.exe
PID 2224 wrote to memory of 4000	2224	cmd.exe	35273352171.exe
PID 1500 wrote to memory of 1276	1500	svchost.exe	https___leselesp.info_app.exe.exe
PID 1500 wrote to memory of 1276	1500	svchost.exe	https___leselesp.info_app.exe.exe
PID 1500 wrote to memory of 1276	1500	svchost.exe	https___leselesp.info_app.exe.exe
PID 4056 wrote to memory of 2836	4056	http___212.192.241.136_files_file1.exe.exe	cmd.exe
PID 4056 wrote to memory of 2836	4056	http___212.192.241.136_files_file1.exe.exe	cmd.exe
PID 4056 wrote to memory of 2836	4056	http___212.192.241.136_files_file1.exe.exe	cmd.exe
PID 2836 wrote to memory of 3736	2836	cmd.exe	19479237279.exe
PID 2836 wrote to memory of 3736	2836	cmd.exe	19479237279.exe
PID 2836 wrote to memory of 3736	2836	cmd.exe	19479237279.exe
PID 4000 wrote to memory of 4212	4000	35273352171.exe	cmd.exe
PID 4000 wrote to memory of 4212	4000	35273352171.exe	cmd.exe
PID 4000 wrote to memory of 4212	4000	35273352171.exe	cmd.exe
PID 4212 wrote to memory of 4248	4212	cmd.exe	timeout.exe
PID 4212 wrote to memory of 4248	4212	cmd.exe	timeout.exe
PID 4212 wrote to memory of 4248	4212	cmd.exe	timeout.exe
PID 4056 wrote to memory of 4280	4056	http___212.192.241.136_files_file1.exe.exe	cmd.exe
PID 4056 wrote to memory of 4280	4056	http___212.192.241.136_files_file1.exe.exe	cmd.exe
PID 4056 wrote to memory of 4280	4056	http___212.192.241.136_files_file1.exe.exe	cmd.exe
PID 4280 wrote to memory of 4328	4280	cmd.exe	93229732387.exe
PID 4280 wrote to memory of 4328	4280	cmd.exe	93229732387.exe
PID 4280 wrote to memory of 4328	4280	cmd.exe	93229732387.exe
PID 4056 wrote to memory of 4384	4056	http___212.192.241.136_files_file1.exe.exe	cmd.exe
PID 4056 wrote to memory of 4384	4056	http___212.192.241.136_files_file1.exe.exe	cmd.exe
PID 4056 wrote to memory of 4384	4056	http___212.192.241.136_files_file1.exe.exe	cmd.exe
PID 4384 wrote to memory of 4428	4384	cmd.exe	taskkill.exe
PID 4384 wrote to memory of 4428	4384	cmd.exe	taskkill.exe
PID 4384 wrote to memory of 4428	4384	cmd.exe	taskkill.exe
PID 648 wrote to memory of 4496	648	B00F279B575B3F07A06352A37A378323.exe	cmd.exe
PID 648 wrote to memory of 4496	648	B00F279B575B3F07A06352A37A378323.exe	cmd.exe
PID 4496 wrote to memory of 4552	4496	cmd.exe	taskkill.exe
PID 4496 wrote to memory of 4552	4496	cmd.exe	taskkill.exe
PID 4328 wrote to memory of 4628	4328	93229732387.exe	edspolishpp.exe
PID 4328 wrote to memory of 4628	4328	93229732387.exe	edspolishpp.exe
PID 4328 wrote to memory of 4628	4328	93229732387.exe	edspolishpp.exe
PID 3736 wrote to memory of 4696	3736	19479237279.exe	cmd.exe
PID 3736 wrote to memory of 4696	3736	19479237279.exe	cmd.exe
PID 3736 wrote to memory of 4696	3736	19479237279.exe	cmd.exe
PID 4696 wrote to memory of 4760	4696	cmd.exe	MtpDoFM.exe
PID 4696 wrote to memory of 4760	4696	cmd.exe	MtpDoFM.exe
PID 4696 wrote to memory of 4760	4696	cmd.exe	MtpDoFM.exe
PID 4760 wrote to memory of 4812	4760	MtpDoFM.exe	4.exe
PID 4760 wrote to memory of 4812	4760	MtpDoFM.exe	4.exe
PID 4760 wrote to memory of 4812	4760	MtpDoFM.exe	4.exe
PID 4760 wrote to memory of 4832	4760	MtpDoFM.exe	vpn.exe
PID 4760 wrote to memory of 4832	4760	MtpDoFM.exe	vpn.exe
PID 4760 wrote to memory of 4832	4760	MtpDoFM.exe	vpn.exe

C:\Users\Admin\AppData\Local\Temp\B00F279B575B3F07A06352A37A378323.exe
"C:\Users\Admin\AppData\Local\Temp\B00F279B575B3F07A06352A37A378323.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:648
- C:\Users\Admin\Documents\https___leselesp.info_app.exe.exe
  "C:\Users\Admin\Documents\https___leselesp.info_app.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- - C:\Users\Admin\Documents\https___leselesp.info_app.exe.exe
    "C:\Users\Admin\Documents\https___leselesp.info_app.exe.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:1276
- C:\Users\Admin\Documents\http___212.192.241.136_files_file1.exe.exe
  "C:\Users\Admin\Documents\http___212.192.241.136_files_file1.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{El3y-W1F2w-z403-QWPFt}\35273352171.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Users\Admin\AppData\Local\Temp\{El3y-W1F2w-z403-QWPFt}\35273352171.exe
      "C:\Users\Admin\AppData\Local\Temp\{El3y-W1F2w-z403-QWPFt}\35273352171.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:4000
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\{El3y-W1F2w-z403-QWPFt}\35273352171.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4212
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        6⤵
        Delays execution with timeout.exe
        
