nanocore | e5b4f0d80455434c5454347cce00f9f5367a19e9af19731ad04630e1c5cb5440

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-en-20210920
submitted
26-09-2021 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ- 28300NB.scr
Size

999KB
MD5

c10afb1541eafecc15387c8c0f3db1c9
SHA1

7cd612bfed4ba6350c192142d55392ac8aa5a0a5
SHA256

89416f4296bcee3a4230b3845988246b0dc489376238061d26e4b75e6ecf972e
SHA512

d94a03f9281c34bbe563d44c920a5188b18ed4aee44fc507e9c706930f93e52f6beccec7fe3462b07d88994f70dddbfd0b17c8aed2a0c3613a35378cfe411b34

Score

10^/10

nanocore warzonerat infostealer keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

warzonerat

membership.myddns.rocks:5191

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 10 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\92809516\Client-1.exe	warzonerat
\Users\Admin\AppData\Roaming\92809516\Client-1.exe	warzonerat
\Users\Admin\AppData\Roaming\92809516\Client-1.exe	warzonerat
\Users\Admin\AppData\Roaming\92809516\Client-1.exe	warzonerat
C:\Users\Admin\AppData\Roaming\92809516\Client-1.exe	warzonerat
C:\Users\Admin\AppData\Roaming\92809516\Client-1.exe	warzonerat
\ProgramData\images.exe	warzonerat
C:\ProgramData\images.exe	warzonerat
\ProgramData\images.exe	warzonerat
C:\ProgramData\images.exe	warzonerat

Executes dropped EXE 59 IoCs

Processes:

Client-1.exemaxenlt.pifimages.exeRegSvcs.exemaxenlt.pifmaxenlt.pifRegSvcs.exemaxenlt.pifmaxenlt.pifRegSvcs.exemaxenlt.pifmaxenlt.pifRegSvcs.exemaxenlt.pifmaxenlt.pifRegSvcs.exemaxenlt.pifmaxenlt.pifRegSvcs.exemaxenlt.pifRegSvcs.exemaxenlt.pifmaxenlt.pifRegSvcs.exemaxenlt.pifmaxenlt.pifRegSvcs.exemaxenlt.pifmaxenlt.pifRegSvcs.exemaxenlt.pifRegSvcs.exemaxenlt.pifmaxenlt.pifRegSvcs.exemaxenlt.pifRegSvcs.exemaxenlt.pifRegSvcs.exemaxenlt.pifRegSvcs.exemaxenlt.pifRegSvcs.exemaxenlt.pifRegSvcs.exemaxenlt.pifRegSvcs.exemaxenlt.pifRegSvcs.exemaxenlt.pifRegSvcs.exemaxenlt.pifRegSvcs.exemaxenlt.pifRegSvcs.exemaxenlt.pifRegSvcs.exemaxenlt.pifRegSvcs.exe

pid	process
2020	Client-1.exe
1636	maxenlt.pif
1564	images.exe
576	RegSvcs.exe
1080	maxenlt.pif
1592	maxenlt.pif
1260	RegSvcs.exe
320	maxenlt.pif
1992	maxenlt.pif
1428	RegSvcs.exe
824	maxenlt.pif
1880	maxenlt.pif
1744	RegSvcs.exe
1528	maxenlt.pif
1948	maxenlt.pif
1988	RegSvcs.exe
484	maxenlt.pif
1952	maxenlt.pif
1276	RegSvcs.exe
1900	maxenlt.pif
1720	RegSvcs.exe
1744	maxenlt.pif
2028	maxenlt.pif
1056	RegSvcs.exe
984	maxenlt.pif
2004	maxenlt.pif
620	RegSvcs.exe
1368	maxenlt.pif
836	maxenlt.pif
1212	RegSvcs.exe
1988	maxenlt.pif
1384	RegSvcs.exe
1196	maxenlt.pif
332	maxenlt.pif
1072	RegSvcs.exe
964	maxenlt.pif
1528	RegSvcs.exe
1368	maxenlt.pif
1480	RegSvcs.exe
1588	maxenlt.pif
1724	RegSvcs.exe
1428	maxenlt.pif
1948	RegSvcs.exe
1884	maxenlt.pif
1460	RegSvcs.exe
1708	maxenlt.pif
1624	RegSvcs.exe
1404	maxenlt.pif
1444	RegSvcs.exe
1976	maxenlt.pif
1480	RegSvcs.exe
1216	maxenlt.pif
2036	RegSvcs.exe
2000	maxenlt.pif
1232	RegSvcs.exe
1892	maxenlt.pif
1548	RegSvcs.exe
1612	maxenlt.pif
1624	RegSvcs.exe

