cryptbot | 32ecbb31b795b66ace206da2ca93e22f05a002d070ba5a5965bf89c0c91beb82

Analysis

max time kernel
144s
max time network
145s
platform
windows10_x64
resource
win10v20210408
submitted
09-06-2021 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe
Size

11KB
MD5

be891367a9a7f020097506d3e964bd08
SHA1

4ae27f5a2ec7c7aa26ca725d79397e4645c807c6
SHA256

32ecbb31b795b66ace206da2ca93e22f05a002d070ba5a5965bf89c0c91beb82
SHA512

38e450ea61e2756279fb03e5b72f31fffdfdfc26ad8f3cd920ddab91c2f22ef438b0fa431a2bb424d3182dc231a42ddbcfd5d4d60a81d1333c705e8b16d6cb4f

Score

10^/10

cryptbot danabot fickerstealer glupteba metasploit redline 3 backdoor banker discovery dropper infostealer loader spyware stealer trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

fickerstealer

bukkva.site:80

Extracted

Family

cryptbot

olmqmc32.top

morovz03.top

Attributes

payload_url
http://vamzcd04.top/download.php?file=lv.exe

Extracted

Family

danabot

Version

1827

Botnet

184.95.51.183:443

184.95.51.175:443

192.210.198.12:443

184.95.51.180:443

Attributes

embedded_hash
AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2068-216-0x00000000021F0000-0x00000000022D1000-memory.dmp	family_cryptbot
behavioral2/memory/2068-217-0x0000000000400000-0x00000000004E5000-memory.dmp	family_cryptbot

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2064-195-0x0000000003010000-0x000000000391C000-memory.dmp	family_glupteba
behavioral2/memory/2064-196-0x0000000000400000-0x0000000000D26000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 3764 created 2064 3764 svchost.exe L42ZWZAZMW810VRSF8RRCP5A.exe
fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer
Blocklisted process makes network request 5 IoCs

Processes:

RUNDLL32.EXEWScript.exe

flow pid process

75 1276 RUNDLL32.EXE
76 2548 WScript.exe
78 2548 WScript.exe
80 2548 WScript.exe
82 2548 WScript.exe
Downloads MZ/PE file

description	pid	process	target process
PID 3764 created 2064	3764	svchost.exe	L42ZWZAZMW810VRSF8RRCP5A.exe

flow	pid	process
75	1276	RUNDLL32.EXE
76	2548	WScript.exe
78	2548	WScript.exe
80	2548	WScript.exe
82	2548	WScript.exe

Executes dropped EXE 16 IoCs

Processes:

L42ZWZAZMW810VRSF8RRCP5A.exeX60RMQ5Z609ALMH81NSQ6KPL.exeL42ZWZAZMW810VRSF8RRCP5A.exe50943488247.exe50943488247.exe1623252315290.exe26560116619.exe44102622419.exeedspolishpp.exeEErbpN.exevpn.exe4.exeGabbie.exe.comGabbie.exe.comSmartClock.exerbqispq.exe

pid	process
2064	L42ZWZAZMW810VRSF8RRCP5A.exe
3792	X60RMQ5Z609ALMH81NSQ6KPL.exe
3316	L42ZWZAZMW810VRSF8RRCP5A.exe
2272	50943488247.exe
612	50943488247.exe
1296	1623252315290.exe
2068	26560116619.exe
3196	44102622419.exe
3684	edspolishpp.exe
2948	EErbpN.exe
840	vpn.exe
3184	4.exe
200	Gabbie.exe.com
2000	Gabbie.exe.com
3316	SmartClock.exe
1720	rbqispq.exe

Drops startup file 1 IoCs

Processes:

4.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4.exe
Loads dropped DLL 4 IoCs

Processes:

EErbpN.exerundll32.exeRUNDLL32.EXE

pid process

2948 EErbpN.exe
3868 rundll32.exe
1276 RUNDLL32.EXE
1276 RUNDLL32.EXE
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

62 ip-api.com
27 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

50943488247.exe

description pid process target process

PID 2272 set thread context of 612 2272 50943488247.exe 50943488247.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4.exe

pid	process
2948	EErbpN.exe
3868	rundll32.exe
1276	RUNDLL32.EXE
1276	RUNDLL32.EXE

flow	ioc
62	ip-api.com
27	api.ipify.org

description	pid	process	target process
PID 2272 set thread context of 612	2272	50943488247.exe	50943488247.exe

Drops file in Program Files directory 3 IoCs

Processes:

EErbpN.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	EErbpN.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	EErbpN.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	EErbpN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXE50943488247.exe26560116619.exeGabbie.exe.com44102622419.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	50943488247.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	26560116619.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Gabbie.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Gabbie.exe.com
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	50943488247.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	26560116619.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	44102622419.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	44102622419.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1656 timeout.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2208 taskkill.exe
508 taskkill.exe

pid	process
1656	timeout.exe

pid	process
2208	taskkill.exe
508	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

L42ZWZAZMW810VRSF8RRCP5A.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	L42ZWZAZMW810VRSF8RRCP5A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	L42ZWZAZMW810VRSF8RRCP5A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	L42ZWZAZMW810VRSF8RRCP5A.exe

Modifies registry class 1 IoCs

Processes:

Gabbie.exe.com

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings Gabbie.exe.com
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1960 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

3316 SmartClock.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	Gabbie.exe.com

pid	process
1960	PING.EXE

pid	process
3316	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

powershell.exeL42ZWZAZMW810VRSF8RRCP5A.exe50943488247.exeedspolishpp.exepowershell.exeRUNDLL32.EXEpowershell.exe

pid	process
2956	powershell.exe
2956	powershell.exe
2956	powershell.exe
2064	L42ZWZAZMW810VRSF8RRCP5A.exe
2064	L42ZWZAZMW810VRSF8RRCP5A.exe
612	50943488247.exe
612	50943488247.exe
3684	edspolishpp.exe
3684	edspolishpp.exe
1484	powershell.exe
1484	powershell.exe
1484	powershell.exe
1276	RUNDLL32.EXE
1276	RUNDLL32.EXE
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powershell.exe4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exeL42ZWZAZMW810VRSF8RRCP5A.exesvchost.exetaskkill.exetaskkill.exeedspolishpp.exerundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	740	4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe
Token: SeDebugPrivilege	2064	L42ZWZAZMW810VRSF8RRCP5A.exe
Token: SeImpersonatePrivilege	2064	L42ZWZAZMW810VRSF8RRCP5A.exe
Token: SeTcbPrivilege	3764	svchost.exe
Token: SeTcbPrivilege	3764	svchost.exe
Token: SeDebugPrivilege	2208	taskkill.exe
Token: SeDebugPrivilege	508	taskkill.exe
Token: SeDebugPrivilege	3684	edspolishpp.exe
Token: SeDebugPrivilege	3868	rundll32.exe
Token: SeDebugPrivilege	1276	RUNDLL32.EXE
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