        PID:4248
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{El3y-W1F2w-z403-QWPFt}\19479237279.exe" /mix
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Users\Admin\AppData\Local\Temp\{El3y-W1F2w-z403-QWPFt}\19479237279.exe
      "C:\Users\Admin\AppData\Local\Temp\{El3y-W1F2w-z403-QWPFt}\19479237279.exe" /mix
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3736
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\MtpDoFM.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4696
      - C:\Users\Admin\AppData\Local\Temp\MtpDoFM.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MtpDoFM.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
        7⤵
        Executes dropped EXE
        Drops startup file
        
        PID:4812
        
        C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
        
        "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:4832
        
        C:\Windows\SysWOW64\dllhost.exe
        
        "C:\Windows\System32\dllhost.exe"
        8⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c cmd < Questa.mui
        8⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd
        9⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^bkKukanvvIaviummCuKudmQWXJRADyBlRAsoRwEThgwuiCesPIojDwzYxNpBAXTdiiEGPdHACRTwbKPxGALUXfHPizOtSezfcKZZYcCnqHJMosAJYPUqkYzRAOnvCDI$" Tocchi.mui
        10⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ritornata.exe.com
        
        Ritornata.exe.com h
        10⤵
        Executes dropped EXE
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ritornata.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ritornata.exe.com h
        11⤵
        Executes dropped EXE
        Checks processor information in registry
        Modifies registry class
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\hpcqfamxv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hpcqfamxv.exe"
        12⤵
        Executes dropped EXE
        
        PID:3100
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\HPCQFA~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\HPCQFA~1.EXE
        13⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\SysWOW64\RUNDLL32.EXE
        
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\HPCQFA~1.DLL,eWEYfI0v
        14⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:4448
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp93B0.tmp.ps1"
        15⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3932
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpAD93.tmp.ps1"
        15⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4792
        
        C:\Windows\SysWOW64\nslookup.exe
        
        "C:\Windows\system32\nslookup.exe" -type=any localhost
        16⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
        15⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
        15⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vosoliyb.vbs"
        12⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fvyhmuwxxf.vbs"
        12⤵
        Blocklisted process makes network request
        
        PID:4548
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 30
        10⤵
        Runs ping.exe
        
        PID:5112
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\OGMYaYcUOOJd & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\{El3y-W1F2w-z403-QWPFt}\19479237279.exe"
        5⤵
        
        PID:5044
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:912
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{El3y-W1F2w-z403-QWPFt}\93229732387.exe" /mix
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4280
  - - C:\Users\Admin\AppData\Local\Temp\{El3y-W1F2w-z403-QWPFt}\93229732387.exe
      "C:\Users\Admin\AppData\Local\Temp\{El3y-W1F2w-z403-QWPFt}\93229732387.exe" /mix
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Suspicious use of WriteProcessMemory
      PID:4328
    - - C:\Users\Admin\AppData\Roaming\nailedp\edspolishpp.exe
        
        edspolishpp.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4628
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "http___212.192.241.136_files_file1.exe.exe" /f & erase "C:\Users\Admin\Documents\http___212.192.241.136_files_file1.exe.exe" & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "http___212.192.241.136_files_file1.exe.exe" /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4428
- C:\Users\Admin\Documents\http___212.192.241.136_files_file2.exe.exe
  "C:\Users\Admin\Documents\http___212.192.241.136_files_file2.exe.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:200
- C:\Users\Admin\Documents\http___212.192.241.136_files_file3.exe.exe
  "C:\Users\Admin\Documents\http___212.192.241.136_files_file3.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "B00F279B575B3F07A06352A37A378323.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\B00F279B575B3F07A06352A37A378323.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Windows\system32\taskkill.exe
    taskkill /im "B00F279B575B3F07A06352A37A378323.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4552

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
f7a808b5711f58fb4f85476c1bb24ac3

SHA1
fbdf9670d622e8fc3446ad4f53fbbd83016f03d1

SHA256
de4aadfe00c4cf41434a12450cdc69d37cb2d9cec951b074c3b5e7bfce9e94ec

SHA512
866848d13e999e6a1a79d77c33adb642d78d0a11adee293fca411b4ed5f7bf85324f90b3031148a66ac10dccc577d3c2a7c1ab6ed4237360de9911c27516a5af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
b1af461e60d3f2111bd57b66ea19d93f

SHA1
629a3d861e29ae31db92f04207f418f9ab8981ed

SHA256
fb2e47aa169c1d7cac542503f8628906dc3e0df876780d3ddc2e53ac0b2ab52e

SHA512
a5d13c6a451a6530eff79cbe2365c642984c212616e94e2162b9183190085233d3e3bbe76e8a20c3c7de69fa4d6ff10f65166e63e96d6ad802ba9688afe8a4ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Quando.mui

MD5
2d6336f72a3c1157257324be430e78f5

SHA1
24b49a1a4c2ed11d9736439ad8886dcba0c33c6a

SHA256
a0826bcbf9adea88158640146cb2cffcf773e32824f4aa3a73d867a4bd532e49

SHA512
fab9b97bd5a652b72318e7cd4c6ae952491bde96ca5c859877514f4ef3ee4716e57701d908400107600391ee3e55a586f66e3172a1476e05f58e5e3cd649eb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Questa.mui