Drops startup file 2 IoCs

Processes:

Client-1.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	Client-1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	Client-1.exe

Loads dropped DLL 34 IoCs

Processes:

RFQ- 28300NB.scrClient-1.exemaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pif

pid	process
1768	RFQ- 28300NB.scr
1768	RFQ- 28300NB.scr
1768	RFQ- 28300NB.scr
1768	RFQ- 28300NB.scr
1768	RFQ- 28300NB.scr
1768	RFQ- 28300NB.scr
1768	RFQ- 28300NB.scr
1768	RFQ- 28300NB.scr
2020	Client-1.exe
2020	Client-1.exe
1636	maxenlt.pif
1592	maxenlt.pif
1992	maxenlt.pif
1880	maxenlt.pif
1948	maxenlt.pif
1952	maxenlt.pif
1900	maxenlt.pif
2028	maxenlt.pif
2004	maxenlt.pif
836	maxenlt.pif
1988	maxenlt.pif
332	maxenlt.pif
964	maxenlt.pif
1368	maxenlt.pif
1588	maxenlt.pif
1428	maxenlt.pif
1884	maxenlt.pif
1708	maxenlt.pif
1404	maxenlt.pif
1976	maxenlt.pif
1216	maxenlt.pif
2000	maxenlt.pif
1892	maxenlt.pif
1612	maxenlt.pif

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

maxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifClient-1.exemaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pif

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	Client-1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
NTFS ADS 1 IoCs

Processes:

Client-1.exe

description ioc process

File created C:\ProgramData:ApplicationData Client-1.exe

description	ioc	process
File created	C:\ProgramData:ApplicationData	Client-1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exemaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pif

pid	process
1436	powershell.exe
620	powershell.exe
1636	maxenlt.pif
1636	maxenlt.pif
1636	maxenlt.pif
1636	maxenlt.pif
1636	maxenlt.pif
1636	maxenlt.pif
1080	maxenlt.pif
1080	maxenlt.pif
1080	maxenlt.pif
1080	maxenlt.pif
1080	maxenlt.pif
1080	maxenlt.pif
1592	maxenlt.pif
1592	maxenlt.pif
1592	maxenlt.pif
1592	maxenlt.pif
1592	maxenlt.pif
1592	maxenlt.pif
320	maxenlt.pif
320	maxenlt.pif
320	maxenlt.pif
320	maxenlt.pif
320	maxenlt.pif
320	maxenlt.pif
1992	maxenlt.pif
1992	maxenlt.pif
1992	maxenlt.pif
1992	maxenlt.pif
1992	maxenlt.pif
1992	maxenlt.pif
824	maxenlt.pif
824	maxenlt.pif
824	maxenlt.pif
824	maxenlt.pif
824	maxenlt.pif
824	maxenlt.pif
1880	maxenlt.pif
1880	maxenlt.pif
1880	maxenlt.pif
1880	maxenlt.pif
1880	maxenlt.pif
1880	maxenlt.pif
1528	maxenlt.pif
1528	maxenlt.pif
1528	maxenlt.pif
1528	maxenlt.pif
1528	maxenlt.pif
1528	maxenlt.pif
1948	maxenlt.pif
1948	maxenlt.pif
1948	maxenlt.pif
1948	maxenlt.pif
1948	maxenlt.pif
1948	maxenlt.pif
484	maxenlt.pif
484	maxenlt.pif
484	maxenlt.pif
484	maxenlt.pif
484	maxenlt.pif
484	maxenlt.pif
1952	maxenlt.pif
1952	maxenlt.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1436 powershell.exe
Token: SeDebugPrivilege 620 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	620	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