26560116619.exevpn.exeRUNDLL32.EXE

pid process

2068 26560116619.exe
2068 26560116619.exe
840 vpn.exe
1276 RUNDLL32.EXE

pid	process
2068	26560116619.exe
2068	26560116619.exe
840	vpn.exe
1276	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.execmd.execmd.execmd.exeX60RMQ5Z609ALMH81NSQ6KPL.exesvchost.execmd.exe50943488247.exe50943488247.execmd.execmd.execmd.exe44102622419.exe

description	pid	process	target process
PID 740 wrote to memory of 3756	740	4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe	cmd.exe
PID 740 wrote to memory of 3756	740	4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe	cmd.exe
PID 740 wrote to memory of 3756	740	4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe	cmd.exe
PID 3756 wrote to memory of 2956	3756	cmd.exe	powershell.exe
PID 3756 wrote to memory of 2956	3756	cmd.exe	powershell.exe
PID 3756 wrote to memory of 2956	3756	cmd.exe	powershell.exe
PID 740 wrote to memory of 1420	740	4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe	cmd.exe
PID 740 wrote to memory of 1420	740	4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe	cmd.exe
PID 740 wrote to memory of 1420	740	4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe	cmd.exe
PID 1420 wrote to memory of 2064	1420	cmd.exe	L42ZWZAZMW810VRSF8RRCP5A.exe
PID 1420 wrote to memory of 2064	1420	cmd.exe	L42ZWZAZMW810VRSF8RRCP5A.exe
PID 1420 wrote to memory of 2064	1420	cmd.exe	L42ZWZAZMW810VRSF8RRCP5A.exe
PID 740 wrote to memory of 1284	740	4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe	cmd.exe
PID 740 wrote to memory of 1284	740	4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe	cmd.exe
PID 740 wrote to memory of 1284	740	4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe	cmd.exe
PID 1284 wrote to memory of 3792	1284	cmd.exe	X60RMQ5Z609ALMH81NSQ6KPL.exe
PID 1284 wrote to memory of 3792	1284	cmd.exe	X60RMQ5Z609ALMH81NSQ6KPL.exe
PID 1284 wrote to memory of 3792	1284	cmd.exe	X60RMQ5Z609ALMH81NSQ6KPL.exe
PID 3792 wrote to memory of 2428	3792	X60RMQ5Z609ALMH81NSQ6KPL.exe	cmd.exe
PID 3792 wrote to memory of 2428	3792	X60RMQ5Z609ALMH81NSQ6KPL.exe	cmd.exe
PID 3792 wrote to memory of 2428	3792	X60RMQ5Z609ALMH81NSQ6KPL.exe	cmd.exe
PID 3764 wrote to memory of 3316	3764	svchost.exe	L42ZWZAZMW810VRSF8RRCP5A.exe
PID 3764 wrote to memory of 3316	3764	svchost.exe	L42ZWZAZMW810VRSF8RRCP5A.exe
PID 3764 wrote to memory of 3316	3764	svchost.exe	L42ZWZAZMW810VRSF8RRCP5A.exe
PID 2428 wrote to memory of 2272	2428	cmd.exe	50943488247.exe
PID 2428 wrote to memory of 2272	2428	cmd.exe	50943488247.exe
PID 2428 wrote to memory of 2272	2428	cmd.exe	50943488247.exe
PID 2272 wrote to memory of 612	2272	50943488247.exe	50943488247.exe
PID 2272 wrote to memory of 612	2272	50943488247.exe	50943488247.exe
PID 2272 wrote to memory of 612	2272	50943488247.exe	50943488247.exe
PID 2272 wrote to memory of 612	2272	50943488247.exe	50943488247.exe
PID 2272 wrote to memory of 612	2272	50943488247.exe	50943488247.exe
PID 2272 wrote to memory of 612	2272	50943488247.exe	50943488247.exe
PID 2272 wrote to memory of 612	2272	50943488247.exe	50943488247.exe
PID 2272 wrote to memory of 612	2272	50943488247.exe	50943488247.exe
PID 2272 wrote to memory of 612	2272	50943488247.exe	50943488247.exe
PID 2272 wrote to memory of 612	2272	50943488247.exe	50943488247.exe
PID 2272 wrote to memory of 612	2272	50943488247.exe	50943488247.exe
PID 2272 wrote to memory of 612	2272	50943488247.exe	50943488247.exe
PID 2272 wrote to memory of 612	2272	50943488247.exe	50943488247.exe
PID 612 wrote to memory of 1296	612	50943488247.exe	1623252315290.exe
PID 612 wrote to memory of 1296	612	50943488247.exe	1623252315290.exe
PID 612 wrote to memory of 1296	612	50943488247.exe	1623252315290.exe
PID 3792 wrote to memory of 2124	3792	X60RMQ5Z609ALMH81NSQ6KPL.exe	cmd.exe
PID 3792 wrote to memory of 2124	3792	X60RMQ5Z609ALMH81NSQ6KPL.exe	cmd.exe
PID 3792 wrote to memory of 2124	3792	X60RMQ5Z609ALMH81NSQ6KPL.exe	cmd.exe
PID 2124 wrote to memory of 2068	2124	cmd.exe	26560116619.exe
PID 2124 wrote to memory of 2068	2124	cmd.exe	26560116619.exe
PID 2124 wrote to memory of 2068	2124	cmd.exe	26560116619.exe
PID 3792 wrote to memory of 3684	3792	X60RMQ5Z609ALMH81NSQ6KPL.exe	cmd.exe
PID 3792 wrote to memory of 3684	3792	X60RMQ5Z609ALMH81NSQ6KPL.exe	cmd.exe
PID 3792 wrote to memory of 3684	3792	X60RMQ5Z609ALMH81NSQ6KPL.exe	cmd.exe
PID 3684 wrote to memory of 3196	3684	cmd.exe	44102622419.exe
PID 3684 wrote to memory of 3196	3684	cmd.exe	44102622419.exe
PID 3684 wrote to memory of 3196	3684	cmd.exe	44102622419.exe
PID 3792 wrote to memory of 200	3792	X60RMQ5Z609ALMH81NSQ6KPL.exe	cmd.exe
PID 3792 wrote to memory of 200	3792	X60RMQ5Z609ALMH81NSQ6KPL.exe	cmd.exe
PID 3792 wrote to memory of 200	3792	X60RMQ5Z609ALMH81NSQ6KPL.exe	cmd.exe
PID 200 wrote to memory of 2208	200	cmd.exe	taskkill.exe
PID 200 wrote to memory of 2208	200	cmd.exe	taskkill.exe
PID 200 wrote to memory of 2208	200	cmd.exe	taskkill.exe
PID 3196 wrote to memory of 3684	3196	44102622419.exe	edspolishpp.exe
PID 3196 wrote to memory of 3684	3196	44102622419.exe	edspolishpp.exe
PID 3196 wrote to memory of 3684	3196	44102622419.exe	edspolishpp.exe