MD5
b62c547f5f658d070f3ddc82b0fb3868

SHA1
983dfe0c7c7914875af6158632ef2dc84f21bff2

SHA256
e51d5e55f67529ca949ce58a61afcdc5d92188cafece914a1b6a87e49215e661

SHA512
6be41b35fc156befa6f947d59a51161a7cd6761e4fa26bdb8c68705d439b5a6f5bf1dd0881c4a2fa3f8acfaa707bddd02455e21a9281d3a1807a62bb8a12aac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ricordarmi.mui

MD5
73bac4ffe318c194c0cae6e4fe10b88d

SHA1
0084fc54977f07c35aaaa6d3c228f244bdcd0d8b

SHA256
99a524a1e56311da3708655e1199e845c0ee57798773005aed6818fb1d1e5195

SHA512
b5ceb472a9b5cfa92d9e489126feef8962e57d485fa0d3a9f56d2b20dad57f6da097706b68104854d35ad1e7ed9861a6309ed69a5bf6c57abcc6b11bc6a96ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ritornata.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ritornata.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ritornata.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Tocchi.mui

MD5
1b1eca6ed02020892df62e9d79c2c2cd

SHA1
be9aace354a0ab53fe1a187e8b2ccda2c524e336

SHA256
eb5d411bf93fbce1354a8270cfea181b7db1e8e7792fa8b3297234e5e8be542e

SHA512
fa9fb2db07c8360f1f220a055ad476be5e9ece9bb308ea09dc42d09f06ed2c74ba4fd20746af29dfec94fcc404f78523c235b913a6c131cf5789c4e9e77f176e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\h

MD5
73bac4ffe318c194c0cae6e4fe10b88d

SHA1
0084fc54977f07c35aaaa6d3c228f244bdcd0d8b

SHA256
99a524a1e56311da3708655e1199e845c0ee57798773005aed6818fb1d1e5195

SHA512
b5ceb472a9b5cfa92d9e489126feef8962e57d485fa0d3a9f56d2b20dad57f6da097706b68104854d35ad1e7ed9861a6309ed69a5bf6c57abcc6b11bc6a96ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\HPCQFA~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
C:\Users\Admin\AppData\Local\Temp\MtpDoFM.exe

MD5
8cfa42a0c6cc448848164ccf43a6d9eb

SHA1
f8d2e40a07d52e319cf878fe378780141cfd4357

SHA256
f1d2fb33b29b473a7569489503bef52926aa24cd433b24260db77baaf380d410

SHA512
4af8b744b4605a4417bd0884018ef7a1374cfe017cad975429a4c0a9abbf6312af826131c53350f5d9a5727f50b7f0f1a996c405b12f0b5e93abe018f04a9799

Download Submit
C:\Users\Admin\AppData\Local\Temp\MtpDoFM.exe

MD5
8cfa42a0c6cc448848164ccf43a6d9eb

SHA1
f8d2e40a07d52e319cf878fe378780141cfd4357

SHA256
f1d2fb33b29b473a7569489503bef52926aa24cd433b24260db77baaf380d410

SHA512
4af8b744b4605a4417bd0884018ef7a1374cfe017cad975429a4c0a9abbf6312af826131c53350f5d9a5727f50b7f0f1a996c405b12f0b5e93abe018f04a9799

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe

MD5
7335afd5f210acf1ce86732852c06c89

SHA1
7dd8f4774683c5898584b4c4f6175ded0805c24b

SHA256
0e2bdf6dd3646844b57f6ffc9d5281f97b914e7d936f485cc86d3677257fea1f

SHA512
99b2c93ebdf5d1317d57293cfcdd25d6c1e20a5d8cc927742fd126bd5240458c7ab69dc5d7e86dd9fe16c421006277c885ca9ae45adcc379ad0db9ac32e3c67b

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe

MD5
7335afd5f210acf1ce86732852c06c89

SHA1
7dd8f4774683c5898584b4c4f6175ded0805c24b

SHA256
0e2bdf6dd3646844b57f6ffc9d5281f97b914e7d936f485cc86d3677257fea1f

SHA512
99b2c93ebdf5d1317d57293cfcdd25d6c1e20a5d8cc927742fd126bd5240458c7ab69dc5d7e86dd9fe16c421006277c885ca9ae45adcc379ad0db9ac32e3c67b

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe

MD5
9ea7c37369fa79acd572676e116da600

SHA1
b28496e01ac8286abeb9ff1763202336547c4295

SHA256
d84d5f46aff7558ecac285457ab90ec833da78af47529e6a2aa41903649639dd

SHA512
5a41a7f773ed15a81b8d6e4245230bf3f4fd1cd8472ee27c6f35f5c04875b59bdd3dbd0191fb9729d6dd0d8012c78d00a5dd0f7f0266888eea6df71f9f043f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe

MD5
9ea7c37369fa79acd572676e116da600

SHA1
b28496e01ac8286abeb9ff1763202336547c4295

SHA256
d84d5f46aff7558ecac285457ab90ec833da78af47529e6a2aa41903649639dd

SHA512
5a41a7f773ed15a81b8d6e4245230bf3f4fd1cd8472ee27c6f35f5c04875b59bdd3dbd0191fb9729d6dd0d8012c78d00a5dd0f7f0266888eea6df71f9f043f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\OGMYaYcUOOJd\JCYAFE~1.ZIP