RFQ- 28300NB.scrClient-1.exemaxenlt.pifimages.exeWScript.exemaxenlt.pifWScript.exemaxenlt.pifWScript.exe

description	pid	process	target process
PID 1768 wrote to memory of 2020	1768	RFQ- 28300NB.scr	Client-1.exe
PID 1768 wrote to memory of 2020	1768	RFQ- 28300NB.scr	Client-1.exe
PID 1768 wrote to memory of 2020	1768	RFQ- 28300NB.scr	Client-1.exe
PID 1768 wrote to memory of 2020	1768	RFQ- 28300NB.scr	Client-1.exe
PID 1768 wrote to memory of 1636	1768	RFQ- 28300NB.scr	maxenlt.pif
PID 1768 wrote to memory of 1636	1768	RFQ- 28300NB.scr	maxenlt.pif
PID 1768 wrote to memory of 1636	1768	RFQ- 28300NB.scr	maxenlt.pif
PID 1768 wrote to memory of 1636	1768	RFQ- 28300NB.scr	maxenlt.pif
PID 2020 wrote to memory of 1436	2020	Client-1.exe	powershell.exe
PID 2020 wrote to memory of 1436	2020	Client-1.exe	powershell.exe
PID 2020 wrote to memory of 1436	2020	Client-1.exe	powershell.exe
PID 2020 wrote to memory of 1436	2020	Client-1.exe	powershell.exe
PID 2020 wrote to memory of 1564	2020	Client-1.exe	images.exe
PID 2020 wrote to memory of 1564	2020	Client-1.exe	images.exe
PID 2020 wrote to memory of 1564	2020	Client-1.exe	images.exe
PID 2020 wrote to memory of 1564	2020	Client-1.exe	images.exe
PID 1636 wrote to memory of 576	1636	maxenlt.pif	RegSvcs.exe
PID 1636 wrote to memory of 576	1636	maxenlt.pif	RegSvcs.exe
PID 1636 wrote to memory of 576	1636	maxenlt.pif	RegSvcs.exe
PID 1636 wrote to memory of 576	1636	maxenlt.pif	RegSvcs.exe
PID 1636 wrote to memory of 576	1636	maxenlt.pif	RegSvcs.exe
PID 1636 wrote to memory of 576	1636	maxenlt.pif	RegSvcs.exe
PID 1636 wrote to memory of 576	1636	maxenlt.pif	RegSvcs.exe
PID 1564 wrote to memory of 620	1564	images.exe	powershell.exe
PID 1564 wrote to memory of 620	1564	images.exe	powershell.exe
PID 1564 wrote to memory of 620	1564	images.exe	powershell.exe
PID 1564 wrote to memory of 620	1564	images.exe	powershell.exe
PID 1564 wrote to memory of 808	1564	images.exe	cmd.exe
PID 1564 wrote to memory of 808	1564	images.exe	cmd.exe
PID 1564 wrote to memory of 808	1564	images.exe	cmd.exe
PID 1564 wrote to memory of 808	1564	images.exe	cmd.exe
PID 1636 wrote to memory of 748	1636	maxenlt.pif	WScript.exe
PID 1636 wrote to memory of 748	1636	maxenlt.pif	WScript.exe
PID 1636 wrote to memory of 748	1636	maxenlt.pif	WScript.exe
PID 1636 wrote to memory of 748	1636	maxenlt.pif	WScript.exe
PID 1564 wrote to memory of 808	1564	images.exe	cmd.exe
PID 1564 wrote to memory of 808	1564	images.exe	cmd.exe
PID 748 wrote to memory of 1080	748	WScript.exe	maxenlt.pif
PID 748 wrote to memory of 1080	748	WScript.exe	maxenlt.pif
PID 748 wrote to memory of 1080	748	WScript.exe	maxenlt.pif
PID 748 wrote to memory of 1080	748	WScript.exe	maxenlt.pif
PID 1080 wrote to memory of 1748	1080	maxenlt.pif	WScript.exe
PID 1080 wrote to memory of 1748	1080	maxenlt.pif	WScript.exe
PID 1080 wrote to memory of 1748	1080	maxenlt.pif	WScript.exe
PID 1080 wrote to memory of 1748	1080	maxenlt.pif	WScript.exe
PID 1748 wrote to memory of 1592	1748	WScript.exe	maxenlt.pif
PID 1748 wrote to memory of 1592	1748	WScript.exe	maxenlt.pif
PID 1748 wrote to memory of 1592	1748	WScript.exe	maxenlt.pif
PID 1748 wrote to memory of 1592	1748	WScript.exe	maxenlt.pif
PID 1592 wrote to memory of 1260	1592	maxenlt.pif	RegSvcs.exe
PID 1592 wrote to memory of 1260	1592	maxenlt.pif	RegSvcs.exe
PID 1592 wrote to memory of 1260	1592	maxenlt.pif	RegSvcs.exe
PID 1592 wrote to memory of 1260	1592	maxenlt.pif	RegSvcs.exe
PID 1592 wrote to memory of 1260	1592	maxenlt.pif	RegSvcs.exe
PID 1592 wrote to memory of 1260	1592	maxenlt.pif	RegSvcs.exe
PID 1592 wrote to memory of 1260	1592	maxenlt.pif	RegSvcs.exe
PID 1592 wrote to memory of 1104	1592	maxenlt.pif	WScript.exe
PID 1592 wrote to memory of 1104	1592	maxenlt.pif	WScript.exe
PID 1592 wrote to memory of 1104	1592	maxenlt.pif	WScript.exe
PID 1592 wrote to memory of 1104	1592	maxenlt.pif	WScript.exe
PID 1104 wrote to memory of 320	1104	WScript.exe	maxenlt.pif
PID 1104 wrote to memory of 320	1104	WScript.exe	maxenlt.pif
PID 1104 wrote to memory of 320	1104	WScript.exe	maxenlt.pif
PID 1104 wrote to memory of 320	1104	WScript.exe	maxenlt.pif

