chinese_generic_botnet | 11b4633345982ace9d710465450941598b2f9289f0438c358fa79eb8eaf680c3

Analysis

max time kernel
45s
max time network
131s
platform
windows7_x64
resource
win7-en-20210920
submitted
26-09-2021 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28351e9cfaca470a9f99b2455b3f1354.exe
Size

134KB
MD5

28351e9cfaca470a9f99b2455b3f1354
SHA1

3546e2d0d5732538a0bb565d410f5ca1de9c3416
SHA256

11b4633345982ace9d710465450941598b2f9289f0438c358fa79eb8eaf680c3
SHA512

2314aa8caf12dd0a730106b3fd6663bf80f8cc798956aef55eeb238d640b11f7a4afafb8f87293df7b6ece96afd4dc9002dfeacb6ecdca5a2296ada2826f4897

Score

10^/10

chinese_generic_botnet raccoon redline smokeloader tofsee 5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4 bliss denis karma backdoor botnet evasion infostealer persistence stealer suricata themida trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://naghenrietti1.top/

http://kimballiett2.top/

http://xadriettany3.top/

http://jebeccallis4.top/

http://nityanneron5.top/

http://umayaniela6.top/

http://lynettaram7.top/

http://sadineyalas8.top/

http://geenaldencia9.top/

http://aradysiusep10.top/

rc4.i32

Extracted

Family

redline

Botnet

Denis

45.147.197.123:31820

Extracted

Family

raccoon

Botnet

5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4

Attributes

url4cnc
https://t.me/agrybirdsgamerept

rc4.plain

Extracted

Family

redline

Botnet

Bliss

185.237.98.178:62607

Extracted

Family

redline

Botnet

karma

94.103.9.133:39323

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\348A.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\348A.exe	family_redline
behavioral1/memory/1584-145-0x0000000001F10000-0x0000000001F33000-memory.dmp	family_redline
behavioral1/memory/1584-146-0x0000000002110000-0x0000000002132000-memory.dmp	family_redline
behavioral1/memory/1796-149-0x0000000001F70000-0x0000000001F8F000-memory.dmp	family_redline
behavioral1/memory/1796-151-0x0000000002140000-0x000000000215E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata

Chinese Botnet Payload 1 IoCs

botnet

Processes:

resource	yara_rule
behavioral1/memory/1164-157-0x0000000010000000-0x0000000010018000-memory.dmp	unk_chinese_botnet

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

23C5.exe2980.exe2E71.exe348A.exe397A.exefrysxdqy.exe

pid process

1496 23C5.exe
1232 2980.exe
596 2E71.exe
296 348A.exe
1104 397A.exe
1760 frysxdqy.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Deletes itself 1 IoCs

Processes:

pid process

1268
Loads dropped DLL 2 IoCs

Processes:

pid process

1268
1064

pid	process
1496	23C5.exe
1232	2980.exe
596	2E71.exe
296	348A.exe
1104	397A.exe
1760	frysxdqy.exe

pid	process
1268

pid	process
1268
1064

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\filename.exe	themida
C:\Users\Admin\AppData\Local\Temp\filename.exe	themida
\Users\Admin\AppData\Local\Temp\filename.exe	themida
behavioral1/memory/2748-190-0x000000013F6D0000-0x0000000140034000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\filename.exe	themida
\ProgramData\MicrosoftNetwork\System.exe	themida

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 2 IoCs

Processes:

28351e9cfaca470a9f99b2455b3f1354.exefrysxdqy.exe

description	pid	process	target process
PID 1044 set thread context of 2028	1044	28351e9cfaca470a9f99b2455b3f1354.exe	28351e9cfaca470a9f99b2455b3f1354.exe
PID 1760 set thread context of 784	1760	frysxdqy.exe	svchost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

28351e9cfaca470a9f99b2455b3f1354.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	28351e9cfaca470a9f99b2455b3f1354.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	28351e9cfaca470a9f99b2455b3f1354.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	28351e9cfaca470a9f99b2455b3f1354.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

28351e9cfaca470a9f99b2455b3f1354.exe

pid	process
2028	28351e9cfaca470a9f99b2455b3f1354.exe
2028	28351e9cfaca470a9f99b2455b3f1354.exe
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

28351e9cfaca470a9f99b2455b3f1354.exe

pid process

2028 28351e9cfaca470a9f99b2455b3f1354.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

397A.exepowershell.exe348A.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	1268
Token: SeShutdownPrivilege	1268
Token: SeShutdownPrivilege	1268
Token: SeDebugPrivilege	1104	397A.exe
Token: SeShutdownPrivilege	1268
Token: SeDebugPrivilege	1228	powershell.exe
Token: SeDebugPrivilege	296	348A.exe
Token: SeDebugPrivilege	288	powershell.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

pid process

1268
1268
1268
1268
1268
1268
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