MD5
3c0807345bd12da85c601e0b933c05be

SHA1
276700642205c3176f388b3fd801bd1f2471ef5a

SHA256
d9d39b8d53da5074718393c63457bef08d70227eae4229590bb18adbd31ca3f3

SHA512
3e63097145a62482e6086bd6209db4c647219966dde3fdbd250fd4d0c9fc5445497ff4bb5115a0112e6df69908f9eb8bfb36cfab6d6f0342b8d0ae5eab739a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\OGMYaYcUOOJd\YBVJBD~1.ZIP

MD5
37870009919ad8f20c0e9aa90bb0beab

SHA1
7fbed13efb0153bb66f868df44242629cb6774fe

SHA256
fca02cee35fb51526483840a4432738c356079e7ee3cfa78328e1f2212144e34

SHA512
dcead5c6915e4ea7cbdadbf69efd6e3e8996af7f7212b89c4845f8ad2d6039213577cb62ecdd2bf0a0f4295f6d1735d052b47776bf1072dce84fe9bc0bd22574

Download Submit
C:\Users\Admin\AppData\Local\Temp\OGMYaYcUOOJd\_Files\_INFOR~1.TXT

MD5
f9d292d21c3621d4969bf5c550e754e3

SHA1
90ab6928452d25148d8c842382aa363b3647e69a

SHA256
4cbdec609f161e498bac88a07e5341a0b47c618c23c9221ce72e6274844225de

SHA512
a43cbaf96e08d6357aa021686cc3e2674c18224e0343c3c1786c06672c74fd540acab26dd09b6459adfde81b8daea462b227479e5b41dca958a174f063f15545

Download Submit
C:\Users\Admin\AppData\Local\Temp\OGMYaYcUOOJd\_Files\_SCREE~1.JPE

MD5
365d1242183cbb02b13b64e5d446236e

SHA1
e7a01ae9f927ed289ddf80d35ba867199885b124

SHA256
a54bc0763b4860945b68d06fcf22c73eda249ed55d38712f5b30baa7e9a96b5a

SHA512
da507427593902b491be9f16f66550ba9af61d61f32c438affc63fddde8ed92c5ed7dc3092e8d57295eb11acc0f4776a01cddeedae00b4ef7629ba566015dc5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OGMYaYcUOOJd\files_\SCREEN~1.JPG

MD5
365d1242183cbb02b13b64e5d446236e

SHA1
e7a01ae9f927ed289ddf80d35ba867199885b124

SHA256
a54bc0763b4860945b68d06fcf22c73eda249ed55d38712f5b30baa7e9a96b5a

SHA512
da507427593902b491be9f16f66550ba9af61d61f32c438affc63fddde8ed92c5ed7dc3092e8d57295eb11acc0f4776a01cddeedae00b4ef7629ba566015dc5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OGMYaYcUOOJd\files_\SYSTEM~1.TXT

MD5
3c8e9812030e244c4969607c368b8e6e

SHA1
687b8facd90b7e8073dba04527870844ea4aac5b

SHA256
b21420b3dd75512b7951dbb4acc30ef567d25f4dd12d174ceea1eff0198c7353

SHA512
affc32d896e63d437e04115a147b33d903c16e9d8f7a3722e4c8de9138c66f1ca9a23cb75a71eeabbd387ab7478af5c48ea207fdec0089e0449984ae699416ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\fvyhmuwxxf.vbs

MD5
72568c60b8bfd97209b29e77cf62f669

SHA1
121d94b15c7c683c4367920b92b6d064f9e0e1d4

SHA256
6105373022a0cdb2f596a5ba109e835cdda51f1f2cdab04c81a7503409e2fdca

SHA512
bd7cf4fb8e8cf4cb0b4ca9d16120528f75761e26471023164dffad9d155e7d3574b8eb49c2c46258b600f1d93ba410ea5327159147125613005b31a050efe061

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpcqfamxv.exe

MD5
e91d25fe1c352dde539dfe3956693a9e

SHA1
478ceadecb5529b39b8c71c436f6ba3a03b12de6

SHA256
1876ed395dafc0dfadea8019a9362a065bb43a5f870e0c3e8810d347a0ab61d0

SHA512
ec48e80bdc5639673a850ea8f25a575db381d2e4ca47a66b76eda7adc68cf5bdedd69cf1864f9abc6f57d88a65b831ffe7729fb0617bbeb081802cebbf5ec5ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpcqfamxv.exe

MD5
e91d25fe1c352dde539dfe3956693a9e

SHA1
478ceadecb5529b39b8c71c436f6ba3a03b12de6

SHA256
1876ed395dafc0dfadea8019a9362a065bb43a5f870e0c3e8810d347a0ab61d0

SHA512
ec48e80bdc5639673a850ea8f25a575db381d2e4ca47a66b76eda7adc68cf5bdedd69cf1864f9abc6f57d88a65b831ffe7729fb0617bbeb081802cebbf5ec5ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp93B0.tmp.ps1

MD5
c60adefd2b915862c1eb1caf114378d9

SHA1
e1399d5298af2b12b4d75e86c6998ce37644fff5

SHA256
988df112ec0e80c076dfd694cbbfb133d72fe283136658eb40b392699e17d090

SHA512
6f5702a1542011b53347ced60945976050de462f719371b6bf63134864324f793830a3db8f556793d5eaf08da6cfe29b96c67fc8b344d8c8eb2869c1a5f14045