C:\Users\Admin\AppData\Local\Temp\RFQ- 28300NB.scr
"C:\Users\Admin\AppData\Local\Temp\RFQ- 28300NB.scr" /S
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Roaming\92809516\Client-1.exe
"C:\Users\Admin\AppData\Roaming\92809516\Client-1.exe" Paul E. Patton (born May 26, 1937) is an American politician who served as the 59th governor of Kentucky from 1995 to 2003.
2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
4⤵
PID:808

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
3⤵
- Executes dropped EXE
PID:576

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:748

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1592

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
7⤵
- Executes dropped EXE
PID:1260

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
7⤵
- Suspicious use of WriteProcessMemory
PID:1104

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:320

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
9⤵
PID:1308

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1992

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
11⤵
- Executes dropped EXE
PID:1428

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
11⤵
PID:1680

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
12⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:824

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
13⤵
PID:1972

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
14⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1880

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
15⤵
- Executes dropped EXE
PID:1744

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
15⤵
PID:1748

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
16⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1528

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
17⤵
PID:2016

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
18⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1948

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
19⤵
- Executes dropped EXE
PID:1988

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
19⤵
PID:1256

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
20⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:484

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
21⤵
PID:1572

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
22⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1952

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
23⤵
- Executes dropped EXE
PID:1276

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
23⤵
PID:368

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
24⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1900

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
25⤵
- Executes dropped EXE
PID:1720

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
25⤵
PID:1232

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
26⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1744

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
27⤵
PID:1616

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
28⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2028

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
29⤵
- Executes dropped EXE
PID:1056

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
29⤵
PID:1532

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
30⤵
- Executes dropped EXE
- Adds Run key to start application
PID:984

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
31⤵
PID:1572

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
32⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2004

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
33⤵
- Executes dropped EXE
PID:620

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
33⤵
PID:1608

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
34⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1368

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
35⤵
PID:1772

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
36⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:836

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
37⤵
- Executes dropped EXE
PID:1212

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
37⤵
PID:812

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
38⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1988

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
39⤵
- Executes dropped EXE
PID:1384

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
39⤵
PID:1476

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
40⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1196

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
41⤵
PID:1412

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
41⤵
PID:824

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
42⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:332

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
43⤵
- Executes dropped EXE
PID:1072

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
43⤵
PID:1748

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
44⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:964

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
45⤵
- Executes dropped EXE
PID:1528

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
45⤵
PID:1260

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
46⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1368

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
47⤵
- Executes dropped EXE
PID:1480

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
47⤵
PID:1684

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
48⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1588

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
49⤵
- Executes dropped EXE
PID:1724

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
49⤵
PID:1736

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
50⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1428

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
51⤵
- Executes dropped EXE
PID:1948

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
51⤵
PID:2040

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
52⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1884

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
53⤵
- Executes dropped EXE
PID:1460

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
53⤵
PID:108

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
54⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1708

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
55⤵
- Executes dropped EXE
PID:1624

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
55⤵
PID:2044

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
56⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1404

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
57⤵
- Executes dropped EXE
PID:1444

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
57⤵
PID:1200

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
58⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1976

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
59⤵
- Executes dropped EXE
PID:1480