pid process

1268
1268
1268
1268
1268
1268

pid	process
1268
1268
1268
1268
1268
1268

pid	process
1268
1268
1268
1268
1268
1268

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

28351e9cfaca470a9f99b2455b3f1354.exe2980.exe397A.exefrysxdqy.exe

description	pid	process	target process
PID 1044 wrote to memory of 2028	1044	28351e9cfaca470a9f99b2455b3f1354.exe	28351e9cfaca470a9f99b2455b3f1354.exe
PID 1044 wrote to memory of 2028	1044	28351e9cfaca470a9f99b2455b3f1354.exe	28351e9cfaca470a9f99b2455b3f1354.exe
PID 1044 wrote to memory of 2028	1044	28351e9cfaca470a9f99b2455b3f1354.exe	28351e9cfaca470a9f99b2455b3f1354.exe
PID 1044 wrote to memory of 2028	1044	28351e9cfaca470a9f99b2455b3f1354.exe	28351e9cfaca470a9f99b2455b3f1354.exe
PID 1044 wrote to memory of 2028	1044	28351e9cfaca470a9f99b2455b3f1354.exe	28351e9cfaca470a9f99b2455b3f1354.exe
PID 1044 wrote to memory of 2028	1044	28351e9cfaca470a9f99b2455b3f1354.exe	28351e9cfaca470a9f99b2455b3f1354.exe
PID 1044 wrote to memory of 2028	1044	28351e9cfaca470a9f99b2455b3f1354.exe	28351e9cfaca470a9f99b2455b3f1354.exe
PID 1268 wrote to memory of 1496	1268		23C5.exe
PID 1268 wrote to memory of 1496	1268		23C5.exe
PID 1268 wrote to memory of 1496	1268		23C5.exe
PID 1268 wrote to memory of 1232	1268		2980.exe
PID 1268 wrote to memory of 1232	1268		2980.exe
PID 1268 wrote to memory of 1232	1268		2980.exe
PID 1268 wrote to memory of 1232	1268		2980.exe
PID 1268 wrote to memory of 596	1268		2E71.exe
PID 1268 wrote to memory of 596	1268		2E71.exe
PID 1268 wrote to memory of 596	1268		2E71.exe
PID 1268 wrote to memory of 596	1268		2E71.exe
PID 1268 wrote to memory of 296	1268		348A.exe
PID 1268 wrote to memory of 296	1268		348A.exe
PID 1268 wrote to memory of 296	1268		348A.exe
PID 1268 wrote to memory of 296	1268		348A.exe
PID 1232 wrote to memory of 1464	1232	2980.exe	cmd.exe
PID 1232 wrote to memory of 1464	1232	2980.exe	cmd.exe
PID 1232 wrote to memory of 1464	1232	2980.exe	cmd.exe
PID 1232 wrote to memory of 1464	1232	2980.exe	cmd.exe
PID 1232 wrote to memory of 1176	1232	2980.exe	cmd.exe
PID 1232 wrote to memory of 1176	1232	2980.exe	cmd.exe
PID 1232 wrote to memory of 1176	1232	2980.exe	cmd.exe
PID 1232 wrote to memory of 1176	1232	2980.exe	cmd.exe
PID 1232 wrote to memory of 432	1232	2980.exe	sc.exe
PID 1232 wrote to memory of 432	1232	2980.exe	sc.exe
PID 1232 wrote to memory of 432	1232	2980.exe	sc.exe
PID 1232 wrote to memory of 432	1232	2980.exe	sc.exe
PID 1268 wrote to memory of 1104	1268		397A.exe
PID 1268 wrote to memory of 1104	1268		397A.exe
PID 1268 wrote to memory of 1104	1268		397A.exe
PID 1104 wrote to memory of 1228	1104	397A.exe	powershell.exe
PID 1104 wrote to memory of 1228	1104	397A.exe	powershell.exe
PID 1104 wrote to memory of 1228	1104	397A.exe	powershell.exe
PID 1232 wrote to memory of 1648	1232	2980.exe	sc.exe
PID 1232 wrote to memory of 1648	1232	2980.exe	sc.exe
PID 1232 wrote to memory of 1648	1232	2980.exe	sc.exe
PID 1232 wrote to memory of 1648	1232	2980.exe	sc.exe
PID 1232 wrote to memory of 1044	1232	2980.exe	sc.exe
PID 1232 wrote to memory of 1044	1232	2980.exe	sc.exe
PID 1232 wrote to memory of 1044	1232	2980.exe	sc.exe
PID 1232 wrote to memory of 1044	1232	2980.exe	sc.exe
PID 1232 wrote to memory of 292	1232	2980.exe	netsh.exe
PID 1232 wrote to memory of 292	1232	2980.exe	netsh.exe
PID 1232 wrote to memory of 292	1232	2980.exe	netsh.exe
PID 1232 wrote to memory of 292	1232	2980.exe	netsh.exe
PID 1760 wrote to memory of 784	1760	frysxdqy.exe	svchost.exe
PID 1760 wrote to memory of 784	1760	frysxdqy.exe	svchost.exe
PID 1760 wrote to memory of 784	1760	frysxdqy.exe	svchost.exe
PID 1760 wrote to memory of 784	1760	frysxdqy.exe	svchost.exe
PID 1760 wrote to memory of 784	1760	frysxdqy.exe	svchost.exe
PID 1760 wrote to memory of 784	1760	frysxdqy.exe	svchost.exe
PID 1104 wrote to memory of 288	1104	397A.exe	powershell.exe
PID 1104 wrote to memory of 288	1104	397A.exe	powershell.exe
PID 1104 wrote to memory of 288	1104	397A.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\28351e9cfaca470a9f99b2455b3f1354.exe
"C:\Users\Admin\AppData\Local\Temp\28351e9cfaca470a9f99b2455b3f1354.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Users\Admin\AppData\Local\Temp\28351e9cfaca470a9f99b2455b3f1354.exe
  "C:\Users\Admin\AppData\Local\Temp\28351e9cfaca470a9f99b2455b3f1354.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2028

C:\Users\Admin\AppData\Local\Temp\23C5.exe
C:\Users\Admin\AppData\Local\Temp\23C5.exe
1⤵
- Executes dropped EXE
PID:1496
- C:\Users\Admin\AppData\Local\Temp\SindonsWelfare_2021-09-26_15-02.exe
  "C:\Users\Admin\AppData\Local\Temp\SindonsWelfare_2021-09-26_15-02.exe"
  2⤵
  PID:1796
- C:\Users\Admin\AppData\Local\Temp\SolanumsYoghurt_2021-09-26_14-52.exe
  "C:\Users\Admin\AppData\Local\Temp\SolanumsYoghurt_2021-09-26_14-52.exe"
  2⤵
  PID:1584
- C:\Users\Admin\AppData\Local\Temp\fbf.exe
  "C:\Users\Admin\AppData\Local\Temp\fbf.exe"
  2⤵
  PID:1164

C:\Users\Admin\AppData\Local\Temp\2980.exe
C:\Users\Admin\AppData\Local\Temp\2980.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qqmksfsk\
  2⤵
  PID:1464
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\frysxdqy.exe" C:\Windows\SysWOW64\qqmksfsk\
  2⤵
  PID:1176
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create qqmksfsk binPath= "C:\Windows\SysWOW64\qqmksfsk\frysxdqy.exe /d\"C:\Users\Admin\AppData\Local\Temp\2980.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  PID:432
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description qqmksfsk "wifi internet conection"
  2⤵
  PID:1648
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start qqmksfsk
  2⤵
  PID:1044
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  PID:292

C:\Users\Admin\AppData\Local\Temp\2E71.exe
C:\Users\Admin\AppData\Local\Temp\2E71.exe
1⤵
- Executes dropped EXE
PID:596