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp93B1.tmp

MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAD93.tmp.ps1

MD5
2fe4622244e72374be7a2ad19ec1566f

SHA1
61a1d33e2ba04b4f57bd4b8ab142552692018d59

SHA256
f1efdaf741fbbeba634793d59c571f07ca89e4d3ec3d2420145e6c827f42efa9

SHA512
508c90d12695b39f6a03a9245be2f0879b485c97beaac10b6f67b91433511120822d5434dc83eb17befb7771664a2e6bf733648bf78342f90e0fc8050f198e01

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAD94.tmp

MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vosoliyb.vbs

MD5
98a52835fa781017770adfe0b171eff1

SHA1
c5726396364aa33c72d3ad0b9905d755593fe3bc

SHA256
3bba6635163cb9b9322d0380fa1da6b053e5d3a659abd46f5dadcdbd8c80b1bd

SHA512
00fcd90372afa52ca94b739c192ed4406eb512f3a7cff1e97758e6798a75d36827f345a4528c4c479f4c73d8f30ef224ab0aeaedb120d73007849784e5fabdad

Download Submit
C:\Users\Admin\AppData\Local\Temp\{El3y-W1F2w-z403-QWPFt}\19479237279.exe

MD5
c51c45bbb095023f3b002838d0260d93

SHA1
b89089aab28c604de07707b309e1a6cfd1d8bc45

SHA256
6051ad192d2c5bbf8505a23b280a880339665074ff7303527a3ec61e2c586476

SHA512
21f06c6da9a85d0e3173ca577d6be8d6bf2059761665844289797ee3d71c598d2a54686c7dc0b68c9c47f4413e7de07468fb6c21ee1cd04401f408ddc149de56

Download Submit
C:\Users\Admin\AppData\Local\Temp\{El3y-W1F2w-z403-QWPFt}\19479237279.exe

MD5
c51c45bbb095023f3b002838d0260d93

SHA1
b89089aab28c604de07707b309e1a6cfd1d8bc45

SHA256
6051ad192d2c5bbf8505a23b280a880339665074ff7303527a3ec61e2c586476

SHA512
21f06c6da9a85d0e3173ca577d6be8d6bf2059761665844289797ee3d71c598d2a54686c7dc0b68c9c47f4413e7de07468fb6c21ee1cd04401f408ddc149de56

Download Submit
C:\Users\Admin\AppData\Local\Temp\{El3y-W1F2w-z403-QWPFt}\35273352171.exe

MD5
e7ccfdce0d5c66e3f1d4d89eac63fafa

SHA1
23634375e7b10ca832f7da12569e1390171a41fd

SHA256
4cd381d6f335c3f329c9d0aeff1a0336d1aeddd13e5cccef40315bb7b0616cc1

SHA512
9ddb95a47cd45f4a81e411240c7964411195dcd6e641eae31159b4601ac06084bf9a967acb4e88dd762fa70fdf4856fec135bd8c4bdc91968e47c542033af60f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{El3y-W1F2w-z403-QWPFt}\35273352171.exe

MD5
e7ccfdce0d5c66e3f1d4d89eac63fafa

SHA1
23634375e7b10ca832f7da12569e1390171a41fd

SHA256
4cd381d6f335c3f329c9d0aeff1a0336d1aeddd13e5cccef40315bb7b0616cc1

SHA512
9ddb95a47cd45f4a81e411240c7964411195dcd6e641eae31159b4601ac06084bf9a967acb4e88dd762fa70fdf4856fec135bd8c4bdc91968e47c542033af60f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{El3y-W1F2w-z403-QWPFt}\93229732387.exe

MD5
37428f7016077d4689c4b5cf110803d1

SHA1
99858fc1d99be082351d07f7a5ca0035b3c5b078

SHA256
aa68eec8a7206098f2cf085f1fcf8bc462b0d9847b25a8de3933fc354a618834

SHA512
d21f43bbeff890bf82b49934f2b9cc0e28f8af8bf662314af6e3003763057b09251ab8b1bc31d2ab6de2aaf5503a0ae0bf6b1925c0d00fce7ccfa6e12d783d86

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
7335afd5f210acf1ce86732852c06c89

SHA1
7dd8f4774683c5898584b4c4f6175ded0805c24b

SHA256
0e2bdf6dd3646844b57f6ffc9d5281f97b914e7d936f485cc86d3677257fea1f

SHA512
99b2c93ebdf5d1317d57293cfcdd25d6c1e20a5d8cc927742fd126bd5240458c7ab69dc5d7e86dd9fe16c421006277c885ca9ae45adcc379ad0db9ac32e3c67b

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
7335afd5f210acf1ce86732852c06c89

SHA1
7dd8f4774683c5898584b4c4f6175ded0805c24b

SHA256
0e2bdf6dd3646844b57f6ffc9d5281f97b914e7d936f485cc86d3677257fea1f

SHA512
99b2c93ebdf5d1317d57293cfcdd25d6c1e20a5d8cc927742fd126bd5240458c7ab69dc5d7e86dd9fe16c421006277c885ca9ae45adcc379ad0db9ac32e3c67b