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
59⤵
PID:1620

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
60⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1216

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
61⤵
- Executes dropped EXE
PID:2036

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
61⤵
PID:1680

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
62⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2000

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
63⤵
- Executes dropped EXE
PID:1232

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
63⤵
PID:1288

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
64⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1892

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
65⤵
- Executes dropped EXE
PID:1548

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
65⤵
PID:2008

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
66⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1612

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
67⤵
- Executes dropped EXE
PID:1624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\images.exe
MD5
15d206310b65d58f2920f7fbab42d2d7

SHA1
91e9f7fefa4d13b6fec522a0f2d78f735aaa0634

SHA256
5b6ac94ed2e8e2fda33d432f739588ad97db7a8865e51dc7ea2dc758eb1ed9cd

SHA512
dcf68d7615c69eb4ccf0d8ed27a123437f24aeb4f3770e51dcf7ec21570fc1777aa4dbd1afcbc670a080a460462e2944c7709a9d1f406848f38e7bb720795f61

Download Submit
C:\ProgramData\images.exe
MD5
15d206310b65d58f2920f7fbab42d2d7

SHA1
91e9f7fefa4d13b6fec522a0f2d78f735aaa0634

SHA256
5b6ac94ed2e8e2fda33d432f739588ad97db7a8865e51dc7ea2dc758eb1ed9cd

SHA512
dcf68d7615c69eb4ccf0d8ed27a123437f24aeb4f3770e51dcf7ec21570fc1777aa4dbd1afcbc670a080a460462e2944c7709a9d1f406848f38e7bb720795f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\Client-1.exe
MD5
15d206310b65d58f2920f7fbab42d2d7

SHA1
91e9f7fefa4d13b6fec522a0f2d78f735aaa0634

SHA256
5b6ac94ed2e8e2fda33d432f739588ad97db7a8865e51dc7ea2dc758eb1ed9cd

SHA512
dcf68d7615c69eb4ccf0d8ed27a123437f24aeb4f3770e51dcf7ec21570fc1777aa4dbd1afcbc670a080a460462e2944c7709a9d1f406848f38e7bb720795f61

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\Client-1.exe
MD5
15d206310b65d58f2920f7fbab42d2d7

SHA1
91e9f7fefa4d13b6fec522a0f2d78f735aaa0634

SHA256
5b6ac94ed2e8e2fda33d432f739588ad97db7a8865e51dc7ea2dc758eb1ed9cd

SHA512
dcf68d7615c69eb4ccf0d8ed27a123437f24aeb4f3770e51dcf7ec21570fc1777aa4dbd1afcbc670a080a460462e2944c7709a9d1f406848f38e7bb720795f61

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\fruhcg.vbd
MD5
539e353ba0fd9074f9c3424e2c61f4d3

SHA1
5aecb769a36d652035bd8c3cd1b8dab00dbe0abf

SHA256
756b5191e7e49f82188c9ac20bf8e281a6ba0e08105bf1aae0eaba2f34c502c0

SHA512
e6ec9d24b658bdc83ae6abbbf1e4d075db5ae36f86d02ddc4ca84c1202032d1eb4635b211b45827265668e2bacac26d31e5e86da8ef7e1a96f2437b02b2720a1

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\mucft.txt
MD5
66509d249f10f3434f3a9f57f3834ca1

SHA1
5f9752739d0c91fa70ea630f3f79beacd53787f0

SHA256
d50cfe73844fdc1836adefdd3c7ed2abf82bd39e8a9690a5a54eae6f8ca1e10e

SHA512
43acd6add3860181bcc8b26ddc3f426edc591a869d1f8558f9a40f047c350567e5ad3613d0971179c12d4c68d708c98229df46b499c746235f506638da18f8d8

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\run.vbs
MD5
d0d4f0054aae280e17d188c6b9f89a25

SHA1
f0941cdfcff06957727aedad7455db27542c8926

SHA256
092da3fdf59c64cefbde64e91fd94c63836d3ca833d97c7fa2a1a395d06a2b36

SHA512
54d80decc6e7d2f8e4d30594ab8a5bd50dc4f201703497df908f9ec406e7422d6f4b20e222563a2fae5497068c67353a4f7f4adc88e456e24606fb70df43a32e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
ffdba17ee654a20bc427f39e16f57e9d