C:\Users\Admin\AppData\Local\Temp\348A.exe
C:\Users\Admin\AppData\Local\Temp\348A.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:296
- C:\Users\Admin\AppData\Local\Temp\filename.exe
  "C:\Users\Admin\AppData\Local\Temp\filename.exe"
  2⤵
  PID:2748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty –Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System –Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork); $(exit)
    3⤵
    PID:1012
  - - C:\Windows\system32\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
      4⤵
      PID:2252
  - - C:\ProgramData\UpSys.exe
      "C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
      4⤵
      PID:2244
    - - C:\ProgramData\UpSys.exe
        
        "C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
        5⤵
        
        PID:1820
      - C:\ProgramData\UpSys.exe
        
        "C:\ProgramData\UpSys.exe" /TI/ /SW:0 powershell.exe
        6⤵
        
        PID:292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        7⤵
        
        PID:2556
- - C:\ProgramData\Systemd\Database.exe
    -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:2272
- - C:\ProgramData\Systemd\Database.exe
    -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:2292
- - C:\ProgramData\Systemd\Database.exe
    -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:2432
- - C:\ProgramData\Systemd\Database.exe
    -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:1916
- - C:\ProgramData\Systemd\Database.exe
    -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:2608
- - C:\ProgramData\Systemd\Database.exe
    -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:848
- - C:\ProgramData\Systemd\Database.exe
    -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:2760
- - C:\ProgramData\Systemd\Database.exe
    -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:1304
- - C:\ProgramData\Systemd\Database.exe
    -epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:1372

C:\Users\Admin\AppData\Local\Temp\397A.exe
C:\Users\Admin\AppData\Local\Temp\397A.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute facebook.com
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitter.com
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute google.com
  2⤵
  PID:768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute bing.com
  2⤵
  PID:1224
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Mcmyxcl.vbs"
  2⤵
  PID:2220
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\putty.exe'
    3⤵
    PID:2276
- C:\Users\Admin\AppData\Local\Temp\397A.exe
  C:\Users\Admin\AppData\Local\Temp\397A.exe
  2⤵
  PID:2472

C:\Windows\SysWOW64\qqmksfsk\frysxdqy.exe
C:\Windows\SysWOW64\qqmksfsk\frysxdqy.exe /d"C:\Users\Admin\AppData\Local\Temp\2980.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:784

C:\Program Files (x86)\Microsoft Ouigga\Uuuocai.exe
"C:\Program Files (x86)\Microsoft Ouigga\Uuuocai.exe"
1⤵
PID:1768
- C:\Program Files (x86)\Microsoft Ouigga\Uuuocai.exe
  "C:\Program Files (x86)\Microsoft Ouigga\Uuuocai.exe" Win7
  2⤵
  PID:2588

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20210926233823.log C:\Windows\Logs\CBS\CbsPersist_20210926233823.cab
1⤵
PID:2484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Privilege Escalation

New Service

T1050

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Ouigga\Uuuocai.exe

MD5
fbf3187db919beaddb30ae7e52bd9a49

SHA1
d2891928551f2adff238547c7cae4e3fef7cc057

SHA256
a83b8dfadf92be244ccc6b2964eea2f67e0c807befa3ab969a68ee321be583dd

SHA512
1d609711a21609d3bc3df80d3616ef388f32e0adcb9af865bfa3aeb9c61f81e099e5591cdecbe5412a4ea18ef236043c977faad4245ae45fd58eeb15119715ab

Download Submit
C:\Program Files (x86)\Microsoft Ouigga\Uuuocai.exe

MD5
fbf3187db919beaddb30ae7e52bd9a49

SHA1
d2891928551f2adff238547c7cae4e3fef7cc057

SHA256
a83b8dfadf92be244ccc6b2964eea2f67e0c807befa3ab969a68ee321be583dd

SHA512
1d609711a21609d3bc3df80d3616ef388f32e0adcb9af865bfa3aeb9c61f81e099e5591cdecbe5412a4ea18ef236043c977faad4245ae45fd58eeb15119715ab

Download Submit
C:\Program Files (x86)\Microsoft Ouigga\Uuuocai.exe

MD5
fbf3187db919beaddb30ae7e52bd9a49

SHA1
d2891928551f2adff238547c7cae4e3fef7cc057

SHA256
a83b8dfadf92be244ccc6b2964eea2f67e0c807befa3ab969a68ee321be583dd

SHA512
1d609711a21609d3bc3df80d3616ef388f32e0adcb9af865bfa3aeb9c61f81e099e5591cdecbe5412a4ea18ef236043c977faad4245ae45fd58eeb15119715ab

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
7b8d2817f8b8ff76db2c64e427e52328

SHA1
48f8320fd1e51dcaaa769a27fe32a849226f4988

SHA256
eaa1e369dbdd7823bfbc55f25b8cb0ba7597abe2a18c9b2d69c68008d7224d7c

SHA512
0bf811c34226ae3c571bad7ffef0e9ecd54ab50cdd28363cdf079eb7b6a2a6b6e89ac936e0cedb0d74f105b4c90a6c6c9686c6976b8d5efc67ad2bc50883b631

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
720e59f161ffc825e6dcf175a71d1dfe

SHA1
1f8b4ad599d49a48bca914e83fd2ef94289c0e9e

SHA256
01f25903a6a572af11250a8ac1147f3c48dabe0ab551b0b7926d62eb62126df8

SHA512
253a5e9779752c83c205772422e4e6682ca791a356b612e76996bb9f6687eaa9f5aae5d7e1cd3a58dadb481f2713213d51075272159edbd34823955065fded19

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
7b8d2817f8b8ff76db2c64e427e52328

SHA1
48f8320fd1e51dcaaa769a27fe32a849226f4988

SHA256
eaa1e369dbdd7823bfbc55f25b8cb0ba7597abe2a18c9b2d69c68008d7224d7c

SHA512
0bf811c34226ae3c571bad7ffef0e9ecd54ab50cdd28363cdf079eb7b6a2a6b6e89ac936e0cedb0d74f105b4c90a6c6c9686c6976b8d5efc67ad2bc50883b631

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
7b8d2817f8b8ff76db2c64e427e52328

SHA1
48f8320fd1e51dcaaa769a27fe32a849226f4988

SHA256
eaa1e369dbdd7823bfbc55f25b8cb0ba7597abe2a18c9b2d69c68008d7224d7c

SHA512
0bf811c34226ae3c571bad7ffef0e9ecd54ab50cdd28363cdf079eb7b6a2a6b6e89ac936e0cedb0d74f105b4c90a6c6c9686c6976b8d5efc67ad2bc50883b631