Download Submit
C:\Users\Admin\AppData\Roaming\nailedp\edspolishpp.exe

MD5
b5e7e1fd00e34e49999f5b60286cd7aa

SHA1
3321f734fcf156bca17c7faadc7fe863a44fe849

SHA256
ec3c9e1878a43c6f5d7c0c5fd98ba61ca5e4d4ceae6ce3c7693e4c3a3c8283fe

SHA512
1e01e673aa1fa59a2ce5ddc9148ba15041dee4f00a83021bda32a9a60e27131098f57a69e27b306706e63e2ed0a96fe7d8c765942a3119d718c7afdc0f802e8c

Download Submit
C:\Users\Admin\AppData\Roaming\nailedp\edspolishpp.exe

MD5
b5e7e1fd00e34e49999f5b60286cd7aa

SHA1
3321f734fcf156bca17c7faadc7fe863a44fe849

SHA256
ec3c9e1878a43c6f5d7c0c5fd98ba61ca5e4d4ceae6ce3c7693e4c3a3c8283fe

SHA512
1e01e673aa1fa59a2ce5ddc9148ba15041dee4f00a83021bda32a9a60e27131098f57a69e27b306706e63e2ed0a96fe7d8c765942a3119d718c7afdc0f802e8c

Download Submit
C:\Users\Admin\Documents\http___212.192.241.136_files_file1.exe.exe

MD5
9c8697e583e0071d29bc362cdfba1a21

SHA1
4957e631d8c622ffd64ccb338b0ed2793928f935

SHA256
255a309aa4ac9d53e3de0f3247b3388d6376af9efb19f8256fd8d1db5bfb2448

SHA512
991633afe078ccdc2328df1a24fe6728592941993696a776b508567579bb8ef0c6f2fa007529ab0eebf0af82503e3d05cb5b5c4eb7aaa1a2bfdbcf12be0be3d4

Download Submit
C:\Users\Admin\Documents\http___212.192.241.136_files_file1.exe.exe

MD5
9c8697e583e0071d29bc362cdfba1a21

SHA1
4957e631d8c622ffd64ccb338b0ed2793928f935

SHA256
255a309aa4ac9d53e3de0f3247b3388d6376af9efb19f8256fd8d1db5bfb2448

SHA512
991633afe078ccdc2328df1a24fe6728592941993696a776b508567579bb8ef0c6f2fa007529ab0eebf0af82503e3d05cb5b5c4eb7aaa1a2bfdbcf12be0be3d4

Download Submit
C:\Users\Admin\Documents\http___212.192.241.136_files_file2.exe.exe

MD5
1f7b929d59d32602616ae4a25aee40a0

SHA1
4f8f66213ba8e8c9692f9154ea8162bd861d9260

SHA256
684c418e39d173630d23b16023322988f6e59efaadea29b36331f6dc4817df1c

SHA512
4b0af647030c7544b77f2ba86a9756fdf8c2b9ae26bdb388888afa2e9b18b011ca08de681be81b0b263545b7af6e3d01c60dfe0ff0215d8ed4dbbbb1166b83f4

Download Submit
C:\Users\Admin\Documents\http___212.192.241.136_files_file2.exe.exe

MD5
1f7b929d59d32602616ae4a25aee40a0

SHA1
4f8f66213ba8e8c9692f9154ea8162bd861d9260

SHA256
684c418e39d173630d23b16023322988f6e59efaadea29b36331f6dc4817df1c

SHA512
4b0af647030c7544b77f2ba86a9756fdf8c2b9ae26bdb388888afa2e9b18b011ca08de681be81b0b263545b7af6e3d01c60dfe0ff0215d8ed4dbbbb1166b83f4

Download Submit
C:\Users\Admin\Documents\http___212.192.241.136_files_file3.exe.exe

MD5
51cb4383518e4d2ca519ab6c8874fc4c

SHA1
e8875494406aa10c347edea47fa8e607194023e3

SHA256
3bec59f84c4d86172ce1bfdd8d2f43ab1e679155620852c13f44cfe5cd95a0fd

SHA512
11490c1e5ca5da171204709adf1cb6cd23b4c3cee8f437147b8ebf5d7f07e24bf3e7611359cce68b1270f36ebc8e2bf2f92de38648dcef2ea9d5acddb79f9927

Download Submit
C:\Users\Admin\Documents\http___212.192.241.136_files_file3.exe.exe

MD5
51cb4383518e4d2ca519ab6c8874fc4c

SHA1
e8875494406aa10c347edea47fa8e607194023e3

SHA256
3bec59f84c4d86172ce1bfdd8d2f43ab1e679155620852c13f44cfe5cd95a0fd

SHA512
11490c1e5ca5da171204709adf1cb6cd23b4c3cee8f437147b8ebf5d7f07e24bf3e7611359cce68b1270f36ebc8e2bf2f92de38648dcef2ea9d5acddb79f9927

Download Submit
C:\Users\Admin\Documents\https___leselesp.info_app.exe.exe

MD5
140376ea9ed326c65dd36e062411813c

SHA1
e867d62597776e8d26539a4ac03a25e1b901ae75

SHA256
0011ed51d2cc363d3fcd45bab9d12752e05eebf69ebc2a1063d7d11c7ff8cdd8

SHA512
5e4b746bbb74b3b852884f473a40607048294930faffab44eb7afca5b9f5310be1278b826d7c4efeaac210b3ae4568edfadc53c5509344b3a8323b800b9777ad