SHA1
1703c5c7ddf3ea9c3dffe6116cef09ec8fb3b945

SHA256
18427504a33011277da82bb92f6a59fcf72489d13413eccb7110916c1b711888

SHA512
96767d24cacd1338b37698be7765f3b5d5b95db41d2396b34411a698d6a357c8073bc1e58f896292cfb92e4444cc78b63114ad810b459a44623852b784ca2061

Download Submit
\ProgramData\images.exe
MD5
15d206310b65d58f2920f7fbab42d2d7

SHA1
91e9f7fefa4d13b6fec522a0f2d78f735aaa0634

SHA256
5b6ac94ed2e8e2fda33d432f739588ad97db7a8865e51dc7ea2dc758eb1ed9cd

SHA512
dcf68d7615c69eb4ccf0d8ed27a123437f24aeb4f3770e51dcf7ec21570fc1777aa4dbd1afcbc670a080a460462e2944c7709a9d1f406848f38e7bb720795f61

Download Submit
\ProgramData\images.exe
MD5
15d206310b65d58f2920f7fbab42d2d7

SHA1
91e9f7fefa4d13b6fec522a0f2d78f735aaa0634

SHA256
5b6ac94ed2e8e2fda33d432f739588ad97db7a8865e51dc7ea2dc758eb1ed9cd

SHA512
dcf68d7615c69eb4ccf0d8ed27a123437f24aeb4f3770e51dcf7ec21570fc1777aa4dbd1afcbc670a080a460462e2944c7709a9d1f406848f38e7bb720795f61

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Roaming\92809516\Client-1.exe
MD5
15d206310b65d58f2920f7fbab42d2d7

SHA1
91e9f7fefa4d13b6fec522a0f2d78f735aaa0634

SHA256
5b6ac94ed2e8e2fda33d432f739588ad97db7a8865e51dc7ea2dc758eb1ed9cd

SHA512
dcf68d7615c69eb4ccf0d8ed27a123437f24aeb4f3770e51dcf7ec21570fc1777aa4dbd1afcbc670a080a460462e2944c7709a9d1f406848f38e7bb720795f61

Download Submit
\Users\Admin\AppData\Roaming\92809516\Client-1.exe
MD5
15d206310b65d58f2920f7fbab42d2d7

SHA1
91e9f7fefa4d13b6fec522a0f2d78f735aaa0634

SHA256
5b6ac94ed2e8e2fda33d432f739588ad97db7a8865e51dc7ea2dc758eb1ed9cd

SHA512
dcf68d7615c69eb4ccf0d8ed27a123437f24aeb4f3770e51dcf7ec21570fc1777aa4dbd1afcbc670a080a460462e2944c7709a9d1f406848f38e7bb720795f61

Download Submit
\Users\Admin\AppData\Roaming\92809516\Client-1.exe
MD5
15d206310b65d58f2920f7fbab42d2d7

SHA1
91e9f7fefa4d13b6fec522a0f2d78f735aaa0634

SHA256
5b6ac94ed2e8e2fda33d432f739588ad97db7a8865e51dc7ea2dc758eb1ed9cd

SHA512
dcf68d7615c69eb4ccf0d8ed27a123437f24aeb4f3770e51dcf7ec21570fc1777aa4dbd1afcbc670a080a460462e2944c7709a9d1f406848f38e7bb720795f61

Download Submit
\Users\Admin\AppData\Roaming\92809516\Client-1.exe
MD5
15d206310b65d58f2920f7fbab42d2d7

SHA1
91e9f7fefa4d13b6fec522a0f2d78f735aaa0634

SHA256
5b6ac94ed2e8e2fda33d432f739588ad97db7a8865e51dc7ea2dc758eb1ed9cd

SHA512
dcf68d7615c69eb4ccf0d8ed27a123437f24aeb4f3770e51dcf7ec21570fc1777aa4dbd1afcbc670a080a460462e2944c7709a9d1f406848f38e7bb720795f61

Download Submit
\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
memory/108-230-0x0000000000000000-mapping.dmp

Download
memory/320-106-0x0000000000000000-mapping.dmp

Download
memory/332-208-0x0000000000000000-mapping.dmp

Download
memory/368-156-0x0000000000000000-mapping.dmp

Download
memory/484-145-0x0000000000000000-mapping.dmp

Download
memory/620-88-0x0000000002480000-0x00000000030CA000-memory.dmp

Filesize
12.3MB

Download
memory/620-82-0x0000000000000000-mapping.dmp

Download
memory/748-87-0x0000000000000000-mapping.dmp

Download
memory/808-95-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/808-84-0x0000000000000000-mapping.dmp