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
7b8d2817f8b8ff76db2c64e427e52328

SHA1
48f8320fd1e51dcaaa769a27fe32a849226f4988

SHA256
eaa1e369dbdd7823bfbc55f25b8cb0ba7597abe2a18c9b2d69c68008d7224d7c

SHA512
0bf811c34226ae3c571bad7ffef0e9ecd54ab50cdd28363cdf079eb7b6a2a6b6e89ac936e0cedb0d74f105b4c90a6c6c9686c6976b8d5efc67ad2bc50883b631

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
b651a44b2e3c85c30c11b7f5ca12b9d5

SHA1
9247e9de4d204b00f476d94efdb396f7a8439d76

SHA256
72239b5d1eb85e58e91758c7cb8aac0abf6295106bd033872143e02ef50e2d03

SHA512
864e7e88ab71e2b7c33059642a67993f8b2cd22c6fdeb8636ecdd8fcf46da4b2545696537a0e60e8dcbb43db219d0dd6ed3158fe3a67e165cdb42eaf3cf97734

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
69c5d6dd28c578a5eeaf7417fc6aff61

SHA1
5d688b3b7f95abe74339a9dd8287f3145c180a41

SHA256
539241a49aaa72f84757ca8300d89e7dd28ace780d53656d97434df0542a581c

SHA512
6c412c83f220821f8697c42e670bffcc35f25b1be461951100a7a328437fe682448ae2778448c6ed5adae966a4ad7deb467cd50442afafbff89ebddcf01ee2ed

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
2fa983ceca8c00612592b2834ba073ed

SHA1
cab95265c879ade14344f37374cf5fd177251bfb

SHA256
085e85ecafac1586a8c594dcc289efd530f5922eccc5f357d9ba55b645977903

SHA512
6ad40d50a9a0d2af4fdc12b9aceeddb5b5f99b94acdfa233410af6df1d28d4fac7a8e0036392ca47c2330dd84dcc94c0545bf6daf7e23a2be87f9d9d8f1811c1

Download Submit
C:\ProgramData\Systemd\Database.exe

MD5
927bc9589d6da900717ca6a293764964

SHA1
0ecbd40ab4ca95691efc7c282f62102695d720e6

SHA256
a88cc5e38ec1c2abcca6b82786bc20785f42f980aecb7080f49dd47b876e9557

SHA512
4ce2b8493759a5c7d35899051ac94c541acdfdc341e52418a20d10bd59203f9a9562d96a95c23ca96da844818c370524a0352c0237a8ca3a5c4e13bd5ca70fbd

Download Submit
C:\ProgramData\UpSys.exe

MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
C:\ProgramData\UpSys.exe

MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
C:\ProgramData\UpSys.exe

MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
C:\ProgramData\UpSys.exe

MD5
7dce124f2e967462f1d9b93b60b11e13

SHA1
496beb325a05660b7bd997afb199eeaf6c057ae7

SHA256
a545ac6af1b9519286d18f551ca2754a5f488b08ad534dcd6670aeb181f5924a

SHA512
ae0d438980521df1071afa969c581cdae8f5f2ed4520edff8436506f8bdec8205e004b0d4c46ee37a2c4ec6eeb021553c88e7a1fac9d070810352a0e95d9d0cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5
ab5c36d10261c173c5896f3478cdc6b7

SHA1
87ac53810ad125663519e944bc87ded3979cbee4

SHA256
f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9

SHA512
e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
37adc4c4448132440fccc9c523ad3d91

SHA1
8331f6b192855ec385e501ffc579b3863e902c20

SHA256
8f55b654bf769423bb985e0459e78aab8ac6a31ebfa3ebe7e613997400e36f44

SHA512
c5551be1ca0ea438ae3e8118e864ad597469d3215d735884bbc1bc3829e4fc7b98618b64136a27183092b8055b38920827fcab417bde0bc4accb49ce5992eb97

Download Submit
C:\Users\Admin\AppData\Local\Temp\23C5.exe

MD5
b2d8e3fc81ee69664d1221439ffd9ee8

SHA1
c325fe65f692c8ee023f12f41cbb0663d658b917

SHA256
2532854386c2ac90a742a4cb593fa2502f261ff2909444de7415ea175285b89b

SHA512
d31b225f989b75c02e09660aa5ec70e6a92b901567c823b38a726ed9735d60df755fbd9f80fb12a34e835253707a3ba8e0318f233b54794e55b79f785287976f

Download Submit
C:\Users\Admin\AppData\Local\Temp\23C5.exe

MD5
b2d8e3fc81ee69664d1221439ffd9ee8

SHA1
c325fe65f692c8ee023f12f41cbb0663d658b917

SHA256
2532854386c2ac90a742a4cb593fa2502f261ff2909444de7415ea175285b89b

SHA512
d31b225f989b75c02e09660aa5ec70e6a92b901567c823b38a726ed9735d60df755fbd9f80fb12a34e835253707a3ba8e0318f233b54794e55b79f785287976f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2980.exe

MD5
886b4b87250c31f9e17d0be3dde1a920

SHA1
94067fea1c477011731f491d912d3f1cb4f893b2

SHA256
b23f703c7ca079fa43cc7fb65f58ec401533fada301eeeec2403ef68f339bf23

SHA512
bee9cdbb85f872427b4d03a8fcd88eab072c23e50c305d9ddd41cfa66e6e5499c00a8c2ef5361db889a9833cc667ddfa7e820e399b645ec058e1890d9dd93db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2980.exe

MD5
886b4b87250c31f9e17d0be3dde1a920

SHA1
94067fea1c477011731f491d912d3f1cb4f893b2

SHA256
b23f703c7ca079fa43cc7fb65f58ec401533fada301eeeec2403ef68f339bf23

SHA512
bee9cdbb85f872427b4d03a8fcd88eab072c23e50c305d9ddd41cfa66e6e5499c00a8c2ef5361db889a9833cc667ddfa7e820e399b645ec058e1890d9dd93db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2E71.exe

MD5
663720a684eff50de9e6956ed87c6ae7

SHA1
6a67c3ae68f8a1d77ead8c3d3ce2edd65b79e06d

SHA256
5b8d654666c039518933e112214c380630e3d588f3143f0eba1a69a1e837cca0

SHA512
c5aa0fa7a05565be9f40ca5c8a175c177a1d1d9d657a3404b27437165b9fe9e20bfe85bbe131b2cdb0541f2f5f849e160212bcdd348db1c7a0327fe65cc13c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\348A.exe