C:\Users\Admin\AppData\Local\Temp\4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe
"C:\Users\Admin\AppData\Local\Temp\4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C powershell Add-MpPreference -ExclusionExtension .exe -Force
2⤵
- Suspicious use of WriteProcessMemory
PID:3756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionExtension .exe -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Roaming\L42ZWZAZMW810VRSF8RRCP5A.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1420

C:\Users\Admin\AppData\Roaming\L42ZWZAZMW810VRSF8RRCP5A.exe
"C:\Users\Admin\AppData\Roaming\L42ZWZAZMW810VRSF8RRCP5A.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Users\Admin\AppData\Roaming\L42ZWZAZMW810VRSF8RRCP5A.exe
"C:\Users\Admin\AppData\Roaming\L42ZWZAZMW810VRSF8RRCP5A.exe"
4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3316

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Roaming\X60RMQ5Z609ALMH81NSQ6KPL.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Roaming\X60RMQ5Z609ALMH81NSQ6KPL.exe
"C:\Users\Admin\AppData\Roaming\X60RMQ5Z609ALMH81NSQ6KPL.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{GndP-iLjSX-U7Fx-joJQV}\50943488247.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2428

C:\Users\Admin\AppData\Local\Temp\{GndP-iLjSX-U7Fx-joJQV}\50943488247.exe
"C:\Users\Admin\AppData\Local\Temp\{GndP-iLjSX-U7Fx-joJQV}\50943488247.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2272

C:\Users\Admin\AppData\Local\Temp\{GndP-iLjSX-U7Fx-joJQV}\50943488247.exe
"C:\Users\Admin\AppData\Local\Temp\{GndP-iLjSX-U7Fx-joJQV}\50943488247.exe"
6⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:612

C:\Users\Admin\AppData\Local\Temp\1623252315290.exe
"C:\Users\Admin\AppData\Local\Temp\1623252315290.exe"
7⤵
- Executes dropped EXE
PID:1296

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{GndP-iLjSX-U7Fx-joJQV}\26560116619.exe" /mix
4⤵
- Suspicious use of WriteProcessMemory
PID:2124

C:\Users\Admin\AppData\Local\Temp\{GndP-iLjSX-U7Fx-joJQV}\26560116619.exe
"C:\Users\Admin\AppData\Local\Temp\{GndP-iLjSX-U7Fx-joJQV}\26560116619.exe" /mix
5⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:2068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EErbpN.exe"
6⤵
PID:2428

C:\Users\Admin\AppData\Local\Temp\EErbpN.exe
"C:\Users\Admin\AppData\Local\Temp\EErbpN.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2948

C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
8⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:840

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Gote.aiff
9⤵
PID:424

C:\Windows\SysWOW64\cmd.exe
cmd
10⤵
PID:3180

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^LjaIWKsNCnNrcrIGrRSgkvhmTVtiUhayrefgTaEfPZCszvASPFwjlwZgZTOwGpSgyIZzOzMKjDnkUVybxkagkuUerqfqE$" Diritto.aiff
11⤵
PID:740

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Gabbie.exe.com
Gabbie.exe.com c
11⤵
- Executes dropped EXE
PID:200

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Gabbie.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Gabbie.exe.com c
12⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
PID:2000

C:\Users\Admin\AppData\Local\Temp\rbqispq.exe
"C:\Users\Admin\AppData\Local\Temp\rbqispq.exe"
13⤵
- Executes dropped EXE
PID:1720

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\RBQISP~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\rbqispq.exe
14⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3868

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\RBQISP~1.DLL,lmMzfI0=
15⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1276

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp704A.tmp.ps1"
16⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp7FDC.tmp.ps1"
16⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
17⤵
PID:1232

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
16⤵
PID:580

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
16⤵
PID:200

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tdfhvsrrfvqh.vbs"
13⤵
PID:1256

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\gtygfpjuau.vbs"
13⤵
- Blocklisted process makes network request
PID:2548

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
11⤵
- Runs ping.exe
PID:1960

C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
8⤵
- Executes dropped EXE
- Drops startup file
PID:3184

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
9⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:3316

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\sQGhORjDmd & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\{GndP-iLjSX-U7Fx-joJQV}\26560116619.exe"
6⤵
PID:2024

C:\Windows\SysWOW64\timeout.exe
timeout 3
7⤵
- Delays execution with timeout.exe
PID:1656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{GndP-iLjSX-U7Fx-joJQV}\44102622419.exe" /mix
4⤵
- Suspicious use of WriteProcessMemory
PID:3684

C:\Users\Admin\AppData\Local\Temp\{GndP-iLjSX-U7Fx-joJQV}\44102622419.exe
"C:\Users\Admin\AppData\Local\Temp\{GndP-iLjSX-U7Fx-joJQV}\44102622419.exe" /mix
5⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3196

C:\Users\Admin\AppData\Roaming\nailedp\edspolishpp.exe
edspolishpp.exe
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "X60RMQ5Z609ALMH81NSQ6KPL.exe" /f & erase "C:\Users\Admin\AppData\Roaming\X60RMQ5Z609ALMH81NSQ6KPL.exe" & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:200

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "X60RMQ5Z609ALMH81NSQ6KPL.exe" /f
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe" & exit
2⤵
PID:384

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "4ae27f5a2ec7c7aa26ca725d79397e4645c807c6.exe" /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:508

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2161911dcce4cea1081c5ef5dd38ef94

SHA1
903671413c10139ad2616afc748151a707dfb0ad

SHA256
c0a247e965e60a9862df7b91b1314abe6b1ffaaf81a91decab19dc12b720e67b

SHA512
acb4a4259c812c01894f06d626f302dd866e08d958daa64caf2ef874595a0ce80ae489d843aed82029baf0facfe5ea5909640fbf114b16c63dbdb6c314520e54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
33865769b51516bff734508762e3845e

SHA1
ae073d00ec1af5d897cf81cef2083aceb4b30532

SHA256
2baed6036698332aa673e789c07d2fa7104612d06ca8c13849b1cdf878485e10

SHA512
c43e029dccdb1a0e7f38f55c9be5112ea1f754ad818741f216379af6fbfb71371752abe0c9c1cb335c91f2f2aa9d58a1d91765c89edbee8d6a475cde4acc16b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1623252315290.exe
MD5
f7c9a13397d677f20e17ff8cd4a35dc9

SHA1
7013289b0d2f199d42f13e6e1ab906e374cbbcb3

SHA256
bc6d816a5d52d3eb92ad229c882b4554d11e359e53b6fd371ab32777f1f3a0e2

SHA512
cbd11fc4ff2f4522d763054d9a239574bc1db0753290ccdefcd42b3958ed7c9362cb0ed7d730a2ae65d65c0a9382864eeeebd8d7ebb72f9d0c2a3d9befcc0ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1623252315290.exe
MD5
f7c9a13397d677f20e17ff8cd4a35dc9

SHA1
7013289b0d2f199d42f13e6e1ab906e374cbbcb3

SHA256
bc6d816a5d52d3eb92ad229c882b4554d11e359e53b6fd371ab32777f1f3a0e2

SHA512
cbd11fc4ff2f4522d763054d9a239574bc1db0753290ccdefcd42b3958ed7c9362cb0ed7d730a2ae65d65c0a9382864eeeebd8d7ebb72f9d0c2a3d9befcc0ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Dal.aiff
MD5
31dedc55170d4ed52eb76be3a9638985

SHA1
513dac3929f455ed419517b1c2c4d47f7eac31ac

SHA256
97f4344e07d26691dffaf8f46a00a05b72227b36efaa8ceb5c2c443fd1922bae

SHA512
82744a91d4ad070c30dd173cd5ec3e6c71f45b6e7df283fa3ffeaf8f2f8313c3c6bb2a576c730a80c2b740fce823139760249151cee7664a4e971b011768916d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Diritto.aiff
MD5
e9c5421045344ad1ddc7e258ad6c2de3

SHA1
b5e34b9c6bbddc1b1d0f77c8e328896ad6e00099

SHA256
c49fa942faccaf5b0421615b8ed9a6a2dec6224842d01344f3fc56617d170fd4

SHA512
a23eac6f1bc5c973d66d3872b057833bdc6af258cfe5e59a8bf87ea93f5cf19e50e1cba8152490c66166827bf50d7403f642b6f04553e845c610cdb56047e703

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Dov.aiff
MD5
a75e61ee5ef9237ebfa7a39a46d92a7c

SHA1
697bfa9b2d843b464afd18ce8622095c1f26db60

SHA256
a0cc11634073dd89a19ce08c720f2ae583c7ba1f951869e0cd6bc5dcb1ab2058

SHA512
1224fd94be43bedf8d89b1a95b789ac41272eb4006b5b1f57d5879dcc666ffb54a204969256a44ae43dac56bd32a8c50e51f9fc1cc7778447ede7adbc2604b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Gabbie.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Gabbie.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Gabbie.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Gote.aiff
MD5
93b381d92ae8bb0723bf1ba3dd3acf47

SHA1
ebad215f84bf321e5d9dbae1ae7ac1b93d0f130d

SHA256
2318dabdad1ad9bfb9f5261b89016d3db0758c58187e7a52fda9e007a93ca783

SHA512
5bf53e505dc3d23335b7717516f2e5326ff3a7d8d8f3bc2840b412ffd7536b319db7a496f55e239b0721eafe4ddcd3e5abc9d1ff35445f6e0064f2c8c54927b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\c
MD5
a75e61ee5ef9237ebfa7a39a46d92a7c

SHA1
697bfa9b2d843b464afd18ce8622095c1f26db60

SHA256
a0cc11634073dd89a19ce08c720f2ae583c7ba1f951869e0cd6bc5dcb1ab2058

SHA512
1224fd94be43bedf8d89b1a95b789ac41272eb4006b5b1f57d5879dcc666ffb54a204969256a44ae43dac56bd32a8c50e51f9fc1cc7778447ede7adbc2604b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\EErbpN.exe
MD5
4f8b192c791bf3cb38ff05af7761e503

SHA1
f8be899d4d3d678cdc96cb4a0dce4da2907e8082

SHA256
3dad22fd73ed8cd57325be22cc0a79058306e20afbd1318b49f591784294b700

SHA512
b3e92712d166305fd04b59327aa4925aa8aac9404c1ffefd9890702141c8cb745417bc7ff90d9f5e67a03caa35c70d5415cd5c522545ab60d516d4acc5875b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EErbpN.exe
MD5
4f8b192c791bf3cb38ff05af7761e503

SHA1
f8be899d4d3d678cdc96cb4a0dce4da2907e8082

SHA256
3dad22fd73ed8cd57325be22cc0a79058306e20afbd1318b49f591784294b700

SHA512
b3e92712d166305fd04b59327aa4925aa8aac9404c1ffefd9890702141c8cb745417bc7ff90d9f5e67a03caa35c70d5415cd5c522545ab60d516d4acc5875b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
7ef8ad5de4fa46c24883d3175c874cd2

SHA1
e5720aa9a513cbe447f8a523d2779953ae4c13c3

SHA256
35d3210a87ba84d84c9c67504beec21e75a0f39ff14086490bdaa0d747fc9169

SHA512
d9cad29d7472fc8000de707be76ca475a4367e9fdb116104ed1ed7d085d9974122f5bf40fa0608f076a6051ca218fa639c316c1340dd6e12feade4bdf69577f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
7ef8ad5de4fa46c24883d3175c874cd2

SHA1
e5720aa9a513cbe447f8a523d2779953ae4c13c3

SHA256
35d3210a87ba84d84c9c67504beec21e75a0f39ff14086490bdaa0d747fc9169

SHA512
d9cad29d7472fc8000de707be76ca475a4367e9fdb116104ed1ed7d085d9974122f5bf40fa0608f076a6051ca218fa639c316c1340dd6e12feade4bdf69577f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
MD5
bec2296d7ddebe58a5726011a1e9dc87

SHA1
e3bafc52d8d426f43fc642beb4d82cdec0a8a9c3

SHA256
6355a148b4e7875887a72b883f7219f0dc9b5c7691eea40a89cb71c2c7215b64

SHA512
1e196048d014ba97931b815a141d76b43f54feb05482885251adf02da324bd9d841b981752c97e782a0c812941aec3063bd99afadd0a931b2958192b8e94fbe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
MD5
bec2296d7ddebe58a5726011a1e9dc87

SHA1
e3bafc52d8d426f43fc642beb4d82cdec0a8a9c3

SHA256
6355a148b4e7875887a72b883f7219f0dc9b5c7691eea40a89cb71c2c7215b64

SHA512
1e196048d014ba97931b815a141d76b43f54feb05482885251adf02da324bd9d841b981752c97e782a0c812941aec3063bd99afadd0a931b2958192b8e94fbe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBQISP~1.DLL
MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
C:\Users\Admin\AppData\Local\Temp\gtygfpjuau.vbs
MD5
fea5f0d6f626d4aaa48355d4384df776

SHA1
176314dd40b9c0baf034a536d0d046f31039468c

SHA256
de29e5bc2c7141b3f8ef468a38184b9480484e5c53f62157b9959364cc0afc35

SHA512
411d69b2ccc6c0d7f67c5afbe30dc518496ca333df9e75282a00a2e3f0ec064215133565c33f8239331b5bc987526144dd9a8f5174392bb0d0320580b85d447b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rbqispq.exe
MD5
61b31c8267fdb149ea1505a897a5d576

SHA1
f6d5c36acddf7788e19dbe50a0e13f2fe044895f

SHA256
5d29ea4a89d94d578daf235375de6bec0f2906fdbdefdfba6c223ccc52026b1c

SHA512
e442041b2b50651b9f66ac4137267f388c905479277c59d6afc888d65ec8ba4f53fb5b89f4c1696a80422458559609249bd794dbe185117e793c3ae075efe76f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rbqispq.exe
MD5
61b31c8267fdb149ea1505a897a5d576

SHA1
f6d5c36acddf7788e19dbe50a0e13f2fe044895f

SHA256
5d29ea4a89d94d578daf235375de6bec0f2906fdbdefdfba6c223ccc52026b1c

SHA512
e442041b2b50651b9f66ac4137267f388c905479277c59d6afc888d65ec8ba4f53fb5b89f4c1696a80422458559609249bd794dbe185117e793c3ae075efe76f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQGhORjDmd\VQWBMG~1.ZIP
MD5
de0cd1f7659a28cd24259f19d0af254d

SHA1
d4c9e5052a8f608d69b4a514a253eada28b271f5

SHA256
91227b7f503b8a1db7c3431577ce69e076b35eb3a8b2b93fc0560210a19e9239

SHA512
4012657d89905ac30b48f5565596f78ed67ae7203c79c571bcbe82d34d007d86ac89d1f89c2c156a964b2e22872d33cab6cf43ea5827c1b65e7e6359bac2e103

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQGhORjDmd\VUGLLV~1.ZIP
MD5
39adba9cb26f60767762bffd5b345996

SHA1
39b7d8ea242db215facfea2ddab7e65dada1c376

SHA256
42730a244929f578ba677c94cd568357487ea377a794edf9faaa8701220b17c2

SHA512
45342a859267256cbe57b0b5ad2f0bdc2dde13dd150d3785a23e6ddef498de5210864a7ea1847d9137562a7a25acc485f6663f8da908181f5070770abe6b6159

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQGhORjDmd\_Files\_Files\SELECT~1.TXT
MD5
d69cf9a1c59f964c570bcd1094191127

SHA1
d6ec3b0f1a748667321d5d48d8f794192265bf3b

SHA256
a4ead87004082485fe1574f68dec612a7a432e2fffaffaf668b80ba1b7f47e6a

SHA512
65560a1b9c07dda77c90c49967b4a5e2d239bdb5c85c00d5c2094de0edb8a514ead0710f7955778c640269dc5c029d5a92ed90a9aae185f523ec39b50e581d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQGhORjDmd\_Files\_INFOR~1.TXT
MD5
b6bb7e00c2cb2a99e576fe0b5c3801cf

SHA1
6379f0ad79ff857f071de872ab2bf4d2df981b4d

SHA256
4d39ea8b7d3234b83686f37f757b3607ee839841efd6bdce72a2fc9615b44e08

SHA512
a459c14d94a5528ba49f0af25277decdcbca34bf886bea871850af5f40408f9083aa0de60eace638aca7ceb7ae8d40118b3c2456a19019d88ab2f7612678607d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQGhORjDmd\_Files\_SCREE~1.JPE
MD5
d9845c5ef98aa0fcc82caa611cf60914

SHA1
2e0f830aa558a690f37882d4b2e923256ac949ab

SHA256
cde8af36c3805c5bbbd51926527fb3d63aa250ca3bcf9571d11c135e20883a13

SHA512
ceb30a0ea9aba41170157ea737becc6c7730c598398b9afaf9116437e0da4608651156893626476c49f4732d81bf38e6af2df45dc1666b28e6af1d22e8bfadb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQGhORjDmd\files_\SCREEN~1.JPG
MD5
d9845c5ef98aa0fcc82caa611cf60914

SHA1
2e0f830aa558a690f37882d4b2e923256ac949ab

SHA256
cde8af36c3805c5bbbd51926527fb3d63aa250ca3bcf9571d11c135e20883a13

SHA512
ceb30a0ea9aba41170157ea737becc6c7730c598398b9afaf9116437e0da4608651156893626476c49f4732d81bf38e6af2df45dc1666b28e6af1d22e8bfadb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQGhORjDmd\files_\SYSTEM~1.TXT
MD5
86352ece7f91e806244de74a905ade32

SHA1
005c36f1fe9d2b86941b0aafa5021bf2a66fbf22

SHA256
304e497ee8b3c8a52d84ea9a85a8addda5af52b3521258204a52a2d353f1ecd8

SHA512
41d45e2a98795cc1a8504d5476f99612184afec3e3c5bef9aa8c96ceb40dc4dd90136331c2f9e340b757b37bf9c3b4d6b2b607eae51ae4fd111348e1ba415c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQGhORjDmd\files_\files\SELECT~1.TXT
MD5
d69cf9a1c59f964c570bcd1094191127

SHA1
d6ec3b0f1a748667321d5d48d8f794192265bf3b

SHA256
a4ead87004082485fe1574f68dec612a7a432e2fffaffaf668b80ba1b7f47e6a

SHA512
65560a1b9c07dda77c90c49967b4a5e2d239bdb5c85c00d5c2094de0edb8a514ead0710f7955778c640269dc5c029d5a92ed90a9aae185f523ec39b50e581d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tdfhvsrrfvqh.vbs
MD5
e542372ba26b93f09a2b7a45aa7064ad

SHA1
f9ad830aa4b9a8d8a6ce62cae432b7f57ea7cb09

SHA256
7ba3a9751e0a5b2e8d7e895f8206d5fafe3b41f5c057f00279024e58663a9a58

SHA512
982234f2310bdcc3bef2b348736d446be071edb329814b770c87e911d9b7912a3cf01a757ea650dad56d67bf8c800ad8aae20c2146a734fef7281e78dc82a0ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp704A.tmp.ps1
MD5
75c25655208b037d512c5968197a6f4e

SHA1
c33816069a5b850505049d5323e7728016fe53ae

SHA256
f41999b8f5f9f47216c5c55bd395d622c7edbb748fff838b4db2abb2f91fc861

SHA512
779b3b5f4294e57172f9a3a3f3889d44830e3db29d799bc8bbc533c2731bdb7b5503795f97ce219e6e23d22275cd9fe30d50e28080af28a99cdcc1019e110bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp704B.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7FDC.tmp.ps1
MD5
78630cfbb8dcc49d826612115734261f

SHA1
243a89a6fc49582baa8cc05ee4afd4d5b6930637

SHA256
2aec2ab405e8321a8c29004a3b97e7ddb0de433e0d33ed9bbbbaeba813f8512a

SHA512
736586ff32f5cb6112c3780c2887fd74247168101d229355634014145a93391b554d9bf89572f6f0e3c5f3c55579c6ad4ba89a8ac83dfbe95512b1fb176a4535

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7FDD.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{GndP-iLjSX-U7Fx-joJQV}\26560116619.exe
MD5
9f70f3c99573438e3a904a056f09798f

SHA1
47bcdc19b767d13515af816b08d95fdac24e8521

SHA256
88483e5e82b2362be92c707450c3205427359e6c18bf7ae4d723282451af18d5

SHA512
5ea56ee3e682b801a488a0cfd2dfd883e7480dffef75dfe2629a0e2c8aa53cb23bf525d909a76ace292ba7d36f407ee261656de29bc090f74c36f7018c69aeb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{GndP-iLjSX-U7Fx-joJQV}\26560116619.exe
MD5
9f70f3c99573438e3a904a056f09798f

SHA1
47bcdc19b767d13515af816b08d95fdac24e8521

SHA256
88483e5e82b2362be92c707450c3205427359e6c18bf7ae4d723282451af18d5

SHA512
5ea56ee3e682b801a488a0cfd2dfd883e7480dffef75dfe2629a0e2c8aa53cb23bf525d909a76ace292ba7d36f407ee261656de29bc090f74c36f7018c69aeb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{GndP-iLjSX-U7Fx-joJQV}\44102622419.exe
MD5
37428f7016077d4689c4b5cf110803d1

SHA1
99858fc1d99be082351d07f7a5ca0035b3c5b078

SHA256
aa68eec8a7206098f2cf085f1fcf8bc462b0d9847b25a8de3933fc354a618834

SHA512
d21f43bbeff890bf82b49934f2b9cc0e28f8af8bf662314af6e3003763057b09251ab8b1bc31d2ab6de2aaf5503a0ae0bf6b1925c0d00fce7ccfa6e12d783d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\{GndP-iLjSX-U7Fx-joJQV}\50943488247.exe
MD5
90ae0e1aaabae3c8e40584611ed7fcab

SHA1
88a7ebdfef08c2d7728ec98e73478016570dc3bd

SHA256
d4264162a3de133ae8202bf1bd3eba3fd6e514c56aa4d286da200f52433dff4e

SHA512
5dd5043fdf145d53b143a3a2be374768f232897477b066bafd0af9a15d17329a88cd92734e07039defd7bfbd38b19366bea1c27886668b2a4469c618e0a54f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\{GndP-iLjSX-U7Fx-joJQV}\50943488247.exe
MD5
90ae0e1aaabae3c8e40584611ed7fcab

SHA1
88a7ebdfef08c2d7728ec98e73478016570dc3bd

SHA256
d4264162a3de133ae8202bf1bd3eba3fd6e514c56aa4d286da200f52433dff4e

SHA512
5dd5043fdf145d53b143a3a2be374768f232897477b066bafd0af9a15d17329a88cd92734e07039defd7bfbd38b19366bea1c27886668b2a4469c618e0a54f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\{GndP-iLjSX-U7Fx-joJQV}\50943488247.exe
MD5
90ae0e1aaabae3c8e40584611ed7fcab

SHA1
88a7ebdfef08c2d7728ec98e73478016570dc3bd

SHA256
d4264162a3de133ae8202bf1bd3eba3fd6e514c56aa4d286da200f52433dff4e

SHA512
5dd5043fdf145d53b143a3a2be374768f232897477b066bafd0af9a15d17329a88cd92734e07039defd7bfbd38b19366bea1c27886668b2a4469c618e0a54f29

Download Submit
C:\Users\Admin\AppData\Roaming\L42ZWZAZMW810VRSF8RRCP5A.exe
MD5
a26406d7beb522db60ac21ec0a158dd2

SHA1
575b8d300bf7b3df2e6962e73597fc3d82c2aa65

SHA256
56d24713cac1089743fd25e9862a05f9388bcd0379bde63345d8447df2e8f93c

SHA512
72bfe8eb26a441c31cc672b6e0df3c9fe4a61ef6ce7b44e57bbe86726dc6c39f984a40d1698f761c6f1e438c3c48ac90cf3a77b289d5e9d255134b2738333d11

Download Submit
C:\Users\Admin\AppData\Roaming\L42ZWZAZMW810VRSF8RRCP5A.exe
MD5
a26406d7beb522db60ac21ec0a158dd2

SHA1
575b8d300bf7b3df2e6962e73597fc3d82c2aa65

SHA256
56d24713cac1089743fd25e9862a05f9388bcd0379bde63345d8447df2e8f93c

SHA512
72bfe8eb26a441c31cc672b6e0df3c9fe4a61ef6ce7b44e57bbe86726dc6c39f984a40d1698f761c6f1e438c3c48ac90cf3a77b289d5e9d255134b2738333d11

Download Submit
C:\Users\Admin\AppData\Roaming\L42ZWZAZMW810VRSF8RRCP5A.exe
MD5
a26406d7beb522db60ac21ec0a158dd2

SHA1
575b8d300bf7b3df2e6962e73597fc3d82c2aa65

SHA256
56d24713cac1089743fd25e9862a05f9388bcd0379bde63345d8447df2e8f93c

SHA512
72bfe8eb26a441c31cc672b6e0df3c9fe4a61ef6ce7b44e57bbe86726dc6c39f984a40d1698f761c6f1e438c3c48ac90cf3a77b289d5e9d255134b2738333d11

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
7ef8ad5de4fa46c24883d3175c874cd2

SHA1
e5720aa9a513cbe447f8a523d2779953ae4c13c3

SHA256
35d3210a87ba84d84c9c67504beec21e75a0f39ff14086490bdaa0d747fc9169

SHA512
d9cad29d7472fc8000de707be76ca475a4367e9fdb116104ed1ed7d085d9974122f5bf40fa0608f076a6051ca218fa639c316c1340dd6e12feade4bdf69577f0

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
7ef8ad5de4fa46c24883d3175c874cd2

SHA1
e5720aa9a513cbe447f8a523d2779953ae4c13c3

SHA256
35d3210a87ba84d84c9c67504beec21e75a0f39ff14086490bdaa0d747fc9169

SHA512
d9cad29d7472fc8000de707be76ca475a4367e9fdb116104ed1ed7d085d9974122f5bf40fa0608f076a6051ca218fa639c316c1340dd6e12feade4bdf69577f0

Download Submit
C:\Users\Admin\AppData\Roaming\X60RMQ5Z609ALMH81NSQ6KPL.exe
MD5
9c8697e583e0071d29bc362cdfba1a21

SHA1
4957e631d8c622ffd64ccb338b0ed2793928f935

SHA256
255a309aa4ac9d53e3de0f3247b3388d6376af9efb19f8256fd8d1db5bfb2448

SHA512
991633afe078ccdc2328df1a24fe6728592941993696a776b508567579bb8ef0c6f2fa007529ab0eebf0af82503e3d05cb5b5c4eb7aaa1a2bfdbcf12be0be3d4

Download Submit
C:\Users\Admin\AppData\Roaming\X60RMQ5Z609ALMH81NSQ6KPL.exe
MD5
9c8697e583e0071d29bc362cdfba1a21

SHA1
4957e631d8c622ffd64ccb338b0ed2793928f935

SHA256
255a309aa4ac9d53e3de0f3247b3388d6376af9efb19f8256fd8d1db5bfb2448

SHA512
991633afe078ccdc2328df1a24fe6728592941993696a776b508567579bb8ef0c6f2fa007529ab0eebf0af82503e3d05cb5b5c4eb7aaa1a2bfdbcf12be0be3d4

Download Submit
C:\Users\Admin\AppData\Roaming\nailedp\edspolishpp.exe
MD5
84482ccc25d8732c2a33b2e731f53368

SHA1
24668ee2537bc9a1130a39a57a6905a3b2ef4542

SHA256
c8cbc34e33ac2d253932ce0767a96d461b40e70c0dc1dd0e1ac386d262328fa9

SHA512
4defe42ac2ee0c9914f955abb47cc34119a1b87d585cada7e31e1d167f9a8cb6b4d873e99d4ff80bf6026d216998c1fdccdc19e7a7791d0478492f1f4528c4af

Download Submit
C:\Users\Admin\AppData\Roaming\nailedp\edspolishpp.exe
MD5
84482ccc25d8732c2a33b2e731f53368

SHA1
24668ee2537bc9a1130a39a57a6905a3b2ef4542

SHA256
c8cbc34e33ac2d253932ce0767a96d461b40e70c0dc1dd0e1ac386d262328fa9

SHA512
4defe42ac2ee0c9914f955abb47cc34119a1b87d585cada7e31e1d167f9a8cb6b4d873e99d4ff80bf6026d216998c1fdccdc19e7a7791d0478492f1f4528c4af

Download Submit
\Users\Admin\AppData\Local\Temp\RBQISP~1.DLL
MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\RBQISP~1.DLL
MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\RBQISP~1.DLL
MD5
7ac078a4c0a0c82464f31418b512cad7

SHA1
edafdb4391106484521c3a76890690ee525a9d68

SHA256
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418

SHA512
e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

Download Submit
\Users\Admin\AppData\Local\Temp\nsb3B84.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/200-320-0x0000000000000000-mapping.dmp

Download
memory/200-221-0x0000000000000000-mapping.dmp

Download
memory/200-263-0x0000000000000000-mapping.dmp

Download
memory/384-228-0x0000000000000000-mapping.dmp

Download
memory/424-247-0x0000000000000000-mapping.dmp

Download
memory/508-229-0x0000000000000000-mapping.dmp

Download
memory/580-319-0x0000000000000000-mapping.dmp

Download
memory/612-203-0x0000000000401480-mapping.dmp

Download
memory/612-206-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/740-251-0x0000000000000000-mapping.dmp

Download
memory/740-114-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/740-131-0x0000000005DD0000-0x0000000005DD1000-memory.dmp

Filesize
4KB

Download
memory/840-241-0x0000000000000000-mapping.dmp

Download
memory/1232-316-0x0000000000000000-mapping.dmp

Download
memory/1256-286-0x0000000000000000-mapping.dmp

Download
memory/1276-294-0x0000000000000000-mapping.dmp

Download
memory/1276-299-0x0000000004D71000-0x00000000053D0000-memory.dmp

Filesize
6.4MB

Download
memory/1276-311-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1284-138-0x0000000000000000-mapping.dmp

Download
memory/1296-209-0x0000000000000000-mapping.dmp

Download
memory/1420-134-0x0000000000000000-mapping.dmp

Download
memory/1484-309-0x00000000039A3000-0x00000000039A4000-memory.dmp

Filesize
4KB

Download
memory/1484-305-0x00000000039A2000-0x00000000039A3000-memory.dmp

Filesize
4KB

Download
memory/1484-304-0x00000000039A0000-0x00000000039A1000-memory.dmp

Filesize
4KB

Download
memory/1484-302-0x0000000000000000-mapping.dmp

Download
memory/1656-261-0x0000000000000000-mapping.dmp

Download
memory/1720-290-0x0000000000B90000-0x0000000000CDA000-memory.dmp

Filesize
1.3MB

Download
memory/1720-289-0x0000000000400000-0x0000000000B14000-memory.dmp

Filesize
7.1MB

Download
memory/1720-288-0x0000000002FC0000-0x00000000036C7000-memory.dmp

Filesize
7.0MB

Download
memory/1720-283-0x0000000000000000-mapping.dmp

Download
memory/1960-266-0x0000000000000000-mapping.dmp

Download
memory/2000-267-0x0000000000000000-mapping.dmp

Download
memory/2000-281-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/2024-250-0x0000000000000000-mapping.dmp

Download
memory/2064-195-0x0000000003010000-0x000000000391C000-memory.dmp

Filesize
9.0MB

Download
memory/2064-196-0x0000000000400000-0x0000000000D26000-memory.dmp

Filesize
9.1MB

Download
memory/2064-135-0x0000000000000000-mapping.dmp

Download
memory/2068-217-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2068-213-0x0000000000000000-mapping.dmp

Download
memory/2068-216-0x00000000021F0000-0x00000000022D1000-memory.dmp

Filesize
900KB

Download
memory/2124-212-0x0000000000000000-mapping.dmp

Download
memory/2180-310-0x0000000000000000-mapping.dmp

Download
memory/2180-318-0x0000000006963000-0x0000000006964000-memory.dmp

Filesize
4KB

Download
memory/2180-313-0x0000000006962000-0x0000000006963000-memory.dmp

Filesize
4KB

Download
memory/2180-312-0x0000000006960000-0x0000000006961000-memory.dmp

Filesize
4KB

Download
memory/2208-222-0x0000000000000000-mapping.dmp

Download
memory/2272-200-0x0000000000000000-mapping.dmp

Download
memory/2272-205-0x0000000001FB0000-0x0000000001FF4000-memory.dmp

Filesize
272KB

Download
memory/2428-236-0x0000000000000000-mapping.dmp

Download
memory/2428-197-0x0000000000000000-mapping.dmp

Download
memory/2548-300-0x0000000000000000-mapping.dmp

Download
memory/2948-237-0x0000000000000000-mapping.dmp

Download
memory/2956-161-0x00000000099E0000-0x00000000099E1000-memory.dmp

Filesize
4KB

Download
memory/2956-126-0x0000000008050000-0x0000000008051000-memory.dmp

Filesize
4KB

Download
memory/2956-117-0x0000000000000000-mapping.dmp

Download
memory/2956-127-0x00000000080C0000-0x00000000080C1000-memory.dmp

Filesize
4KB

Download
memory/2956-155-0x00000000072A0000-0x00000000072A1000-memory.dmp

Filesize
4KB

Download
memory/2956-130-0x0000000008780000-0x0000000008781000-memory.dmp

Filesize
4KB

Download
memory/2956-128-0x0000000008020000-0x0000000008021000-memory.dmp

Filesize
4KB

Download
memory/2956-122-0x0000000007270000-0x0000000007271000-memory.dmp

Filesize
4KB

Download
memory/2956-147-0x00000000096C0000-0x00000000096F3000-memory.dmp

Filesize
204KB

Download
memory/2956-152-0x000000007ECC0000-0x000000007ECC1000-memory.dmp

Filesize
4KB

Download
memory/2956-129-0x0000000008460000-0x0000000008461000-memory.dmp

Filesize
4KB

Download
memory/2956-168-0x0000000007273000-0x0000000007274000-memory.dmp

Filesize
4KB

Download
memory/2956-123-0x0000000007272000-0x0000000007273000-memory.dmp

Filesize
4KB

Download
memory/2956-121-0x00000000078B0000-0x00000000078B1000-memory.dmp

Filesize
4KB

Download
memory/2956-120-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/2956-125-0x0000000007710000-0x0000000007711000-memory.dmp

Filesize
4KB

Download
memory/2956-124-0x0000000007670000-0x0000000007671000-memory.dmp

Filesize
4KB

Download
memory/2956-160-0x00000000097F0000-0x00000000097F1000-memory.dmp

Filesize
4KB

Download
memory/3180-249-0x0000000000000000-mapping.dmp

Download
memory/3184-276-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3184-275-0x0000000000640000-0x0000000000666000-memory.dmp

Filesize
152KB

Download
memory/3184-244-0x0000000000000000-mapping.dmp

Download
memory/3184-270-0x0000000000470000-0x00000000005BA000-memory.dmp

Filesize
1.3MB

Download
memory/3184-271-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3196-224-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/3196-223-0x0000000002130000-0x00000000021FE000-memory.dmp

Filesize
824KB

Download
memory/3196-219-0x0000000000000000-mapping.dmp

Download
memory/3316-278-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3316-198-0x0000000000000000-mapping.dmp

Download
memory/3316-272-0x0000000000000000-mapping.dmp

Download
memory/3316-280-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3316-277-0x00000000020A0000-0x00000000020F2000-memory.dmp

Filesize
328KB

Download
memory/3684-233-0x0000000004B62000-0x0000000004B63000-memory.dmp

Filesize
4KB

Download
memory/3684-235-0x0000000004B64000-0x0000000004B66000-memory.dmp

Filesize
8KB

Download
memory/3684-230-0x00000000004E0000-0x000000000058E000-memory.dmp

Filesize
696KB

Download
memory/3684-218-0x0000000000000000-mapping.dmp

Download
memory/3684-234-0x0000000004B63000-0x0000000004B64000-memory.dmp

Filesize
4KB

Download
memory/3684-232-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/3684-231-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3684-225-0x0000000000000000-mapping.dmp

Download
memory/3756-116-0x0000000000000000-mapping.dmp

Download
memory/3792-193-0x00000000004B0000-0x00000000004DF000-memory.dmp

Filesize
188KB

Download
memory/3792-141-0x0000000000000000-mapping.dmp

Download
memory/3792-194-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3868-297-0x0000000004FB1000-0x0000000005610000-memory.dmp

Filesize
6.4MB

Download
memory/3868-298-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/3868-291-0x0000000000000000-mapping.dmp

Download