Download
memory/812-200-0x0000000000000000-mapping.dmp

Download
memory/824-119-0x0000000000000000-mapping.dmp

Download
memory/836-198-0x0000000000000000-mapping.dmp

Download
memory/964-212-0x0000000000000000-mapping.dmp

Download
memory/984-179-0x0000000000000000-mapping.dmp

Download
memory/1080-92-0x0000000000000000-mapping.dmp

Download
memory/1104-104-0x0000000000000000-mapping.dmp

Download
memory/1196-206-0x0000000000000000-mapping.dmp

Download
memory/1200-238-0x0000000000000000-mapping.dmp

Download
memory/1216-244-0x0000000000000000-mapping.dmp

Download
memory/1232-164-0x0000000000000000-mapping.dmp

Download
memory/1256-143-0x0000000000000000-mapping.dmp

Download
memory/1260-214-0x0000000000000000-mapping.dmp

Download
memory/1308-110-0x0000000000000000-mapping.dmp

Download
memory/1368-216-0x0000000000000000-mapping.dmp

Download
memory/1368-192-0x0000000000000000-mapping.dmp

Download
memory/1404-236-0x0000000000000000-mapping.dmp

Download
memory/1428-224-0x0000000000000000-mapping.dmp

Download
memory/1436-70-0x0000000000000000-mapping.dmp

Download
memory/1436-83-0x00000000025D0000-0x000000000321A000-memory.dmp

Filesize
12.3MB

Download
memory/1476-204-0x0000000000000000-mapping.dmp

Download
memory/1528-132-0x0000000000000000-mapping.dmp

Download
memory/1532-177-0x0000000000000000-mapping.dmp

Download
memory/1564-73-0x0000000000000000-mapping.dmp

Download
memory/1572-183-0x0000000000000000-mapping.dmp

Download
memory/1572-149-0x0000000000000000-mapping.dmp

Download
memory/1588-220-0x0000000000000000-mapping.dmp

Download
memory/1592-99-0x0000000000000000-mapping.dmp

Download
memory/1608-190-0x0000000000000000-mapping.dmp

Download
memory/1616-170-0x0000000000000000-mapping.dmp

Download
memory/1620-242-0x0000000000000000-mapping.dmp

Download
memory/1636-65-0x0000000000000000-mapping.dmp

Download
memory/1680-246-0x0000000000000000-mapping.dmp

Download
memory/1680-117-0x0000000000000000-mapping.dmp

Download
memory/1684-218-0x0000000000000000-mapping.dmp

Download
memory/1708-232-0x0000000000000000-mapping.dmp

Download
memory/1736-222-0x0000000000000000-mapping.dmp

Download
memory/1744-166-0x0000000000000000-mapping.dmp

Download
memory/1748-97-0x0000000000000000-mapping.dmp

Download
memory/1748-130-0x0000000000000000-mapping.dmp

Download
memory/1748-210-0x0000000000000000-mapping.dmp

Download
memory/1768-53-0x0000000075821000-0x0000000075823000-memory.dmp

Filesize
8KB

Download
memory/1772-196-0x0000000000000000-mapping.dmp

Download
memory/1880-125-0x0000000000000000-mapping.dmp

Download
memory/1884-228-0x0000000000000000-mapping.dmp

Download
memory/1900-158-0x0000000000000000-mapping.dmp

Download
memory/1948-138-0x0000000000000000-mapping.dmp

Download
memory/1952-151-0x0000000000000000-mapping.dmp

Download
memory/1972-123-0x0000000000000000-mapping.dmp

Download
memory/1976-240-0x0000000000000000-mapping.dmp

Download
memory/1988-202-0x0000000000000000-mapping.dmp

Download
memory/1992-112-0x0000000000000000-mapping.dmp

Download
memory/2004-185-0x0000000000000000-mapping.dmp

Download
memory/2016-136-0x0000000000000000-mapping.dmp

Download
memory/2020-58-0x0000000000000000-mapping.dmp

Download
memory/2028-172-0x0000000000000000-mapping.dmp

Download
memory/2040-226-0x0000000000000000-mapping.dmp

Download
memory/2044-234-0x0000000000000000-mapping.dmp

Download