MD5
35ceb79f87d940f532a8d7bbbefc2e33

SHA1
150a568020e9f23306ffde5715d0dbbc7b33c358

SHA256
ab8ae68575886dd507b78611c3082d4de030d82bcabbb7707bfe58862e7b8383

SHA512
a7b071699979bbbe009d8b2698a4bf73b8d5d74b3ad3bc5b880c676dca34111f4451528f881a17709d7514b9d521fbfdf2ad5b0cb7c348a4d9b0808dc9286b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\348A.exe

MD5
35ceb79f87d940f532a8d7bbbefc2e33

SHA1
150a568020e9f23306ffde5715d0dbbc7b33c358

SHA256
ab8ae68575886dd507b78611c3082d4de030d82bcabbb7707bfe58862e7b8383

SHA512
a7b071699979bbbe009d8b2698a4bf73b8d5d74b3ad3bc5b880c676dca34111f4451528f881a17709d7514b9d521fbfdf2ad5b0cb7c348a4d9b0808dc9286b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\397A.exe

MD5
d7f8b0f5a2f69091f047641699d8410e

SHA1
c9dfde16c413f95fabab51adfe46658cb6fcb313

SHA256
a44258a51cc06bed58fb7117f02ce69d84f91295acf70dd3452c4f727effea72

SHA512
7445d4ab106da6199247d4ec8670ec49cdb379c1f91192f67430eea2c2fca2fc7146d661e24f81f1704ada4ec755da7236824df32894c018ac0668bf19937e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\397A.exe

MD5
d7f8b0f5a2f69091f047641699d8410e

SHA1
c9dfde16c413f95fabab51adfe46658cb6fcb313

SHA256
a44258a51cc06bed58fb7117f02ce69d84f91295acf70dd3452c4f727effea72

SHA512
7445d4ab106da6199247d4ec8670ec49cdb379c1f91192f67430eea2c2fca2fc7146d661e24f81f1704ada4ec755da7236824df32894c018ac0668bf19937e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\397A.exe

MD5
d7f8b0f5a2f69091f047641699d8410e

SHA1
c9dfde16c413f95fabab51adfe46658cb6fcb313

SHA256
a44258a51cc06bed58fb7117f02ce69d84f91295acf70dd3452c4f727effea72

SHA512
7445d4ab106da6199247d4ec8670ec49cdb379c1f91192f67430eea2c2fca2fc7146d661e24f81f1704ada4ec755da7236824df32894c018ac0668bf19937e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\SindonsWelfare_2021-09-26_15-02.exe

MD5
85ea0a07196273bbe4f6c62a03a2f203

SHA1
cdd0dffd5d27e3ad577ae8b9d2bb96f6f5dfe04e

SHA256
6cb9da1cb79c8725942119d20eceb769f64513380285b8729310ba025f0c4843

SHA512
a5f0ce32164d00b13c6d9a88686c4db835366b68260b6e2ce16ad00b44f7c435c4e034d753c9774a7e237f3b02cf16d2983c56b1bc6925baa6d1902b67a2fe80

Download Submit
C:\Users\Admin\AppData\Local\Temp\SolanumsYoghurt_2021-09-26_14-52.exe

MD5
105284f4061d970957c38814ed96eec6

SHA1
a6a0adb7f986be857be7520da0b498c975b0d845

SHA256
5709a8b2658fa9ccf9137f164dae6094d997c0cc42e87cb84f9e6e86087b07ef

SHA512
771e64a374320d57f0b0f98272dd3dc657546494bb881efa5984ce4e0cf14c2f9b1aef8a1e269099c80dc9705d5af9f457519d2231150305206848a7d52658a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Mcmyxcl.vbs

MD5
88d229354c4065c2b2834e43e225457b

SHA1
cf08a692294c27053a643a8e0f44fcc1badb6c91

SHA256
b9a524175681990f2f7787c4d29f2adfe7f1baec47beb1e5a2de6787cc039fd2

SHA512
ff240b7f654f9ecb5ca4c1a316be6f6e49ecfe94b3c52cad144440a5138de51051c69af13418b15e3f5dec0977e484bbeb468cf8a770b85be49c3da68a7af7c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbf.exe

MD5
fbf3187db919beaddb30ae7e52bd9a49

SHA1
d2891928551f2adff238547c7cae4e3fef7cc057

SHA256
a83b8dfadf92be244ccc6b2964eea2f67e0c807befa3ab969a68ee321be583dd

SHA512
1d609711a21609d3bc3df80d3616ef388f32e0adcb9af865bfa3aeb9c61f81e099e5591cdecbe5412a4ea18ef236043c977faad4245ae45fd58eeb15119715ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbf.exe

MD5
fbf3187db919beaddb30ae7e52bd9a49

SHA1
d2891928551f2adff238547c7cae4e3fef7cc057

SHA256
a83b8dfadf92be244ccc6b2964eea2f67e0c807befa3ab969a68ee321be583dd

SHA512
1d609711a21609d3bc3df80d3616ef388f32e0adcb9af865bfa3aeb9c61f81e099e5591cdecbe5412a4ea18ef236043c977faad4245ae45fd58eeb15119715ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\filename.exe

MD5
3b2d6a2b219e71204e158eda4be0e05c

SHA1
4e84bc50d0d8637eefabbabe9a98d7b9ee8ebb1a

SHA256
e773c486a18d3b9bcbac9dc04c37c1693b3210ddfb3411c8c695f1de22117a53

SHA512
66546b216ad4a9974d8cb0957b5ad5f79d6838a9592d313dfd71b6e7c11ce94fc5fb053e69766ef8b07fb0c5c3c975eedd1fb98b8556e9bdd47bf5654a341738

Download Submit
C:\Users\Admin\AppData\Local\Temp\filename.exe

MD5
3b2d6a2b219e71204e158eda4be0e05c

SHA1
4e84bc50d0d8637eefabbabe9a98d7b9ee8ebb1a

SHA256
e773c486a18d3b9bcbac9dc04c37c1693b3210ddfb3411c8c695f1de22117a53

SHA512
66546b216ad4a9974d8cb0957b5ad5f79d6838a9592d313dfd71b6e7c11ce94fc5fb053e69766ef8b07fb0c5c3c975eedd1fb98b8556e9bdd47bf5654a341738

Download Submit
C:\Users\Admin\AppData\Local\Temp\frysxdqy.exe

MD5
90905ab2cc106126a36552d9e85b73a7

SHA1
8169a35118d44bf35da60e23d80bb1aa36d0ac59

SHA256
4981fcd4c48afb752e3b7a84da522d14ae30c6e280e917b88a66683c33f341a6

SHA512
8f94cb1603d705494e3ab4e674167524fa980292dd6ad889b9ac0a9b36a946357a4afaf2e6df99bbed15d33c0412e5bbd2e55b9c93c7a3fb9ad2f60ab786ee41

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
dd5435554b2a30edf42813cfe1162c16

SHA1
c87ecff662793592d99bb513e875a45c6262c584

SHA256
3844e9abd135d396f96648e12624856e389a31f57f25356c245bb3566b4aec1f

SHA512
93940fe75ed878f960f5352d09200a5fa8a4c611d3942fb9ffa18f1a3f8fee106c0b52b4a67116eb1f743879b1bedf3c806c7c1672d51ff8c250dcd50f2d8c40

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
dd5435554b2a30edf42813cfe1162c16

SHA1
c87ecff662793592d99bb513e875a45c6262c584

SHA256
3844e9abd135d396f96648e12624856e389a31f57f25356c245bb3566b4aec1f

SHA512
93940fe75ed878f960f5352d09200a5fa8a4c611d3942fb9ffa18f1a3f8fee106c0b52b4a67116eb1f743879b1bedf3c806c7c1672d51ff8c250dcd50f2d8c40

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
dd5435554b2a30edf42813cfe1162c16

SHA1
c87ecff662793592d99bb513e875a45c6262c584

SHA256
3844e9abd135d396f96648e12624856e389a31f57f25356c245bb3566b4aec1f

SHA512
93940fe75ed878f960f5352d09200a5fa8a4c611d3942fb9ffa18f1a3f8fee106c0b52b4a67116eb1f743879b1bedf3c806c7c1672d51ff8c250dcd50f2d8c40

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
dd5435554b2a30edf42813cfe1162c16

SHA1
c87ecff662793592d99bb513e875a45c6262c584

SHA256
3844e9abd135d396f96648e12624856e389a31f57f25356c245bb3566b4aec1f

SHA512
93940fe75ed878f960f5352d09200a5fa8a4c611d3942fb9ffa18f1a3f8fee106c0b52b4a67116eb1f743879b1bedf3c806c7c1672d51ff8c250dcd50f2d8c40

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
dd5435554b2a30edf42813cfe1162c16

SHA1
c87ecff662793592d99bb513e875a45c6262c584

SHA256
3844e9abd135d396f96648e12624856e389a31f57f25356c245bb3566b4aec1f

SHA512
93940fe75ed878f960f5352d09200a5fa8a4c611d3942fb9ffa18f1a3f8fee106c0b52b4a67116eb1f743879b1bedf3c806c7c1672d51ff8c250dcd50f2d8c40

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Programs\desktop.ini

MD5
7f1698bab066b764a314a589d338daae

SHA1
524abe4db03afef220a2cc96bf0428fd1b704342

SHA256
cdb11958506a5ba5478e22ed472fa3ae422fe9916d674f290207e1fc29ae5a76

SHA512
4f94ad0fe3df00838b288a0ef4c12d37e175c37cbf306bdb1336ff44d0e4d126cd545c636642c0e88d8c6b8258dc138a495f4d025b662f40a9977d409d6b5719

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Programs\exe.lnk

MD5
db369c7780bf982b1b040b713881b409

SHA1
0f66829486f21c4ec3f500102d55111a2ee3612c

SHA256
9af74c9f4a12f7406098b3c3de31189fb1562f479174bdd427287fa61ad005ca

SHA512
e623a60355429dd9cc7e4397ea837cf88c869fd60400b739ea18563104c658b8ff67e9b3f1a08d9421a9158f63ebbf629e118a7b0ba197983ba9ffebe6386806

Download Submit
C:\Windows\SysWOW64\qqmksfsk\frysxdqy.exe

MD5
90905ab2cc106126a36552d9e85b73a7

SHA1
8169a35118d44bf35da60e23d80bb1aa36d0ac59

SHA256
4981fcd4c48afb752e3b7a84da522d14ae30c6e280e917b88a66683c33f341a6

SHA512
8f94cb1603d705494e3ab4e674167524fa980292dd6ad889b9ac0a9b36a946357a4afaf2e6df99bbed15d33c0412e5bbd2e55b9c93c7a3fb9ad2f60ab786ee41

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\users\admin\appdata\local\temp\sindonswelfare_2021-09-26_15-02.exe

MD5
85ea0a07196273bbe4f6c62a03a2f203

SHA1
cdd0dffd5d27e3ad577ae8b9d2bb96f6f5dfe04e

SHA256
6cb9da1cb79c8725942119d20eceb769f64513380285b8729310ba025f0c4843

SHA512
a5f0ce32164d00b13c6d9a88686c4db835366b68260b6e2ce16ad00b44f7c435c4e034d753c9774a7e237f3b02cf16d2983c56b1bc6925baa6d1902b67a2fe80

Download Submit
\??\c:\users\admin\appdata\local\temp\solanumsyoghurt_2021-09-26_14-52.exe

MD5
105284f4061d970957c38814ed96eec6

SHA1
a6a0adb7f986be857be7520da0b498c975b0d845

SHA256
5709a8b2658fa9ccf9137f164dae6094d997c0cc42e87cb84f9e6e86087b07ef

SHA512
771e64a374320d57f0b0f98272dd3dc657546494bb881efa5984ce4e0cf14c2f9b1aef8a1e269099c80dc9705d5af9f457519d2231150305206848a7d52658a7

Download Submit
\ProgramData\MicrosoftNetwork\System.exe

MD5
3b2d6a2b219e71204e158eda4be0e05c

SHA1
4e84bc50d0d8637eefabbabe9a98d7b9ee8ebb1a

SHA256
e773c486a18d3b9bcbac9dc04c37c1693b3210ddfb3411c8c695f1de22117a53

SHA512
66546b216ad4a9974d8cb0957b5ad5f79d6838a9592d313dfd71b6e7c11ce94fc5fb053e69766ef8b07fb0c5c3c975eedd1fb98b8556e9bdd47bf5654a341738

Download Submit
\ProgramData\Systemd\Database.exe

MD5
7b8d2817f8b8ff76db2c64e427e52328

SHA1
48f8320fd1e51dcaaa769a27fe32a849226f4988

SHA256
eaa1e369dbdd7823bfbc55f25b8cb0ba7597abe2a18c9b2d69c68008d7224d7c

SHA512
0bf811c34226ae3c571bad7ffef0e9ecd54ab50cdd28363cdf079eb7b6a2a6b6e89ac936e0cedb0d74f105b4c90a6c6c9686c6976b8d5efc67ad2bc50883b631

Download Submit
\ProgramData\UpSys.exe

MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
\Users\Admin\AppData\Local\Temp\397A.exe

MD5
d7f8b0f5a2f69091f047641699d8410e

SHA1
c9dfde16c413f95fabab51adfe46658cb6fcb313

SHA256
a44258a51cc06bed58fb7117f02ce69d84f91295acf70dd3452c4f727effea72

SHA512
7445d4ab106da6199247d4ec8670ec49cdb379c1f91192f67430eea2c2fca2fc7146d661e24f81f1704ada4ec755da7236824df32894c018ac0668bf19937e98

Download Submit
\Users\Admin\AppData\Local\Temp\397A.exe

MD5
d7f8b0f5a2f69091f047641699d8410e

SHA1
c9dfde16c413f95fabab51adfe46658cb6fcb313

SHA256
a44258a51cc06bed58fb7117f02ce69d84f91295acf70dd3452c4f727effea72

SHA512
7445d4ab106da6199247d4ec8670ec49cdb379c1f91192f67430eea2c2fca2fc7146d661e24f81f1704ada4ec755da7236824df32894c018ac0668bf19937e98

Download Submit
\Users\Admin\AppData\Local\Temp\397A.exe

MD5
d7f8b0f5a2f69091f047641699d8410e

SHA1
c9dfde16c413f95fabab51adfe46658cb6fcb313

SHA256
a44258a51cc06bed58fb7117f02ce69d84f91295acf70dd3452c4f727effea72

SHA512
7445d4ab106da6199247d4ec8670ec49cdb379c1f91192f67430eea2c2fca2fc7146d661e24f81f1704ada4ec755da7236824df32894c018ac0668bf19937e98

Download Submit
\Users\Admin\AppData\Local\Temp\filename.exe

MD5
3b2d6a2b219e71204e158eda4be0e05c

SHA1
4e84bc50d0d8637eefabbabe9a98d7b9ee8ebb1a

SHA256
e773c486a18d3b9bcbac9dc04c37c1693b3210ddfb3411c8c695f1de22117a53

SHA512
66546b216ad4a9974d8cb0957b5ad5f79d6838a9592d313dfd71b6e7c11ce94fc5fb053e69766ef8b07fb0c5c3c975eedd1fb98b8556e9bdd47bf5654a341738

Download Submit
\Users\Admin\AppData\Local\Temp\filename.exe

MD5
60a04a85ae384381089b2ea3a6e0c357

SHA1
9be9ccabf3ffa7daf31b08860baa9488b62a382a

SHA256
26b02ea721e1f14fd4bd1cc526c56ba4dd10ef5f4571510bbdbcdbc9a5d1776a

SHA512
a994a05c44e44094ec8c22067c8a10e7e99d49c36ce7639a44580b88c65ae68ad4414d5769c706ea5127277138b06235b1aaab98d8094d14cb16656c7abb9e2c

Download Submit
memory/288-116-0x00000000027C0000-0x00000000027C2000-memory.dmp

Filesize
8KB

Download
memory/288-118-0x00000000027C4000-0x00000000027C7000-memory.dmp

Filesize
12KB

Download
memory/288-119-0x00000000027CB000-0x00000000027EA000-memory.dmp

Filesize
124KB

Download
memory/288-117-0x00000000027C2000-0x00000000027C4000-memory.dmp

Filesize
8KB

Download
memory/288-114-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/288-113-0x000007FEEDCE0000-0x000007FEEE83D000-memory.dmp

Filesize
11.4MB

Download
memory/288-110-0x0000000000000000-mapping.dmp

Download
memory/292-98-0x0000000000000000-mapping.dmp

Download
memory/296-71-0x0000000000000000-mapping.dmp

Download
memory/296-75-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/296-79-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/432-80-0x0000000000000000-mapping.dmp

Download
memory/596-92-0x0000000000290000-0x0000000000320000-memory.dmp

Filesize
576KB

Download
memory/596-65-0x0000000000000000-mapping.dmp

Download
memory/596-94-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/768-115-0x0000000000000000-mapping.dmp

Download
memory/768-126-0x000000000279B000-0x00000000027BA000-memory.dmp

Filesize
124KB

Download
memory/768-122-0x000007FEEDCE0000-0x000007FEEE83D000-memory.dmp

Filesize
11.4MB

Download
memory/768-125-0x0000000002792000-0x0000000002794000-memory.dmp

Filesize
8KB

Download
memory/768-127-0x0000000002794000-0x0000000002797000-memory.dmp

Filesize
12KB

Download
memory/768-123-0x000000001B760000-0x000000001BA5F000-memory.dmp

Filesize
3.0MB

Download
memory/768-124-0x0000000002790000-0x0000000002792000-memory.dmp

Filesize
8KB

Download
memory/784-104-0x00000000000D0000-0x00000000000E5000-memory.dmp

Filesize
84KB

Download
memory/784-105-0x00000000000D9A6B-mapping.dmp

Download
memory/848-235-0x0000000000000000-mapping.dmp

Download
memory/1012-203-0x000007FEEADF0000-0x000007FEEB94D000-memory.dmp

Filesize
11.4MB

Download
memory/1012-199-0x0000000000000000-mapping.dmp

Download
memory/1012-206-0x000000001B6E0000-0x000000001B9DF000-memory.dmp

Filesize
3.0MB

Download
memory/1044-96-0x0000000000000000-mapping.dmp

Download
memory/1044-56-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1104-137-0x00000000026C0000-0x0000000002756000-memory.dmp

Filesize
600KB

Download
memory/1104-82-0x0000000000000000-mapping.dmp

Download
memory/1104-165-0x0000000002820000-0x0000000002897000-memory.dmp

Filesize
476KB

Download
memory/1104-93-0x00000000027A0000-0x00000000027A2000-memory.dmp

Filesize
8KB

Download
memory/1104-87-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/1164-157-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/1164-142-0x0000000000000000-mapping.dmp

Download
memory/1176-77-0x0000000000000000-mapping.dmp

Download
memory/1224-135-0x0000000002674000-0x0000000002677000-memory.dmp

Filesize
12KB

Download
memory/1224-133-0x0000000002670000-0x0000000002672000-memory.dmp

Filesize
8KB

Download
memory/1224-134-0x0000000002672000-0x0000000002674000-memory.dmp

Filesize
8KB

Download
memory/1224-136-0x000000001B800000-0x000000001BAFF000-memory.dmp

Filesize
3.0MB

Download
memory/1224-128-0x0000000000000000-mapping.dmp

Download
memory/1224-132-0x000007FEEDCE0000-0x000007FEEE83D000-memory.dmp

Filesize
11.4MB

Download
memory/1224-138-0x000000000267B000-0x000000000269A000-memory.dmp

Filesize
124KB

Download
memory/1228-95-0x000007FEEDCE0000-0x000007FEEE83D000-memory.dmp

Filesize
11.4MB

Download
memory/1228-102-0x0000000002824000-0x0000000002827000-memory.dmp

Filesize
12KB

Download
memory/1228-100-0x0000000002820000-0x0000000002822000-memory.dmp

Filesize
8KB

Download
memory/1228-89-0x0000000000000000-mapping.dmp

Download
memory/1228-101-0x0000000002822000-0x0000000002824000-memory.dmp

Filesize
8KB

Download
memory/1228-109-0x000000000282B000-0x000000000284A000-memory.dmp

Filesize
124KB

Download
memory/1228-97-0x000000001B7C0000-0x000000001BABF000-memory.dmp

Filesize
3.0MB

Download
memory/1228-91-0x000007FEFB541000-0x000007FEFB543000-memory.dmp

Filesize
8KB

Download
memory/1232-70-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/1232-69-0x0000000000230000-0x0000000000243000-memory.dmp

Filesize
76KB

Download
memory/1232-63-0x0000000000000000-mapping.dmp

Download
memory/1268-57-0x0000000002A70000-0x0000000002A86000-memory.dmp

Filesize
88KB

Download
memory/1304-244-0x0000000000000000-mapping.dmp

Download
memory/1372-247-0x0000000000000000-mapping.dmp

Download
memory/1464-73-0x0000000000000000-mapping.dmp

Download
memory/1496-61-0x00000000012C0000-0x00000000012C1000-memory.dmp

Filesize
4KB

Download
memory/1496-58-0x0000000000000000-mapping.dmp

Download
memory/1584-154-0x0000000004C01000-0x0000000004C02000-memory.dmp

Filesize
4KB

Download
memory/1584-153-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1584-145-0x0000000001F10000-0x0000000001F33000-memory.dmp

Filesize
140KB

Download
memory/1584-148-0x0000000000230000-0x0000000000267000-memory.dmp

Filesize
220KB

Download
memory/1584-140-0x0000000000000000-mapping.dmp

Download
memory/1584-146-0x0000000002110000-0x0000000002132000-memory.dmp

Filesize
136KB

Download
memory/1648-90-0x0000000000000000-mapping.dmp

Download
memory/1760-106-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/1796-149-0x0000000001F70000-0x0000000001F8F000-memory.dmp

Filesize
124KB

Download
memory/1796-150-0x0000000004761000-0x0000000004762000-memory.dmp

Filesize
4KB

Download
memory/1796-139-0x0000000000000000-mapping.dmp

Download
memory/1796-151-0x0000000002140000-0x000000000215E000-memory.dmp

Filesize
120KB

Download
memory/1796-152-0x0000000004762000-0x0000000004763000-memory.dmp

Filesize
4KB

Download
memory/1916-226-0x0000000000000000-mapping.dmp

Download
memory/2028-53-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2028-55-0x0000000075871000-0x0000000075873000-memory.dmp

Filesize
8KB

Download
memory/2028-54-0x0000000000402FA5-mapping.dmp

Download
memory/2220-164-0x0000000000000000-mapping.dmp

Download
memory/2244-209-0x0000000000000000-mapping.dmp

Download
memory/2252-212-0x0000000000000000-mapping.dmp

Download
memory/2272-217-0x000000013FB60000-0x0000000140D48000-memory.dmp

Filesize
17.9MB

Download
memory/2272-214-0x0000000000000000-mapping.dmp

Download
memory/2276-172-0x000000001B820000-0x000000001BB1F000-memory.dmp

Filesize
3.0MB

Download
memory/2276-168-0x0000000000000000-mapping.dmp

Download
memory/2276-171-0x000007FEEDCE0000-0x000007FEEE83D000-memory.dmp

Filesize
11.4MB

Download
memory/2292-220-0x000000013F960000-0x0000000140B48000-memory.dmp

Filesize
17.9MB

Download
memory/2292-218-0x0000000000000000-mapping.dmp

Download
memory/2432-221-0x0000000000000000-mapping.dmp

Download
memory/2432-223-0x000000013F580000-0x0000000140768000-memory.dmp

Filesize
17.9MB

Download
memory/2472-194-0x000000001B6B0000-0x000000001B6FE000-memory.dmp

Filesize
312KB

Download
memory/2472-197-0x000000001BB60000-0x000000001BBA6000-memory.dmp

Filesize
280KB

Download
memory/2472-196-0x000000001BB10000-0x000000001BB5F000-memory.dmp

Filesize
316KB

Download
memory/2472-182-0x00000000023E0000-0x0000000002463000-memory.dmp

Filesize
524KB

Download
memory/2472-195-0x0000000000580000-0x0000000000585000-memory.dmp

Filesize
20KB

Download
memory/2472-175-0x0000000140000000-mapping.dmp

Download
memory/2472-174-0x0000000140000000-0x0000000140070000-memory.dmp

Filesize
448KB

Download
memory/2556-234-0x0000000000000000-mapping.dmp

Download
memory/2588-180-0x0000000000000000-mapping.dmp

Download
memory/2608-229-0x0000000000000000-mapping.dmp

Download
memory/2748-190-0x000000013F6D0000-0x0000000140034000-memory.dmp

Filesize
9.4MB

Download
memory/2748-187-0x0000000000000000-mapping.dmp

Download
memory/2760-241-0x0000000000000000-mapping.dmp

Download