nanocore | e5b4f0d80455434c5454347cce00f9f5367a19e9af19731ad04630e1c5cb5440

Analysis

max time kernel
151s
max time network
139s
platform
windows7_x64
resource
win7-en-20210920
submitted
26-09-2021 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ- 28300NB.scr
Size

999KB
MD5

c10afb1541eafecc15387c8c0f3db1c9
SHA1

7cd612bfed4ba6350c192142d55392ac8aa5a0a5
SHA256

89416f4296bcee3a4230b3845988246b0dc489376238061d26e4b75e6ecf972e
SHA512

d94a03f9281c34bbe563d44c920a5188b18ed4aee44fc507e9c706930f93e52f6beccec7fe3462b07d88994f70dddbfd0b17c8aed2a0c3613a35378cfe411b34

Score

10^/10

nanocore warzonerat infostealer keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

warzonerat

membership.myddns.rocks:5191

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 10 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\92809516\Client-1.exe	warzonerat
\Users\Admin\AppData\Roaming\92809516\Client-1.exe	warzonerat
\Users\Admin\AppData\Roaming\92809516\Client-1.exe	warzonerat
\Users\Admin\AppData\Roaming\92809516\Client-1.exe	warzonerat
C:\Users\Admin\AppData\Roaming\92809516\Client-1.exe	warzonerat
C:\Users\Admin\AppData\Roaming\92809516\Client-1.exe	warzonerat
\ProgramData\images.exe	warzonerat
\ProgramData\images.exe	warzonerat
C:\ProgramData\images.exe	warzonerat
C:\ProgramData\images.exe	warzonerat

Executes dropped EXE 56 IoCs

Processes:

Client-1.exemaxenlt.pifimages.exeRegSvcs.exemaxenlt.pifmaxenlt.pifRegSvcs.exemaxenlt.pifmaxenlt.pifRegSvcs.exemaxenlt.pifmaxenlt.pifRegSvcs.exemaxenlt.pifmaxenlt.pifRegSvcs.exemaxenlt.pifmaxenlt.pifRegSvcs.exemaxenlt.pifmaxenlt.pifmaxenlt.pifRegSvcs.exemaxenlt.pifmaxenlt.pifRegSvcs.exemaxenlt.pifmaxenlt.pifRegSvcs.exemaxenlt.pifRegSvcs.exemaxenlt.pifRegSvcs.exemaxenlt.pifRegSvcs.exemaxenlt.pifRegSvcs.exemaxenlt.pifRegSvcs.exemaxenlt.pifRegSvcs.exemaxenlt.pifRegSvcs.exemaxenlt.pifRegSvcs.exemaxenlt.pifRegSvcs.exemaxenlt.pifRegSvcs.exemaxenlt.pifRegSvcs.exemaxenlt.pifRegSvcs.exemaxenlt.pifRegSvcs.exemaxenlt.pif

pid	process
1672	Client-1.exe
1552	maxenlt.pif
268	images.exe
1004	RegSvcs.exe
1400	maxenlt.pif
1604	maxenlt.pif
968	RegSvcs.exe
572	maxenlt.pif
1188	maxenlt.pif
548	RegSvcs.exe
1344	maxenlt.pif
1668	maxenlt.pif
1600	RegSvcs.exe
1404	maxenlt.pif
1840	maxenlt.pif
616	RegSvcs.exe
864	maxenlt.pif
548	maxenlt.pif
1760	RegSvcs.exe
1736	maxenlt.pif
2036	maxenlt.pif
1672	maxenlt.pif
1340	RegSvcs.exe
1004	maxenlt.pif
1348	maxenlt.pif
1748	RegSvcs.exe
1772	maxenlt.pif
1604	maxenlt.pif
900	RegSvcs.exe
1684	maxenlt.pif
976	RegSvcs.exe
1028	maxenlt.pif
2032	RegSvcs.exe
304	maxenlt.pif
1524	RegSvcs.exe
572	maxenlt.pif
1540	RegSvcs.exe
1500	maxenlt.pif
1696	RegSvcs.exe
1536	maxenlt.pif
900	RegSvcs.exe
1592	maxenlt.pif
1676	RegSvcs.exe
1392	maxenlt.pif
2008	RegSvcs.exe
1736	maxenlt.pif
548	RegSvcs.exe
1404	maxenlt.pif
968	RegSvcs.exe
1780	maxenlt.pif
1376	RegSvcs.exe
1680	maxenlt.pif
2028	RegSvcs.exe
1464	maxenlt.pif
1616	RegSvcs.exe
1028	maxenlt.pif