Download Submit
C:\Users\Admin\Documents\https___leselesp.info_app.exe.exe

MD5
140376ea9ed326c65dd36e062411813c

SHA1
e867d62597776e8d26539a4ac03a25e1b901ae75

SHA256
0011ed51d2cc363d3fcd45bab9d12752e05eebf69ebc2a1063d7d11c7ff8cdd8

SHA512
5e4b746bbb74b3b852884f473a40607048294930faffab44eb7afca5b9f5310be1278b826d7c4efeaac210b3ae4568edfadc53c5509344b3a8323b800b9777ad

Download Submit
C:\Users\Admin\Documents\https___leselesp.info_app.exe.exe

MD5
140376ea9ed326c65dd36e062411813c

SHA1
e867d62597776e8d26539a4ac03a25e1b901ae75

SHA256
0011ed51d2cc363d3fcd45bab9d12752e05eebf69ebc2a1063d7d11c7ff8cdd8

SHA512
5e4b746bbb74b3b852884f473a40607048294930faffab44eb7afca5b9f5310be1278b826d7c4efeaac210b3ae4568edfadc53c5509344b3a8323b800b9777ad

Download Submit
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\freebl3.dll

MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\mozglue.dll

MD5
eae9273f8cdcf9321c6c37c244773139

SHA1
8378e2a2f3635574c106eea8419b5eb00b8489b0

SHA256
a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

SHA512
06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

Download Submit
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\nss3.dll

MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\softokn3.dll

MD5
4e8df049f3459fa94ab6ad387f3561ac

SHA1
06ed392bc29ad9d5fc05ee254c2625fd65925114

SHA256
25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

SHA512
3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
\Users\Admin\AppData\Local\Temp\HPCQFA~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\HPCQFA~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\HPCQFA~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\HPCQFA~1.DLL

MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\nsd597C.tmp\UAC.dll

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/200-165-0x0000000007410000-0x0000000007411000-memory.dmp

Filesize
4KB

Download
memory/200-129-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/200-133-0x0000000006450000-0x0000000006451000-memory.dmp

Filesize
4KB

Download
memory/200-134-0x0000000005E30000-0x0000000005E31000-memory.dmp

Filesize
4KB

Download
memory/200-123-0x0000000000000000-mapping.dmp

Download
memory/200-138-0x0000000005FE0000-0x0000000005FE1000-memory.dmp

Filesize
4KB

Download
memory/200-166-0x0000000007630000-0x0000000007631000-memory.dmp

Filesize
4KB

Download
memory/200-163-0x0000000007150000-0x0000000007151000-memory.dmp

Filesize
4KB

Download
memory/200-137-0x0000000005D70000-0x0000000005D71000-memory.dmp

Filesize
4KB

Download
memory/200-131-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/200-136-0x0000000005D30000-0x0000000005D31000-memory.dmp

Filesize
4KB

Download
memory/200-164-0x0000000007850000-0x0000000007851000-memory.dmp

Filesize
4KB

Download
memory/200-135-0x0000000003BC0000-0x0000000003BC1000-memory.dmp

Filesize
4KB

Download
memory/648-114-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/648-116-0x000000001B7F0000-0x000000001B7F2000-memory.dmp

Filesize
8KB

Download
memory/912-242-0x0000000000000000-mapping.dmp

Download
memory/1276-161-0x0000000000000000-mapping.dmp

Download
memory/2224-157-0x0000000000000000-mapping.dmp

Download
memory/2524-117-0x0000000000000000-mapping.dmp

Download
memory/2524-154-0x0000000000400000-0x0000000000D26000-memory.dmp

Filesize
9.1MB

Download
memory/2524-152-0x0000000003170000-0x0000000003A7C000-memory.dmp

Filesize
9.0MB

Download
memory/2676-279-0x0000000004BB1000-0x0000000005210000-memory.dmp

Filesize
6.4MB

Download
memory/2676-263-0x0000000000000000-mapping.dmp

Download
memory/2676-280-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2676-269-0x0000000003F90000-0x0000000004555000-memory.dmp

Filesize
5.8MB

Download
memory/2676-270-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/2748-146-0x0000000002570000-0x0000000002589000-memory.dmp

Filesize
100KB

Download
memory/2748-143-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2748-145-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/2748-155-0x0000000002344000-0x0000000002346000-memory.dmp

Filesize
8KB

Download
memory/2748-151-0x0000000002343000-0x0000000002344000-memory.dmp

Filesize
4KB

Download
memory/2748-141-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/2748-142-0x00000000005D0000-0x00000000005FF000-memory.dmp

Filesize
188KB

Download
memory/2748-150-0x0000000002342000-0x0000000002343000-memory.dmp

Filesize
4KB

Download
memory/2748-144-0x0000000002300000-0x000000000231A000-memory.dmp

Filesize
104KB

Download
memory/2748-126-0x0000000000000000-mapping.dmp

Download
memory/2836-172-0x0000000000000000-mapping.dmp

Download
memory/3100-265-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/3100-257-0x0000000000000000-mapping.dmp

Download
memory/3100-264-0x0000000000400000-0x0000000000B14000-memory.dmp

Filesize
7.1MB

Download
memory/3100-262-0x0000000002E10000-0x0000000003517000-memory.dmp

Filesize
7.0MB

Download
memory/3736-177-0x00000000021D0000-0x00000000022B1000-memory.dmp

Filesize
900KB

Download
memory/3736-173-0x0000000000000000-mapping.dmp

Download
memory/3736-178-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/3932-295-0x0000000007530000-0x0000000007531000-memory.dmp

Filesize
4KB

Download
memory/3932-311-0x0000000006FA3000-0x0000000006FA4000-memory.dmp

Filesize
4KB

Download
memory/3932-309-0x0000000009D80000-0x0000000009D81000-memory.dmp

Filesize
4KB

Download
memory/3932-304-0x00000000086B0000-0x00000000086B1000-memory.dmp

Filesize
4KB

Download
memory/3932-302-0x00000000085A0000-0x00000000085A1000-memory.dmp

Filesize
4KB

Download
memory/3932-300-0x00000000081C0000-0x00000000081C1000-memory.dmp

Filesize
4KB

Download
memory/3932-299-0x0000000006FA2000-0x0000000006FA3000-memory.dmp

Filesize
4KB

Download
memory/3932-298-0x0000000007E70000-0x0000000007E71000-memory.dmp

Filesize
4KB

Download
memory/3932-296-0x0000000007D80000-0x0000000007D81000-memory.dmp

Filesize
4KB

Download
memory/3932-292-0x00000000075E0000-0x00000000075E1000-memory.dmp

Filesize
4KB

Download
memory/3932-287-0x0000000000000000-mapping.dmp

Download
memory/3932-290-0x0000000006FA0000-0x0000000006FA1000-memory.dmp

Filesize
4KB

Download
memory/3932-291-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/4000-168-0x00000000021F0000-0x0000000002281000-memory.dmp

Filesize
580KB

Download
memory/4000-169-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/4000-158-0x0000000000000000-mapping.dmp

Download
memory/4056-119-0x0000000000000000-mapping.dmp

Download
memory/4056-140-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4056-139-0x0000000000550000-0x000000000069A000-memory.dmp

Filesize
1.3MB

Download
memory/4172-254-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4172-244-0x0000000000000000-mapping.dmp

Download
memory/4212-183-0x0000000000000000-mapping.dmp

Download
memory/4248-184-0x0000000000000000-mapping.dmp

Download
memory/4280-185-0x0000000000000000-mapping.dmp

Download
memory/4328-193-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/4328-186-0x0000000000000000-mapping.dmp

Download
memory/4328-192-0x0000000002140000-0x000000000220E000-memory.dmp

Filesize
824KB

Download
memory/4384-188-0x0000000000000000-mapping.dmp

Download
memory/4400-260-0x0000000000000000-mapping.dmp

Download
memory/4428-189-0x0000000000000000-mapping.dmp

Download
memory/4440-319-0x0000000000000000-mapping.dmp

Download
memory/4448-312-0x0000000003140000-0x000000000328A000-memory.dmp

Filesize
1.3MB

Download
memory/4448-275-0x0000000000000000-mapping.dmp

Download
memory/4448-278-0x0000000004AC0000-0x0000000005085000-memory.dmp

Filesize
5.8MB

Download
memory/4448-286-0x00000000056D1000-0x0000000005D30000-memory.dmp

Filesize
6.4MB

Download
memory/4448-281-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/4496-190-0x0000000000000000-mapping.dmp

Download
memory/4548-293-0x0000000000000000-mapping.dmp

Download
memory/4552-191-0x0000000000000000-mapping.dmp

Download
memory/4628-212-0x0000000004B74000-0x0000000004B76000-memory.dmp

Filesize
8KB

Download
memory/4628-194-0x0000000000000000-mapping.dmp

Download
memory/4628-209-0x0000000004B72000-0x0000000004B73000-memory.dmp

Filesize
4KB

Download
memory/4628-206-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/4628-211-0x0000000004B73000-0x0000000004B74000-memory.dmp

Filesize
4KB

Download
memory/4628-208-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/4628-207-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4628-199-0x0000000002330000-0x0000000002349000-memory.dmp

Filesize
100KB

Download
memory/4628-197-0x00000000021C0000-0x00000000021DA000-memory.dmp

Filesize
104KB

Download
memory/4696-204-0x0000000000000000-mapping.dmp

Download
memory/4760-210-0x0000000000000000-mapping.dmp

Download
memory/4792-316-0x0000000004480000-0x0000000004481000-memory.dmp

Filesize
4KB

Download
memory/4792-317-0x0000000004482000-0x0000000004483000-memory.dmp

Filesize
4KB

Download
memory/4792-313-0x0000000000000000-mapping.dmp

Download
memory/4792-322-0x0000000004483000-0x0000000004484000-memory.dmp

Filesize
4KB

Download
memory/4812-247-0x00000000005C0000-0x00000000005E6000-memory.dmp

Filesize
152KB

Download
memory/4812-216-0x0000000000000000-mapping.dmp

Download
memory/4812-248-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4832-219-0x0000000000000000-mapping.dmp

Download
memory/4904-222-0x0000000000000000-mapping.dmp

Download
memory/4924-223-0x0000000000000000-mapping.dmp

Download
memory/4972-225-0x0000000000000000-mapping.dmp

Download
memory/4988-226-0x0000000000000000-mapping.dmp

Download
memory/5020-229-0x0000000000000000-mapping.dmp

Download
memory/5024-323-0x0000000000000000-mapping.dmp

Download
memory/5032-321-0x0000000000000000-mapping.dmp

Download
memory/5044-231-0x0000000000000000-mapping.dmp

Download
memory/5092-255-0x0000000001460000-0x000000000150E000-memory.dmp

Filesize
696KB

Download
memory/5092-233-0x0000000000000000-mapping.dmp

Download
memory/5112-235-0x0000000000000000-mapping.dmp

Download