Drops startup file 2 IoCs

Processes:

Client-1.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	Client-1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	Client-1.exe

Loads dropped DLL 32 IoCs

Processes:

RFQ- 28300NB.scrClient-1.exemaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pif

pid	process
1144	RFQ- 28300NB.scr
1144	RFQ- 28300NB.scr
1144	RFQ- 28300NB.scr
1144	RFQ- 28300NB.scr
1144	RFQ- 28300NB.scr
1144	RFQ- 28300NB.scr
1144	RFQ- 28300NB.scr
1144	RFQ- 28300NB.scr
1672	Client-1.exe
1672	Client-1.exe
1552	maxenlt.pif
1604	maxenlt.pif
1188	maxenlt.pif
1668	maxenlt.pif
1840	maxenlt.pif
548	maxenlt.pif
1672	maxenlt.pif
1348	maxenlt.pif
1604	maxenlt.pif
1684	maxenlt.pif
1028	maxenlt.pif
304	maxenlt.pif
572	maxenlt.pif
1500	maxenlt.pif
1536	maxenlt.pif
1592	maxenlt.pif
1392	maxenlt.pif
1736	maxenlt.pif
1404	maxenlt.pif
1780	maxenlt.pif
1680	maxenlt.pif
1464	maxenlt.pif

Adds Run key to start application 2 TTPs 63 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

maxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifClient-1.exemaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pif

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	Client-1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	maxenlt.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\92809516\\maxenlt.pif C:\\Users\\Admin\\AppData\\Roaming\\92809516\\fruhcg.vbd"	maxenlt.pif

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
NTFS ADS 1 IoCs

Processes:

Client-1.exe

description ioc process

File created C:\ProgramData:ApplicationData Client-1.exe

description	ioc	process
File created	C:\ProgramData:ApplicationData	Client-1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exemaxenlt.pifpowershell.exemaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pifmaxenlt.pif

pid	process
1904	powershell.exe
1552	maxenlt.pif
1552	maxenlt.pif
1552	maxenlt.pif
1552	maxenlt.pif
1552	maxenlt.pif
1552	maxenlt.pif
1472	powershell.exe
1400	maxenlt.pif
1400	maxenlt.pif
1400	maxenlt.pif
1400	maxenlt.pif
1400	maxenlt.pif
1400	maxenlt.pif
1604	maxenlt.pif
1604	maxenlt.pif
1604	maxenlt.pif
1604	maxenlt.pif
1604	maxenlt.pif
1604	maxenlt.pif
572	maxenlt.pif
572	maxenlt.pif
572	maxenlt.pif
572	maxenlt.pif
572	maxenlt.pif
572	maxenlt.pif
1188	maxenlt.pif
1188	maxenlt.pif
1188	maxenlt.pif
1188	maxenlt.pif
1188	maxenlt.pif
1188	maxenlt.pif
1344	maxenlt.pif
1344	maxenlt.pif
1344	maxenlt.pif
1344	maxenlt.pif
1344	maxenlt.pif
1344	maxenlt.pif
1668	maxenlt.pif
1668	maxenlt.pif
1668	maxenlt.pif
1668	maxenlt.pif
1668	maxenlt.pif
1668	maxenlt.pif
1404	maxenlt.pif
1404	maxenlt.pif
1404	maxenlt.pif
1404	maxenlt.pif
1404	maxenlt.pif
1404	maxenlt.pif
1840	maxenlt.pif
1840	maxenlt.pif
1840	maxenlt.pif
1840	maxenlt.pif
1840	maxenlt.pif
1840	maxenlt.pif
864	maxenlt.pif
864	maxenlt.pif
864	maxenlt.pif
864	maxenlt.pif
864	maxenlt.pif
864	maxenlt.pif
548	maxenlt.pif
548	maxenlt.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1904 powershell.exe
Token: SeDebugPrivilege 1472 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

RFQ- 28300NB.scrClient-1.exemaxenlt.pifimages.exeWScript.exemaxenlt.pifWScript.exemaxenlt.pifWScript.exe

description	pid	process	target process
PID 1144 wrote to memory of 1672	1144	RFQ- 28300NB.scr	Client-1.exe
PID 1144 wrote to memory of 1672	1144	RFQ- 28300NB.scr	Client-1.exe
PID 1144 wrote to memory of 1672	1144	RFQ- 28300NB.scr	Client-1.exe
PID 1144 wrote to memory of 1672	1144	RFQ- 28300NB.scr	Client-1.exe
PID 1144 wrote to memory of 1552	1144	RFQ- 28300NB.scr	maxenlt.pif
PID 1144 wrote to memory of 1552	1144	RFQ- 28300NB.scr	maxenlt.pif
PID 1144 wrote to memory of 1552	1144	RFQ- 28300NB.scr	maxenlt.pif
PID 1144 wrote to memory of 1552	1144	RFQ- 28300NB.scr	maxenlt.pif
PID 1672 wrote to memory of 1904	1672	Client-1.exe	powershell.exe
PID 1672 wrote to memory of 1904	1672	Client-1.exe	powershell.exe
PID 1672 wrote to memory of 1904	1672	Client-1.exe	powershell.exe
PID 1672 wrote to memory of 1904	1672	Client-1.exe	powershell.exe
PID 1672 wrote to memory of 268	1672	Client-1.exe	images.exe
PID 1672 wrote to memory of 268	1672	Client-1.exe	images.exe
PID 1672 wrote to memory of 268	1672	Client-1.exe	images.exe
PID 1672 wrote to memory of 268	1672	Client-1.exe	images.exe
PID 1552 wrote to memory of 1004	1552	maxenlt.pif	RegSvcs.exe
PID 1552 wrote to memory of 1004	1552	maxenlt.pif	RegSvcs.exe
PID 1552 wrote to memory of 1004	1552	maxenlt.pif	RegSvcs.exe
PID 1552 wrote to memory of 1004	1552	maxenlt.pif	RegSvcs.exe
PID 1552 wrote to memory of 1004	1552	maxenlt.pif	RegSvcs.exe
PID 1552 wrote to memory of 1004	1552	maxenlt.pif	RegSvcs.exe
PID 1552 wrote to memory of 1004	1552	maxenlt.pif	RegSvcs.exe
PID 268 wrote to memory of 1472	268	images.exe	powershell.exe
PID 268 wrote to memory of 1472	268	images.exe	powershell.exe
PID 268 wrote to memory of 1472	268	images.exe	powershell.exe
PID 268 wrote to memory of 1472	268	images.exe	powershell.exe
PID 268 wrote to memory of 1708	268	images.exe	cmd.exe
PID 268 wrote to memory of 1708	268	images.exe	cmd.exe
PID 268 wrote to memory of 1708	268	images.exe	cmd.exe
PID 268 wrote to memory of 1708	268	images.exe	cmd.exe
PID 1552 wrote to memory of 432	1552	maxenlt.pif	WScript.exe
PID 1552 wrote to memory of 432	1552	maxenlt.pif	WScript.exe
PID 1552 wrote to memory of 432	1552	maxenlt.pif	WScript.exe
PID 1552 wrote to memory of 432	1552	maxenlt.pif	WScript.exe
PID 268 wrote to memory of 1708	268	images.exe	cmd.exe
PID 268 wrote to memory of 1708	268	images.exe	cmd.exe
PID 432 wrote to memory of 1400	432	WScript.exe	maxenlt.pif
PID 432 wrote to memory of 1400	432	WScript.exe	maxenlt.pif
PID 432 wrote to memory of 1400	432	WScript.exe	maxenlt.pif
PID 432 wrote to memory of 1400	432	WScript.exe	maxenlt.pif
PID 1400 wrote to memory of 1748	1400	maxenlt.pif	WScript.exe
PID 1400 wrote to memory of 1748	1400	maxenlt.pif	WScript.exe
PID 1400 wrote to memory of 1748	1400	maxenlt.pif	WScript.exe
PID 1400 wrote to memory of 1748	1400	maxenlt.pif	WScript.exe
PID 1748 wrote to memory of 1604	1748	WScript.exe	maxenlt.pif
PID 1748 wrote to memory of 1604	1748	WScript.exe	maxenlt.pif
PID 1748 wrote to memory of 1604	1748	WScript.exe	maxenlt.pif
PID 1748 wrote to memory of 1604	1748	WScript.exe	maxenlt.pif
PID 1604 wrote to memory of 968	1604	maxenlt.pif	RegSvcs.exe
PID 1604 wrote to memory of 968	1604	maxenlt.pif	RegSvcs.exe
PID 1604 wrote to memory of 968	1604	maxenlt.pif	RegSvcs.exe
PID 1604 wrote to memory of 968	1604	maxenlt.pif	RegSvcs.exe
PID 1604 wrote to memory of 968	1604	maxenlt.pif	RegSvcs.exe
PID 1604 wrote to memory of 968	1604	maxenlt.pif	RegSvcs.exe
PID 1604 wrote to memory of 968	1604	maxenlt.pif	RegSvcs.exe
PID 1604 wrote to memory of 1712	1604	maxenlt.pif	WScript.exe
PID 1604 wrote to memory of 1712	1604	maxenlt.pif	WScript.exe
PID 1604 wrote to memory of 1712	1604	maxenlt.pif	WScript.exe
PID 1604 wrote to memory of 1712	1604	maxenlt.pif	WScript.exe
PID 1712 wrote to memory of 572	1712	WScript.exe	maxenlt.pif
PID 1712 wrote to memory of 572	1712	WScript.exe	maxenlt.pif
PID 1712 wrote to memory of 572	1712	WScript.exe	maxenlt.pif
PID 1712 wrote to memory of 572	1712	WScript.exe	maxenlt.pif

C:\Users\Admin\AppData\Local\Temp\RFQ- 28300NB.scr
"C:\Users\Admin\AppData\Local\Temp\RFQ- 28300NB.scr" /S
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1144

C:\Users\Admin\AppData\Roaming\92809516\Client-1.exe
"C:\Users\Admin\AppData\Roaming\92809516\Client-1.exe" Paul E. Patton (born May 26, 1937) is an American politician who served as the 59th governor of Kentucky from 1995 to 2003.
2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
4⤵
PID:1708

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1552

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
3⤵
- Executes dropped EXE
PID:1004

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:432

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1604

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
7⤵
- Executes dropped EXE
PID:968

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
7⤵
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:572

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
9⤵
PID:848

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1188

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
11⤵
- Executes dropped EXE
PID:548

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
11⤵
PID:1116

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
12⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1344

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
13⤵
PID:1576

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
14⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1668

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
15⤵
- Executes dropped EXE
PID:1600

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
15⤵
PID:1280

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
16⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1404

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
17⤵
PID:1264

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
18⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1840

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
19⤵
- Executes dropped EXE
PID:616

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
19⤵
PID:848

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
20⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:864

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
21⤵
PID:796

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
22⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:548

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
23⤵
- Executes dropped EXE
PID:1760

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
23⤵
PID:1768

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
24⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1736

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
25⤵
PID:1500

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
26⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2036

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
27⤵
PID:2044

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
27⤵
PID:1620

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
28⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1672

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
29⤵
- Executes dropped EXE
PID:1340

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
29⤵
PID:616

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
30⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1004

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
31⤵
PID:768

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
32⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1348

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
33⤵
- Executes dropped EXE
PID:1748

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
33⤵
PID:1764

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
34⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1772

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
35⤵
PID:584

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
36⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1604

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
37⤵
- Executes dropped EXE
PID:900

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
37⤵
PID:1532

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
38⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1684

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
39⤵
- Executes dropped EXE
PID:976

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
39⤵
PID:1628

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
40⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1028

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
41⤵
- Executes dropped EXE
PID:2032

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
41⤵
PID:1952

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
42⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:304

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
43⤵
- Executes dropped EXE
PID:1524

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
43⤵
PID:1280

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
44⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:572

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
45⤵
- Executes dropped EXE
PID:1540

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
45⤵
PID:1068

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
46⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1500

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
47⤵
- Executes dropped EXE
PID:1696

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
47⤵
PID:544

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
48⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1536

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
49⤵
- Executes dropped EXE
PID:900

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
49⤵
PID:1292

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
50⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1592

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
51⤵
- Executes dropped EXE
PID:1676

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
51⤵
PID:1364

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
52⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1392

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
53⤵
- Executes dropped EXE
PID:2008

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
53⤵
PID:1028

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
54⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1736

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
55⤵
- Executes dropped EXE
PID:548

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
55⤵
PID:304

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
56⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1404

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
57⤵
- Executes dropped EXE
PID:968

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
57⤵
PID:1116

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
58⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1780

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
59⤵
- Executes dropped EXE
PID:1376

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
59⤵
PID:1180

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
60⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1680

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
61⤵
- Executes dropped EXE
PID:2028

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
61⤵
PID:1004

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
62⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1464

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
63⤵
- Executes dropped EXE
PID:1616

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\92809516\run.vbs"
63⤵
PID:1760

C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
"C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif" fruhcg.vbd
64⤵
- Executes dropped EXE
PID:1028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\images.exe
MD5
15d206310b65d58f2920f7fbab42d2d7

SHA1
91e9f7fefa4d13b6fec522a0f2d78f735aaa0634

SHA256
5b6ac94ed2e8e2fda33d432f739588ad97db7a8865e51dc7ea2dc758eb1ed9cd

SHA512
dcf68d7615c69eb4ccf0d8ed27a123437f24aeb4f3770e51dcf7ec21570fc1777aa4dbd1afcbc670a080a460462e2944c7709a9d1f406848f38e7bb720795f61

Download Submit
C:\ProgramData\images.exe
MD5
15d206310b65d58f2920f7fbab42d2d7

SHA1
91e9f7fefa4d13b6fec522a0f2d78f735aaa0634

SHA256
5b6ac94ed2e8e2fda33d432f739588ad97db7a8865e51dc7ea2dc758eb1ed9cd

SHA512
dcf68d7615c69eb4ccf0d8ed27a123437f24aeb4f3770e51dcf7ec21570fc1777aa4dbd1afcbc670a080a460462e2944c7709a9d1f406848f38e7bb720795f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\Client-1.exe
MD5
15d206310b65d58f2920f7fbab42d2d7

SHA1
91e9f7fefa4d13b6fec522a0f2d78f735aaa0634

SHA256
5b6ac94ed2e8e2fda33d432f739588ad97db7a8865e51dc7ea2dc758eb1ed9cd

SHA512
dcf68d7615c69eb4ccf0d8ed27a123437f24aeb4f3770e51dcf7ec21570fc1777aa4dbd1afcbc670a080a460462e2944c7709a9d1f406848f38e7bb720795f61

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\Client-1.exe
MD5
15d206310b65d58f2920f7fbab42d2d7

SHA1
91e9f7fefa4d13b6fec522a0f2d78f735aaa0634

SHA256
5b6ac94ed2e8e2fda33d432f739588ad97db7a8865e51dc7ea2dc758eb1ed9cd

SHA512
dcf68d7615c69eb4ccf0d8ed27a123437f24aeb4f3770e51dcf7ec21570fc1777aa4dbd1afcbc670a080a460462e2944c7709a9d1f406848f38e7bb720795f61

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\fruhcg.vbd
MD5
539e353ba0fd9074f9c3424e2c61f4d3

SHA1
5aecb769a36d652035bd8c3cd1b8dab00dbe0abf

SHA256
756b5191e7e49f82188c9ac20bf8e281a6ba0e08105bf1aae0eaba2f34c502c0

SHA512
e6ec9d24b658bdc83ae6abbbf1e4d075db5ae36f86d02ddc4ca84c1202032d1eb4635b211b45827265668e2bacac26d31e5e86da8ef7e1a96f2437b02b2720a1

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\mucft.txt
MD5
66509d249f10f3434f3a9f57f3834ca1

SHA1
5f9752739d0c91fa70ea630f3f79beacd53787f0

SHA256
d50cfe73844fdc1836adefdd3c7ed2abf82bd39e8a9690a5a54eae6f8ca1e10e

SHA512
43acd6add3860181bcc8b26ddc3f426edc591a869d1f8558f9a40f047c350567e5ad3613d0971179c12d4c68d708c98229df46b499c746235f506638da18f8d8

Download Submit
C:\Users\Admin\AppData\Roaming\92809516\run.vbs
MD5
d0d4f0054aae280e17d188c6b9f89a25

SHA1
f0941cdfcff06957727aedad7455db27542c8926

SHA256
092da3fdf59c64cefbde64e91fd94c63836d3ca833d97c7fa2a1a395d06a2b36

SHA512
54d80decc6e7d2f8e4d30594ab8a5bd50dc4f201703497df908f9ec406e7422d6f4b20e222563a2fae5497068c67353a4f7f4adc88e456e24606fb70df43a32e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
7717afd43dd53c70b98919a0cb7a31ad

SHA1
cd52dc68e8e122375f8578d9f81b3ad85e6cbec2

SHA256
b10bcdeb3a9f6f33694b29fbf98af1dcd81211251c934d9cae690be698bd0f95

SHA512
76d6e25052b68166eb92621a4a0aa7b3c784b37f7cd35c09f193b2391a8130cdefb661c6381e32e731d6f072f276cc9c2906798aa160748ccc7a3ef3a2c41914

Download Submit
\ProgramData\images.exe
MD5
15d206310b65d58f2920f7fbab42d2d7

SHA1
91e9f7fefa4d13b6fec522a0f2d78f735aaa0634

SHA256
5b6ac94ed2e8e2fda33d432f739588ad97db7a8865e51dc7ea2dc758eb1ed9cd

SHA512
dcf68d7615c69eb4ccf0d8ed27a123437f24aeb4f3770e51dcf7ec21570fc1777aa4dbd1afcbc670a080a460462e2944c7709a9d1f406848f38e7bb720795f61

Download Submit
\ProgramData\images.exe
MD5
15d206310b65d58f2920f7fbab42d2d7

SHA1
91e9f7fefa4d13b6fec522a0f2d78f735aaa0634

SHA256
5b6ac94ed2e8e2fda33d432f739588ad97db7a8865e51dc7ea2dc758eb1ed9cd

SHA512
dcf68d7615c69eb4ccf0d8ed27a123437f24aeb4f3770e51dcf7ec21570fc1777aa4dbd1afcbc670a080a460462e2944c7709a9d1f406848f38e7bb720795f61

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Roaming\92809516\Client-1.exe
MD5
15d206310b65d58f2920f7fbab42d2d7

SHA1
91e9f7fefa4d13b6fec522a0f2d78f735aaa0634

SHA256
5b6ac94ed2e8e2fda33d432f739588ad97db7a8865e51dc7ea2dc758eb1ed9cd

SHA512
dcf68d7615c69eb4ccf0d8ed27a123437f24aeb4f3770e51dcf7ec21570fc1777aa4dbd1afcbc670a080a460462e2944c7709a9d1f406848f38e7bb720795f61

Download Submit
\Users\Admin\AppData\Roaming\92809516\Client-1.exe
MD5
15d206310b65d58f2920f7fbab42d2d7

SHA1
91e9f7fefa4d13b6fec522a0f2d78f735aaa0634

SHA256
5b6ac94ed2e8e2fda33d432f739588ad97db7a8865e51dc7ea2dc758eb1ed9cd

SHA512
dcf68d7615c69eb4ccf0d8ed27a123437f24aeb4f3770e51dcf7ec21570fc1777aa4dbd1afcbc670a080a460462e2944c7709a9d1f406848f38e7bb720795f61

Download Submit
\Users\Admin\AppData\Roaming\92809516\Client-1.exe
MD5
15d206310b65d58f2920f7fbab42d2d7

SHA1
91e9f7fefa4d13b6fec522a0f2d78f735aaa0634

SHA256
5b6ac94ed2e8e2fda33d432f739588ad97db7a8865e51dc7ea2dc758eb1ed9cd

SHA512
dcf68d7615c69eb4ccf0d8ed27a123437f24aeb4f3770e51dcf7ec21570fc1777aa4dbd1afcbc670a080a460462e2944c7709a9d1f406848f38e7bb720795f61

Download Submit
\Users\Admin\AppData\Roaming\92809516\Client-1.exe
MD5
15d206310b65d58f2920f7fbab42d2d7

SHA1
91e9f7fefa4d13b6fec522a0f2d78f735aaa0634

SHA256
5b6ac94ed2e8e2fda33d432f739588ad97db7a8865e51dc7ea2dc758eb1ed9cd

SHA512
dcf68d7615c69eb4ccf0d8ed27a123437f24aeb4f3770e51dcf7ec21570fc1777aa4dbd1afcbc670a080a460462e2944c7709a9d1f406848f38e7bb720795f61

Download Submit
\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
\Users\Admin\AppData\Roaming\92809516\maxenlt.pif
MD5
91e54ec0186cc136ebe1e16a47c4abb5

SHA1
b501a7ab1d2e7d15e09052fdddd10ab181c107c5

SHA256
06ff490c64dfd76ff0b2b6a89acbd05c9b5fa0457109c48db73f238ae19dff0f

SHA512
57133d36dad69114c969388ae96de75f6e43636efda4dbf8de09d0e0f9c09852b6e0ad0c451b16b154e06df3881fa178aca0e9631f0497fdbab16b9148b48d41

Download Submit
memory/268-74-0x0000000000000000-mapping.dmp

Download
memory/304-207-0x0000000000000000-mapping.dmp

Download
memory/304-233-0x0000000000000000-mapping.dmp

Download
memory/432-87-0x0000000000000000-mapping.dmp

Download
memory/544-217-0x0000000000000000-mapping.dmp

Download
memory/548-150-0x0000000000000000-mapping.dmp

Download
memory/572-211-0x0000000000000000-mapping.dmp

Download
memory/572-105-0x0000000000000000-mapping.dmp

Download
memory/584-190-0x0000000000000000-mapping.dmp

Download
memory/616-171-0x0000000000000000-mapping.dmp

Download
memory/768-177-0x0000000000000000-mapping.dmp

Download
memory/796-148-0x0000000000000000-mapping.dmp

Download
memory/848-142-0x0000000000000000-mapping.dmp

Download
memory/848-109-0x0000000000000000-mapping.dmp

Download
memory/864-144-0x0000000000000000-mapping.dmp

Download
memory/1004-245-0x0000000000000000-mapping.dmp

Download
memory/1004-173-0x0000000000000000-mapping.dmp

Download
memory/1028-203-0x0000000000000000-mapping.dmp

Download
memory/1028-229-0x0000000000000000-mapping.dmp

Download
memory/1068-213-0x0000000000000000-mapping.dmp

Download
memory/1116-237-0x0000000000000000-mapping.dmp

Download
memory/1116-116-0x0000000000000000-mapping.dmp

Download
memory/1144-53-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/1180-241-0x0000000000000000-mapping.dmp

Download
memory/1188-111-0x0000000000000000-mapping.dmp

Download
memory/1264-135-0x0000000000000000-mapping.dmp

Download
memory/1280-129-0x0000000000000000-mapping.dmp

Download
memory/1280-209-0x0000000000000000-mapping.dmp

Download
memory/1292-221-0x0000000000000000-mapping.dmp

Download
memory/1344-118-0x0000000000000000-mapping.dmp

Download
memory/1348-179-0x0000000000000000-mapping.dmp

Download
memory/1364-225-0x0000000000000000-mapping.dmp

Download
memory/1392-227-0x0000000000000000-mapping.dmp

Download
memory/1400-92-0x0000000000000000-mapping.dmp

Download
memory/1404-131-0x0000000000000000-mapping.dmp

Download
memory/1404-235-0x0000000000000000-mapping.dmp

Download
memory/1472-83-0x0000000000000000-mapping.dmp

Download
memory/1500-161-0x0000000000000000-mapping.dmp

Download
memory/1500-215-0x0000000000000000-mapping.dmp

Download
memory/1532-197-0x0000000000000000-mapping.dmp

Download
memory/1536-219-0x0000000000000000-mapping.dmp

Download
memory/1552-65-0x0000000000000000-mapping.dmp

Download
memory/1576-122-0x0000000000000000-mapping.dmp

Download
memory/1592-223-0x0000000000000000-mapping.dmp

Download
memory/1604-192-0x0000000000000000-mapping.dmp

Download
memory/1604-98-0x0000000000000000-mapping.dmp

Download
memory/1628-201-0x0000000000000000-mapping.dmp

Download
memory/1668-124-0x0000000000000000-mapping.dmp

Download
memory/1672-166-0x0000000000000000-mapping.dmp

Download
memory/1672-58-0x0000000000000000-mapping.dmp

Download
memory/1680-243-0x0000000000000000-mapping.dmp

Download
memory/1684-199-0x0000000000000000-mapping.dmp

Download
memory/1708-91-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1708-84-0x0000000000000000-mapping.dmp

Download
memory/1712-103-0x0000000000000000-mapping.dmp

Download
memory/1736-157-0x0000000000000000-mapping.dmp

Download
memory/1736-231-0x0000000000000000-mapping.dmp

Download
memory/1748-96-0x0000000000000000-mapping.dmp

Download
memory/1764-184-0x0000000000000000-mapping.dmp

Download
memory/1768-155-0x0000000000000000-mapping.dmp

Download
memory/1772-186-0x0000000000000000-mapping.dmp

Download
memory/1780-239-0x0000000000000000-mapping.dmp

Download
memory/1840-137-0x0000000000000000-mapping.dmp

Download
memory/1904-79-0x0000000002560000-0x00000000031AA000-memory.dmp

Filesize
12.3MB

Download
memory/1904-71-0x0000000000000000-mapping.dmp

Download
memory/1952-205-0x0000000000000000-mapping.dmp

Download
memory/2036-163-0x0000000000000000-mapping.dmp